IPSec within an L2TP - not PIX :-(

  1. AM

    AM Guest

    Hi guys,

    My company bought an Intranet access service that runs over GPRS/UMTS technology.
    The provider requires us to be able to terminate an L2TP tunnel with IPsec packets wrapped within.

    Just for testing, do you think I can use an 871-SEC-K9 router (regardless of performance)?

    They ask for at least an 1812-K9, but I have an 871.

    At the moment there is an old 2611 that manages all our connections and sits between the
    Internet and a PIX firewall. The 871 would manage the tunnels and would forward the packets
    (completely unwrapped from L2TP and IPsec-decrypted) coming from the Intranet to a DMZ interface of the 2611.
    In case my tests run successfully I will upgrade the 2611 with something bigger than an 1812-K9.

    The real goal of this experiment is to bring the IPsec packets unwrapped from the L2TP tunnel and
    forward them to another device (a PIX firewall) that will decrypt them. The PIX is put behind the 2611.

    The worst side of the game is that both tunnels use the same public IP address.
    My idea is to take the IPsec packets (just unwrapped out of the L2TP tunnel and not yet decrypted),
    apply NAT to them (using a route map specifying that it would happen only if they are IPsec packets
    and the destination is that public IP address [I will use a public IP address just for that
    purpose]) and then forward them to the PIX.

    What do you think about it? Is it possible?
    Is it true that, once out of the L2TP tunnel, I can NAT the packets before the router looks up the routing table and
    forward them to the interface that has the same endpoint IP address as the L2TP tunnel?

    Any hint is really appreciated.
    I hope that someone replies to me because I'm very keen on this and so far I haven't seen any
    sample. I hope I have been clear and I wish to continue the topic with someone else.
    Keep in mind the scenario is different from L2TP within IPsec managed by PIX 7.2 or higher, and that
    is the reason I am going through all this.

    TIA Alex.
    AM, Sep 21, 2006
  2. AM

    AM Guest

    Hi guys,

    Is really no one at all interested in the topic?

    I'm going to overcome the constraints put in place by the provider. I have a roadmap, but I'd like to talk to someone else about it.

    AM, Sep 26, 2006
