Hi,

I've just started to learn about IPsec and VPNs and I think it's very interesting. As I understand there are 2 modes for IPsec. Transport for peer-to-peer connection and Tunnel where you can connected to networks. My question now is, if I have a linux machine with 1 NIC (that is no local network) and I want to be able to connect to it with a windows 2k/xp using VPN. This windows machine is portable (that is the IP changes). Is this possible or must I have a local network for VPN to work ?

Thanks for any reply!

Transport mode encrypts parts of the header so that any intermediate host must understand IPSEC. Tunnel mode totally encapsulates the encrypted packet into another IP header so that the entire contents can pass non-ipsec intermediate hosts, i.e internet routers. Its a bit more overhead but more useful and more secure. You can connect using tunnel mode to your host no matter where it is, as long as you are on a network that allows IP protocol 50 (Authentication Header) and 51(Encapsulating Security Payload) and also allows UDP port 500 (Internet Key Exchange). So if you took your machine to a freinds house you could VPN to it from somewhere else as long as his firewall allowed these protocols/ports.

If behind a NAT device, I believe that NAT-T support is required on both "endpoints" in order to pass IPSEC/L2TP.

Brians right, not sure what the term is but NAT definitely needs to support IPSEC as I think even in tunnel mode AH is used to protect the tunnel header from being tinkered with and NAT obviously changes the header!

Having said that we would normally place VPN concentrators and the like on DMZ's with a public address.