 From:  "Jonathan S. Romero" <jromero at raydiance dash inc dot com>
 To:  Claude Hecker <claude dot hecker at phoenix dash mecano dot com>
 Cc:  "m0n0wall dash dev at lists dot m0n0 dot ch" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Statement -- Question
 Date:  Thu, 17 Mar 2005 09:32:31 -0500
Hello Claude,

Disclaimer: I've only used the stable versions of m0n0wall.

Can you clarify question 2.  Are you asking why dynamic endpoints don't
work with m0n0wall?  I'm assuming you are referring to IPsec tunnels.

I have long wanted a solution that would involve half the tunnel being
on a static endpoint, and the other half on dynamic IP.  From what I
have been able to gather via past posts, the reasoning for not doing
this is the lack of capability to verify the identity of the remote
endpoint, along with the need to have the connection rebuilt every time
the DNS entry changes (assuming you use DynDNS or equivalent).  

I have very little background with racoon, the ipsec system that
m0n0wall uses if I understand it correctly.  I'd imagine that the
endpoints are passed to racoon via their IP addresses, so in order to
consistently maintain a connection you would need a daemon to poll the
status of active ipsec tunnels marked as dynamic, and if they go down,
create a brand new ipsec connection for it.

Perhaps OpenVPN is the way to go with the dynamic endpoints, since you
have the built in certificate support.  I'm not sure how fast it
rebuilds connections when the remote ip changes. 

For right now I will have to use a mixed mode ipsec setup, with m0n0wall
serving to bridge together nets with static endpoints, and a linux
system running other VPN software on its own static endpoint to hook in
the dynamic IPs.

On Thu, 2005-03-17 at 12:14 +0100, Claude Hecker wrote:
> Hi folks,
> First of all Manuel and all the other guys have done a great job in
> developing such a useful software which is even as stable as commercial
> products. At this point, we use this solution together with a commercial
> product in a little bit customized version at our company's in about 54
> destinations.
> Questions:
> 1.  Why switch to FBSD 5.x like pfsense has done?
>     Everything is working well on FBSD 4.1x with a few hacks.
> 2.  All the problems with dynamic endpoints currently included in all
>     versions after 1.11; by the way, we use 1.2b3 as the source.
> Regards
> Claude 
Jonathan S. Romero
IT Manager - Raydiance Inc.
2602 Challenger Tech Court Suite 240
Orlando FL, 32826
Tel:    407-515-3180
E-mail: jromero at raydiance dash inc dot com
Fax:    407-515-3014
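The polling daemon sketched in the reply above (watch the DynDNS name of each dynamic peer, and re-create the tunnel when the address changes or the SA drops) can be expressed as a small decision loop. The block below is an added illustration written for this thread; it is not m0n0wall or racoon code, and the resolver, SA-status and rebuild callables it takes are hypothetical hooks that a real daemon would wire to the IPsec stack. The hostnames and addresses in the demo are constructed. It also makes the caveat from the reply explicit in code: a DNS answer only tells the daemon where to dial, never who answered, so peer identity still has to come from IKE authentication.

```python
"""Polling monitor for IPsec peers on dynamic IPs (added example, hypothetical hooks).

Assumed interfaces (not racoon's API):
  resolver(hostname) -> current IPv4 string or None on lookup failure
  sa_status(peer_ip) -> True if the SA to that address is currently up
  rebuild(name, old_ip, new_ip) -> tears down and re-establishes the tunnel
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class DynamicPeer:
    name: str                      # tunnel name in the firewall config
    hostname: str                  # DynDNS name of the remote endpoint
    last_ip: Optional[str] = None  # address the tunnel was last built to


@dataclass
class Decision:
    peer: str
    old_ip: Optional[str]
    new_ip: Optional[str]
    action: str                    # "rebuild", "noop" or "unresolved"
    reason: str


def resolve_ipv4(hostname: str) -> Optional[str]:
    """Default resolver for real use; the demo injects a fake one instead."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def decide(peer: DynamicPeer, resolved: Optional[str], sa_up: bool) -> Decision:
    """Pure decision step, so the policy can be tested without a network.

    The resolved address is unauthenticated data: it decides *where* to
    connect, while the IKE phase 1 exchange (PSK or certificate) is what
    verifies *who* is on the other end after the rebuild.
    """
    if resolved is None:
        # A failed lookup must not tear down a working tunnel.
        return Decision(peer.name, peer.last_ip, None, "unresolved",
                        "DNS lookup failed; keeping existing SA")
    if peer.last_ip != resolved:
        return Decision(peer.name, peer.last_ip, resolved, "rebuild",
                        "remote address changed (or first establishment)")
    if not sa_up:
        return Decision(peer.name, peer.last_ip, resolved, "rebuild",
                        "SA to current address is down")
    return Decision(peer.name, peer.last_ip, resolved, "noop", "healthy")


def poll_once(peers: List[DynamicPeer],
              resolver: Callable[[str], Optional[str]],
              sa_status: Callable[[str], bool],
              rebuild: Callable[[str, Optional[str], Optional[str]], None]) -> List[Decision]:
    """One pass over all dynamic peers; returns the decisions taken."""
    decisions = []
    for peer in peers:
        resolved = resolver(peer.hostname)
        up = sa_status(peer.last_ip) if peer.last_ip else False
        decision = decide(peer, resolved, up)
        if decision.action == "rebuild":
            rebuild(peer.name, decision.old_ip, decision.new_ip)
            peer.last_ip = decision.new_ip
        decisions.append(decision)
    return decisions


def run_demo() -> List[List[str]]:
    """Constructed scenario: the peer's DynDNS record moves on the third poll."""
    answers = iter(["198.51.100.7", "198.51.100.7", "203.0.113.9"])
    fake_resolver = lambda host: next(answers)
    sa_table = {}                  # address -> SA up?  (stands in for the IPsec stack)
    rebuilt = []

    def fake_rebuild(name, old_ip, new_ip):
        rebuilt.append((name, old_ip, new_ip))
        sa_table[new_ip] = True    # pretend phase 1/2 succeeded

    peers = [DynamicPeer("branch-a", "branch-a.dyndns.example")]
    rounds = []
    for _ in range(3):
        result = poll_once(peers, fake_resolver,
                           lambda ip: sa_table.get(ip, False), fake_rebuild)
        rounds.append([d.action for d in result])
    return rounds                  # [['rebuild'], ['noop'], ['rebuild']]


if __name__ == "__main__":
    for i, actions in enumerate(run_demo(), 1):
        print(f"poll {i}: {actions}")
```

Run it directly to see the three polls; in a real daemon the loop would sleep between passes and `resolve_ipv4` would replace the fake resolver. The rebuild callback is where the tunnel-specific work (and the check that the new peer actually authenticated) would go.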