 From:  Claude Hecker <claude dot hecker at phoenix dash mecano dot com>
 To:  "Jonathan S. Romero" <jromero at raydiance dash inc dot com>, "m0n0wall dash dev at lists dot m0n0 dot ch" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Statement -- Question
 Date:  Thu, 17 Mar 2005 21:30:12 +0100
Hello Jonathan,

I asked myself, because at the moment there are ongoing problems with dyn.

changing the following in vpn.inc to

    /* prefer old SAs only for 30 seconds, then use the new one */
    /* mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); // original entry */
    mwexec("/sbin/sysctl -w net.key.preferred_oldsa=0");

// sometimes posted to the list but never included in the real version or

And switching back in racoon.conf from
proposal_check obey to claim...
// you have to do these changes also in vpn.inc

Then everything would work fine...

So the trick is to configure it for the moment using mobile user IPSec...

!! As I told, we use a customized version of 1.2b3.

so that the downtime of a dyn to dyn tunnel (we use our own dyndns server, RFC 2136 {orig. WebGUI RFC 2163 number is wrong}) is at least 10 min. a day. Second is to have the described changes included in vpn.inc.

But the main question for me is why the switch to FBSD 5.x, because
everything is working fine under FBSD 4.1x.

different, but why, Manuel?



On 17.03.2005 at 15:32, "Jonathan S. Romero" wrote under
<jromero at raydiance dash inc dot com>:

> Hello Claude, 
> Disclaimer: i've only used the stable versions of m0n0wall.
> Can you clarify question 2.  Are you asking why dynamic endpoints don't
> work with m0n0wall?  I'm assuming you are referring to IPSEC tunnels
> network-to-network.
> I have long wanted a solution that would involve half the tunnel being
> on a static endpoint, and the other half on dynamic IP.  From what I
> have been able to gather via past posts, the reasoning for not doing
> this is the lack of capability to verify the identity of the remote
> endpoint, along with the need to have the connection rebuilt every time
> the DNS entry changes (assuming you use DynDNS or equivalent).
> I have very little background with racoon, the ipsec system that
> m0n0wall uses if I understand it correctly.  I'd imagine that the
> endpoints are passed to racoon via their IP addresses, so in order to
> consistently maintain a connection you would need a daemon to poll the
> status of active ipsec tunnels marked as dynamic, and if they go down,
> create a brand new ipsec connection for it.
> Perhaps OpenVPN is the way to go with the dynamic endpoints, since you
> have the built in certificate support.  I'm not sure how fast it
> rebuilds connections when the remote ip changes.
> For right now I will have to use a mixed mode ipsec setup, with m0n0wall
> serving to bridge together nets with static endpoints, and a linux
> system running other VPN software on its own static endpoint to hook in
> the dynamic IPs.
> On Thu, 2005-03-17 at 12:14 +0100, Claude Hecker wrote:
>> > Hi folks, 
>> > 
>> > First of all Manuel and all the other guys have done a great job in
>> > developing such a useful software which is even as stable as commercial
>> > products. At this point, we use this solution together with a commercial
>> > product in a little bit customized version at our company's in about 54
>> > destinations. 
>> > 
>> > Questions: 
>> > 
>> > 1.  Why switch to FBSD 5.x like pfsense has done
>> >     everything is working well on FBSD 4.1x with a few hacks
>> > 
>> > 2.  All the problems with dynamic endpoints currently included in all
>> >     versions after 1.11, by the way we use as source 1.2b3
>> > 
>> > Regards 
>> > 
>> > Claude 
>> > 
>> > 
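The two changes Claude describes above (racoon's proposal_check mode and the net.key.preferred_oldsa sysctl) are the kind of thing worth checking on a box before blaming dynamic endpoints. Below is an added example, not code from this thread or from m0n0wall's vpn.inc: a small Python audit that parses racoon.conf "remote" blocks, reports each block's proposal_check mode, and flags "obey", which lets the peer's proposal (including lifetimes) win on the responder side. It also reads a sysctl.conf-style list for net.key.preferred_oldsa. The racoon.conf syntax follows racoon.conf(5); the sample configuration, peer names, paths and values are constructed for the demo.

```python
"""Audit racoon.conf remote blocks and the preferred_oldsa sysctl.

Added example, not m0n0wall code.  The sample configuration below is
constructed: one remote block generated with 'obey' and one corrected
to 'claim', as discussed in the thread.
"""
import re

# Constructed sample racoon.conf fragment (hypothetical hostnames/addresses).
SAMPLE_RACOON_CONF = """\
path pre_shared_key "/var/etc/psk.txt";

remote anonymous {
    exchange_mode aggressive;
    my_identifier fqdn "fw.example.test";
    proposal_check obey;
    lifetime time 28800 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

remote 192.0.2.10 {
    exchange_mode main;
    proposal_check claim;
    lifetime time 3600 sec;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
"""

# Constructed sysctl.conf-style lines; -30 is the setting vpn.inc originally used.
SAMPLE_SYSCTL_LINES = [
    "net.inet.ip.forwarding=1",
    "net.key.preferred_oldsa=-30",
]

REMOTE_RE = re.compile(r'remote\s+(\S+)\s*\{')


def parse_remote_blocks(text):
    """Return {peer: body} for every top-level 'remote X { ... }' block.

    Braces are counted so a nested 'proposal { ... }' stays inside the body
    instead of terminating the remote block early."""
    blocks = {}
    pos = 0
    while True:
        m = REMOTE_RE.search(text, pos)
        if not m:
            return blocks
        depth, i = 1, m.end()
        while depth and i < len(text):
            if text[i] == '{':
                depth += 1
            elif text[i] == '}':
                depth -= 1
            i += 1
        blocks[m.group(1)] = text[m.end():i - 1]   # body without the closing brace
        pos = i


def setting(body, key):
    """Value of a 'key value;' statement in a block body, or None when absent."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s+([^;]+);', body, re.M)
    return m.group(1).strip() if m else None


def audit_racoon(text):
    """Per remote block: the proposal_check mode plus findings worth a look."""
    report = {}
    for peer, body in parse_remote_blocks(text).items():
        mode = setting(body, 'proposal_check') or 'unset'
        findings = []
        if mode == 'obey':
            findings.append("proposal_check obey: responder accepts the peer's "
                            "proposal and lifetimes as-is; thread switches to 'claim'")
        if setting(body, 'lifetime') is None:
            findings.append('no explicit phase-1 lifetime in this block')
        report[peer] = {'proposal_check': mode, 'findings': findings}
    return report


def preferred_oldsa(lines):
    """Configured net.key.preferred_oldsa as an int, or None if the key is absent."""
    for line in lines:
        key, _, value = line.partition('=')
        if key.strip() == 'net.key.preferred_oldsa':
            return int(value.strip())
    return None


if __name__ == '__main__':
    for peer, info in audit_racoon(SAMPLE_RACOON_CONF).items():
        print(peer, info['proposal_check'], *info['findings'], sep=' | ')
    print('net.key.preferred_oldsa =', preferred_oldsa(SAMPLE_SYSCTL_LINES))
```

Run against a real /var/etc/racoon.conf and the sysctl lines vpn.inc emits, the report shows at a glance which remote blocks still negotiate with "obey" and whether the old-SA preference was changed as the message suggests.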