Hello Jonathan,
By the way it wasn't really a question.
I asked myself, because at the moment there are ongoing problems with dyn. endpoints.
I'll try to explain.... What I mean.....
Dynamic IP Endpoint - Static IP Endpoint
There is an ongoing problem with multiple SAD's which can be solved by
changing the following in vpn.inc to

/* prefer old SAs only for 30 seconds, then use the new one */
/* mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); // original entry */
mwexec("/sbin/sysctl -w net.key.preferred_oldsa=0");
// sometimes posted to the list but never included in the real version or betas
And switching back in racoon.conf from
proposal_check obey to claim...
// you have to do these changes also in vpn.inc
Then everything would work fine...
Second was Dynamic IP Endpoint - Dynamic IP Endpoint
Currently you're only able to enter IP addresses for the remote endpoints --
So the trick is to configure it for the moment using mobile user IPSec...
But racoon.conf is also able to handle fqdn's for the peers_identifier...
!! As I told, we use a customized version of 1.2b3.
One of the changed things is to have a tunnel so called "Keepalive Service"
so that the downtime of a dyn to dyn tunnel (we use our own dyndns server
RFC 2136 {orig. WebGUI RFC 2163 number is wrong}) is at least 10 min. a day.
Second is to have the described changes included in vpn.inc
!! I'm really happy with m0n0wall, because it's useful and easily installed.
But the main question for me is, why switch to FBSD 5.x, because
everything is working fine under FBSD 4.1x
Scott's PFSENSE is ok to go a different way, because the goals are
different, but why Manuel?
Regards
Claude
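As an added illustration, not code from this thread or from m0n0wall: a small sh/awk helper that scans `setkey -D` output and lists endpoint pairs that have accumulated more than one live SA, the "multiple SAD entries" symptom described above, so the effect of the net.key.preferred_oldsa change can be checked on the box before and after. It assumes the KAME/FreeBSD 4.x setkey dump layout, runs here on a constructed sample dump, and the function names are my own.

```shell
# Added example, not from the thread or m0n0wall: list endpoint pairs in a
# `setkey -D` dump that hold more than one live SA (the "multiple SAD entries"
# symptom). Assumes the KAME/FreeBSD 4.x layout: an unindented "src dst" line,
# then indented attribute lines (esp|ah ... spi=N(0x..) ..., ... state=...).

# Constructed sample: 10.0.0.2 -> 10.0.0.1 has a stale and a fresh ESP SA,
# the reverse direction only one. Real setkey indents with a tab; the parser
# accepts any leading whitespace, so spaces are used here.
SAMPLE_SETKEY_DUMP='10.0.0.2 10.0.0.1
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Mar 17 12:14:00 2005 current: Mar 17 12:20:00 2005
10.0.0.2 10.0.0.1
    esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Mar 17 12:19:40 2005 current: Mar 17 12:20:00 2005
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Mar 17 12:19:41 2005 current: Mar 17 12:20:00 2005
'

# Reads a setkey -D dump on stdin; prints "src dst proto count spi,spi" for
# every (src, dst, proto) that has more than one mature or dying SA.
report_duplicate_sas() {
    awk '
        /^[^ \t]/ { pair = $1 " " $2; next }            # start of an SA record
        /^[ \t]+(esp|ah) / {                            # protocol + SPI line
            proto = $1; sub(/^spi=/, "", $3); split($3, a, "("); spi = a[1]
        }
        /state=(mature|dying)/ {                        # count only live SAs
            key = pair " " proto
            n[key]++
            spis[key] = (spis[key] == "" ? spi : spis[key] "," spi)
        }
        END { for (k in n) if (n[k] > 1) print k, n[k], spis[k] }
    ' | sort
}

# Convenience wrappers: run the report on the sample / on the live box.
report_sample_duplicates() { printf '%s' "$SAMPLE_SETKEY_DUMP" | report_duplicate_sas; }
count_sample_duplicate_pairs() { report_sample_duplicates | wc -l | tr -d ' '; }
report_live_duplicates() { setkey -D | report_duplicate_sas; }   # FreeBSD only
```

On the firewall, `report_live_duplicates` gives the same summary for the real SAD; an empty result after the sysctl change is the expected outcome.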
On 17.03.2005 at 15:32, "Jonathan S. Romero" <jromero at raydiance dash inc dot com> wrote:
> Hello Claude,
>
> Disclaimer: i've only used the stable versions of m0n0wall.
>
> Can you clarify question 2. Are you asking why dynamic endpoints don't
> work with m0n0wall? I'm assuming you are referring to IPSEC tunnels
> network-to-network.
>
> I have long wanted a solution that would involve half the tunnel being
> on a static endpoint, and the other half on dynamic IP. From what I
> have been able to gather via past posts, the reasoning for not doing
> this is the lack of capability to verify the identity of the remote
> endpoint, along with the need to have the connection rebuilt every time
> the DNS entry changes (assuming you use DynDNS or equivalent).
>
> I have very little background with racoon, the ipsec system that
> m0n0wall uses if I understand it correctly. I'd imagine that the
> endpoints are passed to racoon via their IP addresses, so in order to
> consistently maintain a connection you would need a daemon to poll the
> status of active ipsec tunnels marked as dynamic, and if they go down,
> create a brand new ipsec connection for it.
>
> Perhaps OpenVPN is the way to go with the dynamic endpoints, since you
> have the built in certificate support. I'm not sure how fast it
> rebuilds connections when the remote ip changes.
>
> For right now I will have to use a mixed mode ipsec setup, with m0n0wall
> serving to bridge together nets with static endpoints, and a linux
> system running other VPN software on its own static endpoint to hook in
> the dynamic IPs.
>
>
> On Thu, 2005-03-17 at 12:14 +0100, Claude Hecker wrote:
>> > Hi folks,
>> >
>> > First of all Manuel and all the other guys have done a great job in
>> > developing such a useful software which is even as stable as commercial
>> > products. At this point, we use this solution together with a commercial
>> > product in a little bit customized version at our company in about 54
>> > destinations.
>> >
>> > Questions:
>> >
>> > 1. Why switch to FBSD 5.x like pfsense has done?
>> > Everything is working well on FBSD 4.1x with a few hacks
>> >
>> > 2. All the problems with dynamic endpoints currently included in all
>> > versions after 1.11, by the way we use as source 1.2b3
>> >
>> > Regards
>> >
>> > Claude