 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Suraj K. Rai" <surajrai at mac dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC and DHCP WAN interface
 Date:  Mon, 9 Jun 2003 10:34:58 +0200 (CEST)
On Sun, 8 Jun 2003, Suraj K. Rai wrote:

> I am very new to IPSEC and I was wondering why m0n0wall requires a
> static IP on the WAN interface for IPSEC.  Is this a limitation on the
> protocol, FreeBSD or m0n0wall?  Is it because the keys will have to
> be re-generated when the DHCP address changes?  The reason I ask is, my
> DHCP address has not changed in ages.

Let's say it's a shortcoming in the way the SPD is handled. When the
script installs new entries in the SPD using setkey, it must specify both
endpoints of the tunnel - the local and the remote one. The only way I see
to solve this would be to write some small program that gets called by
dhclient or MPD when the IP address changes. It would have to flush the
SPD and SAD, reinstall all entries with the new local IP address and
possibly restart racoon. I'll consider this for a future version.

> Also, what about using IPSEC over the WLAN interface?  I understand
> that pb11 has made it possible for WLAN to be used as the WAN interface
> however it would be nice if the WLAN interface could be used as one of
> the "optional" interfaces and still be able to do IPSEC.

Maybe, one day...

- Manuel
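The hook program Manuel sketches, as an added example that is not part of this thread or of m0n0wall: a FreeBSD dhclient-exit-hooks fragment that, when the WAN lease changes address, flushes the SAD and SPD, reinstalls the setkey entries with the new local endpoint and restarts racoon. The tunnel addresses, the racoon configuration path and the variables dhclient exports to the hook are assumptions.

```shell
#!/bin/sh
# Added example, not m0n0wall code. Meant to be sourced by FreeBSD's
# dhclient-script as /etc/dhclient-exit-hooks, which is assumed to set
# $reason, $new_ip_address and $old_ip_address before sourcing it.

# Constructed sample tunnel parameters (remote gateway and both subnets).
REMOTE_GW=${REMOTE_GW:-198.51.100.1}
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}
REMOTE_NET=${REMOTE_NET:-10.0.0.0/24}
RACOON_CONF=${RACOON_CONF:-/usr/local/etc/racoon/racoon.conf}   # assumed path

# Emit the setkey(8) commands that rebuild the SPD for one tunnel.
# "flush;" empties the SAD (dropping racoon's negotiated SAs) and
# "spdflush;" empties the SPD, so both endpoints must be respecified.
# $1=local WAN IP  $2=remote gateway  $3=local subnet  $4=remote subnet
gen_spd() {
    cat <<EOF
flush;
spdflush;
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# True when the lease carries an address that differs from the previous one,
# so a plain RENEW of the same address does not tear the tunnel down.
addr_changed() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# Flush SAD/SPD, reinstall entries for the new local IP and restart racoon,
# which must renegotiate its SAs from the new source address.
reinstall_ipsec() {
    gen_spd "$1" "$REMOTE_GW" "$LOCAL_NET" "$REMOTE_NET" | setkey -c
    pkill -x racoon 2>/dev/null
    racoon -f "$RACOON_CONF"
    logger -t dhclient-hooks "IPsec SPD reinstalled for WAN address $1"
}

case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if addr_changed "${new_ip_address:-}" "${old_ip_address:-}"; then
            reinstall_ipsec "$new_ip_address"
        fi
        ;;
esac
```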