 
 From:  Rui Correia <rds underscore correia at mailshack dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSec between 2 m0n0 - Static to DHCP...
 Date:  Tue, 23 Nov 2004 12:23:56 +0000 (UTC)
Hi there,
First time here in the lists.
All my thanks go to Manuel and the rest of the team for their great effort on
providing us this great free firewall.
I've never seen something as cool as the webGUI on free products, and for a big
noob as me it's really intuitive.
Still I have some questions I'd like to pose.
Some of them have been thoroughly discussed here.
But for some reason I don't think they were completely cleared before.

1-I have two m0n0 boxes running 1.11, one at home (soekris 4521) and another one
at the office (PC).
At the office I have WAN static IP, at home I have DHCP.
Is it still possible to make an IPSec VPN tunnel between both boxes?
At the DHCP side I've checked and my IP stays the same for more than a week.
Could I use that IP as long as it is mine to build the tunnel?
Here are my settings.
*Site A*
*Static side*
WAN IP: 62.48.181.181
LAN IP: 192.168.1.249/24
VPN>IPSec
WAN
LAN subnet
remote ip: 10.0.0.254/24
remote gw: 217.129.14.137 (current WAN IP!)
Phase 1
Aggressive
My IP Address
3DES
SHA1
DH 2
Lifetime 3600
Preshared is configured with the same string as in Site B config
Phase 2
ESP
Blowfish
SHA1
PFS 2
Lifetime 3600
Diagnostics>IPSec
SAD shows
No IPsec security associations.
SPD shows
10.0.0.254/24  192.168.1.0/24  ->  ESP  217.129.14.137-62.48.181.181
192.168.1.0/24  10.0.0.254/24  <-  ESP  62.48.181.181-217.129.14.137

*Site B*
*DHCP side*
WAN IP: DHCP (currently 217.129.14.137)
LAN IP: 10.0.0.254/24
VPN>IPSec
WAN
LAN subnet
remote ip: 192.168.1.0/24
remote gw: 62.48.181.181
Phase 1
Aggressive
Domain name kvideo.dyndns.org (as set in the other box dynamic IP...)
->Note: I've also tried My IP Address and leaving the input field empty but
->still no luck...
3DES
SHA1
DH 2
Lifetime 3600
Preshared is configured with the same string as in Site B config
Phase 2
ESP
Blowfish
SHA1
PFS 2
Lifetime 3600
Diagnostics>IPSec
SAD shows
No IPsec security associations.
SPD shows
192.168.1.0/24  10.0.0.254/24  ->  ESP  62.48.181.181-217.129.14.137
10.0.0.254/24  192.168.1.0/24  <-  ESP  217.129.14.137-62.48.181.181
From what I've read so far, it seems that with the current racoon specs it is
impossible to have DHCP on one of the sides.
What I need to have clarified is: isn't it supposed to work while the WAN IP
address on the DHCP side remains the same?

2-Although I've seen SafeNet's RemoteLT being addressed as THE choice for IPSec
road warriors (I love this nickname :-)) isn't it supposed to work with other
clients?
Where can I find an updated list of compliant IPSec clients with configuration
instructions?
Will I find any free compliant clients for windowze?
BTW a dumb question: is the m0n0wall IPSec implementation any similar to
Micro$oft's L2TP?
Will the current embedded WinXP software client work with m0n0wall's IPSec when
set to L2TP? I guess not, huh?

I would very much appreciate any help you can give me.
Regards to all,

Rui
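The two configurations quoted above are mirror images of each other, which is what a site-to-site tunnel requires: each side's "remote subnet" must be the peer's LAN network, each side's "remote gateway" must be the peer's current WAN address, and the Phase 1 and Phase 2 proposals must agree. The script below is an added example, not part of the post and not m0n0wall code; it transcribes the settings listed for Site A and Site B into two dictionaries (the field names are this example's own) and checks those three relationships, normalising host-with-mask strings such as 10.0.0.254/24 to their network form with the standard `ipaddress` module. It deliberately does not judge the Phase 1 identifier ("My IP Address" versus the dyndns domain name), because the post does not show what each side expects to receive from its peer.

```python
"""Consistency check for a two-site IPsec (site-to-site) configuration.

Added example; the dictionaries are transcribed from the settings quoted
in the post, the check logic and field names are assumptions of this
example and not m0n0wall's own configuration format.
"""
import ipaddress

SITE_A = {
    "name": "Site A (static)",
    "wan_ip": "62.48.181.181",
    "lan_subnet": "192.168.1.249/24",   # LAN IP as quoted; normalised below
    "remote_subnet": "10.0.0.254/24",   # exactly as typed in the post
    "remote_gw": "217.129.14.137",
    "phase1": {"mode": "aggressive", "enc": "3DES", "hash": "SHA1", "dh": 2, "lifetime": 3600},
    "phase2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1", "pfs": 2, "lifetime": 3600},
}

SITE_B = {
    "name": "Site B (DHCP)",
    "wan_ip": "217.129.14.137",         # current DHCP lease as quoted
    "lan_subnet": "10.0.0.254/24",
    "remote_subnet": "192.168.1.0/24",
    "remote_gw": "62.48.181.181",
    "phase1": {"mode": "aggressive", "enc": "3DES", "hash": "SHA1", "dh": 2, "lifetime": 3600},
    "phase2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1", "pfs": 2, "lifetime": 3600},
}


def network_of(cidr):
    """Normalise '10.0.0.254/24' (host with mask) to its network, 10.0.0.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


def check_pair(a, b):
    """Return a list of findings comparing each side's view of its peer.

    A finding is a human-readable string; an empty list means the two
    configurations are mirror images of each other.
    """
    findings = []
    for local, remote in ((a, b), (b, a)):
        want = network_of(local["lan_subnet"])        # this side's real LAN
        got = network_of(remote["remote_subnet"])     # what the peer thinks it is
        if got != want:
            findings.append(
                f"{remote['name']}: remote subnet {remote['remote_subnet']} "
                f"does not match {local['name']} LAN {want}")
        # A host address with a mask normalises to the right network, but it is
        # worth confirming the peer accepts it; flag it so the operator can check.
        if remote["remote_subnet"] != str(got):
            findings.append(
                f"{remote['name']}: remote subnet {remote['remote_subnet']} "
                f"is a host address; network form is {got}")
        if remote["remote_gw"] != local["wan_ip"]:
            findings.append(
                f"{remote['name']}: remote gateway {remote['remote_gw']} "
                f"is not {local['name']} WAN IP {local['wan_ip']}")
    # Phase 1 and Phase 2 proposals must agree field by field.
    for phase in ("phase1", "phase2"):
        for key, val in a[phase].items():
            if b[phase].get(key) != val:
                findings.append(
                    f"{phase} {key}: {a['name']} has {val}, "
                    f"{b['name']} has {b[phase].get(key)}")
    return findings


if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["no mismatches found"]:
        print(line)
```

Run against the quoted settings, the only finding is that Site A's remote subnet is written as a host address (10.0.0.254/24) rather than the network 10.0.0.0/24. The same check catches a stale "remote gateway" on the DHCP side, which is the failure mode to expect once the lease actually changes: the static side still points at the old lease address and the SPD entries, like the ones quoted, keep referring to it.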