 From:  Robert Rich <rrich at gstisecurity dot com>
 To:  Jean-Francois Theroux <jftheroux at privalodc dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPsec tunnels question
 Date:  Wed, 22 Dec 2004 11:23:33 -0500
Being a complete n00b, I don't know how much I can help, but I'll do 
what I can to put together a FAQ entry on this.  It's hard to find 
answers to this question, as there are vague references to a fix as far 
back as mid 2003.  Right now I don't know what the current state is, or 
if there is a generally accepted workaround.

This is going to be a big deal for us, so I'm probably going to try to 
hack something together if there isn't built-in support for it.  My two 
m0n0 boxen are the only *BSD I have in the house, so I'm starting from 
scratch :)

My thought, for now, was to build an external service that can 
authenticate updates from roaming m0n0 boxes and push the config updates 
to a headend m0n0 using some scripted HTTP client (I'm sure there's a 
better way).  The remote update event notification could come from the 
RFC dynamic DNS updater (that we're not using) for now, with some better 
hook later on.

Here's hoping for a better answer. :P


Jean-Francois Theroux wrote:

> Hello,
>
>     Maybe it's the lack of sleep, or it might just be that m0n0wall can't 
> do this. I'm not sure, so I turn to you all knowledgeable people for 
> this.
>
>     Say that you have your central office, which obviously has a 
> static public IP. It will be the main hub for several IPsec tunnels to 
> remote offices. Problem is, those remote offices don't have static IPs.
>
>     When you configure a tunnel in m0n0wall, you don't have a choice, 
> you need to enter a static IP for the remote gateway. If I could enter 
> a FQDN, I could use a dyndns.org setup and it'd be fine. Which I 
> can't, as far as I can see.
>
>     So, is there a workaround for this with m0n0wall? Or, sadly, will 
> I have to use a different solution? Don't talk about OpenVPN. This was 
> already rejected; the client wants an IPsec solution, or takes his business 
> elsewhere.
>
> Thanks,
>
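A sketch of the "external update service" idea from Robert's reply, added here as an illustration and not code from the thread or from m0n0wall: a roaming site sends an HMAC-signed "my address is now X" notification, the service checks the MAC, the timestamp window and the address syntax, and only then rewrites that site's remote gateway in a config file. The `<ipsec>/<tunnel>/<descr>/<remote-gateway>` element names, the site keys and the sample config are all assumptions constructed for the example.

```python
import hmac, hashlib, time, ipaddress
import xml.etree.ElementTree as ET

# Constructed sample resembling a m0n0wall-style config fragment; element names are assumed.
SAMPLE_CONFIG = """<m0n0wall>
  <ipsec>
    <tunnel><descr>branch-a</descr><remote-gateway>198.51.100.10</remote-gateway></tunnel>
    <tunnel><descr>branch-b</descr><remote-gateway>203.0.113.5</remote-gateway></tunnel>
  </ipsec>
</m0n0wall>"""

# Per-site shared secrets used to authenticate notifications (constructed values).
SITE_KEYS = {"branch-a": b"example-secret-a", "branch-b": b"example-secret-b"}
REPLAY_WINDOW = 300  # seconds a notification stays acceptable

def sign_update(site, ip, ts, key):
    """MAC over site|ip|timestamp; binds the address to the site and to a time."""
    msg = f"{site}|{ip}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_update(site, ip, ts, mac, now=None):
    """Reject unknown sites, stale or future timestamps, malformed addresses, bad MACs."""
    now = time.time() if now is None else now
    key = SITE_KEYS.get(site)
    if key is None or abs(now - ts) > REPLAY_WINDOW:
        return False
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return hmac.compare_digest(sign_update(site, ip, ts, key), mac)

def apply_update(config_xml, site, ip):
    """Rewrite remote-gateway of the tunnel whose descr matches site; return new XML text."""
    root = ET.fromstring(config_xml)
    for tunnel in root.iter("tunnel"):
        if tunnel.findtext("descr") == site:
            tunnel.find("remote-gateway").text = ip
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no tunnel named {site}")

def handle_notification(config_xml, site, ip, ts, mac, now=None):
    """Return the updated config, or None if the notification is rejected."""
    if not verify_update(site, ip, ts, mac, now):
        return None
    return apply_update(config_xml, site, ip)
```

Pushing the returned XML to the headend (and reloading IPsec there) is the part left to the HTTP client Robert mentions; the point of the service is that only a signed, fresh notification from a known site can move a tunnel endpoint.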