As long as you have a static IP on one side of the tunnel, you can do
When setting up the two monowall boxes on either side, one of them will be
using the "tunnels" tab of the ipsec configuration. The other side will be
using the "mobile clients" and "pre-shared key" tab.
In your case, you would want the central office with the static IP to be
setup with the "mobile clients" and "pre-shared key" tabs. Notice that
this part of the configuration does not require a static IP to be input
anywhere. This side of the tunnel authenticates using an identifier and
pre-shared key. As an identifier, use something other than the IP
address. I suggest using the 'domain name' option and using a random
domain name. This domain name does NOT need to resolve to a particular IP
address, it is simply an identifer used for the connection. You can use
monowallisgreat.com as long as it is consistant on both ends.
On the remote side(s) you want to setup the "tunnels" part of the ipsec
configuration. In this part you need to enter an IP for the remote
gateway, which will be the static IP of the central office monowall. Make
sure the pre-shared keys are the same on either end.
That's it, let me know if you need more help.
From: jftheroux at privalodc dot com [mailto:jftheroux at privalodc dot com]
Sent: Wednesday, December 22, 2004 10:53 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPsec tunnels question
Maybe its the lack of sleep, or might just be that m0n0wall can't
do this. I'm not sure, so I turn to you all knowledgeable people for this.
Say that you have your central office, which has obviously a
static public IP. It will be the main hub for several IPsec tunnels to
remote offices. Problem is, those remote offices don't have static IPs.
When you configure a tunnel in m0n0wall, you don't have a choice,
you need to enter a static IP for the remote gateway. If I could enter a
FQDN, I could use a dyndns.org setup and it'd be fine. Which I can't, as
far as I can see.
So, is there a workaround for this with m0n0wall? Or, sadly, will
I have to use a different solution. Don't talk about OpenVPN. This was
already rejected, client wants a IPsec solution, or takes his business
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch