 From:  D Syde <m0n0wall at evermore dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSec Issues
 Date:  Sat, 27 Aug 2005 22:57:04 -0700
I am using m0n0wall on a soekris net4801 and have installed similar
configurations at several remote locations.  I would like to be able to
use VNC to provide remote support and perhaps ssh in to intranet file
and application servers on the other LANs.

So, I thought I would give IPsec a go.  After a lot of reading
(including digging through the archives of this list) and several hours
of futzing, I got it mostly working using the open source front-end for
the Windows XP IPSec stuff (TauVPN/iVPN).

Unfortunately, there seem to be some pretty serious limitations.  First,
the shared secrets list seems to require that the client's IP address be
used as an identifier.  I don't see any way to change/specify that on
the client end (i.e. in TauVPN/iVPN).  That kind of defeats the purpose
of supporting mobile clients, who will have dynamically-assigned IP
addresses that vary on different connection attempts.

It also seems to be necessary to put a firewall rule on the client side
that allows all traffic from the public IP of the server side to pass
through the client-side firewall in order to have VNC work properly
through the tunnel.  Some other services (http, at least) don't seem to
require this.  Having the firewall open to all traffic, even from that
one Internet address, seems like a larger security risk than I would prefer.

Am I right about the limitations, or am I doing something wrong?

Would I be better off with different client software?  The FAQ has an
example using SafeNet SoftRemoteLT.  I would prefer to use open source
software but would consider using it if it will definitely do what I want.

Or is IPSec even the best choice for this?

Any suggestions or references would be appreciated.

- D. Syde
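Added example, not part of the original post and not m0n0wall's own generated configuration: a hand-written racoon configuration (racoon, from ipsec-tools/KAME, is the IKE daemon m0n0wall drives) that selects the pre-shared secret by an identifier the client sends rather than by the client's IP address. The reason the address ends up being the identifier in the first place is a property of IKEv1: in Main Mode with pre-shared keys the responder must already know the PSK before it can decrypt the message carrying the peer's ID, so the only thing it can key the lookup on is the source address. Aggressive Mode sends the ID in the clear in the first message, which lets the responder pick the PSK per client at the cost of exposing a PSK-derived hash that can be attacked offline, so the secrets have to be long and random. All paths, names (gw.example.net, laptop1@example.net), secrets and the LAN prefix below are assumptions; whether a given Windows client front-end lets you set a user_fqdn identifier is not something this example can answer.

```conf
# Added example (not from the original post or from m0n0wall):
# racoon road-warrior setup keyed on client identity, not client address.
# Assumed: file paths, gateway/client names, placeholder secrets.

# ---- /etc/racoon/racoon.conf ----------------------------------------

path pre_shared_key "/etc/racoon/psk.txt";

# "remote anonymous" matches a peer at any address, so a client whose
# public IP changes between connections never has to appear here.
remote anonymous {
    # Aggressive Mode: the initiator's ID arrives in the clear in the
    # first message, so racoon can look up the PSK by identifier before
    # it has to decrypt anything. Main Mode with PSK cannot do this and
    # therefore needs the peer's IP as the identifier.
    exchange_mode aggressive;
    my_identifier fqdn "gw.example.net";   # assumed gateway name
    # No peers_identifier and no verify_identifier: whatever user_fqdn
    # the client presents is used to select its line in psk.txt, and
    # knowledge of that secret is what authenticates the client.
    passive on;             # responder only; the road warriors initiate
    generate_policy on;     # build the SPD entry from what the client proposes
    proposal_check obey;
    nat_traversal on;       # clients behind NAT use UDP/4500 encapsulation
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 parameters for any client; the protected LAN itself is
# expressed in the client's proposal and accepted via generate_policy.
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# ---- /etc/racoon/psk.txt (must be mode 0600, owned by root) ----------
# Format: identifier, whitespace, secret. The identifier is the user_fqdn
# each client sends, so one secret per client and no addresses at all.
# laptop1@example.net   <long-random-secret-for-laptop1>
# laptop2@example.net   <long-random-secret-for-laptop2>
```

With this shape the only traffic the outer firewall on either side needs to admit from the peer is IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50); what is allowed inside the tunnel is a separate policy decision, so there is no need to pass all traffic from the remote public address.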