[ previous ] [ next ] [ threads ]
 
 From:  David W. Hess <dwhess at banishedsouls dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Netgear FVS318 and a few killer features that we could use in M0n0wall
 Date:  Mon, 02 Apr 2007 11:39:39 -0500
I have some D-Link DI-804HVs which support using a domain name for the IPSEC
gateway addresses instead of a fixed IP address when using static IPSEC tunnels.
I bought them before I was familiar enough with BSD to make use of it or was
aware of m0n0wall which was in alpha testing at the time.

Originally they required a static IP addresses so I used the dynamic IPSEC
tunnel feature to allow one side to have a dynamic address.  Later they added
using a domain name for the gateway addresses in a firmware revision.  Of
course, static tunnels still have fixed local and remote subnets making the
dynamic IPSEC tunnel function still useful when the remote subnet can not be
known in advance.

If I had known then what I know now of course I would never have bought them and
just used BSD on a WRAP or something similar before switching to m0n0wall or
pfsense when they became available.  To be fair to D-Link though, the DI-804HVs
have actually worked out very well.  The backup dial up modem functionality has
been very handy.

On Sat, 31 Mar 2007 10:37:19 -0500, Michael Brown <knightmb at knightmb dot dyndns dot org>
wrote:

>I think he was referring to the PPTP, at least that's the way looked to 
>me. In that case, I already have a customer system that does exactly 
>this. Uses dynamic dns for VPN clients. You can also limit the VPN 
>client access based on the firewall rules.
>
>The next section talked about static tunnels, which I think he means the 
>IPSEC. Since the definition of static tunnels would be both ends have a 
>static IP address, maybe it wasn't the right terminology for it. I think 
>he wanted something that would allow dynamic tunnels instead. I have not 
>tried this myself, so you are saying that instead of using the IP 
>address of the other remote gateway, you throw in a dns name (like 
>vpn2.mycorpwebsite.com) and it only resolves the address once? If the IP 
>of the other end changes, the tunnel would collapse. Would m0n0wall not 
>try to establish another connection and thus cause another DNS lookup? 
>Do you mean it looks up the address only once while booted?
>
>I haven't tried any of that myself, but I take it you have and this was 
>the result?
>
>Thanks for the info,
>Michael
>
>Lee Sharp wrote:
>> Michael Brown wrote:
>>> Are you saying m0n0wall doesn't already do this?
>>
>> m0n0wall requires IP addresses for IPsec VPN.  It would be very nice 
>> to use domain names.  However, the mechanics of implementing this make 
>> it very unlikely.  The system will cache the ipaddress it finds when 
>> it does the lookup, and it will not look it up again, which is why it 
>> requires a domain name.