On Tue, 26 Aug 2003, Jukka Tainio wrote:

> Manuel, have you had any more plans on implementing the support for
> dynamic (DHCP) address on WAN interface when using IPSEC. One of the
> VPN endpoints, I'm going to use will be placed on a network that has
> only dynamic ip:s available, it would spare me a lot of hassle if the
> m0n0wall-vpn would work with dhcp...

I'll look into it... Will probably require ugly kludges (a script that
regenerates the SPD and Racoon configuration on-the-fly if the WAN IP
address changes) that I don't really like to see in m0n0wall, but if
there's no other way, I'll consider that. Maybe this weekend, but I
won't make any promises.

> 1) How would one set up VPN tunnel with dynamic host on the other end?
> What should I use as "Remote gateway" on the static-ip -host? 0.0.0.0? I
> understand, that it is only possible to establish connection from the
> dynamic host side.

That's right. We'll have to introduce another means of identification
(not the remote address) for this scenario; preferably something that is
supported by most commercial firewalls (pseudo host name?). Otherwise
there's no way for racoon to tell which tunnel configuration the
connecting dynamic endpoint belongs to.

> 2) Does the m0n0wall have ipsec keepalive? It would be nice to have both
> keepalive and autoconnect for the dynamic host. Otherwise people on the
> lan of the static endpoint can't communicate to the dynamic endpoint. Or
> is it just me getting this all wrong....

Mmmmh, I'll have to check out the peculiarities of Racoon's
configuration file (and upgrade Racoon to the latest version while I'm
at it) and see if there's support for it.

Greets,

Manuel