 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPsec with dynamic IP address
 Date:  Sun, 31 Aug 2003 16:24:10 +0200 (CEST)
There is now a m0n0wall image available that should support IPsec tunnels
on a system with a dynamically configured WAN IP address (DHCP, PPPoE or
PPTP). You can get it at

http://m0n0.ch/wall/downloads/net45xx-pb14r461.img
http://m0n0.ch/wall/downloads/generic-pc-pb14r461.img

It works by invoking PHP as soon as dhclient or mpd report an IP address
change, which responds by regenerating the racoon/SPD configuration and
restarting racoon.

Other changes:

- PPTP client + server enabled at the same time should work now

- the PPTP server will now assign the DNS server address to clients just
like the DHCP server does (m0n0wall LAN IP if DNS forwarder is on, DNS
servers from system configuration otherwise)

- racoon has been updated to 20030711a

- DynDNS user name syntax check has been relaxed to allow for dynamic DNS
services which use e-mail addresses as the user name

What does not work at the moment, though, is setting m0n0wall up to
establish tunnels with IPsec clients that have dynamic IP addresses. If
somebody wants that feature, I suggest (s)he spend some time with racoon,
trying to find a way to specify multiple remote {} sections without remote
IP addresses in such a way that racoon uses some other identifier (FQDN,
for example) to find the corresponding phase 1 configuration for the
connecting client. I wonder what happens if we have multiple remote
anonymous {} sections with different values for peers_identifier? If that
fails, we'll have to resort to providing some "default tunnel"
configuration in the webGUI that gets applied to all unknown (i.e. no
static IP address) clients, and use "generate_policy on;" with it. It
should be possible to use identifiers in the pre-shared key file, so at
least all the dynamic IP clients wouldn't need to use the same pre-shared
key.

I wonder if some day somebody will write a well-documented, reliable and
straightforward IKE daemon... To me neither racoon nor isakmpd seem to
fulfill these requirements at the moment.

- Manuel
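The mechanism the post describes (a hook fired by dhclient or mpd on an address change, which rewrites the racoon and SPD configuration and restarts racoon) is shown below as an added shell example. It is not m0n0wall's own code, which does this step in PHP; the peer address 203.0.113.5, the LAN prefixes 192.168.1.0/24 and 10.0.0.0/24, the `CONF_DIR` output directory and the `IPSEC_APPLY` switch are all constructed for the example. The peer is assumed to have a static address, which is the case the post says works; only the local WAN address changes.

```shell
#!/bin/sh
# Added example, not m0n0wall's own code: regenerate racoon.conf and the SPD
# for a tunnel whenever the WAN address changes, then restart racoon.
# Constructed values: static peer 203.0.113.5, local LAN 192.168.1.0/24,
# remote LAN 10.0.0.0/24. Files are written under $CONF_DIR; racoon/setkey
# are only invoked when IPSEC_APPLY=yes, so the script is safe to dry-run.

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
IPSEC_APPLY="${IPSEC_APPLY:-no}"
PEER_IP="203.0.113.5"          # constructed: remote gateway, static address
LOCAL_NET="192.168.1.0/24"     # constructed: network behind this gateway
REMOTE_NET="10.0.0.0/24"       # constructed: network behind the peer

# Write a racoon.conf whose my_identifier carries the current WAN address.
# In main mode with address identifiers, a stale my_identifier makes phase 1
# fail, which is why the file has to be regenerated on every change.
gen_racoon_conf() {
    wan_ip="$1"
    cat > "$CONF_DIR/racoon.conf" <<EOF
# pre-shared keys live in a separate file ("peer-identifier key" per line)
path pre_shared_key "$CONF_DIR/psk.txt";

remote $PEER_IP {
	exchange_mode main;
	my_identifier address $wan_ip;
	peers_identifier address $PEER_IP;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo address $LOCAL_NET any address $REMOTE_NET any {
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
EOF
}

# Write the security policy database entries (setkey syntax). The tunnel
# endpoints embed the WAN address, so these change along with racoon.conf.
gen_spd() {
    wan_ip="$1"
    cat > "$CONF_DIR/spd.conf" <<EOF
flush;
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$wan_ip-$PEER_IP/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$PEER_IP-$wan_ip/require;
EOF
}

# Load the SPD and restart racoon; skipped unless explicitly enabled.
apply_ipsec() {
    if [ "$IPSEC_APPLY" = "yes" ]; then
        setkey -f "$CONF_DIR/spd.conf"
        pkill -x racoon 2>/dev/null || true
        racoon -f "$CONF_DIR/racoon.conf"
    else
        echo "dry run: configuration written to $CONF_DIR, racoon not restarted"
    fi
}

# Entry point for the dhclient/mpd hook. The address comes from the DHCP or
# PPP client, so it is sanity-checked before being spliced into config files,
# and nothing is regenerated if it is the same address as last time.
# Returns 0 when the tunnel config was regenerated, 1 on a bad address,
# 2 when the address is unchanged.
on_wan_change() {
    new_ip="$1"
    case "$new_ip" in
        ""|*[!0-9.]*) echo "refusing bogus WAN address '$new_ip'" >&2; return 1 ;;
    esac
    if [ -f "$CONF_DIR/wan_ip" ] && [ "$(cat "$CONF_DIR/wan_ip")" = "$new_ip" ]; then
        return 2
    fi
    echo "$new_ip" > "$CONF_DIR/wan_ip"
    gen_racoon_conf "$new_ip"
    gen_spd "$new_ip"
    apply_ipsec
    return 0
}
```

A client hook (for dhclient, a `dhclient-exit-hooks` script; for mpd, the up-script configured for the link) would call `on_wan_change "$new_ip_address"` and rely on the unchanged-address check so that a plain lease renewal does not tear down an established tunnel.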