There is now a m0n0wall image available that should support IPsec tunnels on a system with a dynamically configured WAN IP address (DHCP, PPPoE or PPTP). You can get it at

http://m0n0.ch/wall/downloads/net45xx-pb14r461.img
http://m0n0.ch/wall/downloads/generic-pc-pb14r461.img

It works by invoking PHP as soon as dhclient or mpd report an IP address change, which responds by regenerating the racoon/SPD configuration and restarting racoon.

Other changes:

- PPTP client + server enabled at the same time should work now
- the PPTP server will now assign the DNS server address to clients just like the DHCP server does (m0n0wall LAN IP if DNS forwarder is on, DNS servers from system configuration otherwise)
- racoon has been updated to 20030711a
- DynDNS user name syntax check has been relaxed to allow for dynamic DNS services which use e-mail addresses as the user name

What does not work at the moment, though, is setting m0n0wall up to establish tunnels with IPsec clients that have dynamic IP addresses. If somebody wants that feature, I suggest (s)he spend some time with racoon, trying to find a way to specify multiple remote {} sections without remote IP addresses in such a way that racoon uses some other identifier (FQDN, for example) to find the corresponding phase 1 configuration for the connecting client. I wonder what happens if we have multiple remote anonymous {} sections with different values for peers_identifier?

If that fails, we'll have to resort to providing some "default tunnel" configuration in the webGUI that gets applied to all unknown (i.e. no static IP address) clients, and use "generate_policy on;" with it. It should be possible to use identifiers in the pre-shared key file, so at least all the dynamic IP clients wouldn't need to use the same pre-shared key.

I wonder if some day somebody will write a well-documented, reliable and straightforward IKE daemon... To me neither racoon nor isakmpd seem to fulfill these requirements at the moment.

- Manuel
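As an added illustration of the fallback sketched in the post (one "default tunnel" for peers with unknown addresses, using generate_policy on and per-client pre-shared keys selected by identifier), here is a racoon.conf fragment. It is not taken from the m0n0wall image or from the post; the hostnames, the psk.txt path and the algorithm choices are assumptions.

```conf
# Example only (not m0n0wall's generated config): a "default tunnel" for
# IPsec clients whose WAN address is not known in advance. racoon picks
# "remote anonymous" for any peer that matches no address-specific remote
# section, and generate_policy on lets it build SPD entries from the
# selectors the client proposes in phase 2.
path pre_shared_key "/var/etc/psk.txt";   # assumed path

remote anonymous {
    # Aggressive mode is what makes an identifier-based PSK lookup possible:
    # in main mode the ID payload is only sent after the key is already
    # needed, so racoon would have to look the key up by IP address.
    exchange_mode aggressive;
    passive on;                 # never initiate; the peer's address is unknown
    generate_policy on;         # accept the client's phase 2 selectors
    proposal_check obey;
    my_identifier fqdn "m0n0wall.example.net";   # assumed name
    lifetime time 28800 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# Contents of /var/etc/psk.txt (assumed path): one line per client, the
# identifier the client sends followed by its key, so dynamic-IP clients
# do not have to share a single pre-shared key. Values are constructed.
# client1.example.net    <constructed-secret-1>
# client2.example.net    <constructed-secret-2>
```

Because the same remote section serves every unknown peer, a client is only distinguished by which psk.txt entry matches its identifier; the keys in that file therefore need to be unique per client and kept readable only by root.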