 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  "Manuel Kasper" <mk at neon1 dot net>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPsec with dynamic IP address
 Date:  Sun, 31 Aug 2003 17:52:40 -0400



----- Original Message ----- 
From: "Manuel Kasper" <mk at neon1 dot net>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, August 31, 2003 10:24 AM
Subject: [m0n0wall] IPsec with dynamic IP address

> There is now a m0n0wall image available that should support IPsec tunnels
> on a system with a dynamically configured WAN IP address (DHCP, PPPoE or
> PPTP). You can get it at
>
> http://m0n0.ch/wall/downloads/net45xx-pb14r461.img
> http://m0n0.ch/wall/downloads/generic-pc-pb14r461.img
>
> It works by invoking PHP as soon as dhclient or mpd report an IP address
> change, which responds by regenerating the racoon/SPD configuration and
> restarting racoon.
>
> Other changes:
>
> - PPTP client + server enabled at the same time should work now
> - the PPTP server will now assign the DNS server address to clients just
> like the DHCP server does (m0n0wall LAN IP if DNS forwarder is on, DNS
> servers from system configuration otherwise)
> - racoon has been updated to 20030711a
> - DynDNS user name syntax check has been relaxed to allow for dynamic DNS
> services which use e-mail addresses as the user name
>
> What does not work at the moment, though, is setting m0n0wall up to
> establish tunnels with IPsec clients that have dynamic IP addresses. If
> somebody wants that feature, I suggest (s)he spend some time with racoon,
> trying to find a way to specify multiple remote {} sections without remote
> IP addresses in such a way that racoon uses some other identifier (FQDN,
> for example) to find the corresponding phase 1 configuration for the
> connecting client. I wonder what happens if we have multiple remote
> anonymous {} sections with different values for peers_identifier? If that
> fails, we'll have to resort to providing some "default tunnel"
> configuration in the webGUI that gets applied to all unknown (i.e. no
> static IP address) clients, and use "generate_policy on;" with it. It
> should be possible to use identifiers in the pre-shared key file, so at
> least all the dynamic IP clients wouldn't need to use the same pre-shared
> key.
>
> I wonder if some day somebody will write a well-documented, reliable and
> straightforward IKE daemon... To me neither racoon nor isakmpd seem to
> fulfill these requirements at the moment.
>
> - Manuel
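As an added illustration (not from Manuel's post and not m0n0wall's own generated configuration) of the "default tunnel" fallback he describes: one catch-all `remote anonymous` section with `generate_policy on;` that applies to every client without a static address, while the pre-shared key file selects the key by the FQDN identifier each client presents, so the dynamic clients do not have to share a single key. Gateway name, client names, paths and key values are assumed.

```conf
# racoon.conf fragment (assumed path /var/etc/racoon.conf)
path pre_shared_key "/var/etc/psk.txt";   # keys looked up by identifier, see below

# Catch-all phase 1 section for peers whose address is not known in advance.
remote anonymous {
        exchange_mode aggressive;          # peer address unknown, so ID must arrive in the first exchange
        my_identifier fqdn "gw.example.com";   # assumed gateway FQDN
        passive on;                        # gateway only answers; dynamic clients must initiate
        generate_policy on;                # create SPD entries from the client's phase 2 proposal
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 parameters applied to every negotiated SA.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /var/etc/psk.txt (racoon requires this file to be mode 0600):
# one line per client, keyed by the FQDN identifier that client sends,
# so each dynamic-address client gets its own pre-shared key.
# laptop1.example.com    REPLACE-WITH-KEY-FOR-LAPTOP1
# branch2.example.com    REPLACE-WITH-KEY-FOR-BRANCH2
```

A client with an unknown FQDN finds no entry in psk.txt and fails phase 1, which is the only per-client check this catch-all section provides; anything beyond that (per-client phase 1 settings) is exactly the open question raised in the quoted post.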