 From:  Frédéric Lebel <flebel at interplex dot ca>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  TR : [m0n0wall] m0n0wall to m0n0wall
 Date:  Tue, 22 Jun 2004 17:29:02 -0400
Frédéric Lebel
flebel at interplex dot ca

-----Original Message-----
From: Frédéric Lebel [mailto:flebel at interplex dot ca]
Sent: 22 June 2004 17:22
To: 'Darren Hammond'
Subject: RE : [m0n0wall] m0n0wall to m0n0wall

A few days ago, I coded something to use VPN IPsec with n dynamic
addresses. But there is a problem: if you have 2 m0n0walls with dynamic
IP addresses and two static IP addresses, and for each one you created a
VPN tunnel, when you apply the procedure (restart racoon) you lose all
VPN connections. I think racoon doesn't implement VPN with dynamic IP.

So, I coded a daemon in PHP to ping each domain (dynamic IP addresses
with dyndns or whatever) and if there are some IPs which have changed, I
reconfigure the racoon.conf and restart the service.

This feature will be useful if you only have one tunnel with dynamic IP.

If you have a better idea, just tell me.

Sorry for my English.

Frédéric Lebel
flebel at interplex dot ca
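As an added example (not code from this thread, and not m0n0wall's own PHP daemon), here is the change-detection core of the approach described above, in Python: resolve each dynamic-DNS peer name, diff it against the last known address, and regenerate a simplified racoon.conf skeleton only when an address actually moved, because every racoon restart drops all tunnels, not just the one that changed. Peer names and addresses are constructed, and a failed lookup deliberately keeps the old address so a DNS hiccup never triggers a restart.

```python
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample: peers reached through dynamic-DNS names (hypothetical).
PEERS = {"site-a": "site-a.dyn.example.invalid",
         "site-b": "site-b.dyn.example.invalid"}


def resolve(hostname: str) -> Optional[str]:
    """Resolve a peer name to an IPv4 address; None on lookup failure."""
    try:
        return socket.gethostbyname(hostname)
    except (socket.gaierror, socket.herror):
        return None


def check_peers(previous: Dict[str, str],
                current: Dict[str, Optional[str]]) -> Tuple[List[str], Dict[str, str]]:
    """Diff freshly resolved addresses against the last known ones.
    Returns (peers whose address changed, updated state). A None lookup
    keeps the previous address, so transient DNS failures do not cause a
    restart that would tear down every tunnel."""
    state = dict(previous)
    changed = []
    for name, ip in current.items():
        if ip is None:
            continue
        ipaddress.IPv4Address(ip)  # reject garbage returned by a bad resolver
        if state.get(name) != ip:
            changed.append(name)
            state[name] = ip
    return sorted(changed), state


def render_racoon_conf(state: Dict[str, str]) -> str:
    """Render one 'remote' block per peer (simplified racoon.conf skeleton)."""
    blocks = []
    for name, ip in sorted(state.items()):
        blocks.append(f"# peer {name}\nremote {ip} {{\n"
                      "\texchange_mode main;\n\tmy_identifier address;\n"
                      "\tproposal {\n\t\tencryption_algorithm aes;\n"
                      "\t\thash_algorithm sha1;\n"
                      "\t\tauthentication_method pre_shared_key;\n"
                      "\t\tdh_group 2;\n\t}\n}\n")
    return "\n".join(blocks)


def poll_once(previous: Dict[str, str]) -> Tuple[bool, Dict[str, str], str]:
    """One daemon iteration: resolve, diff, and render a new config only when
    something moved. The caller restarts racoon only if the flag is True."""
    current = {name: resolve(host) for name, host in PEERS.items()}
    changed, state = check_peers(previous, current)
    return bool(changed), state, (render_racoon_conf(state) if changed else "")
```

Run `poll_once` from a loop with a sleep between iterations and persist the returned state between runs; the restart command itself is left to the caller since it is platform specific.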

-----Original Message-----
From: Darren Hammond [mailto:darren at hammond dot uklinux dot net]
Sent: 22 June 2004 17:09
To: mono at ricerage dot org
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] m0n0wall to m0n0wall

Brian wrote:

> Remember that tunnels will be brought down when their SAs expire and
> there's no immediate traffic to bring it back up. Tunnel creation is
> usually pretty quick (a second or two) so usually there's no issue with
> rebuilding it after a drop. I wonder if it would be possible in the
> to add a "persistent" option that would cause each endpoint to ping
> other across the tunnel at predefined intervals. Honestly, I don't
> how useful that is, but it's something to ponder. I guess.

A persistent option would be very useful. I have a Watchguard SOHO at a
remote site and it has an option to ping a specified address. I use this
to ping a local address and hence keep the tunnel up.

Does anyone have any further tips for using Monowall/IPSEC with DHCP on
the WAN? I have such a beast at home linked into my Watchguard Firebox
at work. It works great, set up was a breeze, docs are great. Much
easier than the SOHO.

Trouble is, every time my DHCP lease with my ISP expires, I lose the
tunnel. Trying to reconnect from home doesn't re-establish the link and
under Diagnostics/IPSEC I get multiple SAD/SPD entries. I tried this
on v1.0 and v1.1b14 - same result.

The only way I get the link back is to reboot Monowall. I guess just 
restarting IPSEC would probably do it. Is there a way to restart the 
tunnel when the WAN address changes? Does this happen anyway?
