 From:  "Daniele Guazzoni" <daniele dot guazzoni at gcomm dot ch>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Feature suggestion & VPN with dynamic IP
 Date:  Tue, 6 Jul 2004 01:08:54 +0200
Hi folks!
First of all, congratulations to Manuel and the whole development team:
m0n0wall is the best open-source firewall by far.
As I work daily with firewalls like Cisco PIX, SecureComputing Sidewinder,
Astaro ASL, ...
there is still something I'm missing in m0n0wall: service and host groups.
Grouping hosts and/or services keeps the firewall rules shorter and easier
to follow.
With this additional feature m0n0wall would keep up with the "bigs".

PS: regarding VPN and dynamic IP
Running VPN with a dynamic allocated IP on m0n0wall works fine.
The problem is building a VPN tunnel to a remote dynamically allocated destination.
Without rebuilding racoon or the IPsec implementation I see the following solution:
- monitor the VPN tunnel state (racoon logs to system log)
- if the tunnel goes down lookup DNS to get the IP address of the remote end
- set the new IP within racoon to rebuild the tunnel
This could be done with a script using already present features.

I did this on a Linux based firewall with the FreeS/WAN IPsec and it worked very
well.
I would also do it myself on m0n0wall but my knowledge of FreeBSD is
very poor (I'm learning...)

regards


------------------------------------------------------------------
Daniele Guazzoni
Network & System Engineer
Cisco Certified Network Professional

E-Mail: daniele dot guazzoni at gcomm dot ch
Web:    http://www.gcomm.ch
------------------------------------------------------------------
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
                        William Jennings Bryan
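The three-step loop sketched in the post (watch the racoon log, re-resolve the peer when the tunnel drops, rewrite racoon's remote address), as an added shell example that is not code from the mail, from m0n0wall or from racoon. It assumes a placeholder peer DNS name and config path, and that racoon.conf has a `remote <ip> {` block for that peer; the log phrases it matches are racoon's phase-1 SA deletion/expiry messages.

```shell
#!/bin/sh
# Added example, not m0n0wall or racoon code. Placeholders: PEER_NAME, CONF.
PEER_NAME="${PEER_NAME:-vpn-peer.example.invalid}"   # assumed DNS name of remote end
CONF="${CONF:-/var/etc/racoon.conf}"                 # assumed racoon config path

# resolve_peer NAME -> first A record via host(1); redefine to test offline
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# tunnel_down_in LINE -> exit 0 when the syslog line reports the phase-1 SA gone
tunnel_down_in() {
    case "$1" in
        *"ISAKMP-SA deleted"*|*"ISAKMP-SA expired"*) return 0 ;;
        *) return 1 ;;
    esac
}

# current_peer_ip CONF -> address in the "remote" block (empty if none)
current_peer_ip() {
    awk '$1 == "remote" && $2 != "anonymous" { print $2; exit }' "$1"
}

# update_peer_ip CONF NEWIP -> rewrite the remote block atomically (tmp + mv).
# Exit 0 if changed, 1 if the address is unchanged or not a plain dotted quad
# (a DNS answer is untrusted input; never splice it into the config unchecked).
update_peer_ip() {
    conf="$1"
    new="$2"
    case "$new" in ''|*[!0-9.]*) return 1 ;; esac
    old=$(current_peer_ip "$conf")
    [ "$old" = "$new" ] && return 1
    awk -v n="$new" '$1 == "remote" && $2 != "anonymous" { $2 = n } { print }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# handle_log_line LINE -> on tunnel-down, re-resolve and update; prints action
handle_log_line() {
    tunnel_down_in "$1" || { echo "ignored"; return 0; }
    ip=$(resolve_peer "$PEER_NAME")
    if update_peer_ip "$CONF" "$ip"; then
        echo "updated to $ip"   # then signal racoon to reload its config (SIGHUP)
    else
        echo "unchanged"
    fi
}

# Typical use: tail -F /var/log/system.log | while read -r l; do handle_log_line "$l"; done
```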