From: John A. Sullivan III (John.Sullivan_at_nexusmgmt.com)
Date: Wed Oct 16 2002 - 12:16:09 CEST
We're working on an integrated management console for Free S/WAN,
iptables and some other Open Source security products right now. We've
not turned our attention to this issue but it is on the drawing board
for our next phase.
Our initial thoughts are something like this:
We haven't yet written a policy communication protocol like COPS for
this console so we are using OpenSSH as a sort of poor man's out-of-band
policy communication protocol to provide a poor man's registration
service. The central console is available to the world via SSH.
The central console keeps a database of all Policy Enforcement
Devices. When a PEP boots, it writes a small file containing its
DER_ASN.1_DN id and IP address and any other information needed to
establish a tunnel, opens an SSH session with the central console
authenticated via a key and drops the file off in a safe directory.
We are speculating that we can then run a cron job on the console that
scans that directory. When it finds a file, it parses the information
and compares it against what it finds in the database. If it has
changed, it writes a new connection record file and scp's it to all
PEPs in the VPN (we keep all connections in a separate directory and
add them via an include statement in the ipsec.conf file), and ssh's
the ipsec auto commands to tear down the old connections and bring
up the new ones.
We don't know yet if it will work and hope that when we get around to
writing a policy communication protocol, it will be much cleaner but
perhaps this will give you some ideas for now. A similar approach has
proved successful for remotely adding, deleting and changing PEPs from
a central management console. Let me know how you fare! Good luck -
John
On Wed, 2002-10-16 at 03:49, Thomas Will wrote:
> hello
>
> I'm seeking a solution (example) to make a tunnel
> with 2 freeswan gateways with 2 dynamic ips
> i have registered both sites on dyndns.org
> conn sux-tux
> left=sux.suxer.net
> leftsubnet=192.168.1.0/24
> leftnexthop=217.5.98.35
> right=tux.suxer.net
> rightnexthop=217.5.98.34
> rightsubnet=192.168.254.0/24
> auto=add
> this configuration works fine
> but i must patch on every reconnect ipsec.conf
> with the nexthop values
> I can't use on both ends left=%defaultroute
> right=%defaultroute
> is there a solution for a symmetric update of both sites
> without patching ipsec.conf
>
> regards
> --
> - thomas will -
> - xinux - networking - security - consulting - training -
> - fon 06332 44040 - fax 06332 44041 - mobil 0171 8054788 -
> - 66482 zweibruecken - etzelweg 65 - http://www.xinux.de -
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com
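The console-side step John sketches (parse the dropped-off registration files, compare them with the database, regenerate the conn include file and queue the ipsec auto commands) as an added Python example; this is not code from John's console or from FreeS/WAN, and it assumes a JSON drop-off format with the fields id, name, ip, nexthop and subnet, plus the FreeS/WAN leftid/rightid keywords for the DN.

```python
import json
from pathlib import Path

# Constructed drop-off records, the shape a PEP might scp to the console.
# The field names below are an assumption, not John's format.
SAMPLE_DROPOFFS = [
    {"name": "sux", "id": "C=DE, O=suxer, CN=sux", "ip": "217.5.98.36",
     "nexthop": "217.5.98.35", "subnet": "192.168.1.0/24"},
    {"name": "tux", "id": "C=DE, O=suxer, CN=tux", "ip": "217.5.98.33",
     "nexthop": "217.5.98.34", "subnet": "192.168.254.0/24"},
]
TUNNEL_KEYS = ("ip", "nexthop", "subnet")  # fields whose change forces a re-add


def load_dropoffs(directory):
    """Parse every JSON drop-off file found in the console's inbox directory."""
    return [json.loads(p.read_text()) for p in sorted(Path(directory).glob("*.json"))]


def reconcile(db, dropoffs):
    """Merge drop-off records into the console database (a dict keyed by name).

    Returns the names of PEPs whose tunnel-relevant fields changed. A record
    whose DN id differs from the id already stored for that name is skipped,
    so a stray or mis-authored file cannot silently re-point a known peer.
    """
    changed = []
    for rec in dropoffs:
        old = db.get(rec["name"])
        if old is not None and old["id"] != rec["id"]:
            continue  # id mismatch: leave it for a human to inspect
        if old is None or any(old[k] != rec[k] for k in TUNNEL_KEYS):
            db[rec["name"]] = dict(rec)
            changed.append(rec["name"])
    return changed


def render_conn(left, right):
    """Render one FreeS/WAN conn section for the include directory."""
    lines = [f"conn {left['name']}-{right['name']}"]
    for side, rec in (("left", left), ("right", right)):
        lines += [f"\t{side}={rec['ip']}", f"\t{side}id=\"{rec['id']}\"",
                  f"\t{side}subnet={rec['subnet']}",
                  f"\t{side}nexthop={rec['nexthop']}"]
    lines.append("\tauto=add")
    return "\n".join(lines) + "\n"


def ipsec_commands(conn_name):
    """ipsec auto commands to run over ssh on each PEP for a changed conn."""
    return [f"ipsec auto --delete {conn_name}", f"ipsec auto --add {conn_name}",
            f"ipsec auto --up {conn_name}"]
```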
This archive was generated by hypermail 2.1.5 : Thu Oct 17 2002 - 05:20:27 CEST