Re: [Users] VPN between two dynamic IPs

From: Sam Sgro (sam_at_freeswan.org)
Date: Thu Nov 28 2002 - 08:17:26 CET

• Next message: Sam Sgro: "Re: [Users] shared secrets in roadwarrior setup"
• Previous message: Sam Sgro: "Re: [Users] packets don't know how to leave the gw"
• In reply to: martin f krafft: "[Users] VPN between two dynamic IPs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 27 Nov 2002, martin f krafft wrote:

> how would one go about setting up a VPN between two machines with
> dynamic IPs? I know the IPs on both sides. is the way to success to go
> via a gateway that has a known IP, say 1.2.3.4?
>
>
> RoadWarrior 1 | 1.2.3.4 | |
> Dyn IP | -//----------- | Gateway |
> /
> /
> /
> RoadWarrior 2 | -//-------
> Dyn IP |
>
> Now I configure the gateway to auto=add two right=%any with the
> appropriate rsasigs, and then configure each road warrior with
> auto=start, so that each establishes a VPN tunnel with the gateway
> whenever they can. is this the way to do it?

Sort of yes, sort of no. This would be the first step in connecting these
roadwarriors in an indirect fashion; however, how would Roadwarrior 1 know how
to ask to speak with Roadwarrior 2, should it not know 2's IP?

In theory, virtual IPs would do the trick. You would create a non-routeable
subnet behind the 1.2.3.4 gateway, and assign the various roadwarriors IPs
behind it. AFAIK, the only IPSec solution that has this working easily on the
client side is the windows client, SSH Sentinel. (FreeS/WAN does support this
server-side.)

With FreeS/WAN, you would need to create a virtual interface, assign yourself
an IP address on that non-routeable subnet, and refer to it as the subnet
parameter in your FreeS/WAN-to-FreeS/WAN up the remainder accordingly. That
way, Roadwarrior 1 would always know that one particular IP refers to
Roadwarrior 2. It's actually easier to connect networks *behind* the
Roadwarriors, because you can refer to them statically.

You'll find a lot of this info in the X.509 Installation and Configuration
guide; Vanilla FreeS/WAN would allow this as well.

Dynamic DNS is another alternative - mimic a static IP on the Roadwarriors. In
any case, the only way this works is if you've got a predictable way for the
Roadwarriors to refer to one another - be it FQDNs, or staatic (non-routeable)
IPs.

- --
Sam Sgro
sam_at_freeswan.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPeXDB0OSC4btEQUtAQHMkwQA3VYjNP/dKlcfU+ZjzWxfEL1ePU3hV9if
mAPon/GXmX4TACtgD0SMoZ3wWuXwVWstnsCaD/LD6N8yfBQSRCUfN8+MX0LuEU5Q
eqJ4AIcmU7/DXZeZXS4wrnz3vepoBj8YpbRVD8hAAY0qKbenlqhZHwm2Cb4z34AU
muOlXQBGizg=
=vvEs
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

• Next message: Sam Sgro: "Re: [Users] shared secrets in roadwarrior setup"
• Previous message: Sam Sgro: "Re: [Users] packets don't know how to leave the gw"
• In reply to: martin f krafft: "[Users] VPN between two dynamic IPs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.5 : Fri Nov 29 2002 - 05:21:11 CET