Hello! I am using IPsec to secure 802.11 wireless connections and it is working fine with pure IPsec. However, with Mac OS X as the client, the simplest solution seems to be using l2tpd. From Mac OS X, if I try to establish the VPN, it negotiates the keys correctly and tries to connect to the L2TP server, which is not yet installed.
Clients are using fixed IP since we need to do some accounting. The
clients take their IP from plain DHCP, negotiate the key with IKE and
establish the tunnel from the same IP (if they get x.y.z.w from DHCP,
the tunnel will cover this IP as well and the IPsec tunnel end will be
x.y.z.w as well; this works fine).
Client Gateway
x.y.z.w ---------------------- x.y.z.t
x.y.z.w ====================== x.y.z.t ---------------- x.y.u.v
=== is IPsec
--- is plain IP
Now, if I put l2tp on top of that, I will need to give some IP range
and the tunnel end will be an IP in this range. Two questions:
- is there a way the tunnel end to have the same IP as the one given
by DHCP (which is fixed), i.e. that all traffic coming from this IP
will pass through L2TP, except the traffic concerning L2TP (which
should go over plain IPsec) and the one concerning IKE (which
should go unencrypted)?
Client Gateway
x.y.z.w ---------------------- x.y.z.t
x.y.z.w ====================== x.y.z.t
C ~~~~~~~~~~~~~~~~~~~~~~ G ---------------- x.y.u.v
In this figure, I would like C = x.y.z.w and G = x.y.z.t
- if not, can I fix the client L2TP address from its IPsec address
(for example, if IPsec address from the DHCP is x.y.z.w, I want to
give the address 10.1.z.w)? If such a thing is possible, I should
be able to use SNAT to give back the "correct" address and IP
accounting will be easy.
Thanks.
--
Make sure all variables are initialised before use.
- The Elements of Programming Style (Kernighan & Plauger)
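The second idea in the post (derive the client's L2TP address from its fixed DHCP/IPsec address as x.y.z.w -> 10.1.z.w, then SNAT on the way out so accounting still sees the fixed address) can be worked through in a small script. This is an added example, not code from the original message or from l2tpd; the wireless subnet (192.0.2.0/24, standing in for x.y.z.0/24), the 10.1.0.0/16 L2TP range, the egress interface name and the byte-count samples are all constructed assumptions, and it assumes the L2TP daemon can be told which address to hand each client.

```python
"""Derive per-client L2TP addresses from fixed wireless addresses,
emit the matching SNAT rules, and fold tunnel-side byte counts back
onto the fixed addresses for accounting.  Constructed example."""
import ipaddress

# Assumed site parameters (not from the post): the subnet clients get
# their fixed DHCP/IPsec address from, and the private range used for
# L2TP tunnel ends.  192.0.2.0/24 is a documentation prefix standing
# in for x.y.z.0/24; the mapping keeps the last two octets (z.w).
WIRELESS_NET = ipaddress.ip_network("192.0.2.0/24")
L2TP_NET = ipaddress.ip_network("10.1.0.0/16")


def l2tp_address_for(ipsec_ip: str) -> str:
    """x.y.z.w -> 10.1.z.w.  Rejects addresses outside the wireless subnet
    so a typo in a client list cannot silently map into the tunnel range."""
    ip = ipaddress.ip_address(ipsec_ip)
    if ip not in WIRELESS_NET:
        raise ValueError(f"{ipsec_ip} is not on {WIRELESS_NET}")
    z, w = ip.packed[2], ip.packed[3]
    return str(L2TP_NET.network_address + (z << 8) + w)


def ipsec_address_for(l2tp_ip: str) -> str:
    """Inverse mapping: 10.1.z.w -> x.y.z.w, checked against the wireless
    subnet so an L2TP address nobody was given cannot be accounted."""
    ip = ipaddress.ip_address(l2tp_ip)
    if ip not in L2TP_NET:
        raise ValueError(f"{l2tp_ip} is not on {L2TP_NET}")
    base = WIRELESS_NET.network_address.packed
    candidate = ipaddress.ip_address(bytes([base[0], base[1], ip.packed[2], ip.packed[3]]))
    if candidate not in WIRELESS_NET:
        raise ValueError(f"{l2tp_ip} does not map into {WIRELESS_NET}")
    return str(candidate)


def snat_rule(ipsec_ip: str, egress_iface: str = "eth0") -> str:
    """iptables rule that restores the client's fixed address on packets
    leaving the gateway towards the wired side (x.y.u.v in the figure).
    The egress interface name is an assumption."""
    return (f"iptables -t nat -A POSTROUTING -s {l2tp_address_for(ipsec_ip)}/32 "
            f"-o {egress_iface} -j SNAT --to-source {ipsec_ip}")


def account_by_fixed_address(samples):
    """Aggregate (l2tp_src_ip, byte_count) samples taken on the tunnel side
    onto the clients' fixed addresses, which is what the accounting wants."""
    totals = {}
    for l2tp_ip, nbytes in samples:
        fixed = ipsec_address_for(l2tp_ip)
        totals[fixed] = totals.get(fixed, 0) + nbytes
    return totals


if __name__ == "__main__":
    # Constructed client list and tunnel-side counters.
    clients = ["192.0.2.7", "192.0.2.9"]
    for c in clients:
        print(f"{c} -> {l2tp_address_for(c)}")
        print(snat_rule(c))
    print(account_by_fixed_address([("10.1.2.7", 100), ("10.1.2.7", 50), ("10.1.2.9", 1)]))
```

Because the rule is per client and the mapping is injective within the subnet, the SNAT entry can be generated from the same client list that drives the L2TP address assignment, and conntrack handles the reverse translation for return traffic.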
