> Having read some about FreeS/WAN, I am still confused on what it takes to
> connect from a roaming laptop --- with a varying IP.  Most of the instructions
> tend to be focused on gateway-to-gateway connections, not laptop-to-gateway --
> and almost all doc uses non-routable IPs in the examples.  Any pointers to
> configuring a single-address client to FreeS/WAN on LRP would be helpful.

This is really simple, especially if you're using RSA keying.  On the VPN
Gateway, simply create a connection with the ID and RSA sig. of your
roadwarrior (roaming laptop) system.  Set the IP address to %any.

On the roadwarrior, set interfaces=%defaultroute and
[left|right]=%defaultroute (as appropriate)

Make sure you enter consistent IDs for [left|right]id...I like to use
'non-resolving' domain names (put an @ in front of the name so FreeS/WAN
doesn't do a DNS lookup and turn the ID into an IP address) such as
"@cruzin.core.newtek.com"

I actually set up subnet-subnet tunnels this way, but you do it exactly the
same way for a host-host or host-subnet connection.  Just include or exclude
the [left|right]subnet parameter(s), as required.

The main thing to verify is that your IDs, rsasigkeys, and connection
details (i.e. [left|right]subnet) match on both ends.  If not, you won't
connect, and your logs will list something like "no valid connection
description for ..."

To make my semi-mesh network a bit easier to maintain, I have also somewhat
standardized my ipsec.conf files.  The local system is always 'left', with
the remote end being 'right'.  I create a "conn %default" section with all
the left parameters, and have an /etc/ipsec directory with individual files
for each of my VPN gateways.  To create a link from the local system to the
remote gateway, I simply add an "include ipsec/<filename>" to the ipsec.conf
file, and the link gets created.  This allows me to rsync my /etc/ipsec
directory between all my remote systems as gateways are added or connection
details change.  There are many other (and probably better) ways to manage
your VPN links...this is just what works OK for me.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user

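The roadwarrior setup described in the reply above, written out as an added example that is not part of the original message and not FreeS/WAN's own documentation. It lays out a gateway ipsec.conf and a roadwarrior ipsec.conf the way the reply describes (the local end is always "left", the shared left parameters sit in "conn %default", the gateway uses right=%any, the laptop uses interfaces=%defaultroute and left=%defaultroute with @-prefixed IDs), then checks that the IDs, rsasigkeys and subnets on one end mirror the other end's, which is the "main thing to verify" from the reply. The host names, the 192.0.2.1 address, the 10.1.0.0/24 subnet, the truncated 0sAQ... keys, the conn names and the conn_param/check_mirror helpers are all constructed for this example; the helpers resolve a parameter from the named conn first and fall back to "conn %default", which is how FreeS/WAN applies that section.

```shell
#!/bin/sh
# Added example (not from the post): gateway and roadwarrior ipsec.conf
# fragments plus a check that left*/right* values mirror between the ends.
# Host names, addresses, subnet and the truncated keys are constructed.

GW_CONF=$(mktemp)
RW_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GW_CONF" "$RW_CONF" "$BAD_CONF"' EXIT

# VPN gateway: fixed address, accepts the roadwarrior from any address (%any).
# On a real box the "conn roadwarrior" block would live in /etc/ipsec/ and be
# pulled in with "include ipsec/<filename>", as the post describes.
cat >"$GW_CONF" <<'EOF'
config setup
        interfaces=%defaultroute

conn %default
        authby=rsasig
        keyingtries=0
        left=192.0.2.1
        leftid=@gw.example.com
        leftrsasigkey=0sAQNgwKEY...
        leftsubnet=10.1.0.0/24

conn roadwarrior
        right=%any
        rightid=@cruzin.example.com
        rightrsasigkey=0sAQNcruzinKEY...
        auto=add
EOF

# Roadwarrior: varying address, so it takes whatever the default route gives
# it and must be the one to initiate (auto=start; the gateway cannot dial %any).
cat >"$RW_CONF" <<'EOF'
config setup
        interfaces=%defaultroute

conn %default
        authby=rsasig
        keyingtries=0
        left=%defaultroute
        leftid=@cruzin.example.com
        leftrsasigkey=0sAQNcruzinKEY...

conn gateway
        right=192.0.2.1
        rightid=@gw.example.com
        rightrsasigkey=0sAQNgwKEY...
        rightsubnet=10.1.0.0/24
        auto=start
EOF

# A copy of the roadwarrior config with a typo in rightid, for the failure case.
sed 's/rightid=@gw.example.com/rightid=@gw.example.org/' "$RW_CONF" >"$BAD_CONF"

# conn_param FILE CONN KEY: print KEY's value for CONN, falling back to the
# value in "conn %default" (the way FreeS/WAN resolves it). Empty if unset.
conn_param() {
    awk -v conn="$2" -v key="$3" '
        /^[^[:space:]#]/ { sec = ($1 == "conn") ? $2 : ""; next }   # section header
        /^[[:space:]]+[^#]/ && (sec == conn || sec == "%default") {
            line = $0; sub(/^[[:space:]]+/, "", line)
            eq = index(line, "=")                  # split on the first "=" only;
            if (eq == 0 || substr(line, 1, eq - 1) != key) next   # keys may end in "="
            val = substr(line, eq + 1)
            if (sec == conn) { found = 1; exit }
            dflt = val
        }
        END { if (found) print val; else if (dflt != "") print dflt }
    ' "$1"
}

# check_mirror LOCAL_CONF LOCAL_CONN REMOTE_CONF REMOTE_CONN
# Each end calls itself "left", so local left* must equal remote right* and
# vice versa. Prints every mismatch; returns 1 if there was any.
check_mirror() {
    cm_rc=0
    for cm_key in id rsasigkey subnet; do
        cm_l=$(conn_param "$1" "$2" "left$cm_key")
        cm_r=$(conn_param "$3" "$4" "right$cm_key")
        [ "$cm_l" = "$cm_r" ] || {
            echo "mismatch: $2 left$cm_key='$cm_l' but $4 right$cm_key='$cm_r'"; cm_rc=1; }
        cm_l=$(conn_param "$1" "$2" "right$cm_key")
        cm_r=$(conn_param "$3" "$4" "left$cm_key")
        [ "$cm_l" = "$cm_r" ] || {
            echo "mismatch: $2 right$cm_key='$cm_l' but $4 left$cm_key='$cm_r'"; cm_rc=1; }
    done
    return $cm_rc
}

check_mirror "$GW_CONF" roadwarrior "$RW_CONF" gateway \
    && echo "gateway/roadwarrior: IDs, keys and subnets mirror correctly"
# The typo'd rightid is the kind of mismatch that leaves the other end
# logging "no valid connection description for ..." instead of connecting.
check_mirror "$GW_CONF" roadwarrior "$BAD_CONF" gateway \
    || echo "gateway/bad roadwarrior: rejected as expected"
```

The check only compares identity and topology parameters; it deliberately does not compare the address fields, because %any on the gateway and %defaultroute on the laptop are supposed to differ. Running it against the two files before copying them to the LRP box catches the ID or key typo before Pluto does.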