> This is really simple, especially if you're using RSA keying. On the VPN
> Gateway, simply create a connection with the ID and RSA sig. of your
> roadwarrior (roaming laptop) system. Set the IP address to %any.
>
> On the roadwarrior, set interfaces=%defaultroute and
> [left|right]=%defaultroute (as appropriate)
>
> Make sure you enter consistent IDs for [left|right]id... I like to use
> 'non-resolving' domain names (put an @ in front of the name so FreeS/WAN
> doesn't do a DNS lookup and turn the ID into an IP address) such as
> "@cruzin.core.newtek.com"
>
> I actually set up subnet-subnet tunnels this way, but you do it exactly the
> same way for a host-host or host-subnet connection. Just include or exclude
> the [left|right]subnet parameter(s), as required.
Did I understand right that you use the IDs with %any IPs for your gateway
to gateway connections? I currently have 2 users with home LANs that are on
dynamic IPs. Since the IPs change rarely I treat them as static, but when
they change I need to update the ipsec.conf file.
Currently one of my configs looks like this (left is remote dynamic treated
as static, right is local static):
# VPN Between TSPHouse and BWI Office
conn TSPhouse-BWI
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    authby=rsasig
    # Left security gateway, subnet behind it, next hop toward right.
    left=24.180.130.196
    leftsubnet=192.168.1.0/24
    leftnexthop=24.180.130.1
    leftid=@TSPHouse
    leftrsasigkey=0sAQN3BOhhNkqJZB...
    leftfirewall=yes
    # Right security gateway, subnet behind it, next hop toward left.
    right=65.120.71.240
    rightsubnet=172.30.85.0/24
    rightnexthop=65.120.71.253
    rightid=@BWI
    rightrsasigkey=0x01037792d45de...
    rightfirewall=yes
    auto=start
Are you saying I could do something like this (left is remote dynamic, right
is local static):
# VPN Between TSPHouse and BWI Office
conn TSPhouse-BWI
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    authby=rsasig
    # Left security gateway, subnet behind it, next hop toward right.
>>  left=%any
    leftsubnet=192.168.1.0/24
>>  #leftnexthop=24.180.130.1
    leftid=@TSPHouse
    leftrsasigkey=0sAQN3BOhhNkqJZB...
    leftfirewall=yes
    # Right security gateway, subnet behind it, next hop toward left.
    right=65.120.71.240
    rightsubnet=172.30.85.0/24
    rightnexthop=65.120.71.253
    rightid=@BWI
    rightrsasigkey=0x01037792d45de...
    rightfirewall=yes
    auto=start
That would be a great solution to my dynamic gateways. Also, do you have
any experience with Windoze VPN clients? I did some testing with several
and SSH Sentinel seemed to be the easiest, but an Open Source and/or free
solution would be better.
Thanks,
Todd
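The pitfalls around a %any peer discussed in this thread (the dynamic side must be identified by an @-style ID rather than an IP, and its nexthop is meaningless) can be checked mechanically. The linter below is an added example, not code from the thread or from FreeS/WAN; the sample conn is constructed with placeholder keys, and the auto=add finding is a FreeS/WAN road-warrior caveat the thread does not mention: the static gateway cannot initiate to a %any peer, so it should only load the conn and wait.

```python
"""Lint FreeS/WAN ipsec.conf 'conn' sections for %any pitfalls (added example)."""
import re

# Constructed sample modelled on the proposed conn; key values are placeholders.
SAMPLE_CONF = """\
conn TSPhouse-BWI
    keyingtries=0
    authby=rsasig
    left=%any
    leftsubnet=192.168.1.0/24
    leftid=@TSPHouse
    leftrsasigkey=0sPLACEHOLDERKEY
    right=65.120.71.240
    rightsubnet=172.30.85.0/24
    rightnexthop=65.120.71.253
    rightid=@BWI
    rightrsasigkey=0xPLACEHOLDERKEY
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {param: value}}; '#' comments are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m and not raw[0].isspace():          # section header at column 0
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def lint_conn(params):
    """Return findings for one conn; an empty list means no problem found."""
    findings = []
    for side in ("left", "right"):
        if params.get(side) != "%any":
            continue
        ident = params.get(side + "id", "")
        if not ident.startswith("@"):          # ID must not depend on an IP or DNS
            findings.append(f"{side}=%any needs an @-style {side}id (got {ident!r})")
        if side + "nexthop" in params:
            findings.append(f"{side}nexthop is meaningless when {side}=%any")
        if params.get("auto") == "start":      # gateway cannot initiate to %any
            findings.append("auto=start cannot initiate to %any; use auto=add")
    return findings
```

Running `lint_conn` over the parsed sample reports only the auto=start finding; changing it to auto=add yields an empty list.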
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user