> Did I understand right that you use the IDs with %any IPs for your gateway
> to gateway connections?  I currently have 2 users with home LANs that are
> on dynamic IPs.  Since the IPs change rarely I treat them as static, but when
> they change I need to update the ipsec.conf file.

Yes...this is possible, and how I have configured the couple of systems in
our VPN mesh that have dynamic connections.

> Currently one of my configs looks like this (left is remote dynamic treated
> as static, right is local static):
<snip>
> Are you saying I could do something like this (left is remote dynamic,
> right is local static):
<snip>

Yes.  Some details of one of my configs (just the connection
specifications)...works with my IPSec V1.91 package & kernels.

Dynamic system:
<ipsec.conf>
conn %default
        type=tunnel
        auto=start
        [EMAIL PROTECTED]
        left=%defaultroute
        leftsubnet=10.31.32.0/24
        leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x0103b...
        keylife=8h
        keyingtries=0

include ipsec/SanAntonio.conf

<SanAntonio.conf>
conn SanAntonio
        [EMAIL PROTECTED]
        right=207.235.86.252
        rightnexthop=207.235.86.1
        rightsubnet=10.28.0.0/19
        rightrsasigkey=0x0103c...

Static system:
<ipsec.conf>
conn %default
        type=tunnel
        auto=start
        [EMAIL PROTECTED]
        left=207.235.86.252
        leftnexthop=207.235.86.254
        leftsubnet=10.28.0.0/19
        leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x0103c...
        keylife=8h
        keyingtries=1

include ipsec/Aptos.conf

<Aptos.conf>
conn Aptos
        [EMAIL PROTECTED]
        right=%any
        rightsubnet=10.31.32.0/24
        rightrsasigkey=0x0103b...

Remote dynamic connections are identified initially by their ID, then
authenticated using their RSA key.  AFAIK, the same can be done with
pre-shared secrets, but I'm not sure...

NOTE:  Reading over this, I should probably have auto=load instead of
auto=start on the static side...it's impossible to start a connection from
the static side, since the peer IP is unknown.

> That would be a great solution to my dynamic gateways.  Also, do you have
> any experience with Windoze VPN clients?  I did some testing with several
> and SSH Sentinel seemed to be the easiest, but an Open Source and/or free
> solution would be better.

Sorry, I haven't used any Windows VPN clients.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
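An added example, not part of Charles's message and not code from the LEAF or FreeS/WAN projects: a small Python parser for an ipsec.conf in the style shown above. It resolves "conn %default" inheritance and "include" lines, then does two things the thread discusses. First, it reports any conn whose peer address is %any but which still has auto=start (the pitfall in the NOTE above); auto=add is the FreeS/WAN keyword that loads a conn without trying to initiate it. Second, it shows how the static side selects a conn for a peer arriving from an unknown address: match on the ID the peer claims, then hand back the RSA public key that must authenticate it. The sample files are constructed from the static-side config above with placeholder IDs (the real ones were redacted), the in-memory file map stands in for /etc, and all function names are my own.

```python
"""Parse a FreeS/WAN-style ipsec.conf held in memory, resolve 'conn %default'
and 'include', flag %any conns with auto=start, and match a peer by ID.
Constructed example; IDs and keys below are placeholders."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample files keyed by path (stand-in for /etc on the static box).
FILES: Dict[str, str] = {
    "ipsec.conf": (
        "conn %default\n"
        "        type=tunnel\n"
        "        auto=start\n"
        "        leftid=@sanantonio.example\n"      # placeholder ID
        "        left=207.235.86.252\n"
        "        leftnexthop=207.235.86.254\n"
        "        leftsubnet=10.28.0.0/19\n"
        "        keyexchange=ike\n"
        "        authby=rsasig\n"
        "        leftrsasigkey=0x0103c...\n"        # truncated as in the message
        "        keyingtries=1\n"
        "\n"
        "include ipsec/Aptos.conf\n"
    ),
    "ipsec/Aptos.conf": (
        "conn Aptos\n"
        "        rightid=@aptos.example\n"          # placeholder ID
        "        right=%any\n"
        "        rightsubnet=10.31.32.0/24\n"
        "        rightrsasigkey=0x0103b...\n"
    ),
}

Conn = Dict[str, str]


def parse(files: Dict[str, str], path: str = "ipsec.conf") -> Dict[str, Conn]:
    """Return {conn name: raw settings}, following 'include' recursively.
    Simplification: include paths are looked up verbatim in `files`."""
    conns: Dict[str, Conn] = {}
    current: Optional[Conn] = None
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue                            # blank lines are ignored
        if line[0] in " \t":                    # indented: key=value in a section
            if current is None:
                raise ValueError(f"{path}: setting outside a section: {line.strip()}")
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
            continue
        current = None                          # any unindented line ends the section
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line.startswith("include "):
            for name, settings in parse(files, line.split(None, 1)[1].strip()).items():
                conns.setdefault(name, {}).update(settings)
        # other sections (e.g. 'config setup') are not needed for these checks
    return conns


def resolve(conns: Dict[str, Conn]) -> Dict[str, Conn]:
    """Apply 'conn %default' to every other conn; explicit settings win."""
    defaults = conns.get("%default", {})
    return {name: {**defaults, **settings}
            for name, settings in conns.items() if name != "%default"}


def check_uninitiable(conns: Dict[str, Conn]) -> List[str]:
    """A conn whose peer address is %any cannot be initiated locally, so
    auto=start is pointless there; report it and suggest auto=add."""
    findings = []
    for name, c in conns.items():
        peer_is_any = "%any" in (c.get("right", ""), c.get("left", ""))
        if peer_is_any and c.get("auto") == "start":
            findings.append(f"conn {name}: peer address is %any but auto=start; use auto=add")
    return findings


def match_peer_by_id(conns: Dict[str, Conn], peer_id: str) -> Optional[Tuple[str, str]]:
    """Static-side selection for a peer at an unknown address: pick the %any
    conn whose rightid equals the claimed ID and return (conn name, RSA key
    that must authenticate the peer). None if no conn claims that ID."""
    for name, c in conns.items():
        if c.get("right") == "%any" and c.get("rightid") == peer_id:
            return name, c["rightrsasigkey"]
    return None


if __name__ == "__main__":
    resolved = resolve(parse(FILES))
    for finding in check_uninitiable(resolved):
        print(finding)
    print(match_peer_by_id(resolved, "@aptos.example"))
```

Run as a script it prints the auto=start finding for conn Aptos and the (name, key) pair selected for the ID @aptos.example; an ID no conn claims yields None, which is the point of identifying dynamic peers by ID before the RSA signature check ever runs.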
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user