Hello; the problem/situation is: I have two LEAF routers with dynamic IPs, changing at least once a day. Both are set up with the latest Bering-uClibc 1.1.
I built a solution, but I'm not sure if that's the way to go. Please review, especially regarding security (VPN/shorewall issues).

The network picture is simple:

  192.168.10.0 <-> fixed ip/LEAF router/dynamic ip <-> internet <-> dynamic ip/LEAF router/fixed ip <-> 192.168.20.0

The challenge has been how to keep the tunnel between both nets alive. First I decided that both routers have to have a DNS name, which is easily doable with something like dyndns.org and ezipupd.lrp.

I generated the RSA keys for both LEAF routers with:

  ipsec rsasigkey --verbose --random /dev/urandom 2048 > localkey
  ipsec rsasigkey --verbose --random /dev/urandom 2048 > remotekey

and made the corresponding /etc/ipsec.secrets on the local router and the remote router.

On the local router I've configured /etc/ipsec.conf as below:

  config setup
      interfaces=%defaultroute
      klipsdebug=none
      plutodebug=none
      plutoload=%search
      plutostart=%search
      uniqueids=yes

  conn %default
      type=tunnel
      keyexchange=ike
      keylife=8h
      disablearrivalcheck=no

  conn net-net
      left="local.dyndns.org"
      leftsubnet=192.168.10.0/24
      leftnexthop=%defaultroute
      authby=rsasig
      pfs=yes
      [EMAIL PROTECTED]
      leftrsasigkey="local-public-key"
      right=remote.dyndns.org
      rightsubnet=192.168.20.0/24
      rightnexthop=%defaultroute
      [EMAIL PROTECTED]
      rightrsasigkey="remote-public-key"
      auto=add

  conn gate-gate
      left="local.dyndns.org"
      leftnexthop=%defaultroute
      authby=rsasig
      pfs=yes
      leftid=@"local.dyndns.org"
      leftrsasigkey="local-public-key"
      right="remote.dyndns.org"
      rightnexthop=%defaultroute
      rightid=@"remote.dyndns.org"
      rightrsasigkey="remote-public-key"
      auto=add

I copied this one to the remote router (changing auto=add to auto=start). As you can see, there will be two tunnels: one from net to net, and one between the LEAF routers.
Then I made the following changes in shorewall:

a) zones file: added two new zones
     vpn    VPN      Remote Subnet
     vgw    VPNGW    vpn gateway

b) interfaces file: added interfaces for the new zones
     vpn    ipsec0
     vgw    ipsec1
   added option noping to net/ppp0, removed routefilter

c) policy file: added
     loc    vpn    ACCEPT
     vpn    loc    ACCEPT
   (better writing rules, I know)

d) rules: added ping accept from/to gateway and fw
     ACCEPT    vgw    fw     icmp    8
     ACCEPT    fw     vgw    icmp    8

e) tunnels: add the tunnels for net-net and gate-gate
     ipsec    net    0.0.0.0/0    vpn,vgw

Some changes to ppp:

a) /etc/ppp/ip-up: added /sbin/ipsec restart
b) /etc/ppp/ip-down: added /sbin/ipsec setup stop

So if the LEAF gets a new IP address assigned, ip-down stops both tunnels and ip-up restarts ipsec with both tunnels.

The last addition has been a script on both LEAF routers trying to ping (a few packets) the other router (by dyndns name) and, if that fails, restart ipsec as well. This script is called by cron every few minutes.

My experience with that configuration is that the tunnels are stable and will be rebuilt with a short delay if one of the LEAF routers has got a new IP.

My questions are: Anyone with a better solution at hand? Is this setup, esp. the shorewall changes, secure, or did I open Pandora's box?

Comments and hints are welcome. Thanks for your patience.

kp

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
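As an added illustration of the cron check described above (this is an example written for this page, not kp's script; the peer name, the state and lock paths, the busybox nslookup/ping/logger output and "ipsec setup restart" as the FreeS/WAN restart command are assumptions for a LEAF box of that era), here is a keepalive that also restarts when the peer's dyndns record changes, refuses to act on a DNS failure so a working tunnel is not torn down because the resolver hiccuped, and takes a lock so two overlapping cron runs cannot both restart ipsec:

```shell
#!/bin/sh
# vpn-keepalive.sh - cron-driven tunnel check for a LEAF/FreeS/WAN router
# whose peer has a dynamic address. Added example, not code from the post.
# Assumptions (hypothetical, adjust to your box): the peer's dyndns name,
# the state/lock paths, busybox nslookup/ping/logger, and
# "ipsec setup restart" as the FreeS/WAN restart command.

PEER="${PEER:-remote.dyndns.org}"
STATE_FILE="${STATE_FILE:-/var/run/vpn-peer.addr}"
LOCK_DIR="${LOCK_DIR:-/var/run/vpn-keepalive.lock}"
PING_COUNT=3

# Resolve the peer name to one IPv4 address. Keeps the last dotted quad
# printed by busybox nslookup (the first one is the resolver itself).
resolve_peer() {
    nslookup "$1" 2>/dev/null | awk '
        /^Address/ { for (i = 2; i <= NF; i++)
                       if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) a = $i }
        END { print a }'
}

# Decide whether ipsec has to be restarted.
#   $1 = peer address recorded at the last restart (empty on first run)
#   $2 = peer address resolved now (empty if DNS failed)
#   $3 = exit status of the ping check (0 = reachable)
# Prints the reason and returns 0 when a restart is needed, 1 otherwise.
restart_reason() {
    prev="$1"; cur="$2"; pingrc="$3"
    if [ -z "$cur" ]; then
        # Resolver trouble: leave a possibly working tunnel alone
        echo "unresolved"; return 1
    fi
    if [ -n "$prev" ] && [ "$prev" != "$cur" ]; then
        # The dyndns record moved: pluto still holds the old address
        echo "peer-address-changed $prev -> $cur"; return 0
    fi
    if [ "$pingrc" -ne 0 ]; then
        echo "peer-unreachable"; return 0
    fi
    echo "ok"; return 1
}

main() {
    # mkdir is atomic, so overlapping cron runs (a restart takes a while)
    # cannot both restart ipsec
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "vpn-keepalive: previous run still active" >&2
        return 0
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT

    prev=""
    [ -r "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    cur=$(resolve_peer "$PEER")

    pingrc=1
    if [ -n "$cur" ]; then
        ping -c "$PING_COUNT" "$cur" >/dev/null 2>&1
        pingrc=$?
    fi

    reason=$(restart_reason "$prev" "$cur" "$pingrc")
    rc=$?
    if [ "$rc" -eq 0 ]; then
        logger -t vpn-keepalive "restarting ipsec: $reason"
        ipsec setup restart && echo "$cur" > "$STATE_FILE"
    elif [ -n "$cur" ] && [ -z "$prev" ]; then
        # First run: just record the address we resolved
        echo "$cur" > "$STATE_FILE"
    fi
}

# Only run when executed as the script itself, e.g. from cron:
#   */5 * * * * /usr/local/sbin/vpn-keepalive.sh
case "${0##*/}" in
    vpn-keepalive*) main "$@" ;;
esac
```

The decision is kept in restart_reason so it can be exercised without touching the network; a ping failure alone still triggers a restart as in the post, but the address comparison catches the common case where the peer moved and pluto keeps retrying the stale address, and the lock plus the "unresolved" branch keep a flapping resolver from turning into a flapping tunnel.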