Hello,
The problem/situation is:
I have two LEAF routers with dynamic IPs, changing at least once a day.
Both are set up with the latest Bering-uClibc 1.1.
I built a solution, but I'm not sure if that's the way to go.
Please review, especially regarding security (vpn/shorewall issues).
The network picture is simple:
192.168.10.0 <-> fixed IP / LEAF router / dynamic IP <-> internet <-> dynamic IP / LEAF router / fixed IP <-> 192.168.20.0
The challenge has been how to keep the tunnel between both nets alive.
First I decided that both routers have to have a DNS name, which is easily doable
with something like dyndns.org and ezipupd.lrp.
I generated the RSA keys for both LEAF routers with:
    ipsec rsasigkey --verbose --random /dev/urandom 2048 > localkey
    ipsec rsasigkey --verbose --random /dev/urandom 2048 > remotekey
and made the corresponding /etc/ipsec.secrets files on the local router and the remote
router.
On the local router I've configured /etc/ipsec.conf as below:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        type=tunnel
        keyexchange=ike
        keylife=8h
        disablearrivalcheck=no

conn net-net
        left="local.dyndns.org"
        leftsubnet=192.168.10.0/24
        leftnexthop=%defaultroute
        authby=rsasig
        pfs=yes
        [EMAIL PROTECTED]
        leftrsasigkey="local-public-key"
        right=remote.dyndns.org
        rightsubnet=192.168.20.0/24
        rightnexthop=%defaultroute
        [EMAIL PROTECTED]
        rightrsasigkey="remote-public-key"
        auto=add

conn gate-gate
        left="local.dyndns.org"
        leftnexthop=%defaultroute
        authby=rsasig
        pfs=yes
        leftid=@"local.dyndns.org"
        leftrsasigkey="local-public-key"
        right="remote.dyndns.org"
        rightnexthop=%defaultroute
        rightid=@"remote.dyndns.org"
        rightrsasigkey="remote-public-key"
        auto=add
I copied this one to the remote router (changing auto=add to auto=start).
As you can see, there will be two tunnels: one net-to-net, and one between
the LEAF routers.
Then I made the following changes in shorewall:
a) zones file
   added two new zones:
    vpn     VPN     Remote Subnet
    vgw     VPNGW   vpn gateway
b) interfaces file
   added interfaces for the new zones:
    vpn     ipsec0
    vgw     ipsec1
   added option noping to net/ppp0, removed routefilter
c) policy file
   added:
    loc     vpn     ACCEPT
    vpn     loc     ACCEPT
   (better to write rules, I know)
d) rules
   added ping accept from/to gateway and fw:
    ACCEPT  vgw     fw      icmp    8
    ACCEPT  fw      vgw     icmp    8
e) tunnels
   added the tunnels for net-net and gate-gate:
    ipsec   net     0.0.0.0/0       vpn,vgw
Some changes to ppp:
a) /etc/ppp/ip-up
   added:
    /sbin/ipsec restart
b) /etc/ppp/ip-down
   added:
    /sbin/ipsec setup stop
So if the LEAF gets a new IP address assigned, ip-down stops both tunnels and
ip-up restarts ipsec with both tunnels.
The last addition has been a script on both LEAF routers trying to ping (a few
packets) the other router (by dyndns name) and, if that fails, restart ipsec as
well.
This script is called by cron every few minutes.
My experience with that configuration is that the tunnels are stable and will
be rebuilt with a short delay if one of the LEAF routers has got a new IP.
My questions are:
Anyone with a better solution at hand?
Is this setup, especially the shorewall changes, secure, or did I open Pandora's box?
Comments and hints are welcome.
Thanks for your patience.
kp
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
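The post above bounces ipsec from /etc/ppp/ip-up and from a cron job that pings the peer. The script below is an added example, not code from the original post or from the LEAF project, that folds both jobs into one watchdog and adds the two checks a practitioner would want: it only restarts when the far side is actually unreachable, it treats a failed DNS lookup as "wait" rather than as a reason to restart (FreeS/WAN resolves the left/right names when the connection is loaded, so a restart with no answer from DNS just fails again), and it rate-limits restarts so a lost ping cannot make the gateway flap every cron run. It assumes the peer's dyndns name (remote.dyndns.org), an address inside the far LAN (192.168.20.1) that only answers through the tunnel, FreeS/WAN's ipsec(8) at /sbin/ipsec (so "ipsec setup restart" is the documented restart form), and a date(1) that supports +%s; all of these are assumptions, and the file paths and variable names are hypothetical.

```shell
#!/bin/sh
# vpn-watchdog: keep a FreeS/WAN net-net tunnel up between two gateways
# on dynamic addresses. Added example; assumptions are marked below.
#   cron:   */5 * * * * /usr/local/sbin/vpn-watchdog run
#   ip-up:  /usr/local/sbin/vpn-watchdog force

PEER_NAME="${PEER_NAME:-remote.dyndns.org}"    # assumed: peer's dyndns name
PEER_LAN_IP="${PEER_LAN_IP:-192.168.20.1}"     # assumed: host behind the peer
STATE_DIR="${STATE_DIR:-/var/run}"             # cached peer address + last restart
IPSEC="${IPSEC:-/sbin/ipsec}"                  # assumed: FreeS/WAN ipsec(8)
MIN_INTERVAL="${MIN_INTERVAL:-120}"            # seconds between two restarts
PING="${PING:-ping}"

# Resolve a name to its first address. getent if present; on a BusyBox-only
# box fall back to parsing nslookup output (assumed "Address ...: a.b.c.d").
resolve_peer() {
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" 2>/dev/null | awk '{ print $1; exit }'
    else
        nslookup "$1" 2>/dev/null | awk '/^Address/ { a = $0 } END {
            sub(/^Address[^:]*:[ \t]*/, "", a); split(a, f, " "); print f[1] }'
    fi
}

# Pure decision so it can be reasoned about (and tested) without a network.
# $1 ping status (0 = far LAN answered), $2 cached peer address,
# $3 freshly resolved peer address ("" if DNS failed). Prints ok|wait|restart.
decide() {
    ping_rc="$1"; old_ip="$2"; new_ip="$3"
    if [ "$ping_rc" -eq 0 ]; then
        echo ok          # traffic flows through the tunnel: leave it alone
    elif [ -z "$new_ip" ]; then
        echo wait        # no DNS answer: Pluto could not resolve the peer either
    else
        echo restart     # peer moved (old_ip != new_ip) or the SA is dead
    fi
}

# Rate limit: $1 epoch of last restart, $2 now, $3 minimum gap in seconds.
rate_ok() {
    [ $(( $2 - $1 )) -ge "$3" ]
}

restart_ipsec() {
    now=$(date +%s)                                   # assumed: date +%s works
    last=$(cat "$STATE_DIR/vpn-watchdog.last" 2>/dev/null || echo 0)
    if [ "$1" != force ] && ! rate_ok "$last" "$now" "$MIN_INTERVAL"; then
        logger -t vpn-watchdog "restart suppressed, last one at $last"
        return 1
    fi
    logger -t vpn-watchdog "peer $PEER_NAME is ${2:-unresolved} (cached ${3:-none}); restarting ipsec"
    "$IPSEC" setup restart && echo "$now" > "$STATE_DIR/vpn-watchdog.last"
}

main() {
    old_ip=$(cat "$STATE_DIR/vpn-watchdog.peer" 2>/dev/null)
    new_ip=$(resolve_peer "$PEER_NAME")
    if [ "$1" = force ]; then
        action=restart                                 # ip-up: our own address changed
    elif "$PING" -c 3 "$PEER_LAN_IP" >/dev/null 2>&1; then
        action=$(decide 0 "$old_ip" "$new_ip")
    else
        action=$(decide 1 "$old_ip" "$new_ip")
    fi
    case "$action" in
        restart) restart_ipsec "$1" "$new_ip" "$old_ip" ;;
    esac
    [ -n "$new_ip" ] && echo "$new_ip" > "$STATE_DIR/vpn-watchdog.peer"
}

case "${1:-}" in
    run|force) main "$1" ;;
esac
```

Pinging a host inside the far LAN rather than the peer's public address is deliberate: the public address answers whether or not the tunnel is up, so it says nothing about the SA, whereas a private address only answers through the tunnel. The ip-down hook from the post can stay as it is; with this script, ip-up calls "vpn-watchdog force" instead of restarting ipsec directly.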