I'm also working on the OpenVPN implementation on my box, so if either of us gets a good result, I would be grateful if we posted the good news to the list, don't you think? ;)

Regards,

jonathan



alan walters wrote:
Yep, I use an email address as the CN.
OpenVPN would be great, but this still seems not to be available.
Even a GRE tunnel would do what I require, but again it is not built into pfSense.

So I persevere this way. The only security concern that I can see is the VPN hub. This is a concern, but pfSense seems to be reasonably well locked down.
The whole point of the hub is to be able to get a central public block to a large number of remote sites that I cannot route blocks to.

I might take your advice though and try with OpenVPN if I can get the devel options to work and enable it.


-----Original Message-----
From: jonathan gonzalez [mailto:[EMAIL PROTECTED]
Sent: 22 October 2005 17:57
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec

Hi guys,

I know that this question may seem silly, but if what you want is
to establish an IPsec tunnel in a roadwarrior fashion, why don't you use
some other type of CN?

I mean, use a dyndns name, an email address, etc...

Otherwise you can use OpenVPN, which is not IPsec but will enable
you to easily achieve what I think you need.

Just to finish, 0.0.0.0 is not a good idea because you use IPsec to
set up a net-to-net tunnel... Using 0.0.0.0 you are likely to be a VPN hub, which is
something 'weird' from the security point of view.

That's my 0.02€ ;)

Regards,

jonathan





alan walters wrote:

This must have got overwritten when we sync'd to m0n0wall for their
certificate support. Do an update_file.sh /usr/local/www/vpn_ipsec_edit.php
and all should be well again (I hope).

Scott


[alan walters]

I copied that file from the releng branch of the CVS but still the same.
The box is isolated from the internet so no way to update it apart from
manually. This still produced the same error: Remote subnet bits cannot
be zero.



On 10/21/05, alan walters <[EMAIL PROTECTED]> wrote:



I know some time ago we looked at IPsec tunnels with 0.0.0.0/0 subnets. I
upgraded to 0.86.4 and again to 0.88.0.

Neither seems to support the following configuration in the GUI any more.

This will not work:

Localnet     192.168.1.1/24    remotegateway: public address
Remotenet    0.0.0.0/0

But this works:

Localnet     0.0.0.0/0         remotegateway: public address
Remotenet    192.168.1.1/24



Regards.



Hope you can help me with this.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



