Re: Isakmpd and dynamic IPs configuration?
I have successfully gotten a VPN tunnel set up between "isakmpd" on my
home firewall and my office's Netgear FVS318 firewall appliance. It was
a bit of a pain to get the Netgear box to recognize which tunnel was
which until I started using FQDNs for the tunnel setups in the office.
On the home side we're using DynDNS.org and have some reserved FQDN
names that map to our home systems which all have DHCP assigned IP
addresses. For those people using OpenBSD firewalls we use "ddclient"
to update the IP addresses associated with our DynDNS.org FQDN.
We have other users using Netgear FVS318 boxes at home and the appliance
supports a number of DynDNS.org type services. Our office firewall has
a static IP address at least which allows the home users to easily
configure a VPN tunnel into work. As far as I've seen, "isakmpd"
doesn't appear to support the use of FQDNs rather than an IP address
unless I've overlooked something in the man pages. I recall trying to
use FQDNs instead and getting errors.
With Comcast even though I have a DHCP assigned routable address, the
address is for all intents and purposes static. The only time I've seen
an IP address change has been if I had my firewall box offline for a
long time or I changed the NIC I have connected to the modem (which
changes the MAC address). I know other people with DSL and they get a
different IP address quite often but with DynDNS it allows our office
VPN setup to continue to work for them.
Certainly it would be a nice enhancement if "isakmpd" supported FQDNs
since there are many users that only have DHCP assigned routable
addresses.
Tony
On Tuesday 02 September 2003 09:31 am, Thierry TM. Michalowski wrote:
> Hi,
>
> I would like to use OpenBSD boxes to create an IPSec VPN in the
> following way:
>
> 192.168.10.x -- Box A (IP1) ---------- (IP2) Box B -- 192.168.11.x
>                          |
>                          |------------------------- (IP3) Box C -- 192.168.12.x
>
> I'm using X509 certificates to authorize connections, and the various
> firewalls have port 500 open to the world.
>
> When Box A,B,C have a static IP address I managed to create the VPN
> tunnels.
> However, that required me to create my peers and connections in
> isakmpd.conf by assigning an explicit IP address for each of them.
>
> Now, what I would like to do is that Box A and Box B have a
> dynamically-assigned IP address.
> How should I do this with isakmpd?
> (I'm using OpenBSD 3.2).
>
> Best regards,
> Thierry Michalowski
--
Anthony Schlemmer
aschlemm@comcast.net
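Since the thread's conclusion is that isakmpd.conf wants a literal IP address for a peer, the usual workaround for a DynDNS-registered peer is to resolve the name yourself and rewrite the configuration when the answer changes. The script below is an added example, not code from either poster or from the OpenBSD project. It assumes the standard isakmpd.conf layout in which the peer's section carries an Address= line and the [Phase 1] section maps a remote IP to that peer section (both must change together, or incoming negotiations from the new address will not be matched to the peer). The configuration text, the section name ISAKMP-peer-home and the hostname home.example.dyndns.org are constructed for the example.

```python
"""Resolve a DynDNS peer name and update the matching isakmpd.conf entries.

Added example for the thread above; assumes isakmpd.conf uses
"[section]" headers and "Key=  value" lines, that the peer section has an
"Address=" line, and that "[Phase 1]" maps "<remote-ip>=  <peer-section>".
"""
import ipaddress
import re
import socket

# Constructed sample fragment of an office-side isakmpd.conf (not from the thread).
SAMPLE_CONF = """\
[General]
Listen-on=            203.0.113.10

[Phase 1]
198.51.100.25=        ISAKMP-peer-home

[ISAKMP-peer-home]
Phase=                1
Transport=            udp
Address=              198.51.100.25
Configuration=        Default-main-mode
ID=                   Office-ID
Remote-ID=            Home-ID
"""

KEY_RE = re.compile(r'^(\S+?)\s*=\s*(.*?)\s*$')


def _entries(lines):
    """Yield (index, section, key, value) for every Key=value line."""
    section = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith('[') and stripped.endswith(']'):
            section = stripped[1:-1]
            continue
        m = KEY_RE.match(line.rstrip('\n'))
        if m:
            yield i, section, m.group(1), m.group(2)


def current_peer_address(conf, peer_section):
    """Return the Address= value of the given peer section."""
    for _, sec, key, val in _entries(conf.splitlines()):
        if sec == peer_section and key == 'Address':
            return val
    raise KeyError('no Address= line in [%s]' % peer_section)


def phase1_peer_for(conf, ip):
    """Return the peer section that [Phase 1] maps the remote IP to, or None."""
    for _, sec, key, val in _entries(conf.splitlines()):
        if sec == 'Phase 1' and key == ip:
            return val
    return None


def update_peer_address(conf, peer_section, new_ip):
    """Return (new_conf, changed).

    Rewrites the peer's Address= line and the [Phase 1] mapping that
    pointed the old address at this peer. new_ip must be a valid IPv4
    address, so a garbage resolver answer is rejected rather than written.
    """
    new_ip = str(ipaddress.IPv4Address(new_ip))
    old_ip = current_peer_address(conf, peer_section)
    if old_ip == new_ip:
        return conf, False
    lines = conf.splitlines(keepends=True)
    for i, sec, key, val in _entries(lines):
        if sec == peer_section and key == 'Address':
            lines[i] = lines[i].replace(old_ip, new_ip, 1)
        elif sec == 'Phase 1' and key == old_ip and val == peer_section:
            lines[i] = lines[i].replace(old_ip, new_ip, 1)
    return ''.join(lines), True


def resolve_and_update(conf, peer_section, fqdn, resolver=socket.gethostbyname):
    """Look the peer's DynDNS name up and apply the result to the config."""
    return update_peer_address(conf, peer_section, resolver(fqdn))


if __name__ == '__main__':
    # Offline demonstration with a fake resolver; on a real box you would
    # read /etc/isakmpd/isakmpd.conf, write the result back only when
    # changed, and then tell isakmpd to reload (see isakmpd(8) for your version).
    updated, changed = resolve_and_update(
        SAMPLE_CONF, 'ISAKMP-peer-home', 'home.example.dyndns.org',
        resolver=lambda name: '198.51.100.77')
    print('changed:', changed)
    print(updated)
```

Run it from cron on the static side every few minutes. Only rewrite and reload when `changed` is true, otherwise you will tear down a working Phase 1 SA for nothing. The mapping check matters because a peer whose Address= is correct but whose [Phase 1] entry still names the old IP can initiate to you, but your side will treat its incoming negotiation as coming from an unknown address.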