From owner-freebsd-net Fri May 17 3:22:41 2002
Date: Fri, 17 May 2002 12:22:32 +0200
From: Barry Irwin <bvi@itouchlabs.com>
To: Matthew Zahorik <matt@hottub.org>
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec and dynamically assigned IPs
Message-ID: <20020517122232.A28402@itouchlabs.com>
In-Reply-To: from matt@hottub.org on Thu, May 16, 2002 at 09:30:58AM -0700

On Thu 2002-05-16 (09:30), Matthew Zahorik wrote:
> I am unclear regarding spdadd arguments and my VPN setup.
>
> I'm attempting to replace Nortel's Contivity Extranet Client on Windows
> with a racoon/ipsec solution.
>
> I'm unsure if this is a "tunnel" or "transport" connection.
>
> I contact a fixed server at 205.173.93.x. This is a contivity switch.
> My client is an IP address assigned by RoadRunner.
>
> During IKE (user w/ SecureID hard token, aggressive mode) another IP
> address is assigned (3.179.89.x) by the contivity.
>
> How do I express this in spdadd so that I can fire off racoon?
>
>
> [client] 66.67.157.x (RoadRunner IP, dynamic, known at spdadd time)
>     |
> [tunnel? endpoint] 3.179.89.x (dynamic, assigned during/after IKE)
>     |
> { Internet }
>     |
> [tunnel? endpoint] ?.?.?.? (fixed, traceroute shows 3.179.68.x 1st hop)
>     |
> [server] 205.173.93.x (fixed, known at spdadd time)

If it is two endpoints talking directly then it's transport mode.

Tunnel would be something along the lines of:

A  [client] - [vpn gw] - {internet} - [vpngw] - [server]

or

B  [client] - {internet} - [vpngw] - [server]

In case A, the client and server are completely unaware of the fact that
there is IPsec involved, as all the work is performed by the gateways.
In case B the client tunnels traffic destined for the server to the vpngw,
where it is decapsulated and passed on to the server.

On the case of dynamic IPs, have a look at the "generate_policy on;"
statement in racoon.conf. However, you either need to authenticate using
aggressive mode (in which case you can provide a username or something
else to look up against the password) or main mode using certificates.

On another point, I spent a couple of days hacking around with the Nortel
Client and didn't have much success :<  Would be great to hear if you do.

Barry

--
Barry Irwin                                         bvi@itouchlabs.com
+27214875177
Systems Administrator: Networks And Security
Itouch Labs                                  http://www.itouchlabs.com
South Africa
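To make the tunnel/transport distinction and the "generate_policy on" suggestion concrete, here is an added example (not part of Barry's or Matthew's messages) of the setkey(8) SPD entries and the racoon.conf fragments for case B above: a client with a dynamic address reaching a server that sits behind a VPN gateway. All addresses are RFC 5737 documentation addresses assumed for illustration, standing in for the obfuscated ones in the thread (198.51.100.23 for the client's current dynamic address, 203.0.113.1 for the gateway, 192.0.2.0/24 for the server network). The pre-shared key path, the user_fqdn identifier and the cipher choices are likewise assumptions, and the 3DES/SHA-1/group-2 proposal is what racoon setups of that era commonly used, not a recommendation for today.

```conf
# --- Case B, client side: /etc/ipsec.conf, loaded with "setkey -f /etc/ipsec.conf".
# Tunnel mode: traffic for the server network is wrapped in ESP to the VPN gateway.
# 198.51.100.23 is the client's current (dynamic) address, so this file has to be
# regenerated and reloaded whenever that address changes.
spdadd 198.51.100.23 192.0.2.0/24 any -P out ipsec
    esp/tunnel/198.51.100.23-203.0.113.1/require;
spdadd 192.0.2.0/24 198.51.100.23 any -P in ipsec
    esp/tunnel/203.0.113.1-198.51.100.23/require;

# For comparison, transport mode is for two hosts talking to each other directly:
# no inner/outer address pair, ESP protects the packets between the two endpoints.
#   spdadd 198.51.100.23 192.0.2.10 any -P out ipsec esp/transport//require;
#   spdadd 192.0.2.10 198.51.100.23 any -P in  ipsec esp/transport//require;

# --- Case B, client side: racoon.conf (initiator).
# Aggressive mode so the client can send an identifier (user_fqdn) that the gateway
# looks its key up by; main mode with a PSK would need the gateway to know our IP.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed path

remote 203.0.113.1 {
    exchange_mode aggressive;
    my_identifier user_fqdn "roadwarrior@example.net";  # assumed identifier
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# --- Case B, gateway side: racoon.conf (responder).
# The gateway cannot know the client's address in advance, so it carries no spdadd
# for it.  "generate_policy on" tells racoon to create the SPD entries from the
# proposal the client sends in phase 2; "passive on" keeps it a responder only.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed path

remote anonymous {
    exchange_mode aggressive;
    generate_policy on;
    passive on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

On the gateway, psk.txt then holds one line per client identifier ("roadwarrior@example.net" followed by the secret), which is the "username to look up against the password" Barry refers to. Two caveats a practitioner would want: first, with generate_policy on the gateway takes the inner addresses from whatever the client proposes, so anyone holding a valid key can have policy generated for any selectors; on a real gateway, replace sainfo anonymous with sainfo entries that pin the allowed address ranges. Second, the extra address that Matthew's Contivity hands out during IKE (3.179.89.x) is assigned inside the IKE exchange itself and is not something spdadd can express; the SPD and racoon fragments above only cover the plain road-warrior case that the reply describes.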