Date:      Fri, 17 May 2002 12:22:32 +0200
From:      Barry Irwin <bvi@itouchlabs.com>
To:        Matthew Zahorik <matt@hottub.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPsec and dynamically assigned IPs
Message-ID:  <20020517122232.A28402@itouchlabs.com>
In-Reply-To: <Pine.GSO.4.40.0205160858030.10618-100000@hottub>; from matt@hottub.org on Thu, May 16, 2002 at 09:30:58AM -0700
References:  <Pine.GSO.4.40.0205160858030.10618-100000@hottub>

On Thu 2002-05-16 (09:30), Matthew Zahorik wrote:
>   I am unclear regarding spdadd arguments and my VPN setup.
> 
>   I'm attempting to replace Nortel's Contivity Extranet Client on Windows
> with a racoon/ipsec solution.
> 
>   I'm unsure if this is a "tunnel" or "transport" connection.
> 
>   I contact a fixed server at 205.173.93.x.  This is a contivity switch.
> My client is an IP address assigned by RoadRunner.
> 
>   During IKE (user w/ SecureID hard token, aggressive mode) another IP
> address is assigned (3.179.89.x) by the contivity.
> 
>   How do I express this in spdadd so that I can fire off racoon?
> 
> 
>   [client] 66.67.157.x (RoadRunner IP, dynamic, known at spdadd time)
>                |
>   [tunnel? endpoint] 3.179.89.x (dynamic, assigned during/after IKE)
>                |
>          { Internet }
>                |
>   [tunnel? endpoint] ?.?.?.? (fixed, traceroute shows 3.179.68.x 1st hop)
>                |
>   [server] 205.173.93.x (fixed, known at spdadd time)


If it is two endpoints talking directly, then it's transport mode.

Tunnel would be something along the lines of:

A [client] -[vpn gw] - {internet} - [vpngw] - [server]

or

B [client] - {internet} - [vpngw] - [server]

In case A, the client and server are completely unaware of the fact there is
IPSEC involved, as all the work is performed by the gateways.

In case B the client tunnels traffic destined for the server to the vpngw, where
it is decapsulated and passed on to the server.


In the case of dynamic IPs, have a look at the "generate policy on;"
statement in racoon.conf.  However, you either need to authenticate using
aggressive mode (in which case you can provide a username or something else
to look up against the password) or main mode using certificates.


On another point, I spent a couple of days hacking around with the Nortel
Client and didn't have much success :< Would be great to hear if you do.


Barry

--
Barry Irwin		bvi@itouchlabs.com			+27214875177
Systems Administrator: Networks And Security
Itouch Labs 		http://www.itouchlabs.com		South Africa
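Added example (not from Barry's or Matthew's messages): the transport-mode and case-B tunnel-mode policies Barry describes, written as setkey(8) spdadd rules, followed by a racoon.conf fragment for the gateway side that uses the directive Barry refers to, spelled generate_policy in racoon.conf. The client and server addresses keep the redacted last octets from Matthew's post and must be replaced with real ones; VPNGW_ADDR stands for the fixed gateway address the post does not give; the FQDN, the pre-shared-key path and the algorithm choices are assumptions for illustration.

```conf
# ---- /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf ----
# (on the CLIENT; the dynamic RoadRunner address is known when this runs)
#
# Transport mode: the two endpoints themselves run IPsec, nothing in between.
spdadd 66.67.157.x 205.173.93.x any -P out ipsec esp/transport//require;
spdadd 205.173.93.x 66.67.157.x any -P in  ipsec esp/transport//require;

# Tunnel mode, Barry's case B: client <-> vpngw protects traffic whose
# inner addresses are client <-> server.  Format is
#   protocol/mode/outer-src-outer-dst/level
# VPNGW_ADDR is a placeholder for the fixed gateway address (not in the post).
# Use EITHER the transport pair above OR this tunnel pair, not both.
spdadd 66.67.157.x 205.173.93.x any -P out ipsec \
        esp/tunnel/66.67.157.x-VPNGW_ADDR/require;
spdadd 205.173.93.x 66.67.157.x any -P in  ipsec \
        esp/tunnel/VPNGW_ADDR-66.67.157.x/require;

# ---- racoon.conf on the GATEWAY (responder) side ----
# The gateway cannot spdadd a policy for a peer whose address it does not
# know in advance.  With generate_policy on, racoon installs the SPD entry
# itself from the initiator's proposal once phase 1 has authenticated it.
# Aggressive mode is needed here so the responder receives the initiator's
# identity (a user_fqdn) before it has to look up the pre-shared key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed path
# psk.txt lines are:  <identifier>  <secret>   e.g.
#   user@example.com   long-random-secret

remote anonymous {
        exchange_mode aggressive, main;
        my_identifier fqdn "vpngw.example.com";        # assumed name
        generate_policy on;       # build SPD from the peer's proposal
        passive on;               # responder only; never initiate
        proposal_check obey;      # accept the initiator's lifetimes
        proposal {
                encryption_algorithm 3des;             # assumed
                hash_algorithm sha1;                   # assumed
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The initiator (client) still loads its own spdadd rules as above; the kernel's SPD lookup on the first outbound packet is what makes its racoon start IKE, while the gateway with generate_policy on needs no per-client spdadd at all. The "anonymous" remote block matches any peer address, so the pre-shared key lookup by identifier is the only thing standing between an unknown host and a phase 1 SA; keep the identifiers and secrets in psk.txt unique per user rather than sharing one key.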
