Date: Fri, 17 May 2002 12:22:32 +0200 From: Barry Irwin <bvi@itouchlabs.com> To: Matthew Zahorik <matt@hottub.org> Cc: freebsd-net@freebsd.org Subject: Re: IPsec and dynamically assigned IPs Message-ID: <20020517122232.A28402@itouchlabs.com> In-Reply-To: <Pine.GSO.4.40.0205160858030.10618-100000@hottub>; from matt@hottub.org on Thu, May 16, 2002 at 09:30:58AM -0700 References: <Pine.GSO.4.40.0205160858030.10618-100000@hottub>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu 2002-05-16 (09:30), Matthew Zahorik wrote: > I am unclear regarding spdadd arguments and my VPN setup. > > I'm attempting to replace Nortel's Contivity Extranet Client on Windows > with a racoon/ipsec solution. > > I'm unsure if this is a "tunnel" or "transport" connection. > > I contact a fixed server at 205.173.93.x. This is a contivity switch. > My client is an IP address assigned by RoadRunner. > > During IKE (user w/ SecureID hard token, aggressive mode) another IP > address is assigned (3.179.89.x) by the contivity. > > How do I express this in spdadd so that I can fire off racoon? > > > [client] 66.67.157.x (RoadRunner IP, dynamic, known at spdadd time) > | > [tunnel? endpoint] 3.179.89.x (dynamic, assigned during/after IKE) > | > { Internet } > | > [tunnel? endpoint] ?.?.?.? (fixed, traceroute shows 3.179.68.x 1st hop) > | > [server] 205.173.93.x (fixed, known at spdadd time) If it is two endpoints talking directly then its transport mode Tunnel would be somethign along the lines of: A [client] -[vpn gw] - {internet} - [vpngw] - [server] or B [client] - {internet} - [vpngw] - [server] In case A, the client and server are completely unaware of the fact there is IPSEC involved, as all the work is performed by the gateways. in case B the client tunnels traffic destined for server to the vpngw where it is decapsulated adn passed onto the server. On the case of dynamic IP's have a look at the "generate policy on;" statement in racoon.conf. However you either need to authenticte using aggressive mode ( in which case you can provide a username or somethign else to look up against the password) or main mode using certificates. On another point, I spent a couple of days hacking around with the Nortel Client and didnt have much success :< would be great to hear if you do Barry -- Barry Irwin bvi@itouchlabs.com +27214875177 Systems Administrator: Networks And Security Itouch Labs http://www.itouchlabs.com South Africa To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020517122232.A28402>