From owner-freebsd-net Wed Apr 25 20:55:08 2001
Delivered-To: freebsd-net@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id E825437B423; Wed, 25 Apr 2001 20:54:59 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f3Q53Ex44782; Thu, 26 Apr 2001 00:03:14 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Thu, 26 Apr 2001 00:03:14 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Gunther Schadow
Cc: freebsd-net@FreeBSD.ORG, freebsd-small@FreeBSD.ORG, snap-users@kame.net
Subject: Re: VPN tunnel with DHCP ...
In-Reply-To: <3AE7303F.957DE6DC@aurora.regenstrief.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 25 Apr 2001, Gunther Schadow wrote:

> Hi,
>
> about my SOHO router project, I came across a tough problem, maybe
> I overlook that there is a solution already? The VPN gateway
> at the small office / home office (SOHO) has an IPsec tunnel
> connecting it to its headquarters:
>
> setkey -c <<END
> spdadd ${sohonet} ${homenet} -P out ipsec
>     esp/tunnel/${sohoip}-${homeip}/require;
> spdadd ${homenet} ${sohonet} -P in ipsec
>     esp/tunnel/${homeip}-${sohoip}/require;
> END
>
> now, the problem is that the ${sohoip} is dynamically assigned
> with DHCP. How can the gateway at the headquarters know that
> ${sohoip} address?
>
> Options I can see are:
>
> A  DNS (provided that the SOHO endpoint has a reliable name assigned
>    by the ISP ... doesn't work for intermittent/dialup lines.)
>
> B  an authenticated message from the SOHO endpoint to headquarters
>    stating that the network ${sohonet} is reachable through the
>    tunnel with endpoint ${sohoip}.
>
> Is there anything like B defined in IPsec / ISAKMP or something?
I had a similar problem but I had 1 static server and the tunnels were
between several DHCP machines...not between the DHCP machines and the
server. I ended up writing a client/server perl program in which the
server held information about the client interconnecting gif tunnels.
The clients would login and receive tunnel endpoints, routing info,
updates and such.

I'm sure this won't suffice but I will send it to you for your own
hacking pleasure if you wish. Or hell, I'll even modify it so it fits
your needs.

Nick Rogness
- Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
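An added sketch of Gunther's option B (an authenticated endpoint announcement), written for this page and not Nick's Perl program nor anything from the thread. The SOHO side signs its current ${sohoip} and ${sohonet} with an HMAC under a pre-shared key; the headquarters side verifies the tag, rejects stale or replayed announcements, validates the announced values as a real address and prefix before they go anywhere near a setkey script, and then renders the mirror-image spdadd lines from Gunther's snippet. The pre-shared key, the 60-second freshness window, the JSON message layout and the sample addresses are all assumptions made up for the example.

```python
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed values for this example; not taken from the thread.
PSK = b"example-pre-shared-key-rotate-me"   # assumption: distributed out of band
HOMENET = "10.1.0.0/16"                      # headquarters network (${homenet})
HOMEIP = "192.0.2.1"                         # headquarters gateway (${homeip}, static)
FRESHNESS_WINDOW = 60                        # assumption: seconds of skew/delay tolerated


def build_announcement(sohonet, sohoip, now=None):
    """SOHO side: canonical JSON body + HMAC-SHA256 tag, separated by a newline."""
    ts = int(now if now is not None else time.time())
    body = {"sohonet": sohonet, "sohoip": sohoip, "ts": ts}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(PSK, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def verify_announcement(msg, now=None, seen=None):
    """Headquarters side: authenticate, check freshness, reject replays, validate fields.

    Returns the parsed body, or raises ValueError with the reason for rejection.
    `seen` is an optional dict of sohonet -> last accepted timestamp (replay state).
    """
    payload, _, tag = msg.rpartition(b"\n")
    expected = hmac.new(PSK, payload, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the tag check does not leak via timing.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad HMAC")
    body = json.loads(payload)
    ts = int(body["ts"])
    now = int(now if now is not None else time.time())
    if abs(now - ts) > FRESHNESS_WINDOW:
        raise ValueError("stale announcement")
    # The announced values are about to be written into a setkey script, so they
    # must parse as an address and a network, not just be non-empty strings.
    body["sohoip"] = str(ipaddress.ip_address(body["sohoip"]))
    body["sohonet"] = str(ipaddress.ip_network(body["sohonet"]))
    if seen is not None:
        if ts <= seen.get(body["sohonet"], -1):
            raise ValueError("replayed or out-of-order announcement")
        seen[body["sohonet"]] = ts
    return body


def accept(msg, now=None, seen=None):
    """Convenience wrapper: parsed body on success, None on any rejection."""
    try:
        return verify_announcement(msg, now=now, seen=seen)
    except (ValueError, KeyError, TypeError):
        return None


def hq_spd_script(body):
    """Render the headquarters-side SPD entries for the announced endpoint.

    These mirror Gunther's SOHO-side spdadd lines with the directions swapped.
    """
    sohonet, sohoip = body["sohonet"], body["sohoip"]
    return (
        f"spdadd {HOMENET} {sohonet} -P out ipsec esp/tunnel/{HOMEIP}-{sohoip}/require;\n"
        f"spdadd {sohonet} {HOMENET} -P in ipsec esp/tunnel/{sohoip}-{HOMEIP}/require;\n"
    )


if __name__ == "__main__":
    # Constructed round trip: a SOHO gateway announces a fresh DHCP address.
    msg = build_announcement("10.2.0.0/24", "198.51.100.7")
    body = verify_announcement(msg, seen={})
    print(hq_spd_script(body), end="")
```

On the headquarters side the rendered text would be fed to `setkey -c` the same way Gunther does on the SOHO side, after removing the previous entry for that ${sohonet}. Two things the sketch deliberately leaves to the deployment: the message still needs a transport (Nick's client/server login does this job), and a stricter gateway would also check that the announced ${sohoip} matches the source address the message actually arrived from.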