From: Eric Anderson <anderson@centtech.com>
Date: Mon, 09 Dec 2002 17:00:06 -0600
To: Fernando Gleiser
Cc: security@freebsd.org
Subject: Re: (slightly OT) IPSec with dynamic IP
Message-ID: <3DF52076.4020700@centtech.com>

Fernando Gleiser wrote:
> I'm sorry if this is OT for -security. I sent it to -questions but
> got no answer.
>
> I need to set up a VPN between a corporate LAN and roaming users. The
> firewall is a FreeBSD 4.7 box with ipf/ipnat and will act as a security
> gateway for the tunnel.
>
> On the other side there are several Win2K/XP boxes connected to the
> Internet via DSL/cable modem/dialup/carrier pigeon/whatever and they have
> a different IP every time they connect.
>
> The problem is: every single doc/tutorial/man page I've read says how to
> set up the SA with static IPs, but now one side is dynamic.
>
> So the questions are:
>
> 1. Is this possible?
> 2. If it's possible, can I do it with IKE/ISAKMP?
> 3. Does anybody have a pointer to a doc which says how to do it? I'll rtfm,
> just tell me where the fm is :)

1. Yes, it is possible. You'll have to do something with certificates probably, or use mpd on the server end. There are other solutions, those are just a few things.

2. Maybe. Are you trying to connect each individual Windows box, or are you going to have a firewall/gateway that does this for all of them (the entire LAN)?

3. I don't know. Maybe... I have this working, so maybe I should write one up. :)

Eric

--
------------------------------------------------------------------
Eric Anderson   Systems Administrator   Centaur Technology
Beware the fury of a patient man.
------------------------------------------------------------------
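The certificate-based approach Eric mentions, shown as an added example that is not part of his reply or of the thread: a racoon.conf fragment for the FreeBSD gateway side of a road-warrior setup. The reason certificates (or at least an identifier-based authentication) are needed is that with main mode and pre-shared keys racoon looks the key up by the peer's IP address, which is unknown in advance when the client is on DSL or dialup. The `remote anonymous` block accepts IKE phase 1 from any address, `passive on` makes the gateway responder-only, and `generate_policy on` installs the SPD entries for whatever selectors the authenticated client proposes, so no per-client setkey rules are required. The certificate directory, file names and algorithm choices below are assumptions for the example, not anything from the original message.

```conf
# /usr/local/etc/racoon/racoon.conf  (gateway side; hypothetical paths)
path certificate "/usr/local/etc/racoon/certs";   # assumed location of CA and gateway cert/key

# Accept phase 1 from any peer address: the roaming clients have no fixed IP.
remote anonymous {
        exchange_mode main;
        passive on;                 # gateway only responds, never initiates
        generate_policy on;         # install SPD entries from the client's proposal
        certificate_type x509 "gateway.crt" "gateway.key";  # assumed file names
        verify_cert on;             # client cert must chain to a CA in 'path certificate'
        my_identifier asn1dn;
        peers_identifier asn1dn;    # identity taken from the client certificate's DN
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;   # certificates instead of pre-shared keys
                dh_group modp1024;
        }
}

# Phase 2 parameters offered to any authenticated client.
sainfo anonymous {
        pfs_group modp1024;
        lifetime time 1 hour;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Two caveats a practitioner will want: `verify_cert on` only checks that the client certificate chains to a CA found under `path certificate`, so issue client certificates from a CA you control and revoke by removing or replacing that CA file, since this racoon version has no CRL handling to rely on; and `generate_policy on` installs whatever traffic selectors the authenticated peer proposes, so the ipf rules on the gateway should still restrict what the decrypted traffic may reach rather than trusting the SPD alone.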