Date: Mon, 02 Apr 2001 09:37:19 -0700
From: Erik Salander <erik@whistle.com>
To: freebsd-security@freebsd.org
Subject: IPSec and dynamic IP?
Message-ID: <3AC8AABF.C2B52283@whistle.com>
Is there a way to set up setkey and racoon.conf to accommodate dynamic IP on the security gateway of a LAN-to-LAN VPN? I have a reply from Soichi below, indicating this isn't part of the KAME distribution, perhaps a patch someplace?

I see references like this (from the Borderware site):

The BorderWare IPSec VPN supports the use of Main Mode and Aggressive Mode for IKE Phase-1 negotiation. Main Mode provides for increased security during Phase-1 by encrypting the initial IKE traffic at the expense of performance. Aggressive Mode is used in cases where the initial traffic cannot be encrypted, as is the case for dynamic IP VPN clients, or when performance is an important factor.

So I wonder if there's a combo of things like 0.0.0.0 as a peer IP address (on setkey), some my_identifier alternative other than "address" (in racoon.conf) and aggressive mode that will work.

How about for a LAN-to-host configuration, can a FreeBSD-based security gateway accommodate a host with dynamic IP?

Thanks again.
Erik

=======================
My original post to Kame mailing list:

> I have a typical LAN-to-LAN IPSec VPN working with FreeBSD 4.2-STABLE
> and the latest racoon (20010222a). Here's a policy on one end:
>
> spdadd 10.3.1.0/24 10.3.2.0/24 any -P in ipsec
>        esp/tunnel/206.77.205.83-206.77.205.115/require;
>
> What would I specify for setkey if one of the security gateways had a
> dynamically assigned IP address on its public interface?

Soichi's reply:

KAME doesn't support a dynamically assigned IP address as the end point of the IPSec tunnel. I'm not sure someone may have a patch which is able to do that.
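As an added illustration (not from the thread or from KAME), here is how the three pieces the poster lists, a non-address my_identifier, aggressive mode and a peer whose address is not fixed, combine in racoon.conf syntax on the gateway that keeps the fixed address 206.77.205.83. It assumes a racoon release that accepts "remote anonymous" and "generate_policy" (per Soichi's reply, the KAME release of the time does not cover this case); the FQDNs, key path and LAN-side "remote" block are placeholders.

```conf
# Static-address gateway (206.77.205.83): accept Phase 1 from any source
# address and match the peer on its FQDN identity instead of its IP.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # placeholder path;
                                                        # key is indexed by FQDN

remote anonymous {
        exchange_mode aggressive;       # identity is carried in message 1, so it
                                        # can be matched before any address is known
        my_identifier fqdn "gw-static.example.net";     # placeholder
        peers_identifier fqdn "gw-dynamic.example.net"; # placeholder
        verify_identifier on;           # drop initiators whose ID does not match
        generate_policy on;             # install the SPD entry for 10.3.2.0/24 <->
                                        # 10.3.1.0/24 from the Phase 2 IDs, since the
                                        # peer address cannot be written in setkey
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Dynamic-address gateway: it knows the static peer, so a normal remote block
# is enough; it sends its FQDN so the other side can look up the key.
# remote 206.77.205.83 {
#         exchange_mode aggressive;
#         my_identifier fqdn "gw-dynamic.example.net";   # placeholder
#         peers_identifier fqdn "gw-static.example.net"; # placeholder
#         proposal { ...same proposal as above... }
# }
```

Aggressive mode sends the identities unencrypted and, with pre-shared keys, lets an observer of the exchange run an offline guess against the PSK, so the key must be long and random or certificate authentication used instead.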