From owner-freebsd-questions@FreeBSD.ORG Mon Aug 11 05:23:39 2003 Return-Path: <owner-freebsd-questions@FreeBSD.ORG> Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F41B637B401; Mon, 11 Aug 2003 05:23:38 -0700 (PDT) Received: from ns1.cksoft.de (ns1.cksoft.de [62.111.66.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id D186D43F93; Mon, 11 Aug 2003 05:23:37 -0700 (PDT) (envelope-from ck@cksoft.de) Received: from majakka.cksoft.de (p508A88E2.dip0.t-ipconnect.de [80.138.136.226]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by ns1.cksoft.de (Postfix) with ESMTP id 496AB15C00A; Mon, 11 Aug 2003 14:23:35 +0200 (CEST) Received: from majakka.cksoft.de (localhost [127.0.0.1]) by majakka.cksoft.de (Postfix) with ESMTP id 4F42D44C7E; Mon, 11 Aug 2003 14:23:34 +0200 (CEST) Received: by majakka.cksoft.de (Postfix, from userid 1000) id 78AE344C7C; Mon, 11 Aug 2003 14:23:33 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by majakka.cksoft.de (Postfix) with ESMTP id 746E944C78; Mon, 11 Aug 2003 14:23:33 +0200 (CEST) Date: Mon, 11 Aug 2003 14:23:33 +0200 (CEST) From: Christian Kratzer <ck@cksoft.de> To: Kent Hauser <kent.hauser@verizon.net> In-Reply-To: <200308110011.58180.kent.hauser@verizon.net> Message-ID: <20030811141505.M85450@majakka.cksoft.de> References: <200308110011.58180.kent.hauser@verizon.net> X-Spammer-Kill-Ratio: 75% MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS snapshot-20020300-cksoft-02bz on majakka.cksoft.de cc: security@freebsd.org cc: questions@freebsd.org cc: Mike Tancsa <mike@sentex.net> Subject: Re: dynamic IPSEC X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions <freebsd-questions.freebsd.org> List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions> List-Post: <mailto:freebsd-questions@freebsd.org> List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help> List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, <mailto:freebsd-questions-request@freebsd.org?subject=subscribe> X-List-Received-Date: Mon, 11 Aug 2003 12:23:39 -0000 Hi, On Mon, 11 Aug 2003, Kent Hauser wrote: > Hi Mike, > > Had any progress? I've also by stymied for a clean solution. Previously, I > used a simple SED script from executed from "/etc/ppp/ppp.linkup" to edit a > "setkeys" script which then negotiated with the office ascend router/gw & all > was VPN heaven. However, I now need to negotiate mobile(FreeBSD) to > static(FreeBSD) & that is proving problematic. Executing a SED script after > DHCP of mobile is easy, but it seems I also need to SED the static host's SPD > -- ie no wildcards allowed as in the ascend router situtation. Needless to > say, allowing "unauthenticated" hosts (read anyone) to modify the SPD on a > machine so that it can be authenticated strikes me as putting the cart before > the horse. > > When I install a "wildcard" host (0.0.0.0) on the static side, racoon only > negotiates the mobile->static SAD...which is useless & expires. Seems to me > that racoon needs to update kernel SPDs with wildcards to support mobile > VPNs. At least that's all I've been able to come up with. > > Have you found a silver bullet? Solution 1: the silver bullet to allow roaming clients with dynamic address to connect to your racoon is to have no policy at all defined for them and use an anonymous section your racoon.conf with generate_policy on; This way your clients connect and racoon sets up any policy they request. This is a bit ugly as you have to trust them not to screw up your policy but seems to be the only solution currently availale with racoon. You will also want to use certificates instead of preshared keys for authentication unless you are comfortable with having a single preshared key for all your roaming users. Solution 2: We have a setup where we have 3 offices each with dynamic ip's and freebsd boxes as their gateways. The boxes all run scripts to register their dynamic ip address at a colocated box with a static ip. The boxes also resolve each others ip addresses every 5 minutes and generate a new ipsec.conf and install it if it differs from the previous one. The system is now very stable and we have ispec tunnels between all 3 offices. If something changes they rewire themselves on the fly. Greetings Christian -- CK Software GmbH Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen Email: ck@cksoft.de Phone: +49 7452 889-135 Open Software Solutions, Network Security Fax: +49 7452 889-136 FreeBSD spoken here!