From: Stacey Roberts <stacey@vickiandstacey.com>
To: Mike Tancsa
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: IPSEC with Dynamic IP addresses
Date: 14 Jul 2003 18:57:28 +0100
Message-Id: <1058205447.64468.38.camel@localhost>
In-Reply-To: <5.2.0.9.0.20030714134903.02374238@209.112.4.2>

Hello,

On Mon, 2003-07-14 at 18:51, Mike Tancsa wrote:
> Does anyone know of any documentation on how to do this? I have searched
> through Google and I find lots of references to people saying, "use
> certificates", but beyond that I haven't found any actual documentation on
> how to do it.
>
> The setup is 30 client sites with dynamic IP addresses connecting to one
> head office that has a static IP address. The 30 client sites all have
> unique RFC 1918 based subnets behind them. The problem is how to do all
> the setkey business. The client end can find out the IP address it's
> dynamically assigned and then do the appropriate setkey. But the
> head office cannot do the same thing, as it has no built-in way of knowing
> what the client endpoint is. I don't want to implement some additional
> protocol to send to the HQ saying, "Hi, I am IP address xxx, please construct
> your setkey accordingly", as it would be a security issue if not thought out
> correctly. These are all very remote sites, so analog dialup is the only
> connection available.
>
> Any pointers would be great. Currently we are using mpd to dial up and then
> tunnel across the mpd tunnel, but there is a resource leak somewhere in
> doing this. There are other problems with this method as well, so we would
> like to avoid it.
>

Try this link for a starter: http://www.wiretapped.net/~fyre/ipsec/

Hope this helps somewhat.

Regards,

Stacey

> ---Mike
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike

--
Stacey Roberts
B.Sc (HONS) Computer Science
Web: www.vickiandstacey.com
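The client-side "appropriate setkey" step from Mike's question, as an added example that is not part of the thread: it builds the setkey(8) SPD entries for a site whose public address changes on every dial-up, and refuses an address that is itself RFC 1918 (a leaked private address would never work as a tunnel endpoint). The addresses and subnets are constructed sample values; security associations are left to an IKE daemon and are not handled here.

```python
"""Generate client-side setkey(8) SPD policy for a dynamically addressed
site tunnelling to a head office with a static address (added example)."""
import ipaddress

# Constructed sample values, not from the original thread.
HQ_PUBLIC_IP = "203.0.113.1"        # static head-office tunnel endpoint
HQ_SUBNET = "10.0.0.0/24"           # RFC 1918 subnet behind head office
SITE_SUBNET = "192.168.30.0/24"     # this site's unique RFC 1918 subnet

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def client_spd(site_ip: str, site_subnet: str = SITE_SUBNET,
               hq_ip: str = HQ_PUBLIC_IP, hq_subnet: str = HQ_SUBNET) -> str:
    """Return a script for `setkey -c` that (re)installs tunnel-mode ESP
    policy for the site's current public address. Only the SPD is written;
    the SAs themselves are expected to come from IKE negotiation."""
    endpoint = ipaddress.ip_address(site_ip)
    if any(endpoint in net for net in RFC1918):
        # The dial-up peer must present a routable address as its endpoint.
        raise ValueError(f"{site_ip} is RFC 1918, not a usable endpoint")
    site_net = ipaddress.ip_network(site_subnet)
    hq_net = ipaddress.ip_network(hq_subnet)
    if site_net.overlaps(hq_net):
        # Each site must sit behind a subnet distinct from the head office.
        raise ValueError(f"{site_subnet} overlaps head office {hq_subnet}")
    return "\n".join([
        "spdflush;",
        f"spdadd {site_subnet} {hq_subnet} any -P out ipsec "
        f"esp/tunnel/{site_ip}-{hq_ip}/require;",
        f"spdadd {hq_subnet} {site_subnet} any -P in ipsec "
        f"esp/tunnel/{hq_ip}-{site_ip}/require;",
    ]) + "\n"


if __name__ == "__main__":
    # On the real client this would be the address assigned to the PPP link.
    print(client_spd("198.51.100.77"), end="")
```

Feed the output to `setkey -c` from the link-up hook each time the dial-up address changes; the `spdflush;` line drops the policy for the previous address first.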