Date: Wed, 24 Oct 2001 17:13:54 +0100
From: tariq_rashid@lineone.net
To: freebsd-security@freebsd.org
Subject: 2-channel isakmpd on freebsd4.4R?
Message-ID: <E15wQfC-00031t-00@mk-smarthost-2.mail.uk.worldonline.com>
First: let me apologise for thanking those who gave useful advice and help last week - I was away unexpectedly.
ok - consider the following:
[ isakmpd ] 192.168.1.1 ------- 192.168.1.2 [ isakmpd ]
[  vpn H  ]                                 [  vpn A  ]
     |                                           |
     | 10.0.7.2                         10.8.0.1 |
     |                                           |
     |                                           |
{ 10.0.0.0/16 subnet }                { 10.8.0.0/16 subnet }
*- in fact there is more than one subnet connected to "H"
these are A, B, C etc ... these all have dynamic public IPs
(so 192.168.1.2 may change) - only "H" 192.168.1.1 is static
*- configuration uses pre-shared secrets, aggressive mode USER_FQDN etc etc
this is fine (thanks to people on this list)
Communication from any subnet to any subnet works fine. This is done
by using multiple Connections= (spoke) and Passive-connections= (hub) tags...
eg spoke: Connections= IPsec-A-H IPsec-A-B
eg hub: Passive-Connections= IPsec-H-A IPsec-H-B IPsec-A-B IPsec-B-A
However, communication initiated from the vpn-endpoint boxes themselves does not work.
( I suspect that despite the packets being formed with source=external-ip, the ipsec "trap"
doesn't catch them).
Solution tried: MORE Connections were tried. In addition to the IPV4_ADDR_SUBNET endpoints,
non-subnet IPV4_ADDR was tried. This failed. (This fails on its own too???)
The UGLY solution which works is to use NATd: something like ...
ipfw delete 50; ipfw add 50 divert natd all from any to 10.8.0.0/16 via rl0; natd -v -n fxp0
Keep in mind that isakmpd.conf can't be over-specified due to the need for the spoke-nets requiring
dynamic public IPs.
Any better ideas? much appreciated!
tariq
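An added isakmpd.conf sketch (not the poster's configuration) of the spoke-side Phase 2 sections the message describes: the working subnet-to-subnet connection next to the extra gateway-host-to-subnet connection that uses a non-subnet IPV4_ADDR ID. The peer name, the quick-mode configuration name and all section names other than IPsec-A-H / IPsec-H-A are assumptions.

```ini
# Spoke "A" (public 192.168.1.2, inside 10.8.0.0/16) talking to hub "H" (192.168.1.1).
# Assumed names: peer-H, Default-quick-mode, Net-A, Net-H, Host-A, IPsec-A-H-gw.
[Phase 2]
# Subnet-to-subnet flow (the one that already works) plus a second flow whose
# local side is the gateway's own address, so packets the spoke box itself
# originates (source = its external IP) have an SA/flow to match.
Connections=            IPsec-A-H IPsec-A-H-gw

[IPsec-A-H]
Phase=                  2
ISAKMP-peer=            peer-H
Configuration=          Default-quick-mode
Local-ID=               Net-A
Remote-ID=              Net-H

[IPsec-A-H-gw]
Phase=                  2
ISAKMP-peer=            peer-H
Configuration=          Default-quick-mode
Local-ID=               Host-A
Remote-ID=              Net-H

[Net-A]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.8.0.0
Netmask=                255.255.0.0

[Net-H]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.0.0

# Single-host ID: this is the "non-subnet IPV4_ADDR" endpoint from the message.
[Host-A]
ID-type=                IPV4_ADDR
Address=                192.168.1.2

# Hub "H" side (only the relevant line): the responder accepts a quick-mode
# proposal only if its IDs mirror one of its own connections, so every spoke
# flow needs a twin here with Local-ID/Remote-ID swapped.
# [Phase 2]
# Passive-Connections=  IPsec-H-A IPsec-H-A-gw IPsec-H-B IPsec-H-B-gw
```

The catch is the one the message already points at: the hub's twin of IPsec-A-H-gw would have to name the spoke's public address as its Remote-ID, and that address is dynamic, so the hub cannot pin it down without over-specifying the file. The natd workaround sidesteps this by rewriting gateway-originated packets to an address inside Net-A, which then matches the subnet-to-subnet flow that is already negotiated.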