From: VANHULLEBUS Yvan
To: freebsd-security@freebsd.org
Date: Wed, 25 Jan 2006 15:21:08 +0100
Subject: Re: IPsec, VPN and FreeBSD
Message-ID: <20060125142108.GB682@zen.inc>
In-Reply-To: <20060125021915.59670.qmail@web52102.mail.yahoo.com>

On Tue, Jan 24, 2006 at 06:19:15PM -0800, gahn wrote:
[....]
> As to the roaming users, very unlikely there will be
> dial-up line, but those users could be on road and
> using ISPs to connect the internal lab. both sites are
> labs.
>
> I will try the roaming clients<--->freebsd vpn server
> first.
IPsec with dynamic remote IPs is not that difficult, especially with racoon's generate_policy option, but you'll need to know what you are doing: Aggressive mode + PSK is known to be less secure than other modes, Main mode + PSK can't be done with remote dynamic IPs, and Main mode + X509 certificates needs some X509 certificate knowledge...

But it CAN be done. It is probably NOT the easiest way of doing things, but it is probably the most secure, the most interoperable and the most "easy" to administrate when it's in production...

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
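A racoon.conf fragment for the Main mode + X509 certificate setup with generate_policy that Yvan recommends for roaming clients. This is an added illustration, not configuration from the thread or from NETASQ; the file paths, certificate names and algorithm choices are assumptions.

```conf
# /usr/local/etc/racoon/racoon.conf on the FreeBSD VPN server (assumed path).
# Certificate and key file names below are assumptions for this example.
path certificate "/usr/local/etc/racoon/certs";

# Roaming clients connect from unknown addresses, so the server matches any
# peer ("anonymous") and only answers (passive); it never initiates.
remote anonymous {
        exchange_mode main;      # Main mode: identities are exchanged encrypted,
                                 # unlike Aggressive mode
        passive on;
        generate_policy on;      # create the SPD entries for the client's current
                                 # address when phase 2 completes
        proposal_check obey;

        # Authenticate peers with X509 certificates. With a PSK in Main mode the
        # responder must look the key up by the peer's IP before the identity is
        # known, which is exactly what a dynamic client address makes impossible.
        certificate_type x509 "vpnserver.crt" "vpnserver.key";
        ca_type x509 "ca.crt";
        verify_cert on;          # reject clients whose cert is not signed by our CA
        my_identifier asn1dn;    # identify by certificate subject, not by IP
        peers_identifier asn1dn;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;   # certificate-based, no PSK
                dh_group 2;
        }
}

# Phase 2 parameters for any client/network pair; the kernel policies
# themselves come from generate_policy above, not from a static setkey file.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Clients need a matching remote block with exchange_mode main and their own certificate signed by the same CA; the FreeBSD kernel must be built with IPsec support for racoon to install the generated policies.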