From owner-freebsd-questions Tue Jan 22 3:24:19 2002
Message-ID: <20020122112412.21323.qmail@web20008.mail.yahoo.com>
Date: Tue, 22 Jan 2002 11:24:12 +0000 (GMT)
From: Gavin Kenny
Subject: Re: VPN with dynamic IP's
To: questions@freebsd.org

> -----Original Message-----
> From: Wayne Pascoe [mailto:freebsd@molemanarmy.com]
> Sent: 21 January 2002 19:12
> To: freebsd-questions@freebsd.org
> Subject: VPN with dynamic IP's
>
> Hi all,
>
> Quick question about building a VPN. We have the following
> situation. Our office machine (and firewall) have fixed IP
> addresses. We also have several staff who have ADSL connections at
> home with dynamic IP's.
>
> Our current corporate firewall (Raptor) is apparently unable to
> provide VPN services with dynamic IP addresses. This is what our ops
> people tell me.
>
> Can IPSEC provide this kind of solution? Shouldn't this be doable
> using the private keys to authenticate?

I don't think it is doable just with IPSec, as IPSec uses IP addresses to identify packets and therefore know what processing to do to them (encrypt/decrypt). IPSec does not even think about keys until it has identified a packet by its IP address.
IKE, the IPSec key management daemon (called racoon on FreeBSD), does pass keys between hosts, but I seem to remember that it again uses IP addresses as the initial means of working out if you are worth talking to.

If you used a FreeBSD machine as your VPN gateway, it could be conceivable to write a little script where your machine with a dynamic address could find out its IP address and then send this to the firewall as a PGP protected email or something (ssh I guess, I've no experience of this). The firewall would then decrypt the new IP address using PGP and could then alter its SA/SP tables accordingly. racoon would then be automatically called when you first tried to connect, a key exchange would happen, and hey presto, secure comms.

hope this is useful

cheers
Gavin
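
Added example, not part of the original message: the gateway-side step described above, turning an address report into `setkey(8)` policy changes, with strict validation because the reported string ends up in input processed as root. The addresses, the office network and the function names are constructed for illustration, and verification of the report's signature (PGP or ssh in the post) is assumed to have happened before this code runs.

```python
import ipaddress

GATEWAY_IP = ipaddress.IPv4Address("192.0.2.1")  # constructed: gateway's fixed address
OFFICE_NET = "10.0.0.0/24"                       # constructed: LAN behind the gateway
# Addresses a home ADSL peer can never legitimately report.
REJECTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def parse_peer_address(text):
    """Strictly parse a reported address; raise ValueError on anything else.

    The report's signature is assumed to be verified already. The string is
    still untrusted as syntax, because it ends up in input to setkey(8).
    """
    addr = ipaddress.IPv4Address(text.strip())   # rejects trailing junk such as "; flush;"
    if addr == GATEWAY_IP or any(addr in net for net in REJECTED):
        raise ValueError("refusing peer address %s" % addr)
    return addr


def spd_update(new_text, old_text=None):
    """Return setkey(8) input moving the peer's tunnel policies to its new address."""
    new = parse_peer_address(new_text)
    lines = []
    if old_text is not None:
        old = parse_peer_address(old_text)
        if old == new:
            return ""                            # unchanged: leave the SPD alone
        lines += ["spddelete %s %s/32 any -P out;" % (OFFICE_NET, old),
                  "spddelete %s/32 %s any -P in;" % (old, OFFICE_NET)]
    lines += ["spdadd %s %s/32 any -P out ipsec esp/tunnel/%s-%s/require;"
              % (OFFICE_NET, new, GATEWAY_IP, new),
              "spdadd %s/32 %s any -P in ipsec esp/tunnel/%s-%s/require;"
              % (new, OFFICE_NET, new, GATEWAY_IP)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the peer moved from 203.0.113.7 to 198.51.100.9.
    print(spd_update("198.51.100.9", "203.0.113.7"), end="")
```

The returned text is meant to be piped to `setkey -c` on the gateway; the security associations themselves are left to racoon, as the message describes.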