Date: Sun, 12 Jan 2003 19:29:02 -0500 From: Louis LeBlanc <leblanc+freebsd@keyslapper.org> To: FreeBSD Questions <freebsd-questions@FreeBSD.ORG> Subject: Re: VPN Newbie has a silly question Message-ID: <20030113002901.GI33785@keyslapper.org> In-Reply-To: <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca> References: <20030112223203.GB33785@keyslapper.org> <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On 01/12/03 06:22 PM, Dru sat at the `puter and typed: > > > On Sun, 12 Jan 2003, Louis LeBlanc wrote: > > > Here's a complicated VPN question: > > > > I have one FreeBSD machine behind a firewall (let's call it WORK), > > only way thru is via VPN - unfortunately, the VPN in use is an old > > proprietary Cisco deal that has no client ported to FreeBSD. > > > > The other machine (also FreeBSD, call it HOME), is on a dynamic IP, > > but with the dns name served thru Zoneedit.com - so anytime the IP > > changes, there's maybe an hour or two of lag time while the auto > > update scripts get the dns back on track. > > > > What I want to do is initiate a VPN connection from WORK to HOME, and > > here's where I show my VPN ignorance, connect thru that VPN connection > > from HOME to WORK. Basically I want to work from home on a secure > > connection rather than just getting my work machine to pop a terminal > > up on the home display over an insecure connection. > > > > I suspect this won't work this way, but I figure what the hell. The > > worst that can happen is someone tells me I'm a dope and it don't work > > that way. > > > > So will it, or not? > > > It should be doable. You may have less hair than you started out with and > learn more than you ever cared to about IPSec on the way to getting it to work, > but it should work. Ok, then no deadlines . . . Thanks! > Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a > difference) Do you have the flexibility of getting its admin to create the > necessary IPSec policy and access lists to allow you through? Is your new > IP address always within the same network range? (that will make access > lists much easier) No, it's a Cisco 5000, or some such thing. It isn't IPSEC compliant, but has like 2 general passwords - in addition to the user password. There was supposed to be some promotion from Cisco to upgrade it last year, with free hardware, but our sysadmins were swamped at the time and decided against it. Had they had the time, it would have become IPSEC compliant. > These will get you started: > > klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm > > www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html > > you want SC: Part 4: IP Security and Encryption > > Make sure you create a "dynamic" crypto map in addition to the regular > crypto map. Authentication may prove interesting due to the dynamic IP; > you'll want to read up carefully on your possibilities. > > As a side note, it may prove easier to just configure ssh on the > destination computer and create the necessary rule to allow the > connection on the access list on the Cisco thingie. Just a thought. > > Good luck, > > Dru I'll start on that. What I'll do is look out for a connection failure hook of sorts, and just write a script to reinitialize the connection when the IP changes. Shouldn't be too hard to monitor that and write a catch script to fix the configs and reestablish the connection. Thanks a bunch. Lou -- Louis LeBlanc leblanc@keyslapper.org Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://www.keyslapper.org ԿԬ nolo contendere: A legal term meaning: "I didn't do it, judge, and I'll never do it again." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030113002901.GI33785>