From owner-freebsd-questions Wed Nov 20 10:59:44 2002
From: Jim Durham
Reply-To: durham@jcdurham.com
Organization: James Durham Consulting
To: Bill Moran
Cc: freebsd-questions@freebsd.org
Subject: Re: VPN and roaming Windows 2K users
Date: Wed, 20 Nov 2002 13:59:29 -0500
User-Agent: KMail/1.4.3
References: <20021120100754.GB68431@yazzy.org> <200211201001.47980.durham@jcdurham.com> <3DDBAC4E.5040104@potentialtech.com>
In-Reply-To: <3DDBAC4E.5040104@potentialtech.com>
Message-Id: <200211201359.29955.durham@jcdurham.com>
Sender: owner-freebsd-questions@FreeBSD.ORG

On Wednesday 20 November 2002 10:37 am, Bill Moran wrote:
> Jim Durham wrote:
> > On Wednesday 20 November 2002 05:07 am, Marcin M. Jessa wrote:
> >> Do you know how to make a FreeBSD firewall a VPN server for roaming Win2K
> >> boxes (Win2k users without static IP's)? I've been playing with racoon
> >> for a few days but it seems that the only way it can authenticate
> >> roaming Windows VLAN users is with preshared certificates.
> >> This again excludes usage of manual keying (pre_shared_keys) which is
> >> necessary for accepting connections from dynamic IP's.
> >> The preshared keys method can be configured to accept connections
> >> from specified hostnames and that could work with windows boxes that run
> >> a dyndns client. Again Windows and racoon can only communicate using
> >> certificates and not manual keying....an evil circle. Windows can speak
> >> with racoon if one makes racoon automatically exchange keys but this
> >> works only if Windows clients have static IP's...
> >> Have any of you guys an idea about what to do to combine these methods?
> >>
> >> Or maybe there is a workaround? Please squeeze your brains and let me
> >> know about whatever you think may be of interest in this matter.
> >
> > I use mpd to serve 95, 98, 2000 and XP boxes using their "VPN" connection.
> > This seems to work well and you can coach a remote user through the
> > Windows setup over the phone with minimal trouble.
> >
> > I use racoon and IPSEC between offices with FreeBSD boxes on each end.
>
> Have you ever tried using vtun between the FreeBSD machines? I've never
> used racoon/IPsec between FreeBSD machines, but I was overjoyed at the
> simplicity and workability of vtun.
> Just curious if anyone has used both that could compare them.

Yes, I used vtun for about a year. It worked fine as long as the network
stayed up between here and the West Coast, but, when it went down for any
length of time, which happens quite regularly in the middle of the night,
it wouldn't reestablish. I find that IPSEC is more robust and you don't need
to run PPP over it (although technically, you don't have to with vtun).
IPSEC stays up and reestablishes itself.

I've also tunnelled with SSH and found that maintaining the "connection"
was a little troublesome.

-Jim
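The split Marcin runs into above (a pre-shared key is looked up by the peer's fixed address, so a roaming peer with no fixed address has to be identified by a certificate instead) is what the two `remote` blocks in the following racoon.conf show side by side. This is an added example written for this page, not a config from the thread or from the racoon project; the office peer address 203.0.113.10, the file names under /usr/local/etc/racoon and the certificate subject names are assumptions.

```conf
# racoon.conf: static-address office peer with a pre-shared key, plus
# roaming peers (dynamic addresses) authenticated with X.509 certificates.
# Added example; addresses, paths and file names are assumptions.

path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # keep this file mode 0600
path certificate    "/usr/local/etc/racoon/certs";     # gw.crt, gw.key, CA cert

# --- Site-to-site, FreeBSD box on each end (what Jim describes) ---------
# The key in psk.txt is indexed by this address, which is exactly why the
# method cannot serve a peer whose address changes: there is nothing to
# look the key up by before the identity is known.
remote 203.0.113.10 {
    exchange_mode main;
    my_identifier address;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;      # era-appropriate; use aes today
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# --- Roaming clients, any source address ---------------------------------
# 'anonymous' matches any peer address; 'passive on' makes this end only
# respond, never initiate, and 'generate_policy on' builds the SPD entry
# from the proposal the client sends, since its address is not known in
# advance. Identity is the certificate DN, checked against the CA in the
# certificate path, so no address-keyed secret is needed.
remote anonymous {
    exchange_mode main;
    passive on;
    generate_policy on;
    certificate_type x509 "gw.crt" "gw.key";
    my_identifier asn1dn;               # send our cert subject as ID
    peers_identifier asn1dn;            # expect the client's cert subject
    verify_cert on;                     # refuse any cert not chained to our CA
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;   # certificate, not pre_shared_key
        dh_group 2;
    }
}

# Phase 2 parameters shared by both kinds of peer.
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Two checks worth doing before trusting the anonymous block: confirm that `verify_cert on` is really in effect (a client presenting a self-signed certificate must be rejected in the racoon log rather than negotiating Phase 1), and make sure the CA certificate in the `path certificate` directory is only the CA you issue client certificates from, since any certificate chaining to it will be accepted from any address. The 3DES/SHA-1/group 2 proposal matches what the Windows 2000 client of the thread's date negotiates; a current deployment would choose stronger algorithms.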