From owner-freebsd-questions Sun Jan 12 16:29:13 2003
Date: Sun, 12 Jan 2003 19:29:02 -0500
From: Louis LeBlanc
To: FreeBSD Questions
Subject: Re: VPN Newbie has a silly question
Message-ID: <20030113002901.GI33785@keyslapper.org>
References: <20030112223203.GB33785@keyslapper.org> <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca>
In-Reply-To: <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca>
User-Agent: Mutt/1.5.3i

On 01/12/03 06:22 PM, Dru sat at the 'puter and typed:
> On Sun, 12 Jan 2003, Louis LeBlanc wrote:
>
> > Here's a complicated VPN question:
> >
> > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > only way thru is via VPN - unfortunately, the VPN in use is an old
> > proprietary Cisco deal that has no client ported to FreeBSD.
> >
> > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > but with the dns name served thru Zoneedit.com - so anytime the IP
> > changes, there's maybe an hour or two of lag time while the auto
> > update scripts get the dns back on track.
> >
> > What I want to do is initiate a VPN connection from WORK to HOME, and
> > here's where I show my VPN ignorance, connect thru that VPN connection
> > from HOME to WORK. Basically I want to work from home on a secure
> > connection rather than just getting my work machine to pop a terminal
> > up on the home display over an insecure connection.
> >
> > I suspect this won't work this way, but I figure what the hell. The
> > worst that can happen is someone tells me I'm a dope and it don't work
> > that way.
> >
> > So will it, or not?
>
> It should be doable. You may have less hair than you started out with and
> learn more than you ever cared to about IPSec on the way to getting it to work,
> but it should work.

Ok, then no deadlines . . . Thanks!

> Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> difference) Do you have the flexibility of getting its admin to create the
> necessary IPSec policy and access lists to allow you through? Is your new
> IP address always within the same network range? (that will make access
> lists much easier)

No, it's a Cisco 5000, or some such thing. It isn't IPSEC compliant, but
has like 2 general passwords - in addition to the user password. There
was supposed to be some promotion from Cisco to upgrade it last year,
with free hardware, but our sysadmins were swamped at the time and
decided against it. Had they had the time, it would have become IPSEC
compliant.

> These will get you started:
>
> klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
>
> www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
>
> you want SC: Part 4: IP Security and Encryption
>
> Make sure you create a "dynamic" crypto map in addition to the regular
> crypto map. Authentication may prove interesting due to the dynamic IP;
> you'll want to read up carefully on your possibilities.
>
> As a side note, it may prove easier to just configure ssh on the
> destination computer and create the necessary rule to allow the
> connection on the access list on the Cisco thingie. Just a thought.
>
> Good luck,
>
> Dru

I'll start on that. What I'll do is look out for a connection failure
hook of sorts, and just write a script to reinitialize the connection
when the IP changes. Shouldn't be too hard to monitor that and write a
catch script to fix the configs and reestablish the connection.

Thanks a bunch.

Lou
--
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

nolo contendere:
  A legal term meaning: "I didn't do it, judge, and I'll never do it
  again."
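Lou's closing plan (a script that notices the link dropping or HOME's address changing and re-establishes it), built on the ssh variant Dru suggests, as an added example that is not part of the thread and is not anyone's posted code. WORK opens a reverse tunnel to HOME with ssh -R, so a session started on HOME against the forwarded port comes back through the tunnel to WORK's own sshd; that gives the "initiate from WORK, connect from HOME" direction Lou asked about without touching the Cisco box beyond one outbound ssh rule. Every name here is an assumption: HOME_HOST stands in for the Zoneedit name, REMOTE_PORT for the port on HOME that leads back to WORK, INTERVAL for the poll period, and the decision logic is pulled into its own function so it can be checked without a network.

```sh
#!/bin/sh
# Added example (not from the thread). Watchdog for a WORK -> HOME reverse ssh
# tunnel: reconnects when the tunnel dies or when HOME_HOST resolves to a new
# address. Assumed, caller-supplied settings:
HOME_HOST=${HOME_HOST:-home.example.org}   # the dynamic-DNS name of HOME
REMOTE_PORT=${REMOTE_PORT:-2222}           # port on HOME that forwards to WORK:22
INTERVAL=${INTERVAL:-60}                   # seconds between checks

# resolve_host NAME: print the first IPv4 address for NAME, or nothing when
# the lookup fails (e.g. during the DNS update lag the thread mentions).
resolve_host() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# decide_action LAST_ADDR CUR_ADDR TUNNEL_STATE
#   LAST_ADDR    address the running tunnel was opened to ("" if none yet)
#   CUR_ADDR     address DNS returns now ("" if the lookup failed)
#   TUNNEL_STATE "up" or "down"
# Prints one of: wait, reconnect, noop. Pure logic, no side effects.
decide_action() {
    last=$1 cur=$2 state=$3
    if [ -z "$cur" ]; then
        # DNS has nothing for us yet; dialling now can only fail.
        echo wait
    elif [ "$state" != up ]; then
        echo reconnect
    elif [ "$last" != "$cur" ]; then
        # The name moved: the old tunnel is stale even if TCP has not noticed.
        echo reconnect
    else
        echo noop
    fi
}

# start_tunnel ADDR: open the reverse tunnel in the background, print its pid.
#   -N                   no remote command, forwarding only
#   -R REMOTE_PORT:localhost:22  HOME's REMOTE_PORT (bound to HOME's loopback)
#                        is forwarded back to WORK's own sshd
#   HostKeyAlias         check HOME's host key under its name, not its address,
#                        so a changed or hijacked address is rejected rather
#                        than silently accepted as a "new" host
#   BatchMode            never prompt; a background job cannot answer
#   ServerAlive*         make ssh exit when the link is dead, so a hung
#                        process never masquerades as a live tunnel
start_tunnel() {
    ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o HostKeyAlias="$HOME_HOST" \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "$REMOTE_PORT:localhost:22" "$1" &
    echo $!
}

# tunnel_state PID: "up" while the ssh process exists, else "down".
tunnel_state() {
    if [ -n "$1" ] && kill -0 "$1" 2>/dev/null; then echo up; else echo down; fi
}

# watchdog: poll forever. The tunnel is opened to the address, not the name,
# so we always know which address the running tunnel belongs to.
watchdog() {
    last_addr= pid=
    while :; do
        cur_addr=$(resolve_host "$HOME_HOST")
        case $(decide_action "$last_addr" "$cur_addr" "$(tunnel_state "$pid")") in
            reconnect)
                [ -n "$pid" ] && kill "$pid" 2>/dev/null
                pid=$(start_tunnel "$cur_addr")
                last_addr=$cur_addr
                ;;
            wait|noop)
                ;;
        esac
        sleep "$INTERVAL"
    done
}

# Only enter the loop when explicitly asked, so the functions can be sourced.
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then
    watchdog
fi
```

Run it on WORK with WATCHDOG_RUN=1; on HOME, ssh -p 2222 localhost then lands on WORK. Because the script dials whatever address DNS hands it, host-key verification pinned to the name (HostKeyAlias plus a pre-seeded known_hosts entry, and BatchMode so ssh fails instead of prompting) is the check that keeps a stale or spoofed record from receiving a port that leads straight back to WORK's sshd; the -R bind defaults to HOME's loopback, so nobody but HOME itself can reach that port.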