Date:      Mon, 11 Aug 2003 00:11:58 -1000
From:      Kent Hauser <kent.hauser@verizon.net>
To:        Mike Tancsa <mike@sentex.net>
Cc:        security@freebsd.org
Subject:   dynamic IPSEC
Message-ID:  <200308110011.58180.kent.hauser@verizon.net>

Hi Mike,

Had any progress? I've also been stymied for a clean solution. Previously, I
used a simple SED script executed from "/etc/ppp/ppp.linkup" to edit a
"setkeys" script which then negotiated with the office ascend router/gw & all
was VPN heaven. However, I now need to negotiate mobile (FreeBSD) to
static (FreeBSD) & that is proving problematic. Executing a SED script after
DHCP of mobile is easy, but it seems I also need to SED the static host's SPD
-- i.e. no wildcards allowed as in the ascend router situation. Needless to
say, allowing "unauthenticated" hosts (read anyone) to modify the SPD on a
machine so that it can be authenticated strikes me as putting the cart before
the horse.

When I install a "wildcard" host (0.0.0.0) on the static side, racoon only
negotiates the mobile->static SAD... which is useless & expires. Seems to me
that racoon needs to update kernel SPDs with wildcards to support mobile
VPNs. At least that's all I've been able to come up with.

Have you found a silver bullet?

Cheers, Kent
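Added example (not from this thread): a racoon.conf fragment for the static (responder) side that has racoon install the SPD entries itself when a peer with an unknown address completes Phase 2, so the static host's policy never has to be edited from the mobile side. The address 192.0.2.1, the PSK file path and the identifier scheme are assumptions for illustration.

```conf
# Static-side racoon.conf fragment (constructed example).
# The PSK is looked up by the identifier the mobile peer sends in
# aggressive mode, so psk.txt is keyed by that identifier, not by
# the mobile host's (unknown, DHCP-assigned) address.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed path

remote anonymous {
        # Aggressive mode lets a peer with a dynamic address present
        # its identifier in the first message; main mode is still
        # offered for peers that can use it.
        exchange_mode aggressive, main;

        # Responder only: never initiate towards an unknown address.
        passive on;

        # Install SPD entries for both directions from the initiator's
        # Phase 2 proposal instead of requiring matching spdadd lines.
        generate_policy on;

        my_identifier address 192.0.2.1;   # static host's address (assumed)
        proposal_check obey;
        initial_contact on;
        lifetime time 24 hour;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 parameters accepted from any peer; the SPD entries that
# generate_policy creates are bounded by these and expire with the SA.
sainfo anonymous {
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With this in place the static host keeps no spdadd entries for the mobile peer at all; after a successful negotiation, `setkey -DP` shows the generated policies, and they are removed again when the SA expires.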


