From owner-freebsd-net Wed Apr 25 13:46:40 2001
From: "Matthew Emmerton"
To: "Gunther Schadow",
References: <3AE7303F.957DE6DC@aurora.regenstrief.org>
Subject: Re: VPN tunnel with DHCP ...
Date: Wed, 25 Apr 2001 16:43:32 -0400
Sender: owner-freebsd-net@FreeBSD.ORG

> Hi,
>
> about my SOHO router project, I came across a tough problem; maybe
> I overlooked that there is a solution already? The VPN gateway
> at the small office / home office (SOHO) has an IPsec tunnel
> connecting it to its headquarters:
>
> setkey -c <<END
> spdadd ${sohonet} ${homenet} -P out ipsec
> esp/tunnel/${sohoip}-${homeip}/require;
> spdadd ${homenet} ${sohonet} -P in ipsec
> esp/tunnel/${homeip}-${sohoip}/require;
> END
>
> now, the problem is that the ${sohoip} is dynamically assigned
> with DHCP. How can the gateway at the headquarters know that
> ${sohoip} address?

I had a similar situation which I had to work with a while ago, although I used ssh tunnels instead of IPSec. I'm not sure if my method will work, but it's worth a try. Here's what I did:

1) Set the headquarters machine up with static IP and DNS.
2) Configure headquarters machine to allow PPP over TCP
3) Have remote hosts (with dynamic addresses) connect to headquarters machine (static address) using PPP over TCP. The endpoints of this PPP connection use "private" IPs, say 10.x.x.x or 192.168.x.x. Note that once the connection is established, the addresses of both endpoints are known.
4) Create SSH tunnels in each direction
5) Forward all traffic over the SSH tunnel

In your case, you could probably use IPsec over the PPP connection instead of SSH.

--
Matt Emmerton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
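The piece the quoted setkey snippet leaves open on the SOHO side is how ${sohoip} gets refilled after each DHCP lease change. As an added example that is not part of the original thread, the POSIX sh script below reads the current address from ifconfig output, refuses to install a policy when no IPv4 address is present, and rebuilds the SPD with it. The interface name, the network/address defaults and the function names are assumptions (placeholders); on FreeBSD it would be run from a dhclient exit hook or by hand after the lease changes.

```shell
#!/bin/sh
# Regenerate the SOHO gateway's IPsec SPD after the DHCP lease changes.
# Added example; the interface and address values are placeholders.

SOHO_IF="${SOHO_IF:-ed0}"                  # outside interface (assumption)
SOHONET="${SOHONET:-192.168.1.0/24}"       # ${sohonet} from the message
HOMENET="${HOMENET:-10.0.0.0/24}"          # ${homenet} from the message
HOMEIP="${HOMEIP:-203.0.113.1}"            # ${homeip}, static HQ address

# Print the first IPv4 address found in "ifconfig <if>" output read on stdin.
# Exit 1 when there is none, so a policy with an empty endpoint is never built.
inet_addr_from_ifconfig() {
    awk '$1 == "inet" { print $2; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

# Emit the setkey configuration for the given SOHO address: flush the stale
# entries first, then the two tunnel policies from the original message.
spd_policy() {
    sohoip="$1"
    printf 'spdflush;\n'
    printf 'spdadd %s %s -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$SOHONET" "$HOMENET" "$sohoip" "$HOMEIP"
    printf 'spdadd %s %s -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$HOMENET" "$SOHONET" "$HOMEIP" "$sohoip"
}

# Read the live address and feed the regenerated policy to setkey.
refresh_spd() {
    sohoip=$(ifconfig "$SOHO_IF" | inet_addr_from_ifconfig) || {
        echo "no IPv4 address on $SOHO_IF; leaving SPD untouched" >&2
        return 1
    }
    spd_policy "$sohoip" | setkey -c
}

# Only touch the kernel when explicitly asked: ./refresh-spd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    refresh_spd
fi
```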