From owner-freebsd-questions@FreeBSD.ORG Fri May 9 11:53:01 2003
From: "Brent Wiese" <brently@bjwcs.com>
To: "'Paul Lathrop'", freebsd-questions@freebsd.org
Date: Fri, 9 May 2003 11:52:55 -0700
Message-ID: <015401c3165c$344ed610$0a0114ac@home.bjwcs.com>
Subject: RE: IPSec, Racoon, and roaming clients

Forgot to mention one more thing... If you do decide to use mpd, make sure you have "gateway_enable=yes" in your rc.conf. I'm guessing you do since you're using it as a gateway already, but this obvious thing threw me for a long time because you tend to not read the readme files when installing ports... :)

Oh, and don't forget to set up the correct firewall rules so that gateway is secure, but you probably knew that too.

> This is a tricky setup.
>
> If your roaming users are Windows, I'd suggest checking out mpd instead. Then your Windows clients can use the built-in PPTP stuff, which is much easier to support than IPsec. Just make sure you use MSCHAP-V2 for auth, not CHAP or MSCHAP-V1.
>
> PPTP uses the GRE protocol, so make sure you're not blocking that.
>
> Actually, even using mpd as a client on Unix boxes can make roaming users much easier to deal with.
>
> Something you may want to consider is replacing your FreeBSD gateway w/ a Snapgear (www.snapgear.com). Has all the VPN stuff you want, it's cheap, powerful (full firewalling capabilities) and really easy to use. Pays for itself in saved time, plus, since there are no moving parts, less chance of breakage and downtime...
>
> Brent
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Paul Lathrop
> > Sent: Saturday, April 26, 2003 12:59 PM
> > To: freebsd-questions@freebsd.org
> > Subject: IPSec, Racoon, and roaming clients
> >
> > I have recently been asked to implement VPN access for some of our roaming employees. Our gateway is a FreeBSD 4.7 box that I administer. Our employees are all on cable modem connections when they are out and about. I have discovered IPsec and racoon, of course, and dug through their documentation. I have also read several very good tutorials on the web. The trouble I am having is that all the information I can find is for setting up a VPN tunnel between two gateways. What I need is a VPN connection between a roaming host (with a dynamic IP) and our VPN gateway (static IP) which will allow access to the internal network behind that gateway (private IP addresses). I have successfully established the VPN connection between a roaming host and the gateway, but without access to the internal network. I can't seem to figure out how to tell setkey to configure a tunnel into the network without knowing ahead of time what the client's IP will be.
> >
> > Can anybody give me some pointers?
> >
> > Thanks,
> > Paul D. Lathrop
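The two things Brent's follow-up and his earlier reply ask the gateway admin to verify (that rc.conf really enables forwarding, and that the firewall lets the PPTP control channel and GRE through) are easy to get subtly wrong, so here is an added example, not code from the thread or from mpd: a small sh script that audits an rc.conf the way rc.subr's checkyesno does and prints the ipfw rules an mpd/PPTP gateway needs. The rc.conf text it writes is a constructed sample, the interface name fxp0 and rule numbers 1000-1030 are placeholders, and the function names gateway_enabled and pptp_rules are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an rc.conf for the
# gateway_enable setting Brent mentions, and print the ipfw rules a
# PPTP (mpd) gateway needs. The rc.conf text written at the bottom is a
# constructed sample; interface name and rule numbers are placeholders.

# gateway_enabled FILE: print "enabled" and return 0 when FILE sets
# gateway_enable to a value rc.subr's checkyesno accepts (yes/true/on/1,
# case-insensitive); otherwise print "disabled" and return 1.
# The last assignment wins, as it does when rc.conf is sourced at boot,
# where gateway_enable turns into sysctl net.inet.ip.forwarding=1.
gateway_enabled() {
    file="$1"
    val=$(grep -E '^[[:space:]]*gateway_enable[[:space:]]*=' "$file" | tail -n 1 \
          | sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' \
                -e 's/["'"'"']//g' -e 's/[[:space:]]//g')
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo enabled; return 0 ;;
        *) echo disabled; return 1 ;;
    esac
}

# pptp_rules EXT_IF: print the ipfw rules for a PPTP server behind
# EXT_IF (the public interface, e.g. fxp0). PPTP uses TCP 1723 for the
# control channel and GRE (IP protocol 47) for the tunnel; a ruleset
# that silently drops GRE is the trap Brent's reply warns about.
# Rule numbers 1000-1030 are placeholders; slot them before the deny
# rules of the existing ruleset. Replace "any" with the client address
# ranges you expect, if those are known, to shrink the exposed surface.
pptp_rules() {
    ext_if="$1"
    cat <<EOF
ipfw add 1000 allow tcp from any to me 1723 in via $ext_if
ipfw add 1010 allow tcp from me 1723 to any out via $ext_if
ipfw add 1020 allow gre from any to me in via $ext_if
ipfw add 1030 allow gre from me to any out via $ext_if
EOF
}

# Stand-alone demo on a constructed rc.conf (not a real system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname="gw.example.net"
ifconfig_fxp0="DHCP"
firewall_enable="YES"
gateway_enable="YES"   # needed for mpd/PPTP clients to reach the LAN
EOF
printf 'gateway_enable in %s: ' "$sample"
gateway_enabled "$sample"
pptp_rules fxp0
rm -f "$sample"
```

Run it against the real file with `gateway_enabled /etc/rc.conf` to get a yes/no answer that matches how the boot scripts will read it (a commented-out line or an earlier assignment overridden later both count as disabled), and feed `pptp_rules fxp0` into the existing ipfw script rather than applying it on its own, since it deliberately contains only the allow rules for PPTP and relies on the surrounding ruleset for everything else.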