Date:      Thu, 26 Apr 2001 03:12:59 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        "Matthew Emmerton" <matt@gsicomp.on.ca>
Cc:        "Gunther Schadow" <gunther@aurora.regenstrief.org>, freebsd-net@FreeBSD.ORG, brian@Awfulhak.org
Subject:   Re: VPN tunnel with DHCP ... 
Message-ID:  <200104260212.f3Q2CxM08889@hak.lan.Awfulhak.org>
In-Reply-To: Message from "Matthew Emmerton" <matt@gsicomp.on.ca>  of "Wed, 25 Apr 2001 16:43:32 EDT." <003101c0cdc8$64f8bcb0$1200a8c0@gsicomp.on.ca> 

> > Hi,
> >
> > about my SOHO router project, I came across a tough problem, maybe
> > I overlooked that there is a solution already? The VPN gateway
> > at the small office / home office (SOHO) has an IPsec tunnel
> > connecting it to its headquarter:
> >
> > setkey -c  <<END
> >   spdadd ${sohonet} ${homenet} -P out ipsec
> >      esp/tunnel/${sohoip}-${homeip}/require;
> >   spdadd ${homenet} ${sohonet} -P in ipsec
> >      esp/tunnel/${homeip}-${sohoip}/require;
> > END
> >
> > now, the problem is that the ${sohoip} is dynamically assigned
> > with DHCP. How can the gateway at the headquarter know that
> > ${sohoip} address?
> 
> I had a similar situation which I had to work with a while ago, although I
> used ssh tunnels instead of IPSec.  I'm not sure if my method will work, but
> it's worth a try.
> 
> Here's what I did:
> 1) Set the headquarters machine up with static IP and DNS.
> 2) Configure headquarters machine to allow PPP over TCP
> 3) Have remote hosts (with dynamic addresses) connect to headquarters
> machine (static address) using PPP over TCP.  The endpoints of this PPP
> connection use "private" IPs, say 10.x.x.x or 192.168.x.x.  Note that once
> the connection is established, the addresses of both endpoints are known.
> 4) Create SSH tunnels in each direction
> 5) Forward all traffic over the SSH tunnel
> 
> In your case, you could probably use IPsec over the PPP connection instead
> of SSH.

This is a good solution because (as you say) ppp will negotiate an 
address with the other side and the setkey stuff can be done in 
ppp.linkup.

Of course it's a bad solution because of the per-packet overhead and 
the two layers of tcp you'll get with any tcp connection through your 
tunnel (I really must write a udp mux program for ppp).

You need to be careful however.  The ppp.linkup on the side with 
the static IP number should blow away any other ppp sessions that are 
active with the peer (it's ok to do this in ppp.linkup as you've 
authenticated the client at that point).  The problem is that ppp 
will never bring the link fully up if there's a stale connection via 
the previous dynamic IP if the negotiated IP numbers are the same.

So make sure that the side with the static IP has something like this 
in its config:

  set ifaddr x.x.x.x a.a.a.a-b.b.b.b

where x.x.x.x doesn't matter much (it's what the other end will route 
packets to) and a.a.a.a-b.b.b.b is a range of IP numbers that can be 
used by the side with the dynamic IP (for the top-side of the tunnel).

> --
> matt Emmerton

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>;                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !

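The procedure discussed above (ppp negotiates the tunnel endpoints, ppp.linkup then loads the setkey(8) policy, and the static side hands out addresses from a pool given to "set ifaddr") as an added example, not code from the thread or from the FreeBSD ppp/setkey tools themselves. It assumes a hypothetical helper script /usr/local/sbin/ipsec-up.sh called from ppp.linkup with the MYADDR and HISADDR words that ppp(8) substitutes; the networks, addresses, pool and the label "hq" are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): build the setkey(8) SPD from the
# addresses ppp negotiated, and check the peer's address against the pool.
#
# Assumed ppp.conf fragment on the static-IP (headquarters) side:
#   hq:
#     set ifaddr 10.1.1.1 10.1.1.2-10.1.1.20
#
# Assumed ppp.linkup fragment (both sides; ppp(8) replaces MYADDR/HISADDR):
#   hq:
#     !bg /usr/local/sbin/ipsec-up.sh LOCALNET REMOTENET MYADDR HISADDR
#
# The script prints the policy; a real ppp.linkup would pipe it into "setkey -c".

# ip2int ADDR -> prints the dotted quad as an integer; returns 1 on malformed input
# (missing/extra octets, non-digits, values over 255, ambiguous leading zeros).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_range ADDR LOW HIGH -> exit 0 when LOW <= ADDR <= HIGH, 1 when outside,
# 2 when any argument is not a valid address.  On the static side this is the
# check that the peer really got an address from the "set ifaddr" pool.
ip_in_range() {
    addr=$(ip2int "$1") || return 2
    low=$(ip2int "$2") || return 2
    high=$(ip2int "$3") || return 2
    [ "$addr" -ge "$low" ] && [ "$addr" -le "$high" ]
}

# spd_script LOCALNET REMOTENET LOCALIP REMOTEIP
# Prints the setkey(8) policy from the local gateway's point of view: the SOHO
# box calls it as (sohonet homenet sohoip homeip), headquarters as
# (homenet sohonet homeip sohoip), so one function serves both ends.
spd_script() {
    localnet=$1; remotenet=$2; localip=$3; remoteip=$4
    for ip in "$localip" "$remoteip"; do
        ip2int "$ip" >/dev/null || { echo "bad address: $ip" >&2; return 1; }
    done
    cat <<EOF
spdadd ${localnet} ${remotenet} -P out ipsec
    esp/tunnel/${localip}-${remoteip}/require;
spdadd ${remotenet} ${localnet} -P in ipsec
    esp/tunnel/${remoteip}-${localip}/require;
EOF
}

# When run with the four arguments ppp.linkup passes, emit the policy.
if [ "$#" -eq 4 ]; then
    spd_script "$@"
fi
```

On the SOHO side the policy can simply be fed to `setkey -c`; because a reconnect gets a new address from the pool, the stale entries for the previous address should be removed first (`spddelete` with the old addresses, or `spdflush` on a box that carries only this one tunnel). The headquarters side should not flush, since it may hold policies for other SOHO peers; there the `ip_in_range` check is the place to refuse a link whose peer address did not come from the configured pool.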
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104260212.f3Q2CxM08889>