IPSec, dynamic IPv4 addresses and FreeBSD?
Hi,
This may be a simple question but I have spent some time failing to find the
answer - The short form of the question is can I tunnel from a machine with
a dynamic IP address to a FreeBSD machine using IPSec?
Longer form with diagram (ASCII art I'm afraid):
 Home m/c 1         Home m/c 2
     |                  |
     |------------------|
     | 10.2.0.0/16
     |
 OpenBSD firewall+NAT m/c
     |
     | ?.?.?.?/32 (not under my control and
     |             will change from time to time)
     |
 Cable modem with DHCP
     |
     |
 "The internet"
     |
     |
 ADSL modem
     |
     | (some fixed addresses 1.2.3.0/29)
     |
 Firewall
     |
     | 10.1.0.0/16
     |------------------------------------------------
     |                  |                  |
 FreeBSD tunnel m/c   Work m/c 1       .........
I want to create a secure tunnel between my home network and my work network
whilst allowing the home m/cs to access the general internet via NAT (hardly
a novel idea I'm sure). The obvious method seemed to be to set up IPSec
with X509 certificates as proof of Id. I thought I could work out how to do
that using racoon (and indeed isakmpd in OpenBSD) but the FreeBSD policy
database (SPD) seems to only accept endpoints that have a fixed IP address.
Is there any way round this using FreeBSD? I am aware that NAT & IPSec
don't get on together but given I was intending to put the IPSec tunnel on
the firewall/NAT machine it doesn't have to go via NAT.
Pointers of the form "look at this FAQ you idiot" welcome.
Thank you
John Cox