
IPSec, dynamic IPv4 addresses and FreeBSD?



Hi,

This may be a simple question but I have spent some time failing to find the
answer - the short form of the question is: can I tunnel from a machine with
a dynamic IP address to a FreeBSD machine using IPSec?

Longer form with diagram (ASCII art I'm afraid):

Home m/c 1         Home m/c 2
   |                  |
   |------------------|
   |   10.2.0.0/16
   |
OpenBSD firewall+NAT m/c
   |
   | ?.?.?.?/32 (not under my control and
   |             will change from time to time)
   |
Cable modem with DHCP
   |
   |
"The internet"
   |
   |
ADSL modem
   |
   | (some fixed addresses 1.2.3.0/29)
   |
Firewall
   |
   |    10.1.0.0/16
   |------------------------------------------------
   |                      |                 |
FreeBSD tunnel m/c    Work m/c 1        .........


I want to create a secure tunnel between my home network and my work network
whilst allowing the home m/cs to access the general internet via NAT (hardly
a novel idea I'm sure).  The obvious method seemed to be to set up IPSec
with X509 certificates as proof of ID.  I thought I could work out how to do
that using racoon (and indeed isakmpd in OpenBSD) but the FreeBSD policy
database (SPD) seems to only accept endpoints that have a fixed IP address.
Is there any way round this using FreeBSD?  I am aware that NAT & IPSec
don't get on together but given I was intending to do the IPSec tunnel on
the firewall/NAT machine it doesn't have to go via NAT.

Pointers of the form "look at this FAQ you idiot" welcome.

Thank you

John Cox
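As an added example (not part of the original post, and not code from its author), the following is a responder-side racoon.conf for the FreeBSD tunnel machine in the diagram. The point it illustrates is that the fixed-address side does not need to name the home firewall's address anywhere: `remote anonymous` accepts a phase 1 from any source address, and `generate_policy on` has racoon create the SPD entries from the initiator's proposal at negotiation time instead of requiring them in setkey beforehand. The address 1.2.3.4, the certificate file names, the algorithm choices and the lifetimes are assumptions chosen for illustration; whether OpenBSD's isakmpd negotiates cleanly against this exact proposal set is not something this example demonstrates.

```conf
# Added example, not from the original post: racoon.conf on the FreeBSD
# tunnel machine, acting as the fixed-address responder.
# Assumptions: 1.2.3.4 is this host's public address (from the 1.2.3.0/29
# block), certificates live under /usr/local/etc/racoon/certs, and the home
# firewall presents a certificate signed by a CA whose certificate has been
# placed in that directory (see racoon.conf(5) for how CA certs are found).

path certificate "/usr/local/etc/racoon/certs";

listen {
        isakmp 1.2.3.4 [500];
}

# "anonymous" matches a peer at any source address, so the home firewall's
# changing cable-modem address never has to appear in this file.
remote anonymous {
        exchange_mode main;
        passive on;             # only answer; we cannot initiate to an address we do not know
        generate_policy on;     # build SPD entries from the initiator's phase 2 proposal,
                                # so no fixed peer address has to be given to setkey
        proposal_check obey;
        my_identifier asn1dn;   # identify by certificate subject DN, not by IP address
        peers_identifier asn1dn;
        certificate_type x509 "work-tunnel.crt" "work-tunnel.key";
        verify_cert on;         # reject peers whose certificate does not chain to a trusted CA
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Two caveats follow from this shape of configuration. With `passive on` the work side can never bring the tunnel up; traffic has to originate from the home network (whose firewall does know the fixed address 1.2.3.4 and carries a static policy for 10.2.0.0/16 <-> 10.1.0.0/16 through it), and the tunnel disappears when the SAs expire until something at home sends again. Second, because the policy is generated from whatever the initiator proposes, the responder is trusting the certificate check rather than a pre-written SPD to decide which subnets may be tunnelled; after a successful negotiation `setkey -DP` on the FreeBSD machine shows the policies racoon actually installed and is the quickest way to confirm they cover only the two 10.x/16 networks.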