Contributed by grey on from the I was beginning to wonder if SF would ever publish this dept.
This short article posted on Security Focus from Dragos Ruiu looks at how to get a fully functional IPSec VPN up and running between two fresh OpenBSD installations in about four minutes flat.
http://www.securityfocus.com/infocus/1859
This is a great exposition on how OpenBSD's improvements, with the new ipsecctl(8), are making even the beast that is IPSec easy to use.
By bentman78 (144.171.241.10) on
I am certainly no IPSEC expert.
By Anonymous Coward (84.188.233.108) on
Let's make an example:
You've a fixed server
- fixed IP, does not reboot
You've a DSL line with a reconnect every 23h59m
- Let's say you've 3 PCs in your LAN
So how would your OpenBSD router at home do a "reconnect" to the server if it gets a new IP at each reconnect (to the server)?
Well, I also thought about using DHCP, but I'm not that much of an IPSec expert, so how do you solve this problem if you've no DHCP but a simple pppd for PPPoE (or if you use the kernel ppp)?
It would be interesting how you would solve this, because I didn't find any HowTos for multiple clients with multiple non-fixed IPs and a fixed server with a fixed IP.
By grey (207.215.223.2) on
"The reader should note that while this configuration uses numeric IP addresses, the configuration can also be done with fully qualified domain names. To use domain names, simply copy the keys into the /etc/isakmpd/pubkeys/fqdn directory, and use the srcid and dstid keywords in your /etc/ipsec.conf flow specifications."
So yes, I would imagine one could just specify an FQDN and then use a dynamic DNS provider for the host that has a changing IP; there are several free ones even (e.g. dyndns.org).
I am actually wrestling with a parallel frustration at work at the moment, where I am using a Soekris with an EVDO card for internet access, and am trying to get an IPSec tunnel working back to a Cisco 3020. The *nix side of things is fine; however, the Cisco 3020 requires a static IP address for the LAN-to-LAN endpoint configuration, and it throws an error when you attempt to specify it via hostname. Getting an EVDO card with a static IP (through Verizon) I've been told costs $500 (!!!?). The headaches one deals with when using commercial vendors, when more flexible free solutions exist, never cease to amaze.
By Anonymous Coward (66.219.139.194) on
http://openbsd.cz/~pruzicka/vpn.html
The other appears to be a dead link now...
(http://wrath.grayskies.net/projects/openbsd-vpn/vpn-howto.html)
Here's the Google cache:
http://64.233.179.104/search?q=cache:odYdpYCo9QAJ:www.grayskies.net/projects/openbsd-vpn/vpn-howto.html+%22OpenBSD/Windows+2000/XP+VPN+HOWTO%22+&hl=en&gl=us&ct=clnk&cd=1