On Sun, 12 Jan 2003, Louis LeBlanc wrote:

> Here's a complicated VPN question:
>
> I have one FreeBSD machine behind a firewall (let's call it WORK),
> only way thru is via VPN - unfortunately, the VPN in use is an old
> proprietary Cisco deal that has no client ported to FreeBSD.
>
> The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> but with the dns name served thru Zoneedit.com - so anytime the IP
> changes, there's maybe an hour or two of lag time while the auto
> update scripts get the dns back on track.
>
> What I want to do is initiate a VPN connection from WORK to HOME, and
> here's where I show my VPN ignorance, connect thru that VPN connection
> from HOME to WORK.  Basically I want to work from home on a secure
> connection rather than just getting my work machine to pop a terminal
> up on the home display over an insecure connection.
>
> I suspect this won't work this way, but I figure what the hell.  The
> worst that can happen is someone tells me I'm a dope and it don't work
> that way.
>
> So will it, or not?


It should be doable. You may have less hair than you started out with and
learn more than you ever cared to about IPSec on the way to getting it to work,
but it should work.

Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
difference) Do you have the flexibility of getting its admin to create the
necessary IPSec policy and access lists to allow you through? Is your new
IP address always within the same network range? (that will make access
lists much easier)

These will get you started:

klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm

www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html

you want SC: Part 4: IP Security and Encryption

Make sure you create a "dynamic" crypto map in addition to the regular
crypto map. Authentication may prove interesting due to the dynamic IP;
you'll want to read up carefully on your possibilities.

As a side note, it may prove easier to just configure ssh on the
destination computer and create the necessary rule to allow the
connection on the access list on the Cisco thingie. Just a thought.

Good luck,

Dru

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to