On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> > Here's a complicated VPN question:
> >
> > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > only way thru is via VPN - unfortunately, the VPN in use is an old
> > proprietary Cisco deal that has no client ported to FreeBSD.
> >
> > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > but with the dns name served thru Zoneedit.com - so anytime the IP
> > changes, there's maybe an hour or two of lag time while the auto
> > update scripts get the dns back on track.
> >
> > What I want to do is initiate a VPN connection from WORK to HOME, and
> > here's where I show my VPN ignorance, connect thru that VPN connection
> > from HOME to WORK.  Basically I want to work from home on a secure
> > connection rather than just getting my work machine to pop a terminal
> > up on the home display over an insecure connection.
> >
> > I suspect this won't work this way, but I figure what the hell.  The
> > worst that can happen is someone tells me I'm a dope and it don't work
> > that way.
> >
> > So will it, or not?
> It should be doable. You may have less hair than you started out with and
> learn more than you ever cared to about IPSec on the way to getting it to work,
> but it should work.

Ok, then no deadlines . . .  Thanks!

> Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> difference) Do you have the flexibility of getting its admin to create the
> necessary IPSec policy and access lists to allow you through? Is your new
> IP address always within the same network range? (that will make access
> lists much easier)

No, it's a Cisco 5000, or some such thing.  It isn't IPSEC compliant,
but has like 2 general passwords - in addition to the user password.
There was supposed to be some promotion from Cisco to upgrade it last
year, with free hardware, but our sysadmins were swamped at the time
and decided against it.  Had they had the time, it would have become
IPSEC compliant.

> These will get you started:
> klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> you want SC: Part 4: IP Security and Encryption
> Make sure you create a "dynamic" crypto map in addition to the regular
> crypto map. Authentication may prove interesting due to the dynamic IP;
> you'll want to read up carefully on your possibilities.
> As a side note, it may prove easier to just configure ssh on the
> destination computer and create the necessary rule to allow the
> connection on the access list on the Cisco thingie. Just a thought.
> Good luck,
> Dru

I'll start on that.  What I'll do is look out for a connection failure
hook of sorts, and just write a script to reinitialize the connection
when the IP changes.  Shouldn't be too hard to monitor that and write
a catch script to fix the configs and reestablish the connection.

Thanks a bunch.
Louis LeBlanc               [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     ԿԬ

nolo contendere:
  A legal term meaning: "I didn't do it, judge, and I'll never do it again."

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to