eww.... That is definitely a hack, but if it works for the way you have to work.... the script is not bad in a pinch. :) Obviously it would be recommended to use static IPs.
On Tue, 24 Jun 2003 15:06:56 -0300 "Federico Voges" <[EMAIL PROTECTED]> wrote:

> Hi,
>
> On Tue, 24 Jun 2003 10:28:03 -0400, Matthew Carpenter wrote:
>
> >First off, please describe your testing in depth. FreeS/WAN gateways do
> >not use the tunnel by default so pinging through the tunnel from one of the
> >gateways won't work. If you wish to test the tunnel you need to ping
> >through the tunnel using appropriately addressed hosts on either side of
> >the gateways.
>
> Searching the freeswan site again, I found that piece of info. BTW it
> should be mentioned in the quick start page and in the configuration
> page of the documentation ;)
>
> After doing some ugly scripting to deal with my sub-optimal setup
> (dynamic IP on both ends), the VPN is now working.
>
> Let me describe the situation:
>
>   192.168.10.0/24          192.168.10.1 - dyn. IP
>   BUE-NET ------------- BUE-GW (postgres server) [ADSL modem] ---------+
>                                                                        |
>                                                                       INET
>   192.168.11.0/24          192.168.11.1 - dyn. IP                      |
>   NQN-NET ------------- NQN-GW [ADSL modem] ---------------------------+
>
> I have 3 tunnels: net-net and net-gw (one for each end so ping works as
> expected).
>
> The hack I'm using right now is this:
>
> * Every morning (about 6:00am) I force NET-GW to reconnect (adsl-stop,
>   wait, adsl-start)
> * ip-up.local (both ends) has some really ugly stuff(tm) in it:
>
>   #!/bin/bash
>
>   # Test connection status. Thanks Telefonica for a great service (not!)
>   # Sometimes we connect but we don't get a default gateway....
>   route -n | grep -q "^0\.0\.0\.0"
>   if [ $? -ne 0 ]; then
>       echo "No default route. Dropping connection..."
>       killall -HUP pppd
>       exit 1
>   fi
>
>   # Test connection status. Thanks Telefonica for a great service (not!)
>   # Sometimes we get a connection to a black hole.....
>   ping -c 5 -w 5 200.69.192.31 >& /dev/null
>   if [ $? -ne 0 ]; then
>       echo "Can't ping to a known internet host. Dropping connection..."
>       killall -HUP pppd
>       exit 1
>   fi
>
>   # Stop FreeS/WAN
>   /usr/sbin/rcipsec stop >& /dev/null
>   sleep 3
>   # make sure ipsec is dead otherwise it won't start again
>   /usr/bin/killall pluto >& /dev/null
>   rm /var/run/pluto.pid >& /dev/null
>   rmmod -r ipsec >& /dev/null
>
>   # Update DDNS
>   echo "Updating DDNS..."
>   /usr/bin/lynx -dump "SOME-SECRET-URL-:)"
>   if [ $? != 0 ]; then
>       # Danger! This could cause an endless loop ;)
>       echo "Ooops! Couldn't update DDNS! Dropping connection..."
>       /usr/bin/killall -HUP pppd
>       exit 1
>   fi
>
>   # The TTL for the dynamic DNS A record is 6secs, let's wait 7secs
>   sleep 7
>
>   # Let's restart IP Sec on the other GW (so it uses the new IP address)
>   ssh OTHER-GW /usr/local/sbin/ipsec_hack.sh
>
>   # We restart IP Sec in our side
>   /usr/sbin/rcipsec start
>   ---EOF---
>
> /usr/local/sbin/ipsec_hack.sh
>
>   #!/bin/bash
>
>   /bin/logger -i -t "ipsec_hack" "Start"
>   /bin/logger -i -t "ipsec_hack" "Stopping ipsec"
>   /etc/init.d/ipsec stop >& /dev/null
>   /bin/sleep 3
>   /sbin/rmmod -r ipsec >& /dev/null
>   /bin/rm /var/run/pluto.pid >& /dev/null
>   /bin/sleep 3
>   /bin/logger -i -t "ipsec_hack" "Starting ipsec"
>   /etc/init.d/ipsec start >& /dev/null
>   ---EOF---
>
> The trick is restarting FreeS/WAN on the other side after updating the
> dynamic DNS but before restarting FreeS/WAN on this side. If IP Sec is
> running on this side all traffic to the other gw will go through the
> NET-GW tunnel which is down.
>
> I know, it's a mess. But it's working ;)
>
> Thinking again, I've realized that I'll probably need just one tunnel.
>
> BUE-GW is the router/firewall and is running the PostgreSQL server. The
> desktops on both LANs (BUE-NET & NQN-NET) run the ERP software that
> connects to BUE-GW.
>
> So, I think I'd only need a net-gw tunnel from NQN-NET to BUE-GW.
>
> As I said, both ends have dynamic IP (ADSL). I hope to switch to static
> IP (still using ADSL) as soon as the telco starts offering the service.
> That will be just on BUE-GW (different telcos on each end and only one
> plans to offer static IP).
>
> I have no other choice for the inet connection (except a leased line,
> which is waaay too expensive here).
>
> Is my current setup too ugly?? Do you have any suggestion to improve
> it??
>
> Once I get a static IP, what changes would I have to make?
>
> TIA!
>
> >Secondly, if you are interested in a fairly decent Web-GUI for FreeS/WAN,
> >there is a pretty good WebMin module available. Install WebMIN if you
> >haven't already (www.webmin.com) and then install the FreeS/WAN module.
>
> I have it installed, it comes with SCO Linux 4.0 (yup, first and only
> license sold in Argentina). But it's incomplete (i.e.: no tunnel status
> page), and it's not being developed (last version is about 2 years
> old).
>
> Federico Voges
> Managing partner
>
> Intrasoft
> Malabia 2137 14 A
> (1425) Buenos Aires
> Argentina
>
> Te/Fax: 54-11-4833-5182
> e-mail: [EMAIL PROTECTED]
> Web: http://www.intrasoft.com.ar
>
> _______________________________________________
> Linux-users mailing list
> [EMAIL PROTECTED]
> Unsubscribe/Suspend/Etc ->
> http://www.linux-sxs.org/mailman/listinfo/linux-users

--
Matthew Carpenter
[EMAIL PROTECTED]
http://www.e-i-s.cc/
Enterprise Information Systems
*Network Consulting, Integration & Support
*Web Development and E-Business
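The quoted ip-up.local hook has two weak spots its own comments admit: a DDNS failure bounces pppd and re-runs the hook with no limit ("Danger! This could cause an endless loop"), and a fixed 7-second sleep stands in for actually checking that the new A record is visible. The following is an added example, not code from either poster: the same sequence (route check, reachability check, stop IPsec, update DDNS, restart the far end first, then the near end) with a persistent retry counter so a dead link is not kicked forever, a DNS poll instead of a blind sleep, and the DDNS update URL read from a root-only file instead of being embedded in the command line. All hostnames, IPs, paths and the interface name are placeholders; pppd's ip-up argument convention (interface as $1, local address as $4) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): bounded version of the quoted ip-up hook.
# Every host, path and URL below is a placeholder to be replaced at deployment.
set -u

DDNS_URL_FILE="${DDNS_URL_FILE:-/etc/ipsec_hack/ddns_url}"  # mode 0600, holds the update URL
PEER_GW="${PEER_GW:-other-gw.example.invalid}"              # placeholder: far-end gateway
MY_DDNS_NAME="${MY_DDNS_NAME:-this-gw.example.invalid}"     # placeholder: this end's DDNS name
CHECK_HOST="${CHECK_HOST:-192.0.2.1}"                       # placeholder: a known reachable host
RETRY_FILE="${RETRY_FILE:-/var/run/ipsec_hack.retries}"     # survives across hook invocations
MAX_RETRIES=3

# Report whether "route -n"-style text contains a default route (0.0.0.0 destination).
# Takes the text as an argument so the check can be exercised without a live link.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^0\.0\.0\.0[[:space:]]'
}

# Increment the counter stored in file $1; succeed only while it is <= $2.
# This bounds the "drop link, reconnect, fail again" cycle the quoted script warns about.
bump_retry() {
    n=0
    if [ -f "$1" ]; then n=$(cat "$1"); fi
    n=$((n + 1))
    printf '%s\n' "$n" > "$1"
    [ "$n" -le "$2" ]
}

reset_retry() { rm -f "$1"; }

# Log the reason, drop the PPP session only while the retry budget lasts, then stop.
drop_connection() {
    logger -t ipsec_hack "$1"
    if bump_retry "$RETRY_FILE" "$MAX_RETRIES"; then
        killall -HUP pppd
    else
        logger -t ipsec_hack "retry budget exhausted; leaving the link alone"
    fi
    exit 1
}

# Poll until name $1 resolves to address $2, at most $3 times (2 s apart).
wait_for_dns() {
    i=0
    while [ "$i" -lt "$3" ]; do
        if [ "$(getent hosts "$1" | awk 'NR==1 {print $1}')" = "$2" ]; then return 0; fi
        i=$((i + 1)); sleep 2
    done
    return 1
}

# $1 = interface, $2 = local address (as pppd passes them to ip-up).
run_hook() {
    has_default_route "$(route -n)" || drop_connection "no default route on $1"
    ping -c 5 -w 5 "$CHECK_HOST" >/dev/null 2>&1 || drop_connection "cannot reach $CHECK_HOST"

    # Stop IPsec locally before the DDNS update, as the quoted hook does.
    /etc/init.d/ipsec stop >/dev/null 2>&1; sleep 3
    killall pluto >/dev/null 2>&1; rm -f /var/run/pluto.pid; rmmod -r ipsec >/dev/null 2>&1

    # The secret URL never appears on a command line visible in process listings.
    curl -fsS "$(cat "$DDNS_URL_FILE")" >/dev/null || drop_connection "DDNS update failed"
    wait_for_dns "$MY_DDNS_NAME" "$2" 10 || drop_connection "DDNS record not visible yet"

    # Far end first, while no local tunnel can swallow the SSH traffic; then this end.
    ssh "$PEER_GW" /usr/local/sbin/ipsec_hack.sh
    /etc/init.d/ipsec start
    reset_retry "$RETRY_FILE"   # a full success clears the failure budget
}

# Only run the live sequence when pppd invokes us with a ppp interface name.
case "${1:-}" in ppp*) run_hook "$1" "${4:-}" ;; esac
```

The two pure functions (`has_default_route`, `bump_retry`) are what make the hook checkable offline; the live sequence is only entered when the script is called the way pppd calls ip-up, so sourcing it or running it by hand does nothing to the link.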
