I've managed to set up tunnels (X.509 auth) between the office network and an
OpenBSD machine (both with dynamic IPs) by using:

/etc/ipsec.conf on the DMZ/LAN firewall:

        ike passive esp from 10.17.18.0/24 to any \
                srcid vpn.foobar.org dstid vpn-client.foobar.org


I also managed to use npppd for L2TP (iOS and OS X clients) by using:

  ike passive esp transport proto udp \
    from pppoe0 (10.17.19.0/24) to any port 1701 \
    main auth "hmac-sha1" enc "3des" group modp1024 \
    quick auth "hmac-sha1" enc "aes" group none \
    psk "..."

on the office gateway's /etc/ipsec.conf (and the appropriate npppd.conf,
of course).

Again, I've managed to get both setups working perfectly, separately.


My question is: (how) can I set up both X.509 IPSec and L2TP/npppd
simultaneously? I can't have both entries in the same ipsec.conf file
since they both refer to the 'default peer', so I guess I should either
run two instances of isakmpd (different ports, different fifo), which
sounds messy, or use relayd, of which my current knowledge amounts to
the first paragraph of the man page.

Does anyone have such a setup?

TIA
Zé
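The conflict described in the post (two `ike` rules that both omit `peer`, so both bind to the default peer, one authenticating with X.509/RSA and the other with a PSK) can be caught before running ipsecctl. The following is an added example, not from the post or from OpenBSD: a small lint that joins the backslash-continued lines of an ipsec.conf fragment, extracts each `ike` rule's peer and phase-1 authentication method, and reports peers that are claimed with differing methods. The sample configuration is constructed from the two rules in the post, with a placeholder PSK.

```python
import shlex

# Constructed sample: the two ike rules from the post in one file.
SAMPLE_IPSEC_CONF = """\
ike passive esp from 10.17.18.0/24 to any \\
        srcid vpn.foobar.org dstid vpn-client.foobar.org
ike passive esp transport proto udp \\
    from pppoe0 (10.17.19.0/24) to any port 1701 \\
    main auth "hmac-sha1" enc "3des" group modp1024 \\
    quick auth "hmac-sha1" enc "aes" group none \\
    psk "placeholder-psk"
"""

def logical_lines(text):
    """Yield ipsec.conf rules with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def parse_ike_rule(line):
    """Return peer and phase-1 authentication method of one 'ike' rule."""
    toks = shlex.split(line)
    if not toks or toks[0] != "ike":
        return None
    peer = "default"   # no 'peer' keyword means the default peer
    auth = "rsa"       # RSA/X.509 is the default unless a psk is given
    for i, tok in enumerate(toks):
        if tok == "peer" and i + 1 < len(toks):
            peer = toks[i + 1]
        elif tok == "psk":
            auth = "psk"
    # 'main auth ...' / 'quick auth ...' are transforms (HMAC), not peer auth.
    return {"peer": peer, "auth": auth, "rule": line}

def find_peer_auth_conflicts(text):
    """Return (peer, [auth methods]) for peers claimed with differing auth."""
    by_peer = {}
    for line in logical_lines(text):
        rule = parse_ike_rule(line)
        if rule:
            by_peer.setdefault(rule["peer"], []).append(rule["auth"])
    return [(p, a) for p, a in by_peer.items() if len(set(a)) > 1]
```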
