The charity uses Office 365, which for charities is a great deal: Microsoft charges them $1 US per user per month for up to 75 users, but as a result Microsoft controls their DNS.
I also expect that they will be NATed and given a 10/8 address.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Steve Williams
Sent: Monday, January 2, 2017 6:57 PM
To: Peter Fraser <[email protected]>; '[email protected]' <[email protected]>
Subject: Re: isakmpd set up

Hi,

I have been using OpenBSD on a dynamic IP address for 10+ years. I have an account with dynamic DNS provider Zoneedit and use the ddclient package. I run an SMTP daemon, HTTP, SSH, and in those 10+ years I have never had a situation where I could not reach my server. I access it from all over the world using putty (ssh), imap (dovecot), webmail (roundcubemail) and access my web server for various purposes.

When I first got my server going, I was paranoid and had a modem connected to the serial port of my server so I could get to my server in the case of losing Internet access. I used the modem exactly 0 times and finally got rid of the landline.

Since I am paranoid, I had a backup to the backup and received an email every 2 hours (initially) that had the IP address of the interface. I had a filter so the email just went into a folder. I never had to use it...

If you feel tied to an ISP because of static IP, I would not hesitate to go the dynamic route.

Cheers,
Steve Williams

On 02/01/2017 3:05 PM, Peter Fraser wrote:
> A charity that I support has been having trouble with its internet
> provider (Rogers).
> The problem I have is that Rogers is the only supplier that is
> available that will give a fixed IP address.
>
> I want the fixed IP address so I don't have to drive there to fix problems.
>
> It occurred to me that if I could get a VPN set up automatically when
> their OpenBSD firewall boots,
> I could then use the VPN to reach back into their computer.
>
> Having never set up a VPN using OpenBSD I started by reading, and I
> was left very confused.
>
> I came up with:
>
> On my firewall I have /etc/ipsec.conf
>
> ike passive from egress to 192.168.254/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
> ike passive from 192.102.11.0/24 to 192.168.254.0/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
>
> on their firewall
>
> ike from egress to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
> ike from 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>
> I also opened up the firewall to allow packets in from both networks
> without restrictions, something I will have to clean up later
>
> On both systems I have isakmpd_flags=-K -v -D A=10
>
> because of some of the readings I also put on both systems into
> /etc/hostname.enc0
> up
>
> when I try to start isakmpd on the remote system I get only a message
> about privilege dropping.
>
> on my local system I get
>
> Jan 2 16:23:55 gateway isakmpd[71980]: timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
> Jan 2 16:23:55 gateway isakmpd[71980]: timer_remove_event: removing event ui_conn_reinit(0x0)
> Jan 2 16:23:55 gateway isakmpd[71980]: timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
> gateway:/etc # Jan 2 16:24:00 gateway isakmpd[71980]: timer_handle_expirations: event ui_conn_reinit(0x0)
> Jan 2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section to-192.168.254/24 network 192.168.254
> Jan 2 16:24:00 gateway isakmpd[71980]: connection_init: could not record passive connection "from-ste0-to-192.168.254/24"
> Jan 2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section from-192.102.11/24 network 192.102.11
> Jan 2 16:24:00 gateway isakmpd[71980]: connection_init: could not record passive connection "from-192.102.11/24-to-192.168.254/24"
>
> any hint as to what I am doing wrong?
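A pre-flight check for the two things the quoted isakmpd log points at, added here as an example; it is not code from the thread or from OpenBSD, and the function names are my own. The log's "ipsec_get_id: invalid section to-192.168.254/24 network 192.168.254" is isakmpd refusing a prefix written without all four octets, and a "peer" of 192.168.254.1 is an address inside the very LAN the tunnel is supposed to carry, so IKE packets to it have nowhere to go before the SA exists. The script parses only the from/to/peer tokens of "ike" lines (IPv4 only) and runs over a constructed sample built from the two lines quoted for the local firewall:

```python
"""Lint the ike lines of an OpenBSD ipsec.conf(5) before handing them to isakmpd.

Added example (not code from the thread or from OpenBSD). It reads only the
``ike ... from A to B peer P`` tokens and reports the two problems visible in
the quoted log: prefixes written in the shortened ``192.168.254/24`` form,
which isakmpd rejects with ``ipsec_get_id: invalid section``, and a peer
address that lies inside the LAN the flow is meant to tunnel. IPv4 only.
"""
import ipaddress
import re

# Constructed sample: the two ike lines quoted for the local firewall in the thread.
SAMPLE_CONF = """\
ike passive from egress to 192.168.254/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
ike passive from 192.102.11.0/24 to 192.168.254.0/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
"""


def is_interface(tok):
    """True for an interface name such as egress or em0 (no leading digit); 'any' is a keyword."""
    return tok != "any" and not tok[0].isdigit()


def parse_flow(line):
    """Return the from/to/peer tokens of an ike rule as a dict, or None for any other line."""
    m = re.match(r"^\s*ike\b(.*)$", line)
    if not m:
        return None
    toks = m.group(1).split()
    flow = {}
    for key in ("from", "to", "peer"):
        if key in toks and toks.index(key) + 1 < len(toks):
            flow[key] = toks[toks.index(key) + 1]
    return flow


def expand(tok):
    """Pad a shortened prefix to four octets: 192.168.254/24 -> 192.168.254.0/24."""
    addr, slash, plen = tok.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + slash + plen


def check_network(tok):
    """Problem string if isakmpd will reject tok as a network, else None."""
    if tok == "any" or is_interface(tok):
        return None
    addr = tok.partition("/")[0]
    if addr.count(".") != 3:
        # isakmpd parses the address like inet_pton and wants all four octets
        return f"network {tok!r} is not a full dotted-quad prefix; write {expand(tok)}"
    try:
        ipaddress.ip_network(tok, strict=False)
    except ValueError as exc:
        return f"network {tok!r}: {exc}"
    return None


def check_peer(flow):
    """Problem string if the peer sits inside the network the flow tunnels, else None.

    IKE traffic to the peer has to be routable before any SA exists, so the peer
    must be the other gateway's outside address (or 'any' on the passive side),
    not an address that is only reachable through the tunnel.
    """
    peer, dst = flow.get("peer"), flow.get("to")
    if not peer or not dst or peer == "any" or dst == "any" or is_interface(dst):
        return None
    try:
        if ipaddress.ip_address(peer) in ipaddress.ip_network(expand(dst), strict=False):
            return (f"peer {peer} lies inside tunnelled network {dst}; use the remote "
                    f"gateway's outside address, or 'peer any' on the passive side")
    except ValueError:
        pass  # malformed tokens are reported by check_network
    return None


def lint(conf):
    """Return [(line_number, problem), ...] for every ike line in conf."""
    findings = []
    for num, line in enumerate(conf.splitlines(), 1):
        flow = parse_flow(line)
        if flow is None:
            continue
        for key in ("from", "to"):
            if key in flow:
                problem = check_network(flow[key])
                if problem:
                    findings.append((num, problem))
        problem = check_peer(flow)
        if problem:
            findings.append((num, problem))
    return findings


if __name__ == "__main__":
    for num, problem in lint(SAMPLE_CONF):
        print(f"line {num}: {problem}")
```

On the sample this reports the shorthand prefix on line 1 and the in-LAN peer on both lines. It is only a lint; the authoritative syntax check on the box itself is `ipsecctl -n -f /etc/ipsec.conf`, which parses the file without loading it.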

