On 12/10/06, Albert Chin-A-Young <[EMAIL PROTECTED]> wrote:
On Sun, Sep 03, 2006 at 02:36:29PM +0200, viq wrote:
> Can't find the thread now, but a few months ago there was a comment to a
> question about that: "hold on a while, this is being worked on". Seeing
> that the support for UFQDN in ipsecctl/ipsec.conf was just committed
> into the tree - is that now possible to set up? And how to go about
> it? Can't really figure that out, being a complete newbie to IPSec :(
>
> Thanks in advance for the answer, and for any pointers as to
> configuring that - and kudos to the devs for the awesome work :)

Anyone reply to this?

Replying to list as I think someone may find it useful, and maybe also
give me some pointers as to what I'm doing wrong ;)

Not to this one, but I got some answers to some of my other questions
about the subject. And I was playing a bit with that, and I have it
mostly figured out, I think.

(In here I replaced my domain with my.domain. Though if you make your
DNS resolve my.domain to something useful that would work too ;)

Say, VPN-A is the VPN box, VPN-B is the roadwarrior. On VPN-A you need
to enable packet forwarding, and pf as you will need NAT:
nat on $ext_if from !($ext_if) -> ($ext_if:0)
This is because packets from VPN-B will leave VPN-A with VPN-B's
source address, which most of the time no computer on VPN-A's network
will know how to reach.
I didn't play with certificates yet, I just copied the keys to
appropriate UFQDN.
Now VPN-A has this in ipsec.conf:
ike passive esp from any to any srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

And VPN-B's ipsec.conf:
ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

And that way from a couple of tests I made it seems that all traffic
from VPN-B gets encapsulated and goes through VPN-A.

Now, there are two caveats to this I didn't yet figure out how to solve.
1) VPN-B must be able to resolve vpn-b.my.domain to the address of
its egress interface, otherwise the traffic won't get encapsulated.
Right now I was doing that by editing /etc/hosts by hand, but there
must be a better way... (hmm, by dhclient-script ? Or maybe is there a
way to reference "self" in ipsec.conf ?)
2) As you see NAT comes into play, so VPN-B is not reachable from the
network you're connecting to. This could possibly be worked around by
creating some virtual interfaces on both boxes (say, tun ?) and
connecting them through VPN, but I'm not quite sure yet how to do
that.

HTH, and thanks for any comments to the above :)

--
viq
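An added consistency check for the two-rule setup described above; it is not part of viq's post or of ipsecctl. It parses each ike rule into its keywords and verifies that the srcid/dstid pairs cross-match between the VPN box and the roadwarrior and that one side actually initiates; the vpn-a@my.domain and vpn-b@my.domain identifiers are constructed placeholders for the redacted addresses.

```python
"""Cross-check a hub/roadwarrior pair of ipsec.conf(5) 'ike' rules."""
import shlex

# Keywords that take exactly one argument in an 'ike' rule (subset).
_ONE_ARG = {"from", "to", "peer", "local", "srcid", "dstid"}
_MODES = {"passive", "active", "dynamic"}
_ENCAPS = {"esp", "ah"}

def parse_ike_rule(line):
    """Return the keywords of one 'ike' rule as a dict."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "ike":
        raise ValueError("not an ike rule: %r" % line)
    rule, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in _MODES:
            rule["mode"] = tok
        elif tok in _ENCAPS:
            rule["encap"] = tok
        elif tok in _ONE_ARG:  # keyword followed by its single argument
            rule[tok] = tokens[i + 1]
            i += 1
        i += 1
    return rule

def check_pair(hub, rw):
    """List mismatches between the VPN box (hub) and roadwarrior (rw)."""
    issues = []
    # IDs must cross-match: what one side claims, the other must expect.
    for mine, theirs in (("srcid", "dstid"), ("dstid", "srcid")):
        if hub.get(mine) != rw.get(theirs):
            issues.append("hub %s %r != roadwarrior %s %r"
                          % (mine, hub.get(mine), theirs, rw.get(theirs)))
    if hub.get("encap") != rw.get("encap"):
        issues.append("encapsulation differs")
    # A passive hub only answers, so the roadwarrior must initiate and name a peer.
    if hub.get("mode") == "passive" and rw.get("mode") == "passive":
        issues.append("nobody initiates: both sides are passive")
    if rw.get("mode") != "passive" and "peer" not in rw:
        issues.append("roadwarrior initiates but names no peer")
    return issues

# Constructed rules in the shape of the post, with placeholder UFQDNs.
HUB_RULE = "ike passive esp from any to any srcid vpn-a@my.domain dstid vpn-b@my.domain"
RW_RULE = ("ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain "
           "srcid vpn-b@my.domain dstid vpn-a@my.domain")

if __name__ == "__main__":
    print(check_pair(parse_ike_rule(HUB_RULE), parse_ike_rule(RW_RULE)) or "rules agree")
```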
