On 24/11/06, Albert Chin <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 12, 2006 at 10:07:27AM +0200, viq wrote:
> > Say, VPN-A is the VPN box, VPN-B is the roadwarrior. On VPN-A you need
> > to enable packet forwarding, and pf as you will need NAT:
> > nat on $ext_if from !($ext_if) -> ($ext_if:0)
> > This is because packets from VPN-B will leave VPN-A with VPN-B's
> > source address, which most of the time no computer on VPN-A's network
> > will know how to reach.
> > I didn't play with certificates yet, I just copied the keys to
> > appropriate UFQDN.
> > Now VPN-A has this in ipsec.conf:
> > ike passive esp from any to any srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
> >
> > And VPN-B's ipsec.conf:
> > ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
> So every roadwarrior has one key, [EMAIL PROTECTED]
That's the idea, if you want to have control over who is allowed to
connect and who's not. Besides, if you would want to have them all use
one key, you would have to replace the automatically generated private
key each box has.
I want to play with certificates, tinyCA makes that easier, but I
didn't get to that yet.
> --
> albert chin ([EMAIL PROTECTED])
--
viq
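The setup discussed in the thread, written out as one combined example (added here; it is not configuration posted by viq or Albert Chin). It puts the pieces the thread mentions side by side: forwarding, the pf NAT rule, the ipsec.conf flows on both boxes, and the per-roadwarrior public-key placement that gives VPN-A control over who may connect. Hostnames, interface names, the 192.168.1.0/24 network and the second roadwarrior vpn-c are constructed placeholders; the file paths follow isakmpd(8) and ipsec.conf(5), and the pass rules for enc0, ESP and IKE (UDP 500/4500) are this example's additions, not something the thread states.

```conf
# --- VPN-A (the VPN box): /etc/sysctl.conf ---
# Packets arriving from the roadwarrior over enc0 must be forwarded on.
net.inet.ip.forwarding=1

# --- VPN-A: /etc/pf.conf ---
ext_if = "em0"                         # constructed interface name
int_net = "192.168.1.0/24"             # constructed LAN behind VPN-A

# The thread's NAT rule: traffic that did not originate on $ext_if
# (here, packets from VPN-B arriving via enc0) leaves with VPN-A's
# address, so hosts on the LAN can answer it.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Only IKE and ESP from outside reach VPN-A; everything else stays blocked.
block in on $ext_if
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# Decrypted roadwarrior traffic appears on enc0; restrict it to the LAN
# rather than passing "any", so a roadwarrior key only buys LAN access.
pass in on enc0 from any to $int_net keep state (if-bound)
pass out on enc0 from $int_net to any keep state (if-bound)

# --- VPN-A: /etc/ipsec.conf ---
# Passive: VPN-A waits for the roadwarrior to initiate, as in the thread.
# srcid is VPN-A's own user-FQDN identity, dstid the roadwarrior's.
ike passive esp from any to any \
        srcid vpn-a@my.domain dstid vpn-b@my.domain

# --- VPN-A: which roadwarriors are trusted ---
# Each roadwarrior box generates its own key pair; its public key is
# copied (out of band) to VPN-A under the UFQDN it presents as srcid:
#   /etc/isakmpd/pubkeys/ufqdn/vpn-b@my.domain   <- VPN-B's /etc/isakmpd/local.pub
#   /etc/isakmpd/pubkeys/ufqdn/vpn-c@my.domain   <- a second roadwarrior (constructed)
# Removing one file revokes that single roadwarrior without touching the
# others; a shared key would not allow that, which is the point made in
# the reply above.

# --- VPN-B (the roadwarrior): /etc/ipsec.conf ---
# Dynamic: VPN-B's own address changes, so it initiates towards VPN-A
# and authenticates with its own key; VPN-A's public key sits on VPN-B at
#   /etc/isakmpd/pubkeys/ufqdn/vpn-a@my.domain
ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain \
        srcid vpn-b@my.domain dstid vpn-a@my.domain
```

Load order on each box is the usual one: `sysctl` and `pfctl -f /etc/pf.conf` on VPN-A, then `isakmpd -K` and `ipsecctl -f /etc/ipsec.conf` on both sides. The enc0 rules are the defensive detail worth keeping even when the LAN is the only destination: they bound what an authenticated roadwarrior can reach, so that possession of one roadwarrior's private key does not translate into reaching VPN-A's other interfaces.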