Re: ipsec.conf ,routers and endpoints - third try

2012-05-09 Thread shadrock

  firewall dual homed
  network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
  virgin media router facing static nic address = 3.3.3.2
  (rfc1918/rfc6598)
  virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
  virgin media dynamic wan address = 1.1.1.1 (internet-routable)
  firewall default route = 3.3.3.3
  network_a default route = 5.5.5.4

your local_gw address would be the router-facing rfc1918 address
and remote_gw would be the dynamic internet-routable address of the
other gateway.




  hi stuart
  thanks for your answer and advice,
  i am working on a modified ddns update script to signal a restart of
  isakmpd when the dynamic ip changes, will implement isakmpd else will
  follow your suggestion and use openvpn for my net to net link, i had
  already planned to use openvpn for my roadwarriors.
  shadrock



The problem is that when the address of one side changes, it's the *other*
side that you need to restart. so you might want a regularly-run script to
do a lookup to work out when this needs doing, although in practice I don't
think VM change addresses all that often so it might be good enough to have
the update script email/text you to tell you to update the other side...

hi stuart
having reread your first post on the subject,
i now realize when the address of one side changes
it's the *other* side that needs to update remote_gw in ipsec.conf and
restart.
i was considering each end running a script which used ping to check
connectivity to the remote gateway, like openvpn's method.
if ping timed out then a dns hostname lookup would be used to resolve
the ip, ipsec.conf would then be updated and restarted, and an email sent to the
manager of the network informing of the remote address change.

this would be all scripted so there would be no need for me to get involved.

shadrock
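The ping-then-lookup scheme outlined above, as an added example for firewall_a (not code from the thread): a cron job that checks the current remote_gw, re-resolves the peer's ddns name when it stops answering, rewrites the macro line, reloads, and mails the admin. It assumes a "remote_gw = <token>" macro line in /etc/ipsec.conf, an rc.d isakmpd script plus ipsecctl for the reload, and constructed PEER_HOST and ADMIN_MAIL values; the embedded sample ipsec.conf is the thread's, with local_gw filled in as the router-facing rfc1918 address per Stuart's reply.

```shell
#!/bin/sh
# Added example, not from the thread. Cron job for firewall_a implementing the
# ping-then-lookup scheme: if the current remote_gw stops answering and the
# peer's ddns name now resolves elsewhere, rewrite the macro, reload, notify.
# Assumed: PEER_HOST / ADMIN_MAIL values, rc.d isakmpd, ipsecctl, ping -w, host.
CONF=${CONF:-/etc/ipsec.conf}
PEER_HOST=${PEER_HOST:-firewall-b.ddns.example}      # constructed hostname
ADMIN_MAIL=${ADMIN_MAIL:-netadmin@example.invalid}   # constructed address

# Constructed copy of the thread's ipsec.conf, local_gw filled in per Stuart's
# reply (router-facing rfc1918 address); remote_gw still the placeholder.
write_sample_conf() {
    cat > "$1" <<'EOF'
local_gw    = 3.3.3.2     # External interface
local_net   = 5.5.5.0/24  # Local private network
remote_gw   = remote_addr # Remote IPsec gateway
remote_nets = 7.7.7.0/24  # Remote private networks
ike esp from $local_gw to $remote_gw
ike esp from $local_net to $remote_nets peer $remote_gw
EOF
}

# Value of the "remote_gw = <token>" macro line (token ends at space or '#').
current_remote_gw() {
    sed -n 's/^remote_gw[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Replace that token in place, keeping the comment; prints "changed" or "same".
set_remote_gw() {   # $1 = conf file, $2 = new IPv4 address
    case "$2" in *[!0-9.]*|"") echo "bad address: $2" >&2; return 1 ;; esac
    [ "$(current_remote_gw "$1")" = "$2" ] && { echo same; return 0; }
    tmp="$1.tmp.$$"
    sed "s/^\(remote_gw[[:space:]]*=[[:space:]]*\)[^[:space:]#]*/\1$2/" "$1" > "$tmp" &&
        mv "$tmp" "$1" && echo changed
}

# One cron run. Returns 0 only when the config was rewritten and reloaded.
watch_once() {
    old=$(current_remote_gw "$CONF")
    ping -c 1 -w 3 "$old" >/dev/null 2>&1 && return 1     # peer still up
    new=$(host -t a "$PEER_HOST" | awk '/has address/ {print $NF; exit}')
    [ -n "$new" ] && [ "$new" != "$old" ] || return 1
    [ "$(set_remote_gw "$CONF" "$new")" = changed ] || return 1
    /etc/rc.d/isakmpd restart && ipsecctl -f "$CONF"
    printf 'remote_gw %s -> %s\n' "$old" "$new" |
        mail -s "ipsec peer $PEER_HOST moved" "$ADMIN_MAIL"
}

case "${1:-}" in run) watch_once ;; esac
```

Invoke as `sh watch-peer.sh run` from cron; a ping failure alone (peer down but name unchanged) leaves the config untouched, which matches Stuart's point that only the side whose peer moved needs a restart.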



Re: ipsec.conf ,routers and endpoints - third try

2012-05-08 Thread Stuart Henderson
On 2012-05-08, shadrock shadr...@ntlworld.com wrote:
 hi stuart
 thanks for your answer and advice,
 i am working on a modified ddns update script to signal a restart of 
 isakmpd when the dynamic ip changes, will implement isakmpd else will 
 follow your suggestion and use openvpn for my net to net link, i had 
 already planned to use openvpn for my roadwarriors.
 shadrock



The problem is that when the address of one side changes, it's the *other*
side that you need to restart. so you might want a regularly-run script to
do a lookup to work out when this needs doing, although in practice I don't
think VM change addresses all that often so it might be good enough to have
the update script email/text you to tell you to update the other side...

(there is a 'static IP' option on VM business services but afaict they
are just about as likely to change addresses on you as the standard service,
just that they try and tell you about it beforehand).



Re: ipsec.conf ,routers and endpoints - third try

2012-05-07 Thread shadrock

hi stuart
thanks for your answer and advice,
i am working on a modified ddns update script to signal a restart of 
isakmpd when the dynamic ip changes, will implement isakmpd else will 
follow your suggestion and use openvpn for my net to net link, i had 
already planned to use openvpn for my roadwarriors.

shadrock



Re: ipsec.conf ,routers and endpoints - third try

2012-05-05 Thread Stuart Henderson
On 2012-05-04, shadrock shadr...@ntlworld.com wrote:
 firewall dual homed
  network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
  virgin media router facing static nic address = 3.3.3.2 
 (rfc1918/rfc6598)
 virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
 virgin media dynamic wan address = 1.1.1.1 (internet-routable)
 firewall default route = 3.3.3.3
 network_a default route = 5.5.5.4

So you have no static routable address on either side. This isn't going
to work well with isakmpd, you really need a static address on at least
one side to use it. DNS lookups are only done when the config is loaded
so there's no way to automatically track changed addresses in isakmpd.

If you can live with restarting things when the address changes
then your local_gw address would be the router-facing rfc1918 address
and remote_gw would be the dynamic internet-routable address of the
other gateway.

OpenVPN might be better in this situation, see the 'float' option and/or
http://openvpn.net/index.php/open-source/faq/77-server/299-can-openvpn-handle-the-situation-where-both-ends-of-the-connection-are-dynamic.html



ipsec.conf ,routers and endpoints - third try

2012-05-04 Thread shadrock

my apologies for my first post

network topology

        home network                                remote network

   3.3.3.3  1.1.1.1                          2.2.2.2  4.4.4.4
  -- router_a --------- internet --------- router_b --
  |                                                   |
  |  3.3.3.2                                 4.4.4.2  |
  -- firewall_a                           firewall_b --
  |  5.5.5.4                                 7.7.7.4  |
  |                                                   |
  -- network_a                            network_b --
     5.5.5.0/24                           7.7.7.0/24


---
network_a

home network = 5.5.5.0/24
firewall dual homed
network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
virgin media router facing static nic address = 3.3.3.2 
(rfc1918/rfc6598)

virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
virgin media dynamic wan address = 1.1.1.1 (internet-routable)
firewall default route = 3.3.3.3
network_a default route = 5.5.5.4

network_b

home network = 7.7.7.0/24
firewall dual homed
network facing static nic address = 7.7.7.4 (rfc1918/rfc6598)
virgin media router facing static nic address = 4.4.4.2 
(rfc1918/rfc6598)

virgin media router static address = 4.4.4.4 (rfc1918/rfc6598)
virgin media dynamic wan address = 2.2.2.2 (internet-routable)
firewall default route = 4.4.4.4
network_a default route = 7.7.7.4

both firewalls run ipsec
both firewalls run NAT
both will have ddns for the internet-routable address
both routers configured for vpn passthrough

network_a connects to firewall_a via a switch
firewall_a connects to router_a via a switch
router_a connects to virgin media cable

--

network_a ipsec.conf

# Macros
local_gw= local_addr  # External interface
local_net   = 5.5.5.0/24  # Local private network
remote_gw   = remote_addr # Remote IPsec gateway
remote_nets = 7.7.7.0/24  # Remote private networks

# Set up the VPN between the gateway machines
ike esp from $local_gw to $remote_gw
# Between local gateway and remote networks
ike esp from $local_gw to $remote_nets peer $remote_gw
# Between the networks
ike esp from $local_net to $remote_nets peer $remote_gw

---

Q1: for my local_gw is local_addr 3.3.3.2 or 3.3.3.3 or 1.1.1.1
Q2: for my remote_gw is remote_addr 2.2.2.2 or 4.4.4.4 or 4.4.4.2