Re: Is it possible: IPsec tunnel with no static addresses?
On 2011-01-01, Matt Evans m...@mattevans.org wrote:

> I've never seen an example where hostnames are used in place of static IP addresses in configuration files. Is it the case that anywhere I see an ip address (filenames, conf file values, etc), I could just as easily put in foo.dyndns.org?

In many cases this works, though in some cases there are hidden problems (e.g. it is often not advisable to do this in pf.conf). With most configuration files in OpenBSD (including, particularly relevant here, ipsec.conf) the name is resolved _when the configuration file is read_, so you will need some way to monitor for address changes and reload the configuration.

You might find that OpenVPN is better for this usage case as it has specific support for dynamic endpoints (i.e. it re-resolves the name when keepalives fail).
Re: Is it possible: IPsec tunnel with no static addresses?
>> Why do you think IPSec needs one fixed-IP endpoint? Certainly, things won't work if both of you change IP addresses before the DNS updates, but you seem to accept that. You can also get a fixed IP for free by contacting one of the IPv6 tunnel brokers. Yes, this will be IPv6-over-IPv4, which has its issues.
>
> I've never seen an example where hostnames are used in place of static IP addresses in configuration files. Is it the case that anywhere I see an ip address (filenames, conf file values, etc), I could just as easily put in foo.dyndns.org?

I don't consider myself expert at this, but, yes, I think that is the case. At least for me, it has worked well. I have an ipsec tunnel set up between two residential cable internet connections. Both are DHCP, so there is no static endpoint. I use dDNS to keep the endpoint IPs up to date (I do own my own domain, but I suppose you don't have to). The tunnel goes down for a few minutes from time to time (I think mostly because of problems with my internet connections, not so much DNS name resolution issues), but it has not been an issue for me.

As an example, my ipsec.conf looks something like this (this is openbsd 4.6 - yes, I know I should update, I'm working on it):

One end:

    ike passive esp from 10.0.0.1 to ipsec2.mydomain.com srcid my.local.crt.com dstid my.remote.crt.com
    etc...

The other end:

    ike dynamic esp from 192.168.1.1 to ipsec1.mydomain.com srcid my.remote.crt.com dstid my.local.crt.com
    etc...

As I said, I'm no expert on this, but I was able to figure this out from the man pages.

Bye - ted
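The reply above that ipsec.conf resolves peer names only when the file is read, and Ted's config that names the peers by DDNS hostname, together call for a small watcher that re-resolves the name and reloads the ruleset when the address moves. The script below is an added example written for this thread, not code posted by any participant: it looks the peer up with host(1), compares the result with a cached copy, and only when the lookup succeeded and the address actually changed does it parse-check the file with ipsecctl -n and then flush and reload it. The peer name ipsec2.mydomain.com (borrowed from Ted's example), the cache path under /var/db and the idea of running it from cron are assumptions.

```shell
#!/bin/sh
# Re-resolve an IPsec peer's DDNS name and reload ipsec.conf when its
# address changes. Added example for the thread; not from the original post.
# Assumed: OpenBSD with isakmpd(8)/ipsecctl(8), host(1) in base, and an
# ipsec.conf that names the peer by hostname (as in Ted's config).

PEER_NAME="${PEER_NAME:-ipsec2.mydomain.com}"   # remote DDNS name (assumed)
CONF="${CONF:-/etc/ipsec.conf}"
CACHE="${CACHE:-/var/db/ipsec-peer.addr}"        # last address we loaded (assumed path)

# Print the first A record for a name, or nothing if the lookup fails.
resolve_peer() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Accept only a dotted quad with four octets in 0-255; returns 1 otherwise.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Return 0 when a reload is needed: the freshly resolved address is valid and
# differs from the cached one (or there is no cache yet). A failed or garbled
# lookup returns 1 so we never flush working SAs because DNS was unreachable.
peer_changed() {
    new="$1"
    cache="$2"
    valid_ipv4 "$new" || return 1
    if [ -f "$cache" ] && [ "$(cat "$cache")" = "$new" ]; then
        return 1
    fi
    return 0
}

# Parse-check first (-n resolves names but loads nothing), then flush and
# load so the new peer address is used. Never called by the test below.
reload_ipsec() {
    if ! ipsecctl -n -f "$CONF"; then
        logger -t ipsec-ddns "parse error in $CONF, not reloading"
        return 1
    fi
    ipsecctl -F && ipsecctl -f "$CONF"
}

# Intended to run from cron every few minutes: resolve, compare, reload.
main() {
    addr="$(resolve_peer "$PEER_NAME")"
    if peer_changed "$addr" "$CACHE"; then
        logger -t ipsec-ddns "peer $PEER_NAME now $addr, reloading IPsec"
        reload_ipsec && printf '%s\n' "$addr" > "$CACHE"
    fi
}

# Run the watcher only when invoked as "ipsec-ddns.sh run".
if [ "${1:-}" = "run" ]; then
    main
fi
```

Both ends run the same watcher, each pointed at the other's name. The cache is only updated after a successful reload, so a reload that fails is retried on the next run; if isakmpd keeps stale state for the old peer address after the reload, restarting isakmpd instead of the flush-and-load pair is the heavier-handed alternative.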
Re: Is it possible: IPsec tunnel with no static addresses?
On Fri, Dec 31, 2010 at 04:19:53PM -0600, Matt Evans wrote:

> A friend and I are both on dynamic IP residential broadband connections. We both use OpenBSD boxes as edge devices. We were wondering if it were possible to create an ipsec tunnel between us, even though we both have dynamic public IPs. The documentation I've read seems to suggest that at least _somebody_ must have a static IP. I can understand that at some point, needing the public IPs is necessary for setting up the tunnel, but is it possible that dyndns or some other dynamic mechanism can be used to find the public IPs as needed? Isn't it the case that IPsec can mutually authenticate peers based on keys, and fixed public IPs aren't required as part of peer authentication?

Why do you think IPSec needs one fixed-IP endpoint? Certainly, things won't work if both of you change IP addresses before the DNS updates, but you seem to accept that. You can also get a fixed IP for free by contacting one of the IPv6 tunnel brokers. Yes, this will be IPv6-over-IPv4, which has its issues.

Joachim

-- 
PotD: textproc/groff - gnu clone of nroff
http://www.joachimschipper.nl/
Re: Is it possible: IPsec tunnel with no static addresses?
> Why do you think IPSec needs one fixed-IP endpoint? Certainly, things won't work if both of you change IP addresses before the DNS updates, but you seem to accept that. You can also get a fixed IP for free by contacting one of the IPv6 tunnel brokers. Yes, this will be IPv6-over-IPv4, which has its issues.

I've never seen an example where hostnames are used in place of static IP addresses in configuration files. Is it the case that anywhere I see an ip address (filenames, conf file values, etc), I could just as easily put in foo.dyndns.org? If my searching and/or comprehension skills are lacking, could you send a link this way?

Thanks,
Matt
Is it possible: IPsec tunnel with no static addresses?
A friend and I are both on dynamic IP residential broadband connections. We both use OpenBSD boxes as edge devices. We were wondering if it were possible to create an ipsec tunnel between us, even though we both have dynamic public IPs.

The documentation I've read seems to suggest that at least _somebody_ must have a static IP. I can understand that at some point, needing the public IPs is necessary for setting up the tunnel, but is it possible that dyndns or some other dynamic mechanism can be used to find the public IPs as needed? Isn't it the case that IPsec can mutually authenticate peers based on keys, and fixed public IPs aren't required as part of peer authentication?