On Tuesday 05 October 2004 7:27 am, Florin wrote:
> Bret Baptist <[EMAIL PROTECTED]> writes:
> > On Monday 04 October 2004 4:54 am, Florin wrote:
> > > I would like to have more details about the "manual modification".
> > > Maybe it will be interesting for other people so I will integrate them
> > > in the web interface.
> >
> > The areas I have to manually change are as follows:
> >
> > 1. DHCP for static addresses just like Randy. I need in addition to what
> > he mentioned the ability to create at least two subnets and assign
> > static IP addresses out of each.
>
> I'll have a look at this. The two subnets are connected on two different
> network cards, right ?

Correct, they are.

> > 2. I need to be able to create x.509 IPSEC certs without email addresses
> > for Windows clients.
>
> Hum, while creating the certificates then, right ?

Correct, while creating the certificate to be given to the client machine.

> > 3. I need to be able to do "virtual_private" with IPSEC. This allows
> > hosts on private networks doing NAT to connect to VPN, while at the same
> > time making sure they do not conflict with our private netblock. Here is
> > an example of this setting,
> > "virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,
> > %v4:169.254.0.0/16,%v4:192.168.0.0/16,%v4:!192.168.101.0/24". Docs here:
> > http://www.openswan.org/docs/local/README.NAT-Traversal
>
> So, you simply need an extra entry virtual_private. It's feasible.

Yep, just to make sure, what I also need is the ability to define what is
*our* virtual private and assign that to the "!192.168.101.0/24" entry.

> > 4. Multi-zone support for the VPN. We need to be able to have VPN
> > connections to the LAN and PROT (protected) zones of our network,
> > currently with MNF 8.2 you can only have a single zone used for the VPN.
>
> And why do you say that you can only have one single zone for vpn ? Why
> can't you create two zones: vpn1 and vpn2 for that, may I ask ?

Well.. how would I create the "leftsubnet=192.168.222.0", and
"leftsubnet=192.168.111.0" entries in the ipsec.conf for the two different
zones (vpn1,vpn2)? This is for the MNF acting as a VPN server to these two
zones as the left connection.

Humm, this is not too clear, so here is the code I added to the ipsec.conf
template to make it so that if I add -prot to the common name of a
connection it creates a rightside client VPN config for the PROT network.

    # Text::Template fragment inside the ipsec.conf conn stanza:
    # a "-prot" common name selects the PROT zone's leftsubnet and the
    # client cert is named after the common name with the suffix removed.
    if ($CommonName =~ /-prot/) {
        $OUT .= "\tleftsubnet=192.168.222.0/24\n";
        $CommonName =~ s/-prot//;
        $OUT .= "\t".$side."cert=".$CommonName.".crt\n";
    }

> > 5. Some kind of HA support would be nice... http://linux-ha.org/. I
> > currently have two MNF 8.2 firewalls using HA. I just had to add it on
> > by myself.. ;-)
>
> Can you send me your files and your modifications to see if I can add this
> as well ?

Sure thing, I will send these direct to you. I have to warn you though, the
configs are not complicated, the tricks with services are though.

> > Humm, guess this is kinda late to be bringing all this up, hopefully some
> > of this will be addressed though.
>
> I'll have a look at all that :o)

Thank you very much for all your amazing work on MNF, Florin.

> thx for your mail and have a nice day,

-- 
Bret Baptist
Systems and Technical Support Specialist
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946 x17
Web Development-Web Marketing-ISP Services
------------------------------------------
Today is the tomorrow you worried about yesterday.
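Added example (not part of the thread, and not MNF's or Openswan's own code): a small Python generator that does what items 3 and 4 above describe, written out as a stand-alone script instead of a Text::Template fragment. It builds the virtual_private= value from the same private ranges the post lists, excluding the firewall's own netblocks with "!" so a road warrior behind a home NAT that happens to use 192.168.222.0/24 cannot be handed a virtual address inside the PROT zone, and it picks leftsubnet= per zone from a suffix on the certificate common name, naming the cert file after the bare CN the way the posted template does. The zone table, the client CNs and the rightsubnet=vhost:%priv,%no line are assumptions for the example; check README.NAT-Traversal for the Openswan release you run before relying on that syntax.

```python
import ipaddress

# Constructed inputs for this example. The private ranges are the ones the
# post's virtual_private= line lists; the two zone subnets are the LAN and
# PROT netblocks the post uses as leftsubnet= values.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16", "192.168.0.0/16"]

# Hypothetical zone table (assumed for the example): CN suffix ->
# (zone name, subnet the firewall offers that zone's clients as leftsubnet=).
# "" is the default (LAN) zone.
ZONES = {
    "": ("lan", "192.168.111.0/24"),
    "-prot": ("prot", "192.168.222.0/24"),
}


def virtual_private(private_ranges, local_subnets):
    """Build the value for virtual_private=.

    Every range a NATed road warrior may sit behind is allowed, and each of
    our own netblocks is excluded with '!' so a client whose home LAN is,
    say, 192.168.222.0/24 cannot claim a virtual address inside PROT.
    """
    entries = ["%v4:" + r for r in private_ranges]
    for sub in local_subnets:
        net = ipaddress.ip_network(sub)
        # An exclusion that lies outside every listed range is a typo, not a
        # policy: refuse it rather than emit a useless "!" entry.
        if not any(net.subnet_of(ipaddress.ip_network(r)) for r in private_ranges):
            raise ValueError(f"{sub} is not inside any listed private range")
        entries.append("%v4:!" + sub)
    return ",".join(entries)


def split_cn(common_name, zones):
    """Split a certificate CN into (bare name, zone entry).

    Only a trailing suffix counts and the longest one wins, so a CN such as
    'build-protocol' is not mistaken for a PROT-zone client.
    """
    for suffix in sorted((s for s in zones if s), key=len, reverse=True):
        if common_name.endswith(suffix):
            return common_name[: -len(suffix)], zones[suffix]
    return common_name, zones[""]


def conn_stanza(common_name, zones, side="right"):
    """Emit one road-warrior conn stanza for a client certificate.

    The firewall is 'left'; the client is 'right'. rightsubnet=vhost:%priv,%no
    (assumed here; see the Openswan NAT-Traversal README) lets the client use
    a virtual address drawn from virtual_private.
    """
    bare, (zone, leftsubnet) = split_cn(common_name, zones)
    lines = [
        f"conn {bare}-{zone}",
        "\tleft=%defaultroute",
        f"\tleftsubnet={leftsubnet}",
        f"\t{side}=%any",
        f"\t{side}cert={bare}.crt",
        f"\t{side}subnet=vhost:%priv,%no",
        "\tauto=add",
    ]
    return "\n".join(lines) + "\n"


def render(clients, zones=ZONES, private_ranges=PRIVATE_RANGES):
    """Render the config setup section plus one conn stanza per client CN."""
    local = [subnet for _, subnet in zones.values()]
    out = "config setup\n\tnat_traversal=yes\n"
    out += "\tvirtual_private=" + virtual_private(private_ranges, local) + "\n\n"
    out += "\n".join(conn_stanza(cn, zones) for cn in clients)
    return out


if __name__ == "__main__":
    # Constructed client CNs: one LAN client and one PROT client.
    print(render(["bret-laptop", "bret-laptop-prot"]))
```

Two choices differ from the posted template on purpose: the suffix is matched only at the end of the CN rather than anywhere in it, and every zone subnet is excluded from virtual_private automatically, so adding a zone to the table cannot leave its netblock open to collision with a client's home network.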
