Koozali.org: home of the SME Server

How smart is Freeswan

Tom Veitch

How smart is Freeswan
« on: August 06, 2002, 12:33:49 AM »
Want to set up a VPN between two SME servers.
Server one has a fixed IP address.

Server two does not have a fixed IP but has been set up with a dynamic IP via Dyndns.org. Can we put a domain name, e.g. server.dyndns.com, as the IP address and then have it resolve to the current IP address?

Any thoughts please.

I have tested this and it will not resolve.

Regards

Tom

steve

Re: How smart is Freeswan
« Reply #1 on: August 06, 2002, 03:02:44 AM »
AFAIK, you have to have 2 static IPs for it to work.
Search the posts again; I believe there is a way to make it work with dynamic IPs. Looked too intensive for me though, lots of editing of config files and stuff like that.

hth

steve

Peter Schubert

Re: How smart is Freeswan
« Reply #2 on: August 06, 2002, 10:16:28 AM »
Hi Tom,

have a look at this message:
http://forums.contribs.org/index.php?topic=14029.msg53340#msg53340

Maybe it works?

Peter


Bill Talcott

Re: How smart is Freeswan
« Reply #4 on: August 06, 2002, 06:12:55 PM »
Here is an old message I saved for my own future reference...

Author: Todd Pearsall (tpearsall_AT_softhome.net)
Date: 06-07-02 12:18

Yes, with FreeS/WAN you can have one side static and the other dynamic. It just means the dynamic side must initiate the connection and the static side is set to wait for a connection from any IP. It can be done with a shared key but is best accomplished with RSA signatures. In FreeS/WAN terms that looks like:

#Static Side Connection File ipsec.conf
conn DynSide-StaticSide
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    authby=rsasig
    # Left security gateway, subnet behind it, next hop toward right.
    left=%any
    leftsubnet=192.168.3.0/24
    leftid=@DynSide
    leftrsasigkey=0x0103df3d...
    leftfirewall=yes
    # Right security gateway, subnet behind it, next hop toward left.
    right=55.55.55.55
    rightsubnet=172.30.85.0/24
    rightnexthop=55.55.55.51
    rightid=@StaticSide
    rightrsasigkey=0x0103779...
    rightfirewall=yes
    # Authorize this connection, but don't actually start it, at startup.
    auto=add



#Dynamic Side Connection File ipsec.conf
conn DynSide-StaticSide
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    authby=rsasig
    # Left security gateway, subnet behind it, next hop toward right.
    left=%defaultroute
    leftsubnet=192.168.3.0/24
    leftid=@DynSide
    leftrsasigkey=0x0103d...
    leftfirewall=yes
    # Right security gateway, subnet behind it, next hop toward left.
    right=55.55.55.55
    rightsubnet=172.30.85.0/24
    rightnexthop=55.55.55.51
    rightid=@StaticSide
    rightrsasigkey=0x0103779...
    rightfirewall=yes
    # Authorize this connection and start it at startup.
    auto=start

Check the FreeS/WAN docs for any parameter definitions you need.

- Todd
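The pattern in Todd's message only holds together if the two files agree on a few things, and the thing that actually authenticates the roaming peer is no longer its address but its RSA key and id. The following is an added example (Python, not code from this thread, from SME Server or from FreeS/WAN) that cross-checks a static-side and a dynamic-side conn for exactly those points: the static side has a %any peer and auto=add, the dynamic side has auto=start, both use authby=rsasig (a pre-shared key with %any would be one secret for every address), the ids, public keys and subnets match, and neither side names its peer by hostname, since FreeS/WAN resolves a hostname in left=/right= once when the conn is added rather than on each negotiation, which is why a DynDNS name does not track the changing address. The two configs are constructed from the values in the post; the rsasigkey strings are short placeholders standing in for the truncated keys, not real keys, and the parser is a simplified reader of ipsec.conf syntax, not FreeS/WAN's own _confread.

```python
"""
Cross-check a static-side / dynamic-side FreeS/WAN conn pair.

Added example; not code from this thread or from FreeS/WAN. The configs are
constructed from the posted values; rsasigkey values are placeholders.
"""
import re

STATIC_SIDE = """\
conn DynSide-StaticSide
    keyingtries=0
    authby=rsasig
    left=%any
    leftsubnet=192.168.3.0/24
    leftid=@DynSide
    leftrsasigkey=0x0103df3d
    right=55.55.55.55
    rightsubnet=172.30.85.0/24
    rightnexthop=55.55.55.51
    rightid=@StaticSide
    rightrsasigkey=0x0103779
    auto=add
"""

DYN_SIDE = """\
conn DynSide-StaticSide
    keyingtries=0
    authby=rsasig
    left=%defaultroute
    leftsubnet=192.168.3.0/24
    leftid=@DynSide
    leftrsasigkey=0x0103df3d
    right=55.55.55.55
    rightsubnet=172.30.85.0/24
    rightnexthop=55.55.55.51
    rightid=@StaticSide
    rightrsasigkey=0x0103779
    auto=start
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")


def parse_conns(text):
    """Return {conn name: {param: value}}. Section headers ('conn X',
    'config setup') start in column 0, parameters are indented (as FreeS/WAN
    itself requires), '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def check_pair(static_cfg, dyn_cfg, name):
    """Return a list of problems with the static/dynamic pair; [] means consistent."""
    s = parse_conns(static_cfg)[name]
    d = parse_conns(dyn_cfg)[name]
    problems = []
    # Only the dynamic side knows both addresses, so it must initiate;
    # the static side can only load the conn and wait for a peer from anywhere.
    if "%any" not in (s.get("left"), s.get("right")):
        problems.append("static side: no %any peer, so it cannot accept the dynamic side")
    if s.get("auto") != "add":
        problems.append("static side: expected auto=add (load the conn, wait for the peer)")
    if d.get("auto") != "start":
        problems.append("dynamic side: expected auto=start (it has to initiate)")
    # With a %any peer a pre-shared key would be one secret shared by every
    # address, so the peer has to be authenticated by its RSA key and id.
    for side, cfg in (("static", s), ("dynamic", d)):
        authby = cfg.get("authby", "secret")  # FreeS/WAN's default is secret
        if authby != "rsasig":
            problems.append(f"{side} side: authby={authby}; use authby=rsasig with a %any peer")
    # A hostname in left=/right= is resolved when the conn is added, not on
    # every negotiation, so a DynDNS name does not follow address changes.
    for side, cfg in (("static", s), ("dynamic", d)):
        for end in ("left", "right"):
            v = cfg.get(end, "")
            if v and not v.startswith("%") and not IPV4.match(v):
                problems.append(f"{side} side: {end}={v} is a hostname and is only resolved once")
    # Ids, public keys and subnets must be identical in both files, or
    # authentication (or the routing of the tunnel) fails.
    for p in ("leftid", "rightid", "leftrsasigkey", "rightrsasigkey",
              "leftsubnet", "rightsubnet"):
        if s.get(p) != d.get(p):
            problems.append(f"{p} differs: static={s.get(p)!r} dynamic={d.get(p)!r}")
    return problems


if __name__ == "__main__":
    print("as posted:", check_pair(STATIC_SIDE, DYN_SIDE, "DynSide-StaticSide") or "OK")
    psk = DYN_SIDE.replace("authby=rsasig", "authby=secret")
    print("PSK on dynamic side:", check_pair(STATIC_SIDE, psk, "DynSide-StaticSide"))
    dyndns = STATIC_SIDE.replace("left=%any", "left=server.dyndns.com")
    print("DynDNS name on static side:", check_pair(dyndns, DYN_SIDE, "DynSide-StaticSide"))
```

The point of comparing the key lines is that, once the static side accepts proposals from any address, the signature check against leftrsasigkey for the peer claiming leftid=@DynSide is the only thing standing between it and an arbitrary host on the Internet; a typo there on either side fails closed, but a copy-paste from the wrong host's `ipsec showhostkey` output fails open for whoever holds that key.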