From: Aidas K. <a.k...@gm...> - 2005-10-26 14:34:14
Emmanuel Dreyfus wrote:
> On Tue, Oct 25, 2005 at 09:25:12PM +0200, F. Senault wrote:
>
>> What would be the most effective way to handle this setup? I'm
>> thinking more and more of using two instances of racoon on the main
>> machine, one for the roadwarriors, and one for the branch offices, but
>> even at that point, I'm not terribly sure of the way to do it...
>
> Why can't you have remote sections for each gateway, and a remote
> anonymous section for the roadwarriors?

Because he doesn't know the public addresses of sites which are behind dynamic IPs. But that does not mean two instances of racoon are needed.

Fred, you simply configure the anonymous remote to have ph1 parameters which are acceptable to both -- your nomad users and the remote offices (=> more proposals). Ph2 can be configured separately, because in sainfo you'll use local networks like

    sainfo address 192.168.1.0/24 address 192.168.2.0/24 ...

and you'll most likely give your nomad users addresses from another subnet, say 192.168._4_.0/24, therefore you'll need lots of

    sainfo address 192.168.1.0/24 address 192.168.4.1 ...
    sainfo address 192.168.1.0/24 address 192.168.4.2 ...
    sainfo address 192.168.1.0/24 address 192.168.4.3 ...
    sainfo address 192.168.1.0/24 address 192.168.4.4 ...

You'll not need to set up any policies in the main office, but allow policy generation. Then, when a remote office sets up a connection, it will start a script which sets up policies on the remote side (using the IP address assigned to them); when there is traffic to the main office, the remote office will start negotiations and the policies in the central office will be generated. But you should make them short-lived, because no new policy will be generated while one is still valid when the public IP address of the remote office changes.

For nomad users the principle is the same, but on the client side the Cisco VPN client will know how to work out of the box.

I do have such a setup actually working. So, if some part is unclear, ask.

Nuisances:
- the initiative to set up a connection has to start at the remote office => the central office cannot initiate secure tunnels;
- to determine what the IP address of a remote office is, I set up a cron job running every 5 minutes which wgets http://my-web-server/office-id. When in need I check error.log on that server. More elegant ways appreciated.

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
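The remote-office side of the scheme above (explicit policies on the branch, generate_policy on the central gateway) as an added example script, not the poster's own: it assumes Linux with iproute2 and setkey, uses the thread's 192.168.1.0/24 and 192.168.2.0/24 subnets, and 203.0.113.1 is a constructed placeholder for the central gateway's public address.

```shell
#!/bin/sh
# Branch-office helper: rebuild the local SPD whenever the dynamic public
# address changes, so racoon negotiates the tunnel with the current address.
# Only this side carries explicit policies; the central office generates its
# own from the proposal (generate_policy on), as described in the thread.

CENTRAL_GW="203.0.113.1"        # constructed placeholder: central gateway IP
CENTRAL_NET="192.168.1.0/24"    # central office LAN (from the thread)
LOCAL_NET="192.168.2.0/24"      # this branch office LAN (from the thread)
STATE="/var/run/branch-tunnel.ip"

# Print a setkey script with tunnel-mode "require" policies in both
# directions, using $1 as the local (dynamic) tunnel endpoint.
gen_spd() {
    local_ip="$1"
    cat <<EOF
spdflush;
spdadd $LOCAL_NET $CENTRAL_NET any -P out ipsec esp/tunnel/$local_ip-$CENTRAL_GW/require;
spdadd $CENTRAL_NET $LOCAL_NET any -P in ipsec esp/tunnel/$CENTRAL_GW-$local_ip/require;
EOF
}

# First IPv4 address on the uplink interface (assumes iproute2).
current_ip() {
    ip -4 -o addr show dev "$1" | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# Intended to run from cron: reload the SPD only when the address changed,
# since "require" policies drop traffic until the new SA is negotiated.
main() {
    iface="${1:-eth0}"
    ip_now=$(current_ip "$iface") || exit 1
    [ -n "$ip_now" ] || { echo "no IPv4 address on $iface" >&2; exit 1; }
    if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$ip_now" ]; then
        exit 0
    fi
    gen_spd "$ip_now" | setkey -c || exit 1
    echo "$ip_now" > "$STATE"
}

# Run as: branch-tunnel.sh --apply eth0
case "${1:-}" in
    --apply) main "$2" ;;
esac
```
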