From: <ma...@ne...> - 2004-10-22 07:26:23

Aidas Kasparas <a.k...@gm...> wrote:

> Situation:
> roadwarrior has address 1.2.3.4
> ipsec-gw has address 100.100.100.100

And we have an esp/transport//require policy between roadwarrior and ipsec-gw, so that the IPsec SA gets negotiated.

> subnet behind gateway 192.168.100.0/24
> roadwarrior is assigned address 192.168.1.1
>
> then
>
> on road-warrior you do
>
> ifconfig lo:1 192.168.1.1 up
> route add -net 192.168.100.0/24 dev lo:1
> setkey -c << EOSETKEY
> spdadd 192.168.1.1 192.168.100.0/24 any -P out
>     esp/tunnel/1.2.3.4-100.100.100.100/require;
> spdadd 192.168.100.0/24 192.168.1.1 any -P in
>     esp/tunnel/100.100.100.100-1.2.3.4/require;
> EOSETKEY

Except that we probably want to default all the traffic to the tunnel, so I guess that would do:

ifconfig lo:1 192.168.1.1 up
route delete default
route add -host 100.100.100.100 gw $orig_default_route
route add default gw 192.168.1.1
setkey -c << EOSETKEY
spdadd 192.168.1.1 192.168.100.0/24 any -P out
    esp/tunnel/1.2.3.4-100.100.100.100/require;
spdadd 192.168.100.0/24 192.168.1.1 any -P in
    esp/tunnel/100.100.100.100-1.2.3.4/require;
EOSETKEY

Should I delete the esp/transport//require policies before creating the tunnel policies?

In fact, part of this job is probably more a job for a shell script than something that should be implemented in racoon. What about support for calling vpn-up.sh and vpn-down.sh scripts at IPsec SA creation and deletion time? The scripts would take the data obtained through ISAKMP mode config. It would be just like pppd, which calls ppp-up.sh and ppp-down.sh when the link goes up or down.

In vpn-up.sh and vpn-down.sh we would have
$1 private IP
$2 private netmask
$3 DNS
$4 WINS

--
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand binary and those who don't.
ma...@ne...
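The vpn-up.sh hook proposed in the message, sketched as an added example (this is not code from the thread, from racoon, or from ipsec-tools). It takes the four positional arguments the mail lists (private IP, netmask, DNS, WINS), validates them, and prints the route and setkey commands from the message as a dry run instead of executing them, so the plan can be reviewed before it is piped into sh. The road-warrior address, gateway address and remote subnet come from assumed environment variables ROADWARRIOR_IP, GW_IP and REMOTE_NET, whose defaults are the sample values from the thread; ORIG_GW (the original default gateway, written as $orig_default_route in the mail) defaults to a constructed placeholder. The spdadd lines carry the ipsec keyword that setkey's policy syntax expects between the direction and the protocol/mode specification.

```shell
#!/bin/sh
# Hypothetical vpn-up.sh / vpn-down.sh helper (added example, not racoon code).
# Usage: vpn-up.sh PRIVATE_IP NETMASK DNS WINS   (argument layout from the mail)
# It emits the commands rather than running them, so it is safe to inspect.

# Assumed environment; defaults are the sample addresses from the thread.
ROADWARRIOR_IP="${ROADWARRIOR_IP:-1.2.3.4}"
GW_IP="${GW_IP:-100.100.100.100}"
REMOTE_NET="${REMOTE_NET:-192.168.100.0/24}"
ORIG_GW="${ORIG_GW:-203.0.113.1}"   # constructed placeholder for $orig_default_route

# Four dotted-decimal octets, each 0-255; pure POSIX sh, no external tools.
is_ipv4() {
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# SPD entries for the tunnel: outbound from the assigned private IP to the
# remote subnet, inbound the other way, both requiring ESP in tunnel mode
# between the public endpoints.
spd_policy() {
    priv_ip="$1"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$priv_ip" "$REMOTE_NET" "$ROADWARRIOR_IP" "$GW_IP"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_NET" "$priv_ip" "$GW_IP" "$ROADWARRIOR_IP"
}

# Route plan from the mail: keep a host route to the gateway via the original
# default route, then send everything else through the tunnel address.
route_plan() {
    priv_ip="$1"; orig_gw="$2"
    printf 'ifconfig lo:1 %s up\n' "$priv_ip"
    printf 'route delete default\n'
    printf 'route add -host %s gw %s\n' "$GW_IP" "$orig_gw"
    printf 'route add default gw %s\n' "$priv_ip"
}

# Reject anything that is not four IPv4 addresses before printing a plan:
# these values arrive from the remote side via mode config, so they are input.
check_args() {
    [ "$#" -eq 4 ] || { echo "usage: vpn-up.sh private_ip netmask dns wins" >&2; return 2; }
    for a in "$@"; do
        is_ipv4 "$a" || { echo "bad IPv4 address: $a" >&2; return 2; }
    done
}

vpn_up() {
    check_args "$@" || return 2
    priv_ip="$1"; dns="$3"            # $2 (netmask) and $4 (WINS) validated, unused here
    route_plan "$priv_ip" "$ORIG_GW"
    echo 'setkey -c << EOSETKEY'
    spd_policy "$priv_ip"
    echo 'EOSETKEY'
    printf 'echo "nameserver %s" > /etc/resolv.conf\n' "$dns"
}

# Tear-down mirror: drop the tunnel policies and restore the original default.
vpn_down() {
    check_args "$@" || return 2
    priv_ip="$1"
    echo 'setkey -c << EOSETKEY'
    printf 'spddelete %s %s any -P out;\n' "$priv_ip" "$REMOTE_NET"
    printf 'spddelete %s %s any -P in;\n' "$REMOTE_NET" "$priv_ip"
    echo 'EOSETKEY'
    printf 'route delete default\n'
    printf 'route delete -host %s\n' "$GW_IP"
    printf 'route add default gw %s\n' "$ORIG_GW"
    printf 'ifconfig lo:1 down\n'
}

# Stand-alone use: print the up plan when exactly four arguments are given.
if [ "$#" -eq 4 ]; then
    vpn_up "$@"
fi
```

Running `sh vpn-up.sh 192.168.1.1 255.255.255.0 192.168.100.1 192.168.100.2` prints the route commands followed by the setkey heredoc; piping that into `sh` applies it. Validating every argument before anything is printed is the point of the check_args step: the four values are chosen by the mode-config server, so a hook that splices them straight into setkey or route lines is trusting the remote side with command text.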