IPSec, Racoon, and roaming clients

Brent Wiese brently at bjwcs.com
Fri May 9 11:53:01 PDT 2003


Forgot to mention one more thing... If you do decide to use mpd, make sure
you have "gateway_enable=yes" in your rc.conf. I'm guessing you do since
you're using it as a gateway already, but this obvious thing threw me for a
long time because you tend to not read the readme files when installing
ports... :)

Oh, and don't forget to set up the correct firewall rules so that gateway is
secure, but you probably knew that too.

> This is a tricky setup.
> 
> If your roaming users are Windows, I'd suggest checking out 
> mpd instead. Then your windows clients can use the built in 
> PPTP stuff, which is much easier to support than ipsec. Just 
> make sure you use MSCHAP-V2 for auth, not chap or mschap-v1.
> 
> PPTP uses the GRE protocol so make sure you're not blocking that.
> 
> Actually, even using mpd as a client on unix boxes can make 
> roaming users much easier to deal with.
> 
> Something you may want to consider is replacing your freebsd 
> gateway w/ a Snapgear (www.snapgear.com). Has all the VPN 
> stuff you want, it's cheap, powerful (full firewalling 
> capabilities) and really easy to use. Pays for itself in 
> saved time, plus, since there are no moving parts, less 
> chances of breakage and downtime...
> 
> Brent
> 
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Paul Lathrop
> > Sent: Saturday, April 26, 2003 12:59 PM
> > To: freebsd-questions at freebsd.org
> > Subject: IPSec, Racoon, and roaming clients
> > 
> > 
> > I have recently been asked to implement VPN access for some of our
> > roaming employees. Our gateway is a FreeBSD 4.7 box that I administer.
> > Our employees are all on cablemodem connections when they are out and
> > about. I have discovered IPSec and racoon, of course, and dug through
> > their documentation. I have also read several very good tutorials on
> > the web. The trouble I am having is that all the information I can find
> > is for setting up a VPN tunnel between two gateways. What I need is a
> > VPN connection between a roaming host (with a dynamic IP) and our VPN
> > gateway (static IP) which will allow access to the internal network
> > behind that gateway (private IP addresses). I have successfully
> > established the VPN connection between a roaming host and the gateway,
> > but without access to the internal network. I can't seem to figure out
> > how to tell setkey to configure a tunnel into the network without
> > knowing ahead of time what the client's IP will be.
> > 
> > Can anybody give me some pointers?
> > 
> > Thanks,
> > Paul D. Lathrop
> > 
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > 
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"
> > 
> > 
> 
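Brent's two reminders above (gateway_enable in rc.conf, and firewall rules that let PPTP traffic reach the mpd gateway) turned into a runnable check. This is example code added here, not from either poster: the rc.conf and ipfw listings are constructed samples, the `ipfw list` output format is assumed, and the TCP port 1723 control channel is PPTP's standard port, which the thread itself does not name (it only mentions GRE).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the two things an
# mpd/PPTP gateway on FreeBSD needs besides mpd itself: gateway_enable in
# rc.conf, and firewall rules that admit PPTP traffic (GRE, protocol 47,
# plus the tcp/1723 control channel). Inputs are passed as text so the
# checks can run anywhere, not only on the gateway.

# Constructed sample rc.conf with forwarding on. The duplicate assignment
# shows why the LAST assignment must win: rc.conf is sourced by sh(1).
SAMPLE_RC_CONF='hostname="gw.example.net"
ifconfig_fxp0="DHCP"
gateway_enable="NO"
mpd_enable="YES"
gateway_enable="YES"'

# Constructed sample rc.conf with forwarding left off.
SAMPLE_RC_CONF_OFF='hostname="gw.example.net"
gateway_enable="NO"'

# Constructed sample in the format of `ipfw list` (format assumed):
# GRE and the PPTP control port are both admitted.
SAMPLE_IPFW_OK='00100 allow ip from any to any via lo0
00200 allow tcp from any to me 1723 in via fxp0
00300 allow gre from any to me in via fxp0
65535 deny ip from any to any'

# Constructed sample where only the control channel is open: the tunnel
# negotiates and then carries nothing, because GRE is dropped.
SAMPLE_IPFW_NO_GRE='00100 allow ip from any to any via lo0
00200 allow tcp from any to me 1723 in via fxp0
65535 deny ip from any to any'

# rcconf_value VAR TEXT: print the value of VAR's last assignment in TEXT
# with surrounding quotes removed (empty if VAR is never set).
rcconf_value() {
    printf '%s\n' "$2" | grep "^[[:space:]]*$1=" | tail -n 1 \
        | cut -d= -f2- | tr -d "\"'"
}

# gateway_enabled TEXT: succeed only if gateway_enable resolves to YES
# (matched case-insensitively, as the rc scripts do).
gateway_enabled() {
    case "$(rcconf_value gateway_enable "$1")" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# ipfw_allows_pptp RULES: succeed only if an allow rule admits GRE
# (by name or protocol number) AND an allow rule admits tcp port 1723.
ipfw_allows_pptp() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ allow (gre|47) ' || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ allow tcp .* 1723( |$)' || return 1
    return 0
}

# report RCCONF RULES: human-readable summary of both checks.
report() {
    if gateway_enabled "$1"; then
        echo "gateway_enable: YES (IP forwarding is turned on at boot)"
    else
        echo "gateway_enable: missing or not YES; clients will connect but reach nothing"
    fi
    if ipfw_allows_pptp "$2"; then
        echo "ipfw: GRE and tcp/1723 are admitted"
    else
        echo "ipfw: PPTP needs both GRE (proto 47) and tcp/1723; at least one is missing"
    fi
}

report "$SAMPLE_RC_CONF" "$SAMPLE_IPFW_OK"
report "$SAMPLE_RC_CONF_OFF" "$SAMPLE_IPFW_NO_GRE"
```

On a real gateway the same functions take `"$(cat /etc/rc.conf)"` and `"$(ipfw list)"` as arguments. The last-assignment-wins rule matters because a stray `gateway_enable="NO"` lower in rc.conf silently undoes an earlier `YES`, which is exactly the kind of "obvious thing" that costs a long debugging session.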