IPSec, Racoon, and roaming clients
Brent Wiese
brently at bjwcs.com
Fri May 9 11:53:01 PDT 2003
Forgot to mention one more thing... If you do decide to use mpd, make sure
you have "gateway_enable=yes" in your rc.conf. I'm guessing you do since
you're using it as a gateway already, but this obvious thing threw me for a
long time because you tend to not read the readme files when installing
ports... :)
Oh, and don't forget to set up the correct firewall rules so that gateway is
secure, but you probably knew that too.
> This is a tricky setup.
>
> If your roaming users are Windows, I'd suggest checking out
> mpd instead. Then your windows clients can use the built in
> PPTP stuff, which is much easier to support than ipsec. Just
> make sure you use MSCHAP-V2 for auth, not chap or mschap-v1.
>
> PPTP uses the GRE protocol so make sure you're not blocking that.
>
> Actually, even using mpd as a client on unix boxes can make
> roaming users much easier to deal with.
>
> Something you may want to consider is replacing your freebsd
> gateway w/ a Snapgear (www.snapgear.com). Has all the VPN
> stuff you want, it's cheap, powerful (full firewalling
> capabilities) and really easy to use. Pays for itself in
> saved time, plus, since there are no moving parts, less
> chances of breakage and downtime...
>
> Brent
>
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Paul Lathrop
> > Sent: Saturday, April 26, 2003 12:59 PM
> > To: freebsd-questions at freebsd.org
> > Subject: IPSec, Racoon, and roaming clients
> >
> > I have recently been asked to implement VPN access for some of our
> > roaming employees. Our gateway is a FreeBSD 4.7 box that I administer.
> > Our employees are all on cablemodem connections when they are out and
> > about. I have discovered IPSec and racoon, of course, and dug through
> > their documentation. I have also read several very good tutorials on
> > the web. The trouble I am having is that all the information I can find
> > is for setting up a VPN tunnel between two gateways. What I need is a
> > VPN connection between a roaming host (with a dynamic IP) and our VPN
> > gateway (static IP) which will allow access to the internal network
> > behind that gateway (private IP addresses). I have successfully
> > established the VPN connection between a roaming host and the gateway,
> > but without access to the internal network. I can't seem to figure out
> > how to tell setkey to configure a tunnel into the network without
> > knowing ahead of time what the client's IP will be.
> >
> > Can anybody give me some pointers?
> >
> > Thanks,
> > Paul D. Lathrop
>
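For the racoon/setkey question at the bottom of the thread (tunnelling a dynamic-IP client into a private LAN without knowing the client address in advance), here is an added gateway-side configuration example. It is not from any of the thread's participants; it uses racoon's "anonymous" remote block together with the generate_policy directive so the responder builds its SPD entries from whatever address the client proposes, instead of a per-client setkey spdadd. The internal subnet 192.168.1.0/24, the pre-shared-key file path and the algorithm choices are assumptions made for this example.

```conf
# /usr/local/etc/racoon/racoon.conf on the VPN gateway (added example).
# Assumed for this example: the LAN behind the gateway is 192.168.1.0/24,
# pre-shared keys are in /usr/local/etc/racoon/psk.txt, and the gateway
# only answers roaming clients; it never initiates to them.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# "anonymous" matches a peer at any address, which is exactly what a
# client on a cablemodem with a changing IP needs.
remote anonymous {
        exchange_mode aggressive, main;
        passive on;             # responder only: wait for the client to connect
        generate_policy on;     # derive SPD entries from the client's phase-2
                                # proposal, so no spdadd per client address
        proposal_check obey;
        my_identifier address;
        lifetime time 1 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase-2 parameters offered to any client. Require PFS so a recovered
# phase-1 key does not expose later tunnel traffic.
sainfo anonymous {
        pfs_group 2;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With this in place the gateway needs no client-specific setkey policy; the roaming host still installs its own pair of tunnel-mode SPD entries once it knows its current address (for example from a small script run after the interface comes up: out from its own /32 to 192.168.1.0/24 and the matching in policy, both esp/tunnel/client-gateway/require). Two things to check on the gateway: psk.txt must be readable by root only, and because any peer holding a valid pre-shared key can negotiate a tunnel to whichever inner addresses it proposes, the gateway's firewall rules, not the IPsec policy alone, should decide what the decrypted traffic may reach. Aggressive mode with pre-shared keys also sends the identities in the clear and leaves the key open to offline guessing from a captured exchange, so strong keys, or certificate authentication (authentication_method rsasig) instead, are the better fit for roaming users.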