[oclug] FreeS/WAN question

Derek T. Murphy (Home) derekm at NightTiger.ca
Tue Apr 6 16:42:08 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 6 Apr 2004,  Jon Earle [ JE ] wrote:

JE > No, I'm using a generic roadwarrior type setup with each client assigned
JE > an x509 certificate.

You can still declare an updown script to be executed for accepted
connections. The updown script is passed several parameters, including the
remote end's IP address, whether the tunnel is coming up or going down,
etc. Just add a static route when it comes up, and delete same when it
goes down.

The sample _updown is primarily concerned with firewall rules, but routes
can be manipulated the same way...

JE > If a client, say a Win2k[1] laptop, connects to a dialup ISP, that ISP
JE > will assign a dynamic IP to the laptop.  If the user then brings up the
JE > VPN connection, the IP will be unique for that session only, as any
JE > subsequent calls to that ISP will usually result in a new IP being
JE > assigned.  If that user then goes home, plugs into the home DSL, we have
JE > yet another IP.  Our fearless user then goes on a trip and connects to a
JE > partner ISP in that city.  Bingo, all new IPs for the duration of the
JE > trip.
JE >
JE > Charly Baker was suggesting that I can permanently assign IPs to the VPN
JE > tunnel - can you point me to the docs that detail that configuration?

Is he talking about extruded subnets? Extruded subnets is in the FreeS/WAN
source docs tree...

JE >
JE > Cheers!
JE > Jon
JE >
JE > [1] The same can be said of a Linux laptop - IP assignments are typically
JE > always dynamic.

SHAME on you, listing That Other OS first. Shame! Shame! Shame! (Of
course, TOOS DOES need all the help it can get...)


- -- 
                 Derek T. Murphy <DerekM at NightTiger.ca>
    Night Tiger Inc.  Kanata,  Ontario,  Canada  (613) 266-NTSC (266-6872)
   System Administration/Network Security  PGP/GPG keys: www.NightTiger.ca
           "The answer is *computers*. What's your _question_?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAcxYlRVr2W6BTungRAtSeAKCU+dO7ir7sybXmdRvrjEfgbmKtEQCguYPd
xW/xA/sJoZzCeSgS8z6pAoo=
=tncc
-----END PGP SIGNATURE-----
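
The route step suggested in the reply above, as an added example that is not part of the original post or of FreeS/WAN's own _updown. It assumes the PLUTO_* environment variables that the stock script reads, picks the peer's client network as the route target (an assumption, since the post does not say which route), and validates each value because pluto runs the hook as root. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: route handling for a custom updown hook (leftupdown=/rightupdown=).
# Firewall handling from the stock _updown is not reproduced here.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints the route(8) command for this event, prints nothing for verbs that
# do not bring the tunnel up or down, and fails on any malformed value.
route_command() {
    verb=$1; net=$2; mask=$3; dev=$4; gw=$5
    case "$verb" in
        up-host|up-client)     op=add ;;
        down-host|down-client) op=del ;;
        *) return 0 ;;
    esac
    is_ipv4 "$net" && is_ipv4 "$mask" && is_ipv4 "$gw" || return 1
    case "$dev" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    echo "route $op -net $net netmask $mask dev $dev gw $gw"
}

# Act only when pluto invoked the script (it always sets PLUTO_VERB).
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(route_command "$PLUTO_VERB" "$PLUTO_PEER_CLIENT_NET" \
        "$PLUTO_PEER_CLIENT_MASK" "$PLUTO_INTERFACE" "$PLUTO_NEXT_HOP") || {
        logger -t updown "rejected malformed PLUTO_* values for $PLUTO_CONNECTION"
        exit 1
    }
    # Values were validated above, so word-splitting $cmd is intentional.
    [ -z "$cmd" ] || $cmd
fi
```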



