[oclug] FreeS/WAN question
Charly Baker
cmb at fivefortyfour.com
Wed Apr 7 14:36:12 EDT 2004
I should have reviewed my setup before I started to reply. Now I have.
What I have done in these cases is to set up a GRE tunnel over the FreeS/WAN
link. The GRE tunnel can have the same IPs at its endpoints regardless of
the IP for the FreeS/WAN interfaces. These tunnels are not very complicated,
and once set up you get around some of the restrictions imposed by IPsec; for
example, Windows networking will work over a GRE tunnel, but not over IPsec
very well. You build it in the up-down script.
Charly Baker
On Wednesday 07 April 2004 2:12 pm, Jon Earle wrote:
> On Tue, 6 Apr 2004, Charly Baker wrote:
> > > Right... but that's my problem. Unless I can assign an address from
> > > the private network to the remote client (clients will be mostly
> > > Windows 2000 boxen and one Linux client [me]), I'd be chasing all of
> > > the client IP addresses each time they connect.
> > >
> > > Can I do that - assign an address from the private network over the
> > > VPN?
> >
> > Not dynamically, but the tunnel that you set up to the client has to have
> > an address at each end. At the client end, assign it to be whatever you
> > want, and it will be that no matter where the client is. What do you
> > have in your config files for the tunnel to the client?
>
> The left side is set to the IP config of the gateway, the right side is
> set to accept any client IP. Which is fine as this will allow me to set a
> single configuration that will serve all clients, without requiring me
> knowing from where they're connecting.
>
> The tunnel just gets an IP from the current network config, so I'm not
> sure what you're getting at when you suggest "At the client end, assign it
> to be whatever you want". Thinking of a home PC that's just plugged into
> a DSL modem, it gets its IP from the ISP's DHCP server, which is most
> decidedly not on my private subnet nor within my control.
>
> Cheers!
> Jon
>
> --
> Jon Earle
> Software Developer / Network Manager
> Specializing in Open Source Software Solutions
> http://kronos.honk.org/~earlej/
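
The GRE-over-FreeS/WAN setup described in the reply above, sketched as an added example that is not part of the original post or the poster's own script. It assumes it is called from the connection's updown script with pluto's `PLUTO_VERB`, `PLUTO_ME` and `PLUTO_PEER` set, and that the IPsec connection covers host-to-host traffic between the two outer addresses so the GRE packets are encrypted; the device name, inner addresses and TTL are hypothetical.

```shell
#!/bin/sh
# Added example: build/tear down a GRE tunnel from an IPsec updown hook.
# Hypothetical values: device name and the fixed inner (tunnel) addresses.
GRE_DEV="${GRE_DEV:-gre-vpn0}"
GRE_LOCAL_INNER="${GRE_LOCAL_INNER:-192.168.100.1}"
GRE_PEER_INNER="${GRE_PEER_INNER:-192.168.100.2}"

# run: execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# is_ipv4: accept only a dotted quad, since the value ends up in root commands.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gre_hook VERB ME PEER: ME/PEER are the outer (IPsec endpoint) addresses.
# The inner addresses stay the same wherever the peer connects from.
gre_hook() {
    is_ipv4 "$2" && is_ipv4 "$3" || { echo "gre_hook: bad address" >&2; return 1; }
    case "$1" in
        up-host|up-client)
            run ip tunnel add "$GRE_DEV" mode gre local "$2" remote "$3" ttl 64 &&
            run ip addr add "$GRE_LOCAL_INNER" peer "$GRE_PEER_INNER" dev "$GRE_DEV" &&
            run ip link set "$GRE_DEV" up
            ;;
        down-host|down-client)
            run ip link set "$GRE_DEV" down
            run ip tunnel del "$GRE_DEV"
            ;;
    esac
}

# Only act when invoked by pluto (PLUTO_VERB set); other verbs are ignored.
if [ -n "${PLUTO_VERB:-}" ]; then
    gre_hook "$PLUTO_VERB" "${PLUTO_ME:-}" "${PLUTO_PEER:-}"
fi
```

With several roaming clients, each one needs its own device name and inner address pair.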