Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Bill Talcott on June 07, 2002, 12:34:19 AM

Title: Server to Server VPN with dynamic IP?
Post by: Bill Talcott on June 07, 2002, 12:34:19 AM
Is it possible to set up a server to server VPN if one of the servers has a dynamic IP? Everything I've read so far says you have to have a static IP...

We have a (very) remote office. The only option is dialup. We have a few PCs there, and it would be nice if we could set up some sort of server-based VPN so they could access the network here behind the SME. It'd still be insanely slow anyway so I'm not too concerned, but it would be nice to know if it's possible to do this.
Title: Re: Server to Server VPN with dynamic IP?
Post by: james douglas on June 07, 2002, 05:17:58 AM
Can you set up the VPN using domain names? I haven't tried yet but was planning to. If so, you could use a dynamic DNS service to maintain your domain names and use the domain names to establish the VPNs between sites...
Title: Re: Server to Server VPN with dynamic IP?
Post by: Todd Pearsall on June 07, 2002, 09:18:38 PM
Yes, with FreeS/WAN you can have one side static and the other dynamic; it just means the dynamic side must initiate the connection and the static is set to wait for a connection from any IP. It can be done with a shared key but is best accomplished with RSA signatures. In FreeS/WAN terms that looks like:

#Static Side Connection File ipsec.conf
conn DynSide-StaticSide
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   authby=rsasig
   # Left security gateway, subnet behind it, next hop toward right.
   left=%any
   leftsubnet=192.168.3.0/24
   leftid=@DynSide
   leftrsasigkey=0x0103df3d...
   leftfirewall=yes
   # Right security gateway, subnet behind it, next hop toward left.
   right=55.55.55.55
   rightsubnet=172.30.85.0/24
   rightnexthop=55.55.55.51
   rightid=@StaticSide
   rightrsasigkey=0x0103779...
   rightfirewall=yes
   # Authorize this connection, but don't actually start it, at startup.
   #
   auto=add



#Dynamic Side Connection File ipsec.conf
conn DynSide-StaticSide
   # How persistent to be in (re)keying negotiations (0 means very).
   keyingtries=0
   authby=rsasig
   # Left security gateway, subnet behind it, next hop toward right.
   left=%defaultroute
   leftsubnet=192.168.3.0/24
   leftid=@DynSide
   leftrsasigkey=0x0103d...
   leftfirewall=yes
   # Right security gateway, subnet behind it, next hop toward left.
   right=55.55.55.55
   rightsubnet=172.30.85.0/24
   rightnexthop=55.55.55.51
   rightid=@StaticSide
   rightrsasigkey=0x0103779...
   rightfirewall=yes
   # Authorize this connection and start it at startup.
   auto=start

Check the FreeS/WAN docs for any parameter definitions you need.

- Todd
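
As an added example (not part of the original thread and not FreeS/WAN tooling), this Python lint checks that the two conn sections posted above agree on IDs, subnets and RSA keys, and that the static side really waits with left=%any under authby=rsasig. The key values are constructed placeholders, the function names are hypothetical, and the parser assumes plain key=value lines inside a named conn section (no %default or also= handling).

```python
# Constructed sample: same layout as the posted config, placeholder RSA keys.
STATIC_SIDE = """\
conn DynSide-StaticSide
   authby=rsasig
   left=%any
   leftsubnet=192.168.3.0/24
   leftid=@DynSide
   leftrsasigkey=0x0103AAAA
   right=55.55.55.55
   rightsubnet=172.30.85.0/24
   rightid=@StaticSide
   rightrsasigkey=0x0103BBBB
   auto=add
"""
# The dynamic side differs only in how "left" is found and who starts the tunnel.
DYNAMIC_SIDE = STATIC_SIDE.replace("left=%any", "left=%defaultroute").replace("auto=add", "auto=start")

def parse_conn(text, name):
    """Return the key=value settings of one conn section as a dict."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line = section header
            current = line.split()[1] if line.startswith("conn ") else None
        elif current == name and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

# Settings that must be identical in both files for authentication to succeed.
SHARED = ["authby", "leftid", "leftsubnet", "leftrsasigkey",
          "right", "rightid", "rightsubnet", "rightrsasigkey"]

def lint_pair(static, dynamic):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = [f"{k} differs or is missing" for k in SHARED
                if not static.get(k) or static.get(k) != dynamic.get(k)]
    if static.get("authby") != "rsasig":
        problems.append("static side is not using authby=rsasig")
    if static.get("left") != "%any":
        problems.append("static side should have left=%any")
    if static.get("auto") != "add":
        problems.append("static side should wait for the peer (auto=add)")
    if dynamic.get("left") != "%defaultroute" or dynamic.get("auto") != "start":
        problems.append("dynamic side should use left=%defaultroute and auto=start")
    return problems
```

Because the static side accepts a connection from any address, the leftid and leftrsasigkey pair is the only thing identifying the remote office, so a mismatch reported here is worth fixing before troubleshooting anything else.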