Subject: inside addresses and IPsec
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 01/03/2001 13:45:01
>>>>> "Michael" == Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
Michael> Absolutely. I'd like to do something like:
Michael> ifconfig lo1 inet 192.168.1.xxx up (whatever was assigned by the
Michael> gateway)
Yes, this is the problem.
Once I realized that my own firewall hadn't had the new rules I wrote to
let ESP out from my notebook, things flowed fine.
Scenario:
notebook<====Fx=====Internet====>Permit---->desktop
My firewall is now transparent to ESP and UDP 500. (I have real addresses)
I added an explicit route on desktop (with an SSH login...) pointing my IP
to the permit gateway. Things work fine.
Normally, the permit gate assigns an IP on its local wire and proxy-arps.
Problem 1:
racoon doesn't know how to receive that IP.
This is an ISAKMP, IPSRA WG problem. Let's ignore that for the moment.
Problem 2:
We can simply arrange to point an entire subnet at the permit gateway,
and can assign "static" IP addresses for the insides of tunnels. That way,
I don't need to know what IP address I will be assigned, I can simply
provision it.
The problem is how do I make sure that I pick the right source IP
address when talking to that network. Ideas? A new dummy interface, as
suggested above would do the trick using regular routing.
The only other problem is getting my /etc/resolv.conf munged appropriately
as the IPsec link goes up and down so that I can access the internal
nameserver. For now, I just secondary the internal DNS server.
] Train travel features AC outlets with no take-off restrictions|gigabit is no[
] Michael Richardson, Solidum Systems Oh where, oh where has|problem with[
] mcr@solidum.com www.solidum.com the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
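One shape the up/down hook discussed in this message could take, as an added example that is not part of the original post and not code from racoon or NetBSD: it gives a dummy loopback interface (lo1) the provisioned inside address, adds an interface route for the inside network through it so that source address selection picks that address (the "regular routing" idea from the post, assumed here rather than verified for any particular kernel), rewrites resolv.conf so the internal nameserver is queried first, and undoes all of it on the way down. It also prints the ipf rules that make a firewall transparent to ESP and IKE (UDP 500). The addresses, the interface name, the script name and the RESOLV_CONF / IPSEC_DRY_RUN knobs are assumptions; commands are only echoed unless IPSEC_DRY_RUN=0, so the script can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post or from racoon/NetBSD.
# Up/down hook for the notebook side of the tunnel described above.
# Assumed (hypothetical) values: a statically provisioned inside address,
# the inside network behind the permit gateway, and the internal nameserver.
INSIDE_ADDR=${INSIDE_ADDR:-192.168.1.200}    # constructed sample address
INSIDE_NET=${INSIDE_NET:-192.168.1.0/24}     # constructed sample network
INSIDE_DNS=${INSIDE_DNS:-192.168.1.1}        # constructed sample nameserver
DUMMY_IF=${DUMMY_IF:-lo1}                    # the dummy interface from the post
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf} # overridable for unprivileged trials
IPSEC_DRY_RUN=${IPSEC_DRY_RUN:-1}            # 1: only print commands; 0: run them

# run CMD...: print the command, and execute it unless in dry-run mode.
run() {
    echo "$*"
    [ "$IPSEC_DRY_RUN" = 1 ] || "$@"
}

# ipf_rules: filter rules that let ESP and IKE (UDP 500) through in both
# directions, i.e. what "transparent to ESP and UDP 500" means in ipf terms.
ipf_rules() {
    cat <<'EOF'
pass in quick proto esp from any to any
pass out quick proto esp from any to any
pass in quick proto udp from any to any port = 500
pass out quick proto udp from any to any port = 500
EOF
}

# resolv_push: keep a copy of the current resolv.conf (only the first time,
# so a repeated "up" never clobbers it) and install one that lists the
# internal nameserver first, with the outside resolvers left as fallback.
resolv_push() {
    if [ -f "$RESOLV_CONF" ] && [ ! -f "$RESOLV_CONF.preipsec" ]; then
        cp "$RESOLV_CONF" "$RESOLV_CONF.preipsec"
    fi
    {
        echo "nameserver $INSIDE_DNS"
        [ -f "$RESOLV_CONF.preipsec" ] && \
            grep -v "^nameserver $INSIDE_DNS\$" "$RESOLV_CONF.preipsec" || true
    } > "$RESOLV_CONF"
}

# resolv_pop: put the saved resolv.conf back, if there is one.
resolv_pop() {
    if [ -f "$RESOLV_CONF.preipsec" ]; then
        mv "$RESOLV_CONF.preipsec" "$RESOLV_CONF"
    fi
}

# tunnel_up: give the dummy interface the inside address and add an
# interface route for the inside network through it, so that the kernel
# picks INSIDE_ADDR as the source address. Assumption: this is the
# "regular routing" approach the post suggests, not a verified recipe.
tunnel_up() {
    run ifconfig "$DUMMY_IF" inet "$INSIDE_ADDR" netmask 255.255.255.255 up
    run route add -net "$INSIDE_NET" -iface "$INSIDE_ADDR"
    resolv_push
}

# tunnel_down: undo tunnel_up in reverse order.
tunnel_down() {
    resolv_pop
    run route delete -net "$INSIDE_NET"
    run ifconfig "$DUMMY_IF" inet "$INSIDE_ADDR" delete
}

# Dispatch on the first argument; no argument does nothing, so the file
# can also be sourced for its functions.
case "${1:-}" in
    up)    tunnel_up ;;
    down)  tunnel_down ;;
    rules) ipf_rules ;;
    *)     ;;
esac
```

Invoke it as (hypothetical name) `ipsec-hook up` or `ipsec-hook down` from whatever brings the tunnel up and tears it down, and `ipsec-hook rules` to print the ipf lines for the firewall; try it first with the default IPSEC_DRY_RUN=1 and RESOLV_CONF pointed at a scratch file to see exactly what it would do.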