keeping people off the net

Brett Lymn blymn at baesystems.com.au
Tue Feb 4 10:59:41 EST 2003


On Tue, Feb 04, 2003 at 02:24:07AM +1100, Alex Satrapa wrote:
> 
> Okay, no stunned silence, but unstunned noise...  the main reasons I 
> couldn't get FreeS/WAN to work for me in the past include:

OK - NetBSD pimp mode is enabled... be warned.

>  - trying to get firewall box to do NAT *and* IPSec

Errrr - do you mean NAT your IPSec traffic or just have IPSec on the
wireless and NAT the traffic out to the internet connection (either
ppp or ethernet...whatever).  If it is the latter then, yes, NetBSD
can do that - I do that with my setup now.

>  - setting up routes dynamically (OpenVPN allows VPN to be reconfigured
>    when the remote end disappears)

Dunno about this one - never tried.

>  - lack of knowledge of the workings of IPSec and FreeS/WAN.
> 

Ahhhh, that is always the tough one - especially FreeS/WAN.  Mind you,
the IPSec RFCs are not an easy read...

> 
> Configuring the firewall should be possible by processing all protocol 
> 50 (IPSec) packets separately to normal IP packets.  Once again, there 
> are problems with dynamic configuration here - when the remote end gets 
> assigned a new IP address, I've yet to figure out how to update the 
> firewall rules automagically.
> 

I get the feeling that you should be able to script that regardless of
what OS you are using but I cannot see any obvious way to do it right
now...

-- 
Brett Lymn

