Could I run ipsec-tools on "DDNS+NAT+Client with dynamic IP" environment?

Issues related to configuring your network
toomore
Posts: 1
Joined: 2007/03/11 17:56:28

Could I run ipsec-tools on "DDNS+NAT+Client with dynamic IP" environment?

Post by toomore » 2007/03/11 18:08:30

Hi all,
I've run into trouble when attempting to create a VPN between my PC and the LAN in my home. My network structure is illustrated in the attachment.
First, I have no idea how to configure the /etc/setkey.conf file, because the two ports on the Internet both have dynamic IPs. How do I specify the "add" statements for the SAD and the "spd" statements? I've tried to add an SAD entry like this:
add 192.168.0.250 anonymous ah 0x200 -A hmac-sha2-256 0x7d5555f0355edabbb2e6e9a9c2d0ece421adbfaf94e953fe807e34ab22501d7c;
But I got a "Name or service not known at [ah]" error message after I ran the command "/sbin/setkey -f /etc/setkey.conf".
I think maybe I cannot use AH in this environment even if I use UDP encapsulation. But for ESP, I still don't know how to set up the dynamic client IP address in the "add" statements.
I doubt whether it is possible to create a VPN with such a network structure. I've read many articles about ipsec-tools over NAT-T, but all of these articles assume that the IP address of the NAT gateway is static or that the client has a static IP. I cannot find any document that illustrates the situation where both the client and the server side have dynamic IPs.
Could anyone please help me with this?

Thanks,
Enliang.
:-)

Lenard
Posts: 2283
Joined: 2005/11/29 02:35:25
Location: Indiana

Could I run ipsec-tools on "DDNS+NAT+Client with dynamic IP" environment?

Post by Lenard » 2007/03/13 23:40:42

I use dyndns's service ($5.00 USD/yr) to supply 'my home address'.
I just go to [ftp,http://]myacctname.homelinux.net[:port] and supply the required info/password/key(s). I keep my private keys with me on USB memory where needed. Then all one needs to do is open the DMZ ports for vpn/ssh/vnc/whatever on the D-Link DI-604 router to forward packets to the internal 192.168.0.50 IP address.


http://www.dyndns.com/
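Added example, not part of either post above: the manual `add` line in the question fails because a setkey SAD entry needs two concrete addresses (hostnames are resolved when the file is loaded), and `anonymous` is a racoon.conf keyword rather than a setkey one, so setkey tried to resolve it as a hostname and reported "Name or service not known". With dynamic IPs on both ends the usual approach with ipsec-tools is to let racoon, its IKE daemon, negotiate the SAs: the home side takes the DynDNS name from Lenard's reply as its identity and accepts any peer, and the roaming PC initiates towards that name. The script below writes such a responder-side racoon.conf and psk.txt; it assumes an ipsec-tools build with NAT-T support (needed for `nat_traversal` and `isakmp_natt`), UDP 500 and 4500 forwarded by the DI-604 to 192.168.0.50, and the client identity `laptop.example` and the placeholder secret are invented here and must be replaced.

```shell
#!/bin/sh
# Added example (not from the thread): render a racoon.conf and psk.txt for the
# home ("responder") side that the dynamic-IP client reaches via DynDNS and the
# port forwards on the DI-604. Assumes ipsec-tools with NAT-T support; the
# client identity and secret below are placeholders, not values from the post.
set -eu

# Emit racoon.conf for the responder.
#   $1 = LAN address racoon listens on (the port-forward target)
#   $2 = the responder's DynDNS name, used as its IKE identity
render_racoon_conf() {
    listen_ip=${1:?listen address}
    ddns_name=${2:?ddns name}
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

listen {
    isakmp      ${listen_ip} [500];
    isakmp_natt ${listen_ip} [4500];
}

# Accept any peer: the roaming client's address is not known in advance.
remote anonymous {
    exchange_mode   aggressive, main;
    passive         on;     # responder only; the dynamic-IP client initiates
    generate_policy on;     # derive SPD entries from the client's proposal,
                            # so no static spdadd with the peer address is needed
    nat_traversal   on;     # the client sits behind NAT with a changing address
    proposal_check  obey;
    my_identifier   fqdn "${ddns_name}";
    proposal {
        encryption_algorithm  aes;
        hash_algorithm        sha1;
        authentication_method pre_shared_key;
        dh_group              modp1024;
    }
}

sainfo anonymous {
    pfs_group                modp1024;
    encryption_algorithm     aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
}
EOF
}

# Emit one psk.txt line: <identifier><TAB><secret>. The identifier must match
# the identity the client sends (its my_identifier), not its IP, since that
# IP changes.
render_psk() {
    client_id=${1:?client identity}
    secret=${2:?secret}
    printf '%s\t%s\n' "$client_id" "$secret"
}

main() {
    out=${1:-${TMPDIR:-/tmp}/racoon-example}
    mkdir -p "$out"
    # 192.168.0.50 and myacctname.homelinux.net come from the reply above.
    render_racoon_conf 192.168.0.50 myacctname.homelinux.net > "$out/racoon.conf"
    # Placeholder identity/secret (assumption); replace before use.
    render_psk laptop.example 'replace-me-with-a-long-random-secret' > "$out/psk.txt"
    chmod 600 "$out/psk.txt"   # psk.txt holds secrets; keep it unreadable by others
    echo "wrote $out/racoon.conf and $out/psk.txt"
}

main "$@"
```

The client side needs a matching `remote myacctname.homelinux.net` block with `my_identifier fqdn "laptop.example"`, the same secret under the responder's name in its own psk.txt, and its SPD entries written with whatever address it currently holds, which is the one piece that still has to be regenerated when the client's IP changes. One caveat worth stating: aggressive mode with a pre-shared key exposes a hash of that key to anyone who can observe the exchange, which allows offline guessing, so the secret must be long and random, and main mode with certificates is the better choice where the client's identity can be carried some other way than an address.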


Return to “CentOS 4 - Networking Support”