
Could I run ipsec-tools on "DDNS+NAT+Client with dynamic IP" environment?

Posted: 2007/03/11 18:08:30
by toomore
Hi all,
I've run into trouble trying to create a VPN between my PC and the LAN at my home. The structure of my network is illustrated in the attachment.
First, I have no idea how to configure the /etc/setkey.conf file, because both ends on the Internet have dynamic IPs. How do I specify the "add" statements for the SAD and the "spdadd" statements for the SPD? I've tried to add an SAD entry like this:
add anonymous ah 0x200 -A hmac-sha2-256 0x7d5555f0355edabbb2e6e9a9c2d0ece421adbfaf94e953fe807e34ab22501d7c;
But I got a "Name or service not known at [ah]" error message after running the command "/sbin/setkey -f /etc/setkey.conf".
I think maybe I cannot use AH in this environment even if I use UDP encapsulation. But for ESP, I still don't know how to set the dynamic client IP address in the "add" statements.
I doubt whether it is possible to create a VPN with such a network structure. I've read many articles about ipsec-tools over NAT-T, but all of them assume that either the NAT gateway or the client has a static IP. I cannot find any document that illustrates the situation where both the client and the server side have dynamic IPs.
Could anyone please help me with this?
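An added example, not from the original thread or from the ipsec-tools project: the home-gateway side of a configuration for the setup described above, using racoon (the IKE daemon shipped with ipsec-tools) instead of manually keyed "add" statements. A manual SA is bound to a fixed source and destination address, so it cannot be written into setkey.conf when the client address is not known in advance; letting IKE negotiate the SAs and install the policy at connect time is the way around that. All names, addresses and the key below are placeholders: home.example.org and laptop.example.org are assumed DDNS names, 192.168.1.10 is the assumed LAN address of the gateway machine, and the NAT router is assumed to forward UDP 500 and 4500 to it.

```conf
# Added example (not from the thread): /etc/racoon/racoon.conf on the HOME GATEWAY
# (the machine behind the NAT router). Names, addresses and key are placeholders.
#
# setkey.conf on this machine then contains only:
#     flush;
#     spdflush;
# because the SAD and SPD entries are created by racoon when the client connects.
#
# AH is deliberately not used: its ICV covers the outer IP header, which the NAT
# router rewrites, and UDP encapsulation (NAT-T, RFC 3948) is defined for ESP only.

path pre_shared_key "/etc/racoon/psk.txt";

listen {
        isakmp      192.168.1.10 [500];    # LAN address; router forwards UDP 500 here
        isakmp_natt 192.168.1.10 [4500];   # and UDP 4500 for NAT-T
}

remote anonymous {
        # The client address is unknown, so accept any initiator and identify it
        # by FQDN instead of by IP address.
        #
        # Main mode with a pre-shared key has to look the key up by the peer's IP
        # address (it is needed before the ID payload arrives), which is impossible
        # with a dynamic client, hence aggressive mode. Caveat: in aggressive mode
        # an eavesdropper sees a hash derived from the PSK and can try to crack it
        # offline, so use a long random key, or use certificates
        # (authentication_method rsasig) instead.
        exchange_mode aggressive;
        passive on;                 # the gateway only answers, it never initiates
        nat_traversal on;           # negotiate ESP-in-UDP when a NAT is detected
        generate_policy on;         # install SPD entries from what the client proposes
        my_identifier fqdn "home.example.org";
        peers_identifier fqdn "laptop.example.org";
        verify_identifier on;       # reject peers presenting another identity
        proposal_check obey;
        dpd_delay 20;               # dead peer detection; the client address may change
        lifetime time 1 hour;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

sainfo anonymous {
        pfs_group modp2048;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}

# ---- /etc/racoon/psk.txt (must be mode 0600, owned by root) ----
# identifier            key (placeholder; generate a long random value)
# laptop.example.org    <long random secret>
```

The client side mirrors this with `remote` pointing at the gateway's current public address (the DDNS name resolved at connect time), `my_identifier fqdn "laptop.example.org"` and `peers_identifier fqdn "home.example.org"`; its own SPD entry has to name its current address, so in practice it is written by a small script when the link comes up rather than kept as a static setkey.conf.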


Could I run ipsec-tools on "DDNS+NAT+Client with dynamic IP"

Posted: 2007/03/13 23:40:42
by Lenard
I use dyndns's service ($5.00USD/yr) to supply 'my home address'.
I just go to [ftp,http://][:port] and supply the required info/password/key(s). I keep my private keys with me on usb memory where needed. Then all one needs to do is simply open the DMZ ports for vpn/ssh/vnc/whatever on the D-Link DI-604 router to forward packets to the internal IP address.