DaemonForums  
OpenBSD Security Functionally paranoid!

#1, 25th October 2010, badguy
Help with Home connection site to site vpn setup

So I am trying to set up a site-to-site VPN connection between two homes. I intend to get an OpenBSD box in both houses to do this. In both houses I do not have dedicated public IPs to use for the external IP addresses. Is there a way I can achieve my goal (set up a site-to-site VPN between the two homes) given the current scenario?

If I use the IP address I get when I look up my public IP on Google, will this work? I am skeptical about using this since it is not static and is usually dynamic, given by the ISP.

Can someone recommend a better way to get the VPN up if I am not headed in the right direction? Thanks guys
#2, 25th October 2010, jggimi

Use the fqdn or ufqdn methods to exchange isakmpd keys. Neither requires IP addresses.
#3, 25th October 2010, badguy

Thanks for the reply. If I understand you correctly, in that case I have to go with a solution like NO-IP (no-ip.com), as this is just home use and I do not have an FQDN that can be resolved across the internet.

If that was not what you implied, can you please elaborate? Also, is there any other method you know of? Just asking so I can weigh every single option and see which is best. Thanks
#4, 25th October 2010, jggimi

ISAKMPD is a key management system. It does the sharing of keys for IPSec in four very different ways:
  1. Shared passphrases: useful for provisioning tests, not recommended for production use
  2. Host Keys: the most common use between OpenBSD instances, and recommended in most of the Internet-based How-to documentation since the advent of ipsecctl.conf.
  3. X.509 Certificates: useful when peering with non-OpenBSD ISAKMPD systems
  4. Keynote Authentication: used in complex trust management systems only
It is the Host Key option I was referring to, as I had assumed you had been reading the "Zero to IPSec in 4 Minutes" How-to document. It uses IPv4 Host Keys and static addressing, as do most others.

Host Keys allow for four different naming conventions. And that is all they are -- naming conventions. They make setting up SAs and Flows in ipsecctl.conf easier. They are:
  1. ipv4 - the keys are named by static IP address in IPv4 format
  2. ipv6 - the keys are named by static IP address in IPv6 format
  3. fqdn - the keys are named by fully qualified domain name
  4. ufqdn - the keys are named by user@fully qualified domain name
There is no difference between these other than file naming and storage location under /etc/isakmpd.

Yes, it is much easier if you use no-ip or dyndns or some other method of referring to dynamic IP addresses by domain name, and altering the reference when they change.
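To show what the fqdn host-key naming from post #4 looks like in practice, here is an added example of a site A /etc/ipsec.conf; it is my illustration, not configuration posted in this thread. The names site-a.example.net and site-b.example.net, the LAN prefixes and the macro names are assumptions; the key file locations follow isakmpd(8) and the rule syntax follows ipsec.conf(5), so check both on your release.

```conf
# /etc/ipsec.conf on site A (example; names and prefixes are assumed)
#
# Host key files used by this rule:
#   /etc/isakmpd/private/local.key   site A's RSA private key (isakmpd creates it on first start)
#   /etc/isakmpd/local.pub           site A's public key; copy it to site B out of band as
#                                    /etc/isakmpd/pubkeys/fqdn/site-a.example.net
#   /etc/isakmpd/pubkeys/fqdn/site-b.example.net
#                                    site B's local.pub, copied here out of band
# The peer is authenticated by the key stored under its fqdn name, so the public
# addresses behind those names can change without touching the key material.

# Dynamic-DNS names, kept current by a no-ip or dyndns client at each site
sitea = "site-a.example.net"
siteb = "site-b.example.net"
lan_a = "192.168.1.0/24"
lan_b = "192.168.2.0/24"

# RSA host-key authentication is isakmpd's default; the fqdn IDs pick the key files.
# The peer name is resolved when the rules are loaded, so reload with
#   ipsecctl -f /etc/ipsec.conf
# after the other side's address changes (ipsecctl -n -f /etc/ipsec.conf only parses).
ike esp from $lan_a to $lan_b \
    peer $siteb \
    srcid $sitea dstid $siteb

# Site B carries the mirror image: from $lan_b to $lan_a, peer $sitea,
# srcid $siteb dstid $sitea; one side may add the "passive" keyword so that
# only the other initiates.
```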