Copyright © 2005 jsd
FreeS/WAN and DHCP
Suppose you want to run IPsec (FreeS/WAN in particular) on a box whose wild-side address is assigned by DHCP. This is very common for laptops, and fairly common for gateways, such as in telecommuter situations. This raises a number of difficulties, which can be dealt with as follows:
1) Run the ISI dhcp client software, as opposed to the N other possible choices, because it allows you to easily add your own code in places like /etc/dhclient-exit-hooks.
2) Your code rewrites the .conf files in /etc/ipsec.conf.d/ whenever a new address is assigned by DHCP. It does this by reading in a template file and filling in certain variables with information provided by the DHCP client daemon. It then writes the actual .conf files and tells IPsec to --replace and --up the connection.
I can’t send you the code for the usual unreasonable reasons.
IMHO the off-the-shelf FreeS/WAN package ought to support this.
3) There are other tricky issues, such as the following: Suppose the DHCP grant is delayed or denied. Then you can’t possibly bring up the IPsec connection at boot time; you want to do it later, if/when the grant eventually comes through. On the other hand, if you turn off the IPsec system, you don’t want it to automagically restart itself every time the DHCP lease is renewed. Therefore the init.d/ipsec script needs more than the usual binary up/down choice; it needs to know about at least three states:
IMHO the off-the-shelf FreeS/WAN package ought to support this, too.
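Steps 2 and 3 above, as an added example that is not jsd's code: an /etc/dhclient-exit-hooks fragment for the ISC dhclient that renders a template into /etc/ipsec.conf.d/, runs --replace and --up only when the lease actually changes, and stays quiet when an administrator has deliberately switched IPsec off. The template path, the @LEFT@/@LEFTNEXTHOP@ placeholders, the connection name and the disabled-flag file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not FreeS/WAN's or jsd's code): sourced by dhclient-script as
# /etc/dhclient-exit-hooks, with $reason, $new_ip_address, $old_ip_address and
# $new_routers already set by dhclient.  All paths below are assumptions.
TEMPLATE="${IPSEC_TEMPLATE:-/etc/ipsec.conf.d/roadwarrior.template}"
OUTPUT="${IPSEC_OUTPUT:-/etc/ipsec.conf.d/roadwarrior.conf}"
CONN="${IPSEC_CONN:-roadwarrior}"
# Marker an administrator creates to say "IPsec is off, leave it off", so a
# lease renewal does not restart a tunnel that was shut down on purpose.
DISABLED_FLAG="${IPSEC_DISABLED_FLAG:-/var/run/ipsec.dhcp-disabled}"

# Fill the template ($1) with the leased address ($2) and next hop ($3);
# prints the rendered conf on stdout.
render_conf() {
    sed -e "s|@LEFT@|$2|g" -e "s|@LEFTNEXTHOP@|$3|g" "$1"
}

# Only a new or changed lease should touch IPsec; a RENEW that keeps the same
# address is a no-op, and EXPIRE/FAIL/etc. are left to the init script.
should_reconfigure() {
    case "$1" in
        BOUND|REBOOT|REBIND) return 0 ;;
        RENEW) [ "$2" != "$3" ] ;;
        *) return 1 ;;
    esac
}

# Write the rendered conf atomically, then reload and bring up the connection.
reconfigure_ipsec() {
    tmp="$OUTPUT.tmp.$$"
    render_conf "$TEMPLATE" "$1" "$2" > "$tmp" && mv "$tmp" "$OUTPUT" || return 1
    ipsec auto --replace "$CONN" && ipsec auto --up "$CONN"
}

# Entry point: runs only when sourced by dhclient ($reason set), so the
# functions above can be exercised stand-alone without touching IPsec.
if [ -n "${reason:-}" ] && [ ! -e "$DISABLED_FLAG" ]; then
    if should_reconfigure "$reason" "${new_ip_address:-}" "${old_ip_address:-}"; then
        gw="${new_routers%% *}"   # first router in the DHCP-supplied list
        reconfigure_ipsec "$new_ip_address" "$gw" \
            || logger -t ipsec-dhcp "reconfigure of $CONN failed"
    fi
fi
```

Keep the template itself outside /etc/ipsec.conf.d/ (or give it a non-.conf suffix) so the include line in ipsec.conf never picks up the unrendered placeholders.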
4) To provide better service, you can write an _updown script that runs on the non-mobile end and keeps track of the last-known-address of each mobile unit. This allows you to reboot the nonmobile end without causing a super-huge disaster. I call this "address inertia".
IMHO the off-the-shelf FreeS/WAN package ought to support this, too.