Topic: VPN tunnel to ASA 5510 using EzVPN
« on: March 28, 2014, 22:07:18 »
vrtigo1 *
Posts: 5

At work I have an ASA 5510 firewall at the HQ office which terminates VPN tunnels from many remote sites.  I am using Cisco EzVPN on the branch office Cisco routers.

I have a Cisco 800 series router at home that I am trying to replace with m0n0wall.  The problem I'm running into is that from what's exposed in the GUI, it looks like IPSec VPN requires static IPs on both ends and I don't have a static IP at home.

The way Cisco works around this is it treats the VPN tunnel like a remote-access VPN (i.e. a software VPN client but the router itself is the VPN client).  Is there something similar that I can do with m0n0wall to make this work without needing a static IP?  I want VPN to work, but it's not worth $180/year for a static IP to me.

Also, it looks like the VPN GUI only allows you to specify a single remote subnet.  Is it possible to specify multiple remote subnets?
« Reply #1 on: March 29, 2014, 20:03:54 »
Lee Sharp *****
Posts: 517

1) IPsec is based on IP.  You can use domain names, but it then translates them to IP and caches it.  We use DPD (Dead Peer Detection) to force a DNS refresh as a workaround to the spec limitation.  If the Cisco can not do this, you will just need to manually bounce the tunnel.  You would also need dynamic DNS running somewhere.

2) M0n0wall supports mobile IPsec, which is an older standard, and is NOT L2TP over IPsec...  I wish we supported that, as it is taking over, but I have not had any time to look into what it would take to develop it.

3) Again, that is a limitation of the IPsec spec.  Each tunnel has a single route.  What you can do is summary routes.  That means if you had two adjacent /24 subnets you could refer to them both as a single /23.  I do this at most locations as I have wired and wireless on separate networks.
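The summary-route trick above only works cleanly when the networks are adjacent and aligned; the example below (added here, not code from the thread or from m0n0wall) computes the smallest single prefix that covers a list of networks and lists the address ranges that the summary would pull into the tunnel even though they were never meant to be there. It uses only the Python 3.7+ standard library `ipaddress` module; the sample prefixes are constructed for illustration. The same calculation also answers the later question about tunneling all of RFC 1918 at once: the only single prefix covering 10/8, 172.16/12 and 192.168/16 is 0.0.0.0/0, so every non-private destination would match the tunnel's traffic selector too.

```python
import ipaddress
from typing import Iterable, List, Tuple

Network = ipaddress._BaseNetwork  # IPv4Network or IPv6Network


def minimal_supernet(prefixes: Iterable[str]) -> Network:
    """Smallest single CIDR block that contains every prefix in the list."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if not nets:
        raise ValueError("need at least one prefix")
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed IPv4 and IPv6 prefixes cannot be summarized")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Walk from the longest prefix length downwards; the aligned block that
    # contains `lo` grows each step, and the first one that also reaches `hi`
    # is the minimal covering supernet (a /0 always qualifies, so this ends).
    for plen in range(nets[0].max_prefixlen, -1, -1):
        cand = ipaddress.ip_network((int(lo), plen), strict=False)
        if cand.broadcast_address >= hi:
            return cand
    raise AssertionError("unreachable")


def uncovered(summary: Network, prefixes: Iterable[str]) -> List[Network]:
    """Pieces of `summary` that belong to none of the input prefixes.

    These are the destinations a summary route would wrongly send into
    the tunnel (or match in the IPsec traffic selector).
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    remaining = [summary]
    # collapse_addresses() merges overlaps and adjacent blocks, so every
    # input block is then either nested in, equal to, or disjoint from each
    # remaining chunk; CIDR blocks can never partially overlap.
    for n in ipaddress.collapse_addresses(nets):
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))  # carve the input out of the chunk
            elif r.subnet_of(n):
                continue  # chunk fully consumed by the input block
            else:
                nxt.append(r)  # disjoint, keep as-is
        remaining = nxt
    return sorted(remaining)


def summary_route(prefixes: Iterable[str]) -> Tuple[Network, List[Network]]:
    """Return (covering prefix, list of ranges it covers beyond the inputs)."""
    prefixes = list(prefixes)
    summary = minimal_supernet(prefixes)
    return summary, uncovered(summary, prefixes)


def excess_addresses(prefixes: Iterable[str]) -> int:
    """How many addresses the summary covers that were not asked for."""
    _, extra = summary_route(prefixes)
    return sum(n.num_addresses for n in extra)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real configuration.
    cases = {
        "adjacent /24s": ["192.168.0.0/24", "192.168.1.0/24"],
        "gap between /24s": ["10.0.0.0/24", "10.0.2.0/24"],
        "all of RFC 1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    }
    for label, prefixes in cases.items():
        summary, extra = summary_route(prefixes)
        print(f"{label}: {prefixes} -> {summary}")
        if extra:
            print(f"  also covers {excess_addresses(prefixes)} unrequested addresses:")
            for n in extra:
                print(f"    {n}")
        else:
            print("  covers exactly the requested networks")
```

Before you configure a summarized remote subnet, run the prefixes you actually need through this and check that the `uncovered` list is empty (or at least contains nothing you would mind routing through the peer); a non-empty list is the concrete reason the poster's non-adjacent RFC 1918 plus public ranges cannot be collapsed into one m0n0wall tunnel entry.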
« Reply #2 on: March 29, 2014, 20:10:49 »
vrtigo1 *
Posts: 5

I've never seen domain names used in place of IP addresses for IPSec tunnels, but if it works it might be an option.

As far as each tunnel having a single route, I know a single tunnel-group in Cisco land can have multiple routes associated, although each route does generate its own IPSec SA.  Are you saying that in order to support multiple routes I would need to create a "tunnel" in m0n0wall for each route?

Unfortunately summary routes are not helpful to me as the networks I need to tunnel are not adjacent (I am tunneling all RFC 1918 networks) plus a few public subnets.
« Reply #3 on: March 30, 2014, 22:49:14 »
Lee Sharp *****
Posts: 517

Yes, a "tunnel group" is just lots of tunnels.