8.5.2.1. What if I have a Dynamic DNS name?

Some users have an IP address that changes regularly. The changing address can be on either the m0n0wall device or the remote IPsec VPN peer. A dialup account, a DSL Internet modem, or simply moving a laptop from one wireless hotspot to another can all cause the IP address to change. While a changing IP address does not affect normal Internet usage, it will break IPsec tunnels that are configured with a fixed IP address (or with a DNS name that is not updated when the address changes).

A dynamic DNS name lets you keep the same name while the address changes, and it can be used with m0n0wall. m0n0wall version 1.2 supports dynamic DNS for its own interface but does not support a domain name for the remote end of the VPN connection. m0n0wall 1.3b supports domain names on both sides.

8.5.2.2. What happens when I change my IPsec configuration?

Any change to your IPsec configuration, not only to the tunnel you edited, causes all IPsec tunnels to be closed when the changes are applied.

8.5.2.3. Can a single IPsec tunnel support non-contiguous subnets?

Not at this time. The only way to achieve this is to configure a separate IPsec connection for each subnet.

8.5.2.4. Can I use NAT on a subnet that is on the other side of an IPsec connection?

Not at this time. This would be useful when two or more networks use the same subnet and need to communicate with each other over an IPsec connection.

8.5.2.5. Can fragmented packets pass through an IPsec connection?

By default, fragmented packets are not allowed to be encrypted. This default can be changed in the System > Advanced > Miscellaneous menu by checking the "Allow fragmented IPsec packets" box. When activated, this causes m0n0wall to allow fragmented IP packets that are encapsulated in IPsec ESP packets.

8.5.2.6. What happens when an IPsec connection is restarted with a new IP address?

By default, if several Security Associations (SAs) match, the newest one is preferred once it is at least 30 seconds old; until then the existing SA continues to be used. This default can be changed in the System > Advanced > Miscellaneous menu by checking the "Prefer old IPsec SAs" box. When activated, this option always prefers old SAs over new ones.

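The selection rule described above, written out as an added example (this is illustrative code, not m0n0wall's or the FreeBSD kernel's implementation): given the SAs that match a packet, pick the one that would be used, with and without "Prefer old IPsec SAs". The SPIs and timestamps are constructed, and the fallback when no SA has reached 30 seconds yet is an assumption the page does not spell out.

```python
from dataclasses import dataclass

NEW_SA_MIN_AGE = 30.0  # seconds a new SA must be up before it is preferred (per the page)


@dataclass
class SecurityAssociation:
    """A matching SA: its SPI and the time (in seconds) it was installed."""
    spi: int
    added_at: float


def select_sa(sas, now, prefer_old=False):
    """Return the SA that would carry a packet when several SAs match.

    prefer_old=False (default): the newest SA wins, but only once it is at
    least NEW_SA_MIN_AGE old; before that the previously established SA is
    still used, so a tunnel restarted from a new IP address does not flap
    onto a half-settled SA.
    prefer_old=True ("Prefer old IPsec SAs"): the oldest SA always wins.
    """
    if not sas:
        return None
    by_age = sorted(sas, key=lambda sa: sa.added_at)  # oldest first
    if prefer_old:
        return by_age[0]
    mature = [sa for sa in by_age if now - sa.added_at >= NEW_SA_MIN_AGE]
    if mature:
        return mature[-1]  # newest SA that has been up long enough
    return by_age[-1]      # assumption: nothing mature yet, use the newest


if __name__ == "__main__":
    # Constructed scenario: the old SA at t=0, the renegotiated one at t=100.
    old = SecurityAssociation(spi=0x1001, added_at=0.0)
    new = SecurityAssociation(spi=0x2002, added_at=100.0)
    for t in (110.0, 130.0):
        chosen = select_sa([old, new], now=t)
        print(f"t={t:>5}: default picks SPI {chosen.spi:#x}")
    print(f"prefer_old picks SPI {select_sa([old, new], now=130.0, prefer_old=True).spi:#x}")
```

At t=110 the new SA is only 10 seconds old, so the old one is still chosen; at t=130 it has reached the 30-second mark and takes over, unless "Prefer old IPsec SAs" is set.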
8.5.2.7. When are IPsec connections opened?

IPsec connections are built on demand: when traffic attempts to reach a network or IP address that is configured as the remote side of an IPsec connection, m0n0wall will attempt to build that connection.

8.5.2.8. Can I use the Cisco IPsec client to connect to m0n0wall?

It won't work: the Cisco VPN client is not the kind of IPsec client m0n0wall requires. However, some users have reported success when using the NAT-T feature (i.e. encapsulating the encrypted traffic in UDP packets). FIXME - verify this.

8.5.2.9. Can I route any traffic over my IPsec connection?

Part of the IPsec configuration identifies the local and remote networks. Packets whose addresses fall outside those networks are not authorized to travel through the IPsec connection. This means that if you have additional routed networks connected to your LAN, they may not be able to traverse the IPsec connection, because their traffic does not originate from the LAN network itself.

If you have an additional network or subnet that you want to travel through IPsec, you can create additional tunnels, or optionally put a NAT device between the LAN network and the other subnets so that traffic from the additional network appears to come from the authorized network.

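The selector behaviour described in 8.5.2.3, 8.5.2.7 and this entry, as one added example (illustrative code, not m0n0wall's own): a packet is sent into a tunnel only if its source lies in that tunnel's local network and its destination in its remote network; two non-contiguous remote subnets therefore need two tunnel definitions, a tunnel is negotiated on demand the first time a packet matches it, and a host on a second subnet routed behind the LAN matches nothing until a NAT device rewrites its source to a LAN address. The topology, addresses and tunnel names are constructed for the example.

```python
from ipaddress import ip_address, ip_network


class Tunnel:
    """One IPsec tunnel definition: the local network it protects and the
    remote network behind the peer (the two selectors the page describes)."""

    def __init__(self, name, local_net, remote_net):
        self.name = name
        self.local = ip_network(local_net)
        self.remote = ip_network(remote_net)

    def matches(self, src, dst):
        """A packet belongs to this tunnel only if src is inside the local
        network AND dst is inside the remote network."""
        return ip_address(src) in self.local and ip_address(dst) in self.remote


def select_tunnel(tunnels, src, dst):
    """Return the first tunnel whose selectors cover (src, dst), or None when
    the packet is not authorized for any tunnel and would leave unencrypted."""
    for tunnel in tunnels:
        if tunnel.matches(src, dst):
            return tunnel
    return None


def dispatch(tunnels, established, src, dst):
    """Model of on-demand establishment (8.5.2.7): the first matching packet
    triggers negotiation, later ones use the SA. `established` is a set of
    tunnel names that is updated in place."""
    tunnel = select_tunnel(tunnels, src, dst)
    if tunnel is None:
        return ("clear", None)
    if tunnel.name not in established:
        established.add(tunnel.name)  # IKE negotiation would happen here
        return ("negotiate", tunnel.name)
    return ("encrypt", tunnel.name)


def snat(src, lan_net, nat_addr):
    """Model of the NAT device the page suggests between the LAN and an extra
    routed subnet: sources outside the LAN are rewritten to nat_addr, an
    address inside the LAN, so they satisfy the tunnel's local selector."""
    if ip_address(src) in ip_network(lan_net):
        return src
    return nat_addr


# Constructed topology (assumption, not from the page):
LAN = "192.168.1.0/24"               # m0n0wall LAN, the tunnels' local network
EXTRA_SUBNET_HOST = "192.168.2.10"   # host on a second subnet routed behind the LAN
NAT_ADDR = "192.168.1.254"           # LAN-side address of the NAT device
# Two non-contiguous remote subnets need two tunnels (8.5.2.3).
TUNNELS = [
    Tunnel("to-site-b-net1", LAN, "10.1.0.0/24"),
    Tunnel("to-site-b-net3", LAN, "10.3.0.0/24"),
]


def demo():
    """Run the scenarios and return what happened to each packet."""
    established = set()
    results = {}
    # 1) LAN host to the first remote subnet: negotiate once, then encrypt.
    results["first"] = dispatch(TUNNELS, established, "192.168.1.20", "10.1.0.5")
    results["second"] = dispatch(TUNNELS, established, "192.168.1.20", "10.1.0.5")
    # 2) A destination between the two remote subnets matches no tunnel.
    results["gap"] = dispatch(TUNNELS, established, "192.168.1.20", "10.2.0.5")
    # 3) Host on the extra subnet is outside the local selector: goes in the clear...
    results["extra"] = dispatch(TUNNELS, established, EXTRA_SUBNET_HOST, "10.3.0.5")
    # ...unless a NAT device rewrites its source to a LAN address first.
    natted = snat(EXTRA_SUBNET_HOST, LAN, NAT_ADDR)
    results["extra_natted"] = dispatch(TUNNELS, established, natted, "10.3.0.5")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

The "clear" outcome is the failure mode to watch for: a packet that matches no tunnel is not rejected by IPsec, it is simply routed as ordinary traffic, so the fix is either a second tunnel whose selectors cover the extra subnet or the NAT step shown.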
8.5.2.10. Can I forward IP broadcasts over an IPsec VPN?

Not with IPsec. Broadcasts do not cross broadcast domains, and in the case of a VPN link each network is its own broadcast domain. Normally you would not want to join broadcast domains anyway, because most networks carry more broadcast traffic than you want to push over a VPN connection.