I have an IPsec conundrum I'm trying to solve. Yes, the scenario
is somewhat absurd; it's also the problem I've been tasked with
solving, so spare the peanut gallery comments, okay?
NET-P <x> GW-Q <-> internet <-> GW-H <x> GW-V <x> NET-V
NET-P is 10.0.2.0/24
NET-V is 10.0.11.0/24
GW-Q is an OpenBSD host with fixed addresses 10.0.2.1 (inside) and
1.2.3.4 (internet).
GW-H is some random ISP cable/DSL modem that NATs everything behind
it, with a random external address. (I.e., assume DHCP on the
"internet" side.)
GW-V is an OpenBSD host. It has a variable upstream address obtained
from the back end of GW-H (DHCP). On the other side, GW-V presents
10.0.11.1 to NET-V.
The goal here is to establish an IPsec tunnel that links NET-P and
NET-V together, in the face of all the other nonsense in between.
In the schematic above, '<x>' represents a NAT translation point.
'<->' is a regular router interconnect.
I have tried setting up an IKEv2 passive connection from GW-V to
GW-Q (connections in the other direction are impossible), but I'll
be damned if I can figure out how to specify the SA associations
and ESP flows on GW-V, given the lack of fixed addresses on the
upstream sides of GW-V and GW-H. (Or in the other direction, for
that matter.)
Is there any hope this can possibly work?
--lyndon
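As an added illustration (not the poster's own configuration), this is one way the scenario above could be expressed in iked.conf(5) on the two OpenBSD hosts: GW-Q responds, GW-V initiates, and the peer with no fixed address is matched by identity instead of by IP. Identities, the PSK, and the use of PSK authentication are assumptions; the addresses are the ones from the post.

```conf
# GW-Q (/etc/iked.conf): fixed public address 1.2.3.4, responder only.
# GW-V's upstream address is unknown in advance, so the peer is matched
# by its identity (dstid) and 'peer any' accepts the connection from
# whatever address GW-H happens to NAT it to.
ikev2 "to-net-v" passive esp \
        from 10.0.2.0/24 to 10.0.11.0/24 \
        local 1.2.3.4 peer any \
        srcid gw-q.example.net dstid gw-v.example.net \
        psk "CHANGE-ME-shared-secret"

# GW-V (/etc/iked.conf): dynamic, NATed upstream address, so it must be
# the initiator.  No 'local' is given; iked uses the current upstream
# address and moves to UDP/4500 encapsulation once NAT is detected.
ikev2 "to-net-p" active esp \
        from 10.0.11.0/24 to 10.0.2.0/24 \
        peer 1.2.3.4 \
        srcid gw-v.example.net dstid gw-q.example.net \
        psk "CHANGE-ME-shared-secret"
```

For the flows to match, the pf nat-to rules on both gateways must exclude traffic between 10.0.2.0/24 and 10.0.11.0/24, and GW-Q's pf must pass UDP 500/4500 (and ESP) on its 1.2.3.4 interface.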