Hi everyone,

I'm trying to set up a connection to a friend's using IPsec, we both have ClearOS as our gateways. However he's still running 5.2 which I've seen become a bit problematic. I am aware we both have dynamic IPs but I've attached hostnames and have a dynamic updating client running on both networks to keep that information updated in case those change. My biggest question I haven't found an answer for yet is does IPsec have to run on the gateway? I'd like him to set up a ClearOS 7 server on his LAN that can run IPsec if that's possible. All the guides I can find explain it as gateway to gateway rather than gateway to server on site B LAN. Let me know if you think that's possible or not.

Thanks everyone! I appreciate the feedback
Saturday, January 02 2016, 01:54 AM

Responses (1)
  • Accepted Answer

    Saturday, January 02 2016, 11:04 AM
    Yes it is possible. In config setup, set "nat_traversal = yes" at both ends. You will also need to play around with the left/rightid. The NAT'd ClearOS (if it is left) will transmit a leftid of its LAN IP, so at the other end (your server) you'll probably want rightid=your_friends_LAN_IP, or perhaps it is better to override it at both ends with something like leftid=@myfriend and rightid=@Eli. I would assume you are using PSKs so make sure the ipsec.secrets file has a %any keyword as both WAN IPs are unreliable - or you have to read the secrets file each time one WAN IP changes.

    For your friend, port forward udp:4500 to the LAN ClearOS and open udp:4500 on your server.

    You'd do best to use your FQDNs as these generally update and propagate through the DNS system quicker than things like DtDNS.

    If either of your IPs change and you are running IPsec on the gateway you can try using dhclient-exit-hooks to detect an IP change (i.e. not just a DHCP renewal) then fire off the command "ipsec whack" or, if you're using PPPoE there is another file, /etc/ppp/ip-up, which you can hook into instead - or, I believe, just create a file /etc/ppp/ip-up.local with your script in it.

    I forgot to add, on the 5.2 machine you'll need to add a static route to your own server via your friend's 7.x machine.
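As an added illustration of the dhclient-exit-hooks idea in the answer above (this is example code, not something the original poster or ClearOS ships): dhclient sources the hook file and exports `$reason`, `$old_ip_address` and `$new_ip_address` into it, so the hook can tell a real address change apart from a plain lease renewal and only then poke pluto. The hook path (`/etc/dhclient-exit-hooks` on the 5.2 box, `/etc/dhcp/dhclient-exit-hooks` on 7.x), the connection name `friend`, the state file location and the exact `ipsec whack` invocation are all assumptions to be adjusted to match your own ipsec.conf.

```shell
#!/bin/sh
# Added example, not from the original thread: a dhclient-exit-hooks
# fragment that only re-initiates the IPsec tunnel when the WAN address
# actually changes. dhclient sources this file with $reason,
# $old_ip_address and $new_ip_address already set.
#
# Assumptions: the conn is named "friend" in ipsec.conf, the state file
# path is free to use, and "ipsec whack" is the Openswan/Libreswan whack.

CONN="${CONN:-friend}"                              # assumed conn name
STATE_FILE="${STATE_FILE:-/var/run/ipsec-wan-ip}"   # assumed path

# ip_changed REASON OLD NEW
#   returns 0 when a lease event delivered a different, non-empty address
#   (the case that needs IPsec re-initiated), 1 for renewals that keep the
#   same address, expiries/releases, and any other dhclient reason.
ip_changed() {
    case "$1" in
        BOUND|REBOOT|REBIND|RENEW) ;;   # events that can carry an address
        *) return 1 ;;                  # EXPIRE, FAIL, RELEASE, etc.
    esac
    [ -n "$3" ] || return 1             # no new address: nothing to do
    [ "$2" != "$3" ]                    # same address: just a renewal
}

# Hook body: only runs when dhclient sourced us (reason is set), so the
# function above can also be sourced and used from other scripts.
if [ -n "${reason:-}" ]; then
    if ip_changed "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
        logger -t ipsec-hook \
            "WAN IP changed ${old_ip_address:-none} -> $new_ip_address, re-initiating $CONN"
        # Ask pluto to re-scan its interfaces for the new address, then
        # kick the tunnel. Backgrounded so the DHCP client is not held up.
        ipsec whack --listen >/dev/null 2>&1
        ipsec whack --initiate --name "$CONN" >/dev/null 2>&1 &
        printf '%s\n' "$new_ip_address" > "$STATE_FILE"
    fi
fi
```

Because the script checks whether the address differs rather than which `$reason` fired, a RENEW that happens to hand out a different address still triggers the re-initiation, while the routine renewals that keep the same address are ignored. For the PPPoE variant the answer mentions, the same `ip_changed` function can be called from `/etc/ppp/ip-up.local` with the local address pppd passes in `$4` as the new address and the value saved in the state file as the old one.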