On Wed, 19 Oct 2005, John wrote:

> "James Yonan" <jim@xxxxxxxxx> wrote in message
> news:Pine.LNX.4.58.0510182257550.32723@xxxxxxxxxxxx
>
> > On Wed, 19 Oct 2005, Cyber Dog wrote:
> >
> > > First, brief info about my topology: I've got two Linux (Debian)
> > > firewalls at separate locations connected via the internet.
> > > Previously, I had used PPTP to connect to either firewall while
> > > roaming, and IPSec connected the two firewalls directly. Hosts on both
> > > LANs could communicate (routed, not bridged).
> > >
> > > Several folks have recommended OpenVPN, so I took the plunge. My
> > > first attempt was replacing PPTP and using OVPN to connect to the
> > > firewalls while roaming. I accomplished this successfully using the
> > > howto.
> >
> > Yes, OpenVPN supports peer-to-peer operation via the "mode p2p" directive
> > (which is actually the default). In peer-to-peer mode, the peers are
> > configured symmetrically, and each can have a "remote" option pointing to
> > the other peer, so each peer can both initiate or listen for connections.
> > Peer-to-peer configurations can be set up using TLS or static/preshared
> > keys.
> >
> > The peer-to-peer mode was in fact the only mode supported in OpenVPN 1.x.
> > OpenVPN 2.0 still supports peer-to-peer mode as well as the new
> > client/server mode.
> >
> > Here are some docs to check out:
> >
> > http://openvpn.net/1xhowto.html
> >
> > http://openvpn.net/static.html
> >
> > James
>
> James,
>
> I think that's not what he meant. Because I feel the same thing.
>
> We have 2 remote sites which are always connected and 5 "roadwarriors". When
> switching back to "old" peer (1.x mode) for remote sites, you also lose all
> the "good" things from the server mode.
>
> Especially 1 tun device / 1 udp port number for all connections and one main
> configuration file. It would be nice to have some sort of in-between mode.
>
> I will try to describe the idea.
>
> In the ccd/client options specify a "persistent peer" mode. The client
> remembers this (pushed) "persistent peer" mode and will listen for the
> server to reconnect.
>
> The server on the other hand, knows with the "persistent peer" directive that it
> should try to establish the tunnel itself. In that way you can have both.
> If I remember correctly, ipsec also works with one ipsec0 device for all
> connections. In that perspective it should also be possible for the tun
> device used by OpenVPN.
>
> I don't want to be rude or so, but the "every OpenVPN tunnel has its own tun
> device and port number", as it was in pre 2.0 time, was a major drawback, and
> showstopper for a lot of people. And most people don't want to go back that
> way. The setup I use gave me a lot of iptables firewall headache in 1.5-1.6
> time....

Why can't a persistent peer connect the same way as the roadwarriors, i.e.
with the persistent peer being the initiator and the server being the
responder? What is the functional benefit of creating a new "persistent peer"
mode over simply having the persistent peer act as a client?

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
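The arrangement James asks about in his reply, an always-on site firewall that is simply one more client of the 2.0-style server so that road warriors and the site share one tun device and one UDP port, as an added configuration example that is not from the thread or from the OpenVPN project; the hostnames, subnets, file names and the ccd entry name `site-b` are constructed placeholders:

```conf
# --- Hub firewall (site A): one tun device and one UDP port serve the road
# warriors and the permanently connected site alike. Assumed addressing:
# site A LAN 10.1.0.0/24, site B LAN 10.2.0.0/24, tunnel pool 10.8.0.0/24.
port 1194
proto udp
dev tun
ca ca.crt
cert site-a.crt
key site-a.key
dh dh1024.pem
tls-auth ta.key 0          # HMAC on the control channel; unauthenticated packets are dropped
server 10.8.0.0 255.255.255.0
client-config-dir ccd      # per-client options, looked up by certificate CN
route 10.2.0.0 255.255.255.0   # kernel route for site B's LAN into the tun device
keepalive 10 120           # also pushed to clients as ping / ping-restart
persist-key
persist-tun
user nobody
group nogroup
verb 3

# --- Contents of ccd/site-b on the hub (file name = CN of site B's cert).
# iroute tells OpenVPN which client owns 10.2.0.0/24 so the daemon can
# forward to it; push hands site B a route back to site A's LAN.
iroute 10.2.0.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"

# --- Site B firewall: an ordinary always-on client. The pushed ping-restart
# plus the persist-* options make it re-establish the tunnel by itself, so
# no second tun device or extra listening port is needed on either end.
client
remote vpn-a.example.net 1194   # placeholder hostname for the hub
proto udp
dev tun
nobind
resolv-retry infinite
ca ca.crt
cert site-b.crt
key site-b.key
tls-auth ta.key 1
ns-cert-type server        # only accept a peer whose certificate is marked as a server
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

The persistent site only ever initiates, so the hub's firewall needs a single inbound rule for UDP 1194 and the site needs none, which is the iptables simplification John was after.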