From: "Christopher Martin"
To: "FreeBSD Questions Mailing List (E-mail)"
Date: Thu, 10 Aug 2006 09:09:38 +1000
Subject: RE: FreeBSD as a VPN Server/Router
Message-ID: <00d101c6bc08$e3eb80a0$8902030a@ebit.com.au>
In-Reply-To: <00c801c6bc04$f9be09b0$8902030a@ebit.com.au>

If OpenVPN seems like a bit much to tackle you could establish the link with an easy protocol like PPTP (PPTP can be added to pppd with the port /usr/ports/net/poptop) and then IPSec traffic traversing the link. Some even argue that this is a good idea because it's two layers of encryption (not to suggest that the PPTP encryption methods are a particular challenge to break), but there'll be a performance penalty to pay as well.

Also, the load IPSec (or any encryption method for that matter) places on the encapsulating router is non-trivial, so be aware that if your hardware is a bit old you may get disappointing performance. I would suggest making the hardware at least current low end, or high end from a couple of years ago, to get the best performance.

On a side note, has anyone heard about the crypto lib for fast_ipsec and the Intel IPSec accelerated network cards (like the Pro 100/S)? I remember reading some time ago that there were, at the time, still issues getting the required info out of Intel to get the processor offloading working right. Is Intel still withholding the information?

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Christopher
> Martin
> Sent: Thursday, 10 August 2006 8:42 AM
> To: FreeBSD Questions Mailing List (E-mail)
> Subject: RE: FreeBSD as a VPN Server/Router
>
> > The FreeBSD Handbook has a chapter on this:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> >
> > HTH.
>
> The only problem with IPSec is you need static IP addresses for the
> tunnelling mode (unless somebody knows something I don't, at which point I'd
> really like to hear about it!).
>
> OpenVPN is about as good as it gets stability wise, and can be customised,
> hacked, and altered in any way you need. It can also use public key
> authentication.