From owner-freebsd-net Thu Nov 15 14:14:15 2001
Delivered-To: freebsd-net@freebsd.org
Received: from nic.vetx.com (nic.vetx.com [209.123.51.6]) by hub.freebsd.org (Postfix) with ESMTP id 0A89C37B416; Thu, 15 Nov 2001 14:14:07 -0800 (PST)
Subject: IPSEC / RAPTOR Firewall Interaction
Date: Thu, 15 Nov 2001 17:12:08 -0500
From: "Smith, Rick"
Sender: owner-freebsd-net@FreeBSD.ORG

Hi all;

I'm attempting to figure out how to set up an IPv4 IPSEC tunnel between two of our other offices (running Symantec Raptor 6.50 for Windows NT) and my FreeBSD firewall here in my office (4.2-RELEASE).

Here's a little network diagram of the situation:

x.x.51.24 (my inside) <--> x.x.5.254 (my external address) <--- Internet ---> x.x.42.26 (Their External) <--> 172.16.11.0 (Their Internal)

On their firewall (Raptor) they are connecting to me using SHA1 / 3DES with no data compression, also using pre-shared keys.

I'd like to do this using gif0 tunnels, but I just can't figure out how to set it all up correctly.

I already compiled racoon - here's the conf file:

# racoon.conf for use with Checkpoint VPN-1/Firewall-1
#
# Pre-shared key set on the VPN-1 server.
#
# WARNING: psk.txt must have mode 600 permission.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# log debug4;

# "padding" defines some parameter of padding. You should not touch these.
padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# Specification of default various timer.
timer {
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous {
    exchange_mode aggressive,main;  # For Firewall-1 Aggressive mode
    #my_identifier address;
    #my_identifier user_fqdn "";
    #my_identifier address "";
    #peers_identifier address "";
    #certificate_type x509 "" "";
    nonce_size 16;
    lifetime time 10 min;   # sec,min,hour
    lifetime byte 5 MB;     # B,KB,GB
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2 ;
    }
}

sainfo anonymous {
    pfs_group 1;
    lifetime time 10 min;
    lifetime byte 50000 KB;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

Any ideas from you seasoned pros would be appreciated.

Thanks,

Rick Smith
Vertex Interactive, Inc.
http://www.vertexinteractive.com
(973) 777 - 3500 x382
rsmith@vetx.com
------------------------------------------------
rm -rf /bin/laden
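A check worth running before the first tunnel attempt, added here as an example that is not part of Rick's post, of racoon, or of Symantec Raptor: the post says the Raptor side negotiates SHA1 / 3DES with no data compression and pre-shared keys, while the pasted racoon.conf (copied from a Checkpoint sample) proposes md5 / hmac_md5 and deflate compression. The script below parses the proposal-relevant parts of that configuration (embedded as a constructed copy of the posted values), lists every setting that differs from what the peer is said to offer, and rewrites the file so the two sides agree. It assumes the "SHA1 / 3DES" statement applies to both IKE phases (Phase 1 hash_algorithm sha1, Phase 2 authentication_algorithm hmac_sha1); that mapping and the helper names are mine, not something the post states.

```python
import re

# Constructed copy of the proposal-relevant parts of the racoon.conf in the post.
RACOON_CONF = """\
remote anonymous {
    exchange_mode aggressive,main;  # For Firewall-1 Aggressive mode
    lifetime time 10 min;   # sec,min,hour
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2 ;
    }
}
sainfo anonymous {
    pfs_group 1;
    lifetime time 10 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}
"""

# What the post says the Raptor gateway is configured for.  Mapping "SHA1 / 3DES"
# onto both phases is an assumption; None means the peer does not use the option.
PEER = {
    "encryption_algorithm": "3des",
    "hash_algorithm": "sha1",                 # Phase 1 (IKE) hash
    "authentication_method": "pre_shared_key",
    "authentication_algorithm": "hmac_sha1",  # Phase 2 (ESP) integrity
    "compression_algorithm": None,            # "no data compression"
}

PHASE1_KEYS = ("encryption_algorithm", "hash_algorithm", "authentication_method")
PHASE2_KEYS = ("encryption_algorithm", "authentication_algorithm", "compression_algorithm")


def extract_block(conf, kind):
    """Return the body of the first `<kind> <name> { ... }` block, honouring nested braces."""
    m = re.search(r"\b%s\s+\S+\s*\{" % re.escape(kind), conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
        i += 1
    return conf[m.end():i - 1]


def settings(block):
    """Map `key value;` statements to values; nested proposal{} entries are flattened in."""
    out = {}
    for line in block.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(\w+)\s+([^;{}]+?)\s*;\s*$", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def check_against_peer(conf, peer=PEER):
    """Return (phase, key, ours, theirs) for every algorithm the peer would reject."""
    p1 = settings(extract_block(conf, "remote"))
    p2 = settings(extract_block(conf, "sainfo"))
    problems = []
    for key in PHASE1_KEYS:
        if p1.get(key) != peer[key]:
            problems.append(("phase1", key, p1.get(key), peer[key]))
    for key in PHASE2_KEYS:
        if p2.get(key) != peer[key]:
            problems.append(("phase2", key, p2.get(key), peer[key]))
    return problems


def align_with_peer(conf, peer=PEER):
    """Rewrite mismatched values to the peer's; drop statements the peer does not use."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"(\s*)(\w+)\s+([^;{}#]+?)\s*;(.*)$", line)
        if m and m.group(2) in peer:
            indent, key, tail = m.group(1), m.group(2), m.group(4)
            if peer[key] is None:
                continue                               # e.g. remove compression_algorithm
            line = "%s%s %s;%s" % (indent, key, peer[key], tail)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for phase, key, ours, theirs in check_against_peer(RACOON_CONF):
        print("%s: %s is %r here, peer expects %r" % (phase, key, ours, theirs))
    print(align_with_peer(RACOON_CONF))
```

On the posted file this reports three mismatches (Phase 1 hash md5, Phase 2 integrity hmac_md5, and deflate compression) and emits a configuration with none. racoon's `proposal_check obey` only relaxes how lifetime and PFS proposals are accepted; the algorithm sets themselves still have to match, so an unmatched proposal shows up as a failed Phase 1 rather than a tunnel that comes up with the wrong ciphers.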