From owner-freebsd-security Thu Jan 24 11:30:34 2002
Delivered-To: freebsd-security@freebsd.org
Message-ID: <3C5060A1.AEA49AB9@centtech.com>
Date: Thu, 24 Jan 2002 13:29:37 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Kerin Millar
Cc: freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think the real problem is he has a SEPARATE host in between his two
IPSEC boxes.

Eric

Kerin Millar wrote:
>
> Haven't had much experience with IPSEC myself but maybe this document
> will help: http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html
>
> Of course it is Linux specific but it seems to cover the masquerading
> topic adequately, and presumably the parts about setting up the
> firewall should be easily adaptable to IPFW.
>
> Here is an interesting excerpt from the document:
>
> > If you are setting up a masqueraded VPN server, you will also have to
> > obtain and install the following two packages:
> >
> > To redirect the inbound TCP/UDP traffic (the 1723/tcp PPTP control
> > channel or the 500/udp ISAKMP channel), you need the appropriate
> > ipportfw port-forwarding kernel patch and configuration tool from
> > http://www.ox.compsoc.org.uk/~steve/portforwarding.html. Port
> > forwarding has been incorporated into the 2.2.x kernel. See man
> > ipmasqadm for configuration details. If ipmasqadm is not included
> > with your distribution it can be obtained at
> > http://juanjox.kernelnotes.org/.
> >
> > To redirect the initial inbound tunnel traffic (GRE for PPTP and ESP
> > for IPsec), you need the ipfwd generic-IP redirector from
> > http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.
> >
> > You do not need port forwarding or ipfwd if you are masquerading only
> > clients.
>
> Regards,
>
> Kerin Millar
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
------------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
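The quoted HOWTO makes a distinction that explains the "separate host in between" problem: the 500/udp ISAKMP exchange can be carried by an ordinary port-forwarding rule, but ESP is its own IP protocol (number 50) with no transport-layer ports, so a port-forward table never matches it and a generic IP-protocol redirect is needed. The following Python model is an added example, not code from this thread, from the HOWTO, or from ipmasqadm/ipfwd; the router, the addresses 192.0.2.1 and 10.0.0.5, and the packets are constructed for illustration. It traces the two inbound packets a remote IPsec peer sends through a masquerading host configured with port forwarding only, and then with an added ESP redirect.

```python
"""Why an IPsec tunnel stalls behind a port-forwarding-only masquerader.

Added example (not part of the freebsd-security thread or the
VPN-Masquerade HOWTO). All hosts, addresses and packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50     # IPsec ESP: a separate IP protocol, no TCP/UDP ports
ISAKMP_PORT = 500    # IKE/ISAKMP key exchange runs over UDP port 500


@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    dport: Optional[int] = None   # None for port-less protocols such as ESP


@dataclass
class MasqRouter:
    """Simplified masquerading host with two inbound redirect tables."""
    public_ip: str
    # (proto, dport) -> inside host: what ipmasqadm-style port forwarding does
    port_forwards: Dict[Tuple[int, int], str] = field(default_factory=dict)
    # proto -> inside host: what an ipfwd-style generic IP redirector does
    proto_forwards: Dict[int, str] = field(default_factory=dict)

    def deliver(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, inside host) for one inbound packet."""
        if pkt.dst != self.public_ip:
            return ("not-for-us", None)
        # Port forwarding can only match packets that carry a port number.
        if pkt.dport is not None:
            inside = self.port_forwards.get((pkt.proto, pkt.dport))
            if inside is not None:
                return ("port-forwarded", inside)
        # A protocol redirect matches on the IP protocol number alone, so it
        # can serve exactly one inside host per protocol (there is no port to
        # demultiplex on).
        inside = self.proto_forwards.get(pkt.proto)
        if inside is not None:
            return ("proto-forwarded", inside)
        return ("dropped", None)


PUBLIC_IP = "192.0.2.1"    # constructed: masquerading host's outside address
VPN_SERVER = "10.0.0.5"    # constructed: IPsec peer sitting behind it


def port_forward_only() -> MasqRouter:
    """Masquerader with just the 500/udp ISAKMP port forward."""
    router = MasqRouter(PUBLIC_IP)
    router.port_forwards[(IPPROTO_UDP, ISAKMP_PORT)] = VPN_SERVER
    return router


def full_passthrough() -> MasqRouter:
    """Same, plus a generic redirect of IP protocol 50 (ESP)."""
    router = port_forward_only()
    router.proto_forwards[IPPROTO_ESP] = VPN_SERVER
    return router


def inbound_tunnel_outcome(router: MasqRouter) -> Dict[str, Tuple[str, Optional[str]]]:
    """Trace the two packets the remote peer sends to bring the tunnel up."""
    isakmp = Packet(IPPROTO_UDP, PUBLIC_IP, ISAKMP_PORT)
    esp = Packet(IPPROTO_ESP, PUBLIC_IP)          # no dport: ESP has none
    return {"isakmp": router.deliver(isakmp), "esp": router.deliver(esp)}


if __name__ == "__main__":
    for name, router in (("port-forward only", port_forward_only()),
                         ("port-forward + ESP redirect", full_passthrough())):
        print(name)
        for pkt_name, (verdict, host) in inbound_tunnel_outcome(router).items():
            print(f"  {pkt_name:7s} -> {verdict} {host or ''}")
```

The symptom this reproduces is the one worth recognising when debugging: phase 1 (ISAKMP) negotiates fine through the middle host, yet no traffic ever flows, because the ESP packets that follow are silently dropped at the masquerader. The model also makes the limitation of the fix visible: a protocol-level redirect has no port to key on, so a masquerading host can pass ESP to only one inside peer this way. For the IPFW adaptation Kerin mentions, the corresponding knobs on FreeBSD would be natd(8)'s port and protocol redirect options rather than ipmasqadm and ipfwd; check your release's natd(8) for the exact syntax.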