From owner-freebsd-questions Fri Apr 13 19:53:40 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from wattres.Watt.COM (spare78.biz.net [208.177.80.78]) by hub.freebsd.org (Postfix) with ESMTP id D212037B423 for ; Fri, 13 Apr 2001 19:53:35 -0700 (PDT) (envelope-from steve@Watt.COM)
Received: (from steve@localhost) by wattres.Watt.COM (8.11.3/8.11.2) id f3E2rU107619; Fri, 13 Apr 2001 19:53:30 -0700 (PDT) (envelope-from steve)
Message-Id: <200104140253.f3E2rU107619@wattres.Watt.COM>
From: steve@Watt.COM (Steve Watt)
Date: Fri, 13 Apr 2001 19:53:29 -0700
In-Reply-To: Gunther Schadow "Re: IPsec painful setup..." (Apr 14, 2:09)
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Gunther Schadow
Subject: Re: IPsec painful setup...
Cc: questions@FreeBSD.ORG
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Apr 14, 2:09, Gunther Schadow wrote:
} Steve Watt wrote:
} > I have tried both transport and tunnel mode; it seemed clear to me that
} > transport wouldn't work, but I had to try it anyhow. I'd dearly love to
} > use the FreeBSD box directly as the NAT box, but it's a DSL installation
} > where the DSL line comes into a port on the router. Unless there are
} > PCI DSL cards that are likely to work in such a scenario, I think I get
} > to wrestle with this.
}
} You have too many free variables in your equation :-) I would start
} with two FreeBSD boxes on each end of the line and try to set up a
} statically keyed IPsec tunnel. I don't trust racoon just yet, it
} didn't work for me reliably so far. And of course I don't trust the
} "other IPsec capable" router. Go step by step. If NAT is a problem
} in the DSL box, turn NAT off and use it straight through as a bridge,
} if that's possible...

Actually, I've already got a setup working, with racoon, gif, and the
non-FreeBSD IPsec implementation, and it's fine roughly 80% of the time.
The rest of the time, rebooting the non-FreeBSD box (it's a Netscreen
router) makes things work again.

Unfortunately, I am trying to duplicate the configuration onto the
above-mentioned ugly setup, so the only variable I'm adding is a NAT
thingy in the way.

} > You said "old gif tunnel method"; that implies that there's some new
} > method? Where can I find info on that? I'm currently using gif tunnels,
} > racoon for isakmp, and ipsec in tunnel mode.
}
} See my recent bug report on freebsd-net. On how to set this up. You can
} use the first half of the bug report as a cookbook recipe. if you
} don't try the second half, you'll be fine :-).

Thanks! I'll take a peek at that.

--
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                      Whois: SW32
Free time?  There's no such thing.  It just comes in varying prices...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
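Gunther's suggestion above is to take racoon and the third-party router out of the picture and first get a statically keyed IPsec tunnel up between two FreeBSD boxes. The script below is an added example of what that looks like with setkey(8); it is not Steve's or Gunther's configuration and is not taken from the freebsd-net bug report mentioned in the thread. The gateway addresses, subnets, SPIs and key material are constructed placeholders for illustration only. It prints the same SAD entries for both ends (an SA is identified by destination plus SPI, so both gateways load both) and flips only the SPD direction, which is the piece that most often gets typed inconsistently when the two ends are configured by hand.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit a statically keyed
# ESP tunnel-mode configuration for two FreeBSD gateways, in setkey(8) syntax.
#
# Assumed topology (constructed for this example):
#   gateway A  203.0.113.1   fronts 192.168.1.0/24
#   gateway B  198.51.100.1  fronts 192.168.2.0/24
GW_A=203.0.113.1
GW_B=198.51.100.1
NET_A=192.168.1.0/24
NET_B=192.168.2.0/24

# One SPI per direction. setkey(8) reserves SPIs 0-255, so stay above that.
SPI_AB=0x1001   # SA for traffic A -> B
SPI_BA=0x1002   # SA for traffic B -> A

# Constructed demo keys, NOT for real use. rijndael-cbc takes a 128/192/256-bit
# key and hmac-sha1 a 160-bit key; generate real ones with a CSPRNG, e.g.
#   openssl rand -hex 16   and   openssl rand -hex 20
ENC_KEY_AB=0x00112233445566778899aabbccddeeff
AUTH_KEY_AB=0x000102030405060708090a0b0c0d0e0f10111213
ENC_KEY_BA=0xffeeddccbbaa99887766554433221100
AUTH_KEY_BA=0x131211100f0e0d0c0b0a09080706050403020100

# key_len_ok KEY NBYTES: succeed if the 0x-prefixed hex key is exactly NBYTES long.
# A wrong-length key is rejected by setkey on one end and silently breaks the tunnel.
key_len_ok() {
    hex=${1#0x}
    [ ${#hex} -eq $(( $2 * 2 )) ]
}

# check_keys: verify every key before anything is written to the kernel.
check_keys() {
    key_len_ok "$ENC_KEY_AB" 16 && key_len_ok "$ENC_KEY_BA" 16 &&
    key_len_ok "$AUTH_KEY_AB" 20 && key_len_ok "$AUTH_KEY_BA" 20
}

# setkey_conf LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET
# Prints the setkey script for the gateway whose address is LOCAL_GW.
# The 'add' lines are identical on both ends; only the spdadd direction differs.
setkey_conf() {
    local_gw=$1; remote_gw=$2; local_net=$3; remote_net=$4
    cat <<EOF
flush;
spdflush;

# Security associations (same two entries on both gateways)
add $GW_A $GW_B esp $SPI_AB -m tunnel -E rijndael-cbc $ENC_KEY_AB -A hmac-sha1 $AUTH_KEY_AB;
add $GW_B $GW_A esp $SPI_BA -m tunnel -E rijndael-cbc $ENC_KEY_BA -A hmac-sha1 $AUTH_KEY_BA;

# Policy: our subnet <-> the peer's subnet must use the ESP tunnel between the gateways
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_gw-$remote_gw/require;
spdadd $remote_net $local_net any -P in  ipsec esp/tunnel/$remote_gw-$local_gw/require;
EOF
}

# Usage: sh ipsec-static.sh A > /etc/ipsec.conf   (or B on the other gateway)
case "${1:-}" in
    A) check_keys && setkey_conf "$GW_A" "$GW_B" "$NET_A" "$NET_B" ;;
    B) check_keys && setkey_conf "$GW_B" "$GW_A" "$NET_B" "$NET_A" ;;
esac
```

Load the output on each box with `setkey -f /etc/ipsec.conf`, then compare `setkey -D` (SAD) and `setkey -DP` (SPD) on both ends before touching racoon; with static keys there is no IKE exchange to fail, so if pings between the subnets do not get through, the difference is in those two dumps. No gif interface is needed in this SPD-driven form, since tunnel mode does the encapsulation itself. The caveat relevant to the NAT box in Steve's setup: ESP carries no port numbers, so a NAT device between the gateways cannot rewrite it unless it passes ESP through untouched; this example assumes both gateways are directly reachable at the addresses in the SAD.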