From owner-freebsd-net Tue Apr 9 3:26:46 2002
Delivered-To: freebsd-net@freebsd.org
Received: from artemis.drwilco.net (diana.drwilco.net [66.48.127.79]) by hub.freebsd.org (Postfix) with ESMTP id 1D4AB37B41A for ; Tue, 9 Apr 2002 03:26:43 -0700 (PDT)
Received: from ceres.drwilco.net (docwilco.xs4all.nl [213.84.68.230]) by artemis.drwilco.net (8.11.6/8.11.6) with ESMTP id g39AQ0x96890 (using TLSv1/SSLv3 with cipher DES-CBC3-SHA (168 bits) verified NO); Tue, 9 Apr 2002 06:26:02 -0400 (EDT) (envelope-from drwilco@drwilco.net)
Message-Id: <5.1.0.14.0.20020409123453.01d16880@mail.drwilco.net>
X-Sender: lists@mail.drwilco.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 09 Apr 2002 12:38:35 +0200
To: "Dennis Pedersen" ,
From: "Rogier R. Mulhuijzen"
Subject: Re: IPsec tunnel mode
Cc: "Lars Eggert"
In-Reply-To: <00a801c1dfaf$925aa750$0301a8c0@dpws>
References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-Archive: (Web Archive)
List-Help: (List Instructions)
X-Loop: FreeBSD.org

At 12:16 9-4-2002 +0200, Dennis Pedersen wrote:
>But uhm is there a 'simple' way of doing this? (as in just adding the IP of
>the other end's gif interface as destination in my routes?)
>The setup today is an exact copy of (other IPs of course)
>www.freebsddiary.org/ipsec-tunnel.php
>This works just fine besides the problem with my routes; according to the
>draft IPIP is the solution. My question is now how do I set up with an IPIP
>tunnel?
>On http://rr.sans.org/firewall/IPSec_VPN.php there is an example, from my
>point of view it looks kind of complicated. Can it be made any simpler?
>If this is the way to do it, can I run multiple natd on both my external
>interface and the virtual gif interface (the howto creates the gif tunnel
>and diverts all traffic into this tunnel with natd on both ends) and how?
>(because I can't really see how the ipfw add divert natd can tell the
>difference between the 2 sessions of natd)

That 2nd example is actually quite straightforward. It's just rather extensive.

And yes you can use 2 nat daemons. The 'natd' in the ipfw divert rule is just a port number. You can start a second nat on a different divert port, and use that other port number in the ipfw divert rule.

Good luck,

Doc

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
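The two-daemon setup Doc describes, written out as an added example (not from the thread or from either howto it cites). It prints the natd command lines and the matching ipfw divert rules rather than applying them, so it can be reviewed offline. The interface names fxp0 and gif0 and the second port 8669 are assumptions; 8668 is natd's default divert port, which is what the `natd` name in `ipfw add divert natd` resolves to via /etc/services.

```shell
#!/bin/sh
# Added example, not code from the thread: two natd instances, one per
# interface, told apart by their divert port. Interface names and the
# second port are assumptions; 8668 is natd's default divert port.
EXT_IF="${EXT_IF:-fxp0}"     # assumed external interface
GIF_IF="${GIF_IF:-gif0}"     # assumed gif tunnel interface
EXT_PORT=8668                # first natd: the default 'natd' port
GIF_PORT=8669                # second natd: any free port, must differ

# Emit the two natd command lines. -p sets the divert port the daemon
# listens on, -n the interface whose address it translates to.
natd_commands() {
    printf 'natd -p %s -n %s\n' "$EXT_PORT" "$EXT_IF"
    printf 'natd -p %s -n %s\n' "$GIF_PORT" "$GIF_IF"
}

# Emit the matching ipfw rules. Packets crossing EXT_IF are diverted to
# the daemon on EXT_PORT, packets crossing GIF_IF to the one on GIF_PORT;
# the number after 'divert' is all ipfw uses to tell the two apart.
ipfw_rules() {
    printf 'ipfw add 100 divert %s ip from any to any via %s\n' "$EXT_PORT" "$EXT_IF"
    printf 'ipfw add 200 divert %s ip from any to any via %s\n' "$GIF_PORT" "$GIF_IF"
}

# Refuse a config where both daemons would share a port: the second natd
# would fail to bind, or the rules would feed both interfaces to one daemon.
check_ports() {
    [ "$EXT_PORT" -ne "$GIF_PORT" ]
}

# Print the full configuration for review instead of executing it.
show_config() {
    check_ports || { echo "divert ports must differ" >&2; return 1; }
    natd_commands
    ipfw_rules
}

show_config
```

Run it as-is to see the generated lines; to apply them on a real box, pipe the output through `sh` only after checking that the `via` interface in each rule really is the one the corresponding natd was started with `-n` for, since a mismatch silently NATs the wrong traffic.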