From: Julian Elischer
To: Christophe Prevotaux
Cc: net@freebsd.org
Date: Tue, 18 Jun 2002 16:41:23 -0700 (PDT)
Subject: Re: IPIP (kind of) with Payload Encryption only
In-Reply-To: <20020618153956.2a9352fa.c.prevotaux@hexanet.fr>
Sender: owner-freebsd-net@FreeBSD.ORG

You can set up pseudo interfaces using netgraph iface and ksocket nodes so
that anything going into the interface is encapsulated in a UDP packet.
Then set up IPSEC to encrypt the packets that are sent to the virtual
interface. You get ESP inside normal UDP. (will that do?)

It's all in setting up the routing so that the ESP packets get routed to
the netgraph interfaces, which are attached to the ksocket nodes which are
set to UDP and bound to addresses.

I use something similar here except that I then re-encrypt the final
tunnel as well :-)

On Tue, 18 Jun 2002, Christophe Prevotaux wrote:

> Hi,
>
> Could someone tell me if there is a way to build a VPN(like) tunnel from
> a FreeBSD machine acting as a VPN gateway to another machine acting as
> another VPN gateway using normal IP packets that have only their data
> payload encrypted. Of course there would have to be a way to setup the
> tunnel and still retain the network addressing of each side of the VPN
>
> I thought about some kind of IPIP tunneling but with data payload
> encryption and some kind of key exchange for authentication
>
> has anyone made or seen such a system yet ?
>
> I do not want to use (I can't) AH and ESP for this because of some
> technical constraints
>
>                  +-------------+   +---------+
>                  | VPN gateway |---| Router  |--------+
>   --Network A====|==FreeBSD====|===|=========|==      |
>                  +-------------+   +---------+   ||   |
>                                         VPN   Internet
>                                                  ||   |
>                  +-------------+   +---------+   ||   |
>   --Network B====|=VPN gateway=|===|=Router==|==      |
>                  | FreeBSD     |---|         |--------+
>                  +-------------+   +---------+
>
> --
> ==================================================================
> Christophe Prevotaux        Email: c.prevotaux@hexanet.fr
> HEXANET SARL                URL: http://www.hexanet.fr/
> Z.A.C Les Charmilles        Tel: +33 (0)3 26 79 30 05
> 3 Allée Thierry Sabine      Direct: +33 (0)3 26 61 77 72
> BP202                       Fax: +33 (0)3 26 79 30 06
> 51686 Reims Cedex 2
> FRANCE                      HEXANET Network Operation Center
> ==================================================================
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
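The layout Julian sketches (ng_iface interface, ng_ksocket UDP socket behind it, IPsec applied to the packets before they are routed into the interface) written out as a shell script. This is an added example, not code from the list thread or from the FreeBSD project; the ngctl, ifconfig, route and setkey invocations follow the form documented for those tools, and every address, UDP port, network and the interface name ng0 is an assumed placeholder, not a value from the thread. The functions only print the commands; the system is touched only when the script is invoked with "apply".

```shell
#!/bin/sh
# Added example, not from the list thread. Emits (and optionally applies) the
# commands for the layout described above: an ng_iface interface whose "inet"
# hook feeds an ng_ksocket UDP socket, plus an IPsec transport-mode policy so
# that the inner packets are already ESP when they are routed into ng0.
# Every address, port and network below is an assumed placeholder
# (RFC 5737 documentation and RFC 1918 private ranges).

# ngctl commands: create interface ng0 and back it with a connected UDP socket.
# $1 local public address, $2 local UDP port, $3 remote public address, $4 remote port
ng_udp_tunnel_cmds() {
    cat <<EOF
ngctl mkpeer iface dummy inet
ngctl mkpeer ng0: ksocket inet inet/dgram/udp
ngctl msg ng0:inet bind inet/$1:$2
ngctl msg ng0:inet connect inet/$3:$4
EOF
}

# Point-to-point addressing for ng0 and the route that steers traffic for the
# far private network into ng0 (and therefore into the UDP socket).
# $1 local tunnel address, $2 remote tunnel address, $3 remote private network (CIDR)
tunnel_route_cmds() {
    cat <<EOF
ifconfig ng0 $1 $2
route add -net $3 $2
EOF
}

# setkey(8) policy: ESP in transport mode between the two private networks.
# Transport mode leaves the original source/destination addresses in the clear
# and encrypts only the payload, which is the property asked for in the thread.
# $1 local private network, $2 remote private network (both CIDR)
ipsec_policy() {
    cat <<EOF
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require;
EOF
}

# Only change the running system when explicitly asked: sh tunnel.sh apply
# (assumed file name; the other gateway runs the same script with the
# local/remote values swapped).
if [ "${1:-}" = "apply" ]; then
    ng_udp_tunnel_cmds 192.0.2.1 5000 198.51.100.1 5000 | sh -e
    tunnel_route_cmds 10.0.0.1 10.0.0.2 192.168.2.0/24 | sh -e
    ipsec_policy 192.168.1.0/24 192.168.2.0/24 | setkey -c
fi
```

The policy only says that ESP is required; the security associations themselves are assumed to come from IKE (racoon on FreeBSD of that era) or from manual setkey "add" lines on both gateways. Because the UDP carrier adds no authentication of its own, the ESP SAs should carry an integrity algorithm as well as encryption, otherwise any datagram that reaches the bound port is handed to the IPsec input path with nothing but the SPI to reject it.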