From: "Crist J. Clark"
To: Nucleo de Pesquisa e Desenvolvimento
cc: freebsd-net@freebsd.org
Date: Thu, 30 Oct 2003 15:30:18 -0800
Subject: Re: IPSEC in tunnel mode ( possible? )
Message-ID: <20031030233018.GC32640@blossom.cjclark.org>
In-Reply-To: <1545.172.72.12.252.1067458540.squirrel@intranet.el.com.br>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Oct 29, 2003 at 06:15:40PM -0200, Nucleo de Pesquisa e Desenvolvimento wrote:
> Hi everyone,
>
> I know it is kind of an off-topic question but maybe another network admin
> has already faced the following:
>
> client--[__ipsec__]--gw--[__ip__]--internet
>
> I, trying to secure a wireless link, want to have my clients using
> ipsec on the segment between the gateway gw and the machine itself even
> when the traffic is to the internet and not only to the gateway (what
> works fine in transport mode anyway). The clients are windows
> machines.
> According to Microsoft 252735 tunnel is possible when Windows is
> acting as a gateway, not our scenario where machines are only
> clients...

Sometimes you read something and you just wanna pound someone so, so
hard with a clue bat,

  "Windows 2000 IPSec tunneling is not supported for client remote
  access VPN use because the IETF IPSec RFCs do not currently provide a
  remote access solution in the Internet Key Exchange (IKE) protocol for
  client-to-gateway connections."

First, IPsec is a peer-to-peer protocol. There are no clients and
servers, only peers. Second, IKE is not part of IPsec. IKE is a nice
standard for setting up IPsec SAs, but it is not required and is not
the only way to set up SAs. Third, there are plenty of ways to do IKE
authentication in a "client-to-server-like" fashion. A zillion other
vendors have somehow managed to figure this out, M$.

> Could anyone point me to some url or send me keywords I should look
> for, please? If things won't work with ipsec I'll do it with MPD... but
> I still should have asked it here.

FWIW, I ended up using mpd for Windows machines in this exact same
scenario.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
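Crist's point that IKE is only one way to install SAs, as an added example that is not part of the original thread: a script that emits setkey(8) input for the FreeBSD gateway side of the client--[ipsec]--gw--[ip]--internet layout, with manually keyed ESP tunnel-mode SAs. The addresses (RFC 5737 range), SPIs and keys are constructed placeholders, and the function name gw_tunnel_policy is my own.

```shell
#!/bin/sh
# Added example, not from the thread: gateway-side setkey(8) input for a
# manually keyed ESP tunnel between a wireless client and the gateway.
# Addresses, SPIs and keys below are constructed placeholders.

# check_hex_key HEX NBITS: succeeds if HEX is bare hex of exactly NBITS bits.
# setkey rejects wrong key lengths, but checking here gives a clearer error.
check_hex_key() {
    case $1 in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#1} * 4 )) -eq "$2" ]
}

# gw_tunnel_policy CLIENT GW SPI_C2G SPI_G2C EKEY_C2G AKEY_C2G EKEY_G2C AKEY_G2C
# Prints one ESP SA per direction in tunnel mode (AES-128-CBC + HMAC-SHA1) and
# SPD entries against 0.0.0.0/0, so internet-bound client traffic is covered,
# not only traffic addressed to the gateway itself.
gw_tunnel_policy() {
    client=$1 gw=$2 spi_c2g=$3 spi_g2c=$4
    for k in "$5" "$7"; do
        check_hex_key "$k" 128 || { echo "encryption key must be 128-bit hex" >&2; return 1; }
    done
    for k in "$6" "$8"; do
        check_hex_key "$k" 160 || { echo "auth key must be 160-bit hex" >&2; return 1; }
    done
    cat <<EOF
flush;
spdflush;
add $client $gw esp $spi_c2g -m tunnel -E rijndael-cbc 0x$5 -A hmac-sha1 0x$6;
add $gw $client esp $spi_g2c -m tunnel -E rijndael-cbc 0x$7 -A hmac-sha1 0x$8;
spdadd $client/32 0.0.0.0/0 any -P in ipsec esp/tunnel/$client-$gw/require;
spdadd 0.0.0.0/0 $client/32 any -P out ipsec esp/tunnel/$gw-$client/require;
EOF
}

# Demo with constructed keys. Real keys come from the kernel RNG (for example
# openssl rand -hex 20) and, unlike IKE, are never rotated automatically, so
# manual keying only suits a small, fixed set of peers that you rekey by hand.
gw_tunnel_policy 192.0.2.10 192.0.2.1 0x1001 0x1002 \
    000102030405060708090a0b0c0d0e0f 000102030405060708090a0b0c0d0e0f10111213 \
    0f0e0d0c0b0a09080706050403020100 131211100f0e0d0c0b0a09080706050403020100
```

The client side needs the mirror image of these SAs and policies; pipe the output into `setkey -c` on the gateway to load it.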