Date: Thu, 12 Sep 2002 14:10:27 -0400 From: Mike Tancsa <mike@sentex.net> To: security@freebsd.org Subject: Creating an IPSEC tunnel between a netopia 910 and FreeBSD (FAQ submission) Message-ID: <5.1.1.6.0.20020912114230.01f2aba0@marble.sentex.ca>
Again, I saw this question asked in my searches through google and mention of it on the vendor website, but I had not seen the answer.

Question: How do I set up a netopia 910R router to do an IPSEC ESP tunnel to a FreeBSD box?

An Answer: I was a little disappointed with the throughput results, but nevertheless it does work. My setup was as follows:

workstation------910R----........---FreeBSDIPSec----workstation
172.16.0.1/24    96.0.0.1            1.1.1.1        10.0.0.2/24
                 172.16.0.2/24       10.0.0.1/24

Note, with this setup, I was only able to get 180Kbps using DES and under 100Kbps using 3des as the netopia maxed out its little CPU. I called netopia support and spoke with a Ben. He tried 2 units back to back and got roughly the same numbers, so that does seem to be the limiting factor.

Anyways, the setup:

On the netopia, go to the quick menus:

IKE Phase 1 config
  Add IKE profile
    Call it FreeBSDIKE
    Mode=main
    Auth method, Shared Sec. with the key faqdemo, enc = des, Hash=md5, Group 2.
    Under Advanced, Negotiation = normal, SA=Newest, Allow Dangling=Yes, Phase 1 SA Lifetime=28000, Send Initial Contact Message: Yes, Include Vendor ID Payload: Yes, Independent Phase 2 Re-keys: Yes, Strict Port Policy: No

Back up to quick menu

Add Connection Profile
  Profile name = FreeBSD
  Prof enable=Yes
  Encaps= IPSEC
  Go to Encaps options
    Key management = IKE
    IKE Phase 1 Profile, choose the one you created before (FreeBSDIKE)
    Encaps = ESP
    ESP Transform = DES
    ESP Authtransform = HMAC-MD5-96
  Up one level and down to IP Profile Params.
    Remote Tunnel Endpoint: 1.1.1.1
    Remote Member Format... Subnet
    Remote Member Address: 10.0.0.0
    Remote Member Mask: 255.255.255.0
    Local Member Format... Subnet
    Local Member Address: 172.16.0.0
    Local Member Mask: 255.255.255.0
    Address Translation Enabled: No
    Filter Set... <<None>>
    Remove Filter Set
    NetBIOS Proxy Enabled No

On the FreeBSD side of things,

setkey -F
setkey -FP
setkey -c <<EOF
spdadd 10.0.0.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/1.1.1.1-96.0.0.1/use ;
spdadd 172.16.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/96.0.0.1-1.1.1.1/use ;
EOF

And the racoon.conf entry.

remote 96.0.0.1
{
    exchange_mode main;
    doi ipsec_doi;
    #situation identity_only;
    my_identifier address 1.1.1.1;
    #generate_policy off;
    nonce_size 16;
    lifetime time 28000 sec;        # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;            # obey, strict or claim
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
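As an added example (not part of Mike's message or of the FreeBSD/racoon tools), a small Python checker for a setkey(8) SPD pair in the form shown above: it verifies that the `in` and `out` tunnel policies mirror each other (subnets and endpoints swapped) and flags the `use` level, which lets traffic pass in cleartext while no SA exists, where `require` would enforce ESP. The sample SPD text is constructed from the two spdadd lines in the message.

```python
"""Consistency check for a pair of setkey(8) 'spdadd ... esp/tunnel/...' policies."""
import re

# Constructed sample: the two spdadd lines from the FreeBSD side of the tunnel above.
SPD_SCRIPT = """
spdadd 10.0.0.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/1.1.1.1-96.0.0.1/use ;
spdadd 172.16.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/96.0.0.1-1.1.1.1/use ;
"""

# Matches: spdadd SRC DST UPPERSPEC -P DIR ipsec PROTO/tunnel/LOCAL-REMOTE/LEVEL
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/tunnel/(?P<local>[\d.]+)-(?P<remote>[\d.]+)/(?P<level>\w+)"
)


def parse_spd(text):
    """Return one dict per spdadd line; raise on a line that does not parse."""
    policies = []
    for line in text.splitlines():
        line = line.strip().rstrip(";").strip()
        if not line:
            continue
        m = SPD_RE.match(line)
        if not m:
            raise ValueError("unparsed policy: " + line)
        policies.append(m.groupdict())
    return policies


def check_tunnel_pair(text):
    """Return a list of findings; an empty list means the in/out pair is consistent."""
    findings = []
    pol = {p["dir"]: p for p in parse_spd(text)}
    if set(pol) != {"in", "out"}:
        return ["need exactly one 'in' and one 'out' policy"]
    o, i = pol["out"], pol["in"]
    # The inbound selector must be the outbound one with src/dst swapped.
    if (o["src"], o["dst"]) != (i["dst"], i["src"]):
        findings.append("selector subnets are not mirrored between in and out")
    # Tunnel endpoints must likewise be swapped (our gateway <-> peer gateway).
    if (o["local"], o["remote"]) != (i["remote"], i["local"]):
        findings.append("tunnel endpoints are not mirrored between in and out")
    for p in (o, i):
        if p["level"] == "use":
            findings.append(p["dir"] + ": level 'use' passes cleartext when no SA exists; "
                            "'require' enforces ESP")
    return findings
```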