From owner-freebsd-security  Thu Sep 12 11:10: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 23DF337B401
	for <security@freebsd.org>; Thu, 12 Sep 2002 11:09:47 -0700 (PDT)
Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9308D43E3B
	for <security@freebsd.org>; Thu, 12 Sep 2002 11:09:46 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18])
	by obsidian.sentex.ca (8.12.6/8.12.6) with ESMTP id g8CI9iVZ029866
	for <security@freebsd.org>; Thu, 12 Sep 2002 14:09:44 -0400 (EDT)
	(envelope-from mike@sentex.net)
Message-Id: <5.1.1.6.0.20020912114230.01f2aba0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Thu, 12 Sep 2002 14:10:27 -0400
To: security@freebsd.org
From: Mike Tancsa <mike@sentex.net>
Subject: Creating an IPSEC tunnel between a netopia 910 and FreeBSD
  (FAQ submission)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (obsidian/20020517)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


Again, I saw this question asked in my searches through google and mention 
of it on the vendor website, but I had not seen the answer.


Question: How do I setup a netopia 910R router to do an IPSEC ESP tunnel to 
a FreeBSD box.

An Answer:

I was a little disappointed with the throughput results, but never the less 
it does work.

My setup was as follows

workstation------910R----........---FreeBSDIPSec----workstation
172.16.0.1/24   96.0.0.1          1.1.1.1            10.0.0.2/24
             172.16.0.2/24            10.0.0.1/24



Note, with this setup, I was only able to get 180Kbps using DES and under 
100Kbps using 3des as the netopia maxed out its little CPU.  I called 
netopia support and spoke with a Ben.  He tried 2 units back to back and 
got roughly the same numbers, so that does seem to be the limiting factor.


Anyways, the setup

On the netopia,
Go to the quick menus
Ike Phase 1 config
Add IKE profile
Call it FreeBSDIKE
Mode=main
Auth method, Shared Sec. with the key faqdemo, enc = des, Hash=md5, Group 2.
Under Advanced, Negotiation = normal, SA=Newest, Allow Dangling=Yes, Phase 
1 SA Lifetime=28000,Send Initial Contact Message:Yes, Include Vendor ID 
Payload:Yes,Independent Phase 2 Re-keys: Yes,Strict Port Policy:No

Back up to quick menu
Add Connection Profile
Profile name = FreeBSD
Prof enabable=Yes
Encaps= IPSEC
Go to Encaps options
Key management = IKE
IKE Phase 1 Profile, choose the one you created before (FreeBSDIKE)
Encapse = ESP
ESP Transform = DES
ESP Authtransform = HMAC-MD5-96

Up one level and down to IP Profile Params.
          Remote Tunnel Endpoint:            1.1.1.1
          Remote Member Format...            Subnet
          Remote Member Address:             10.0.0.0
          Remote Member Mask:                255.255.255.0
          Local Member Format...             Subnet
          Local Member Address:              172.16.0.0
          Local Member Mask:                 255.255.255.0
          Address Translation Enabled:       No
          Filter Set...                      <<None>>
          Remove Filter Set
          NetBIOS Proxy Enabled              No



On the FreeBSD side of things,

         setkey -F
         setkey -FP
         setkey -c <<EOF
        spdadd 10.0.0.0/24 172.16.0.0/24 any -P out ipsec 
esp/tunnel/1.1.1.1-96.0.0.1/use ;
        spdadd 172.16.0.0/24 10.0.0.0/24 any -P in ipsec 
esp/tunnel/96.0.0.1-1.1.1.1/use ;

EOF

And the racoon.conf entry.

remote  96.0.0.1
{
         exchange_mode main;
         doi ipsec_doi;
         #situation identity_only;
         my_identifier address 1.1.1.1;
         #generate_policy off;
         nonce_size 16;
         lifetime time 28000 sec;   # sec,min,hour
         initial_contact on;
         support_mip6 on;
         proposal_check obey;    # obey, strict or claim

         proposal {
                 encryption_algorithm des;
                 hash_algorithm md5;
                 authentication_method pre_shared_key ;
                 dh_group 2 ;
         }
}




sainfo anonymous
{
         pfs_group 1;
         lifetime time 60 sec;
         encryption_algorithm des ;
         authentication_algorithm hmac_md5;
         compression_algorithm deflate;
}



	---Mike
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message