From owner-freebsd-net@FreeBSD.ORG Thu May 26 01:57:33 2011
From: jhall@socket.net
To: remko@elvandar.org
Cc: freebsd-net@freebsd.org
Subject: Re: Re: IPSec Routing
Date: Wed, 25 May 2011 20:57:32 -0500
Message-Id: <20110526015733.82B711065677@hub.freebsd.org>
References: <20110522120030.4B70510656D2@hub.freebsd.org> <20110522143107.7520F106566C@hub.freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

----------------------------------------------------
From : Remko Lodder
To : jhall@socket.net
Subject : Re: IPSec Routing
Date : Sun, 22 May 2011 21:12:24 +0200

> Basically what happens is that an IPSEC tunnel looks like this:
>
> Internal_A -->> Internal FW A [FW A] External FWA ---->>> [Internet] <<<---- External FWB [FW B] Internal FW B <<-- Internal_B
> External FWA [------------ TUNNEL ---------] External FWB                              [also called Phase 1]
> Internal_A [------------------------------- TUNNEL -------------------------------] Internal_B   [also called Phase 2]
>
> The external FWs talk to each other and make a secure pipe. The internal networks / hosts use the secure pipe to route traffic
> between them. So basically the first TUNNEL line is a big pipe, and the second TUNNEL line is packets WITHIN that first tunnel line. (complex?)
>
> Comment:
>
> A connection is set up between the external FWA and External FWB, so that you have a secure pipe between the firewalls
> to exchange data.
>
> In some cases you talk to the external IP and it gets processed there and onwards.
>
> In other cases [more likely], you set up a secondary tunnel (phase 2) which enables you to talk to internal hosts on the other end.
> An IPSEC session is never established between internal IP ranges (if flowing over the internet; of course within the network itself
> it is entirely possible).
>
> The IPSEC session _does_ allow you to route and send traffic to an internal IP address over the tunnel though.
>
> If you can shed some more light on what you mean I might be able to help. I have set up 1000's of tunnels between mostly commercial
> grade firewalls but I might assist in getting a bit further.

Thank you to everyone for their help. The connection is now up and running. Our vendor had an incorrect entry in their route table.

Jay
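The quoted explanation separates the phase 1 pipe (between the two external firewalls) from the phase 2 selectors (which internal networks may send packets inside that pipe), and the thread ends with a routing-table mistake on the peer. The following is an added example, not part of this mail thread and not FreeBSD's own IPsec code: a small Python model of one gateway (the "External FWA" role) that performs the phase 2 selector lookup, wraps matching packets in outer headers addressed gateway-to-gateway, and runs a consistency check over its route table and selectors. All addresses, network names, the `Gateway`/`Phase1`/`Phase2` classes and the `build_example` helper are constructed for illustration and are not taken from the page.

```python
"""Constructed model of phase 1 / phase 2 from the quoted mail (added
example, not code from the thread). Addresses are documentation ranges."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union


@dataclass(frozen=True)
class Phase1:
    """The 'big pipe': one SA pair between the two external firewalls."""
    local_gw: IPv4Address   # External FWA (constructed: 192.0.2.1)
    remote_gw: IPv4Address  # External FWB (constructed: 198.51.100.1)


@dataclass(frozen=True)
class Phase2:
    """Selectors for traffic allowed INSIDE the phase 1 pipe."""
    local_net: IPv4Network   # Internal_A side
    remote_net: IPv4Network  # Internal_B side
    tunnel: Phase1


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: IPv4Address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Encapsulated:
    """Outer (phase 1) header carrying an inner (phase 2) packet."""
    outer_src: IPv4Address
    outer_dst: IPv4Address
    inner: Packet


class Gateway:
    def __init__(self, policies: List[Phase2], routes: List[Route]):
        self.policies = list(policies)
        self.routes = list(routes)

    def route_lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the route table."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def phase2_lookup(self, pkt: Packet) -> Optional[Phase2]:
        """Most specific phase 2 policy whose selectors cover src and dst."""
        hits = [p for p in self.policies if pkt.src in p.local_net and pkt.dst in p.remote_net]
        if not hits:
            return None
        return max(hits, key=lambda p: p.local_net.prefixlen + p.remote_net.prefixlen)

    def outbound(self, pkt: Packet) -> Union[Packet, Encapsulated]:
        """Packets matching a phase 2 selector travel inside the phase 1 pipe;
        everything else leaves in the clear, exactly as the mail describes."""
        p2 = self.phase2_lookup(pkt)
        if p2 is None:
            return pkt
        return Encapsulated(p2.tunnel.local_gw, p2.tunnel.remote_gw, pkt)

    def check_config(self) -> List[str]:
        """Flag the two ways a route table or selector can break the pipe:
        the peer gateway has no route, or it is routed toward the internal
        side (or sits inside a selector), so phase 1 traffic can never
        reach the internet-facing side."""
        problems = []
        for p2 in self.policies:
            peer = p2.tunnel.remote_gw
            if any(peer in q.remote_net or p2.tunnel.local_gw in q.local_net for q in self.policies):
                problems.append(f"gateway address {peer} lies inside a phase 2 selector")
            r = self.route_lookup(peer)
            if r is None:
                problems.append(f"no route to peer gateway {peer}")
            elif any(r.next_hop in q.local_net or r.next_hop in q.remote_net for q in self.policies):
                problems.append(f"peer gateway {peer} is routed via {r.next_hop}, an internal-side address")
        return problems


def build_example(broken: bool = False) -> Gateway:
    """Constructed FWA: Internal_A 10.1.0.0/16 <-> Internal_B 10.2.0.0/16."""
    pipe = Phase1(ip_address("192.0.2.1"), ip_address("198.51.100.1"))
    policy = Phase2(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), pipe)
    routes = [Route(ip_network("10.1.0.0/16"), ip_address("10.1.0.254"))]  # Internal FW A
    if broken:
        # Peer gateway mistakenly routed toward the internal firewall.
        routes.append(Route(ip_network("198.51.100.0/24"), ip_address("10.1.0.254")))
    else:
        routes.append(Route(ip_network("0.0.0.0/0"), ip_address("192.0.2.254")))  # ISP next hop
    return Gateway([policy], routes)


if __name__ == "__main__":
    gw = build_example()
    print(gw.outbound(Packet(ip_address("10.1.5.7"), ip_address("10.2.9.9"))))
    print(gw.outbound(Packet(ip_address("10.1.5.7"), ip_address("203.0.113.9"))))
    print("good:", gw.check_config(), "broken:", build_example(broken=True).check_config())
```

The phase 2 lookup is keyed on the inner source and destination only; the outer addresses come from the phase 1 object, which is why the mail can say no IPsec session exists between the internal ranges themselves. `check_config` is the defender's counterpart to the thread's resolution: it catches the peer gateway being unreachable or pointed back at the inside of the network before any tunnel negotiation is attempted.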