Delivered-To: freebsd-net@freebsd.org
Message-ID: <003c01c1dfe6$8460e7e0$0301a8c0@dpws>
From: "Dennis Pedersen"
To: "Lars Eggert"
References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <00a801c1dfaf$925aa750$0301a8c0@dpws> <3CB3146A.7080906@isi.edu>
Subject: Re: IPsec tunnel mode
Date: Tue, 9 Apr 2002 18:49:29 +0200

----- Original Message -----
From: "Lars Eggert"
To: "Dennis Pedersen"
Sent: Tuesday, April 09, 2002 6:18 PM
Subject: Re: IPsec tunnel mode

> Dennis Pedersen wrote:
> > But uhm, is there a 'simple' way of doing this? (as in just adding the IP of
> > the other end's gif interface as destination in my routes?)
> > The setup today is an exact copy of (other IPs of course)
> > www.freebsddiary.org/ipsec-tunnel.php
> > This works just fine besides the problem with my routes; according to the
> > draft, IPIP is the solution. My question is now: how do I set up with an IPIP
> > tunnel?
> > On http://rr.sans.org/firewall/IPSec_VPN.php there is an example; from my
> > point of view it looks kind of complicated. Can it be made any simpler?
> > If this is the way to do it, can I run multiple natd on both my external
> > interface and the virtual gif interface (the howto creates the gif tunnel
> > and diverts all traffic into this tunnel with natd on both ends) and how?
> > (because I can't really see how the ipfw add divert natd can tell the
> > difference between the 2 sessions of natd)
>
> Both setup instructions you gave URLs for are broken in the respect that
> they tell you to set up IPIP tunnels and IPsec tunnel mode SAs in
> parallel. IPsec tunnel mode under KAME does not use gif interfaces. This
> works in some situations, because the interaction of side effects is
> just right.
>
> These instructions in fact set up a secure and a non-secure path between
> the two security gateways, and work by intercepting packets sent over
> the non-secure path and pushing them into the secure tunnel. This can
> have all sorts of interesting failure modes.

Oooh, bummer..

> Setting up the other approach (IPIP tunnel + IPsec transport mode) works
> by first setting up the tunnels (see the gifconfig/ifconfig man pages)
> and stringing the topology together with route (route man page). No
> other commands are needed. Once this works (i.e. you see correctly
> encapsulated packets flow between your machines) you can then manually
> configure IPsec transport mode SAs (via setkey) or use IKE.

Well, the problem is that I have read the man pages a couple of times but I'm having some problems getting the big picture (as in a lack of brain cells keeps me from coming up with a plan that should work..)
But the last document, where the author creates some alias to lo0 and runs natd on the gif interface, isn't that the right way of doing it (let's just forget IPsec for now and look strictly at IPIP), or? According to what you are writing this isn't the way of doing it? (and there you seem to have lost me..)
About the KAME newsletters, I believe I have read all of them that have relevance to IPsec; anything specific I'm missing?

Regards,
Dennis
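An added example, not from the thread, of the "IPIP tunnel + IPsec transport mode" approach Lars describes: a POSIX sh script that generates, for one gateway, the gif tunnel and route commands, the tcpdump check for encapsulated packets, and the setkey policy that protects the encapsulated (IP protocol 4, "ipencap") traffic between the outer addresses. All addresses, the gif0/em0 interface names and the 192.168.2.0/24 remote LAN are constructed placeholders; the functions print the commands for review rather than applying anything.

```shell
#!/bin/sh
# Added example: configuration generator for "IPIP (gif) tunnel + IPsec
# transport mode" on a KAME/FreeBSD gateway. Addresses are constructed
# placeholders (RFC 5737 documentation ranges); nothing is applied to the
# system, the functions only print commands for review (pipe to sh later).

# Step 1: the tunnel and the route (gif0 is an assumed interface name).
# $1 local outer IP   $2 remote outer IP   $3 local inner IP
# $4 remote inner IP  $5 remote LAN prefix reached through the tunnel
gen_tunnel() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
    printf 'route add -net %s %s\n' "$5" "$4"
}

# Step 2: the check to do before touching IPsec, as in the quoted advice:
# encapsulated packets (IP protocol 4) seen on the outer interface ($1).
gen_check() {
    printf 'tcpdump -ni %s ip proto 4\n' "$1"
}

# Step 3: setkey(8) policy. Transport mode between the OUTER addresses,
# matching only the encapsulated traffic (upper-layer protocol "ipencap",
# number 4). "require" means no cleartext fallback, so the gif tunnel is
# the single path and it is always ESP-protected. The SAs themselves come
# from IKE (racoon) or manual "add" lines, which are not shown here.
# $1 local outer IP   $2 remote outer IP
gen_setkey() {
    cat <<EOF
spdflush;
spdadd $1/32 $2/32 ipencap -P out ipsec esp/transport//require;
spdadd $2/32 $1/32 ipencap -P in ipsec esp/transport//require;
EOF
}

# Demo run for gateway A (constructed values); gateway B mirrors the arguments.
main() {
    gen_tunnel 203.0.113.1 198.51.100.1 10.0.0.1 10.0.0.2 192.168.2.0/24
    gen_check em0
    gen_setkey 203.0.113.1 198.51.100.1
}
main
```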