From owner-freebsd-questions@FreeBSD.ORG Wed Oct 27 08:38:08 2004
Message-ID: <417F5E6B.2080100@locolomo.org>
Date: Wed, 27 Oct 2004 10:38:03 +0200
From: Erik Norgaard <norgaard@locolomo.org>
Organization: Loco Lomography
To: questions@freebsd.org
Subject: VPN questions

Hi,

I am looking at how to implement a VPN, but I'm getting confused as to how IPSec, IKE, OpenSSL, FreeSWAN, racoon etc. all fit into the picture. I am looking at two scenarios, and I have two questions.

1) Standard IPSec tunnel:

         +----+   IPSec/VPN   +----+
   LAN---| FW |---------------| FW |---LAN
         +----+               +----+

In this scenario: Can CARP/pf handle VPN/IPSec connections in case the master unit fails? (I am assuming that both ends have fixed, publicly routable IPs.)

2) VPN for mobile users:

         +----+      VPN      +-----+
   LAN---| FW |---------------| FW? |---[mobile unit]
         +----+               +-----+

For mobile users I can't be sure where they are, what their IP is, or whether they are behind NAT/firewall, nor can I trust the network up to the mobile unit. IPSec breaks behind NAT; are there other alternatives than ssh tunnels I should take a look at? (Which? :-)

Thanks,
Erik

-- 
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2