From owner-freebsd-security Mon Mar 12 08:08:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.whitebarn.com (Spin.whitebarn.com [216.0.13.113]) by hub.freebsd.org (Postfix) with ESMTP id 6256937B719; Mon, 12 Mar 2001 08:08:01 -0800 (PST) (envelope-from Bob@Talarian.Com)
Received: from Talarian.Com (NewStorm.whitebarn.com [216.0.13.77]) by smtp.whitebarn.com (8.9.3/8.9.3) with ESMTP id KAA22877; Mon, 12 Mar 2001 10:07:58 -0600 (CST) (envelope-from Bob@Talarian.Com)
Message-ID: <3AACF40D.4080504@Talarian.Com>
Date: Mon, 12 Mar 2001 10:06:37 -0600
From: Bob Van Valzah
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-US; 0.8) Gecko/20010215
X-Accept-Language: en
MIME-Version: 1.0
To: pW
Cc: FreeBSD-Security@FreeBSD.Org, FreeBSD-Questions@FreeBSD.Org
Subject: Re: Racoon Problem & Cisco Tunnel
References:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes. The five DSL setups with which I'm familiar all grant at least one public address per house. I believe all are static, but one might be dynamic. Interference with protocols like IPSec is one of the reasons why I'd make a public address a requirement when choosing a DSL provider.

When it comes to NAT, I'm with Vint Cerf--avoid it if at all possible. Let's hasten the deployment of IPv6.

Bob

pW wrote:

> Out of curiosity...
> do your DSL users have public static IPs? I work at an ISP and almost all
> of our DSL customers have static private IPs and use NAT for public
> ones... just wondering because you may have to enable some sort of NAT
> transparency otherwise it may break the VPN...
>
> just a thought...
>
> shawn
>
> On Sun, 11 Mar 2001, Bob Van Valzah wrote:
>
>> I have several remote FreeBSD users who want to connect their home LANs
>> to my trusted network over an IPSec tunnel via a DSL connection. I'd
>> like my end of the tunnel to terminate on a Cisco if possible. (Though I
>> do have many FreeBSD boxes handy, I just feel better when layer-2
>> infrastructure doesn't depend on boxes with hard drives.) Any general
>> advice on how to do this would be appreciated.
>>
>> As near as I can tell, I have to run racoon and configure it for
>> pre-shared keys to talk to the cisco. But I don't think the racoon is
>> even starting right. I get this message: "ERROR:
>> pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or
>> directory." Happens with the config files I've written and the stock
>> ones. I'm running a freshly sup'd box with racoon-20010222a built from
>> ports.
>>
>> All help and advice appreciated.
>>
>> Thanks,
>>
>> Bob
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
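Editor's added example, not code from this thread or from the racoon project: the FreeBSD-side pieces that Bob's original message is asking about, a setkey(8) policy for an ESP tunnel to the Cisco and a racoon.conf fragment for main-mode IKE with a pre-shared key, plus a check for the "pfkey X_SPDDUMP failed No such file or directory" message. That message is the KAME kernel answering SPDDUMP with ENOENT because the security policy database is empty, and racoon of that vintage logs the reply as an error; it means no policy has been loaded with setkey, not that racoon failed to start. All addresses are constructed (RFC 5737 documentation space), the 3DES/SHA-1/group-2 proposal is an assumed match for the Cisco's ISAKMP policy, and the sample `setkey -DP` output is constructed so the check can be exercised offline. Note that the policy names the gateway's own public address as the tunnel endpoint; a NAT in front of the DSL line, as in pW's question, would present a different source address to the Cisco than the one the SA was negotiated for.

```shell
#!/bin/sh
# Added example, not code from the thread. Shell-side pieces of a
# pre-shared-key ESP tunnel from a FreeBSD DSL gateway to a Cisco, and the
# SPD check that explains racoon's "pfkey X_SPDDUMP failed No such file or
# directory" message. Addresses are constructed (RFC 5737 documentation
# space); the proposal assumes a Cisco ISAKMP policy of 3DES/SHA-1/group 2
# with pre-shared authentication (an assumption, not from the page).

HOME_NET=192.168.1.0/24    # LAN behind the FreeBSD DSL gateway
HOME_GW=203.0.113.10       # gateway's public DSL address (no NAT in front of it)
OFFICE_NET=10.0.0.0/16     # trusted network behind the Cisco
OFFICE_GW=198.51.100.1     # Cisco outside interface

# setkey(8) policy for an ESP tunnel between the two gateways, both directions.
# Racoon negotiates SAs only for traffic matching an SPD entry. A KAME kernel
# answers SPDDUMP with ENOENT when the SPD holds no entries, and racoon logs
# that as the X_SPDDUMP error above, so loading a policy is the fix.
spd_for_tunnel() {   # args: local_net local_gw remote_net remote_gw
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$3" "$2" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$3" "$1" "$4" "$2"
}

# racoon.conf fragment: main-mode IKE with a pre-shared key to one peer.
# Main mode with a pre-shared key requires the IP address as identifier,
# which is what a Cisco configured with "crypto isakmp key ... address" expects.
racoon_psk_conf() {  # arg: remote gateway address
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote $1 {
    exchange_mode main;
    my_identifier address;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# One psk.txt line: peer address, tab, secret. Keep the file mode 0600.
psk_line() {  # args: peer_address secret
    printf '%s\t%s\n' "$1" "$2"
}

# Count policies in `setkey -DP` output read from stdin; each entry carries
# one "spid=" line. 0 means the SPD is empty and racoon will log the error.
spd_entry_count() {
    grep -c 'spid=' || :
}

# Constructed sample of `setkey -DP` output after loading the two policies
# above, and of the empty case, so the check can be exercised offline.
SAMPLE_SPD_LOADED='192.168.1.0/24[any] 10.0.0.0/16[any] any
    out ipsec
    esp/tunnel/203.0.113.10-198.51.100.1/require
    spid=1 seq=1 pid=123
    refcnt=1
10.0.0.0/16[any] 192.168.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-203.0.113.10/require
    spid=2 seq=0 pid=123
    refcnt=1'
SAMPLE_SPD_EMPTY='No SPD entries.'

# Usage on the gateway (as root):
#   spd_for_tunnel $HOME_NET $HOME_GW $OFFICE_NET $OFFICE_GW > /etc/ipsec.conf
#   setkey -f /etc/ipsec.conf && setkey -DP | spd_entry_count   # expect 2
#   racoon_psk_conf $OFFICE_GW > /usr/local/etc/racoon/racoon.conf
#   psk_line $OFFICE_GW 'secret-shared-with-the-cisco' > /usr/local/etc/racoon/psk.txt
#   chmod 600 /usr/local/etc/racoon/psk.txt
# Run with the argument "show" to print the generated policy and config.
if [ "${1:-}" = "show" ]; then
    spd_for_tunnel "$HOME_NET" "$HOME_GW" "$OFFICE_NET" "$OFFICE_GW"
    racoon_psk_conf "$OFFICE_GW"
fi
```

The Cisco side must carry the mirror image: a crypto map whose access list covers 10.0.0.0/16 to 192.168.1.0/24, an ISAKMP policy matching the proposal, and a pre-shared key bound to the gateway's public address. If `setkey -DP` still reports no entries after `setkey -f`, check that the kernel was built with IPsec support before suspecting racoon.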