Date: Thu, 12 Jan 2012 10:55:59 +0100
From: VANHULLEBUS Yvan <vanhu@zeninc.net>
To: freebsd-net@freebsd.org
Subject: Re: Filtering on IPSEC
Message-ID: <20120112095559.GA54843@zeninc.net>
References: <4F0DD127.4040205@FreeBSD.org> <20120112021423.GG7008@verio.net>
In-Reply-To: <20120112021423.GG7008@verio.net>

Hi.

On Wed, Jan 11, 2012 at 08:14:24PM -0600, David DeSimone wrote:
> Alex Dupre wrote:
> >
> > I've set up my first IPSEC VPN between FreeBSD 8.2 and CheckPoint
> > VPN-1. I've used a gif interface for the tunnel, setkey for security
> > policies and racoon for ikev1.
>
> I've peered with Checkpoint VPN's using FreeBSD but I never needed to
> use gif interfaces to make it happen. FreeBSD's tunnel-mode IPSEC seems
> to interoperate quite well with Checkpoint's implementation.
>
> You should be able to match tunneled traffic using SPD's like so:
>
> spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
> spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;
>
> With the matching 'sainfo' sections in racoon's config:
>
> sainfo address 10.27.37.0/24 any address 172.30.101.0/24 any
> {
>     lifetime time 1 hour;
>
>     encryption_algorithm aes;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }

Just for information, since ipsec-tools 0.7.0, the sainfo for "incoming SA" is not needed anymore: you just need a sainfo for "local->peer" traffic.

> sainfo address 172.30.101.0/24 any address 10.27.37.0/24 any
> {
>     lifetime time 1 hour;
>
>     encryption_algorithm aes;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }

So this one will be enough.

Yvan.
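A consistency check for the SPD entries and the single sainfo quoted above, added here as an example and not part of the thread or of ipsec-tools: it parses the setkey spdadd lines and the racoon sainfo blocks, requires a local->peer sainfo for every outbound policy (all that ipsec-tools 0.7.0 and later need, as Yvan notes), and requires every inbound policy to be the exact mirror of an outbound one. The regexes and function names are my own, and the sample inputs are constructed from the thread.

```python
import re

# Constructed sample input: the two SPD entries and the one sainfo from the thread.
SPD_SAMPLE = """
spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;
"""
RACOON_SAMPLE = """
sainfo address 172.30.101.0/24 any address 10.27.37.0/24 any
{
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
"""

# Hypothetical parsers: they cover only the tunnel-mode ESP syntax used in the thread.
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/\w+\s*;")
SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")

def parse_spd(text):
    """One dict per spdadd line: selector subnets, direction, tunnel endpoints."""
    return [dict(src=m[1], dst=m[2], dir=m[3], tun_src=m[4], tun_dst=m[5])
            for m in SPD_RE.finditer(text)]

def parse_sainfo(text):
    """(local_subnet, remote_subnet) for every sainfo block in racoon.conf."""
    return [(m[1], m[2]) for m in SAINFO_RE.finditer(text)]

def check_policies(spd_text, racoon_text):
    """Return a list of mismatches between the SPD and racoon.conf; empty means consistent."""
    policies = parse_spd(spd_text)
    sainfos = set(parse_sainfo(racoon_text))
    outs = [p for p in policies if p["dir"] == "out"]
    ins = [p for p in policies if p["dir"] == "in"]
    problems = []
    for p in outs:
        # ipsec-tools >= 0.7.0 negotiates both SAs from the local->peer sainfo alone
        if (p["src"], p["dst"]) not in sainfos:
            problems.append(f"no sainfo for outbound {p['src']} -> {p['dst']}")
        # the inbound policy must swap both the subnets and the tunnel endpoints
        mirror = dict(src=p["dst"], dst=p["src"], dir="in",
                      tun_src=p["tun_dst"], tun_dst=p["tun_src"])
        if mirror not in ins:
            problems.append(f"no mirrored inbound policy for {p['src']} -> {p['dst']}")
    for p in ins:
        if not any(o["src"] == p["dst"] and o["dst"] == p["src"] for o in outs):
            problems.append(f"inbound policy {p['src']} -> {p['dst']} has no outbound partner")
    return problems
```

Feeding it the output of `setkey -DP` and the real racoon.conf would catch a sainfo written for the wrong direction, which is the usual cause of a phase 2 that never comes up after the 0.7.0 change.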