Date: Thu, 12 Jan 2012 10:55:59 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: freebsd-net@freebsd.org
Subject: Re: Filtering on IPSEC
Message-ID: <20120112095559.GA54843@zeninc.net>
In-Reply-To: <20120112021423.GG7008@verio.net>
References: <4F0DD127.4040205@FreeBSD.org> <20120112021423.GG7008@verio.net>
Hi.
On Wed, Jan 11, 2012 at 08:14:24PM -0600, David DeSimone wrote:
> Alex Dupre <ale@FreeBSD.org> wrote:
> >
> > I've set up my first IPSEC VPN between FreeBSD 8.2 and CheckPoint
> > VPN-1. I've used a gif interface for the tunnel, setkey for security
> > policies and racoon for ikev1.
>
> I've peered with Checkpoint VPNs using FreeBSD but I never needed to
> use gif interfaces to make it happen. FreeBSD's tunnel-mode IPSEC seems
> to interoperate quite well with Checkpoint's implementation.
>
> You should be able to match tunneled traffic using SPD's like so:
>
> spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
> spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;
>
> With the matching 'sainfo' sections in racoon's config:
>
> sainfo address 10.27.37.0/24 any address 172.30.101.0/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
Just for information, since ipsec-tools 0.7.0, the sainfo for
"incoming SA" is not needed anymore: you just need a sainfo for
"local->peer" traffic.
> sainfo address 172.30.101.0/24 any address 10.27.37.0/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
So this one will be enough.
Yvan.
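As an added illustration (not code from this thread or from ipsec-tools): a small Python checker that parses setkey(8) spdadd lines like the ones quoted above, verifies that every tunnel-mode "out" policy has a mirrored "in" policy (src/dst and tunnel endpoints swapped, a common source of one-way traffic), and emits the single local->peer sainfo that Yvan says is sufficient with ipsec-tools 0.7.0 and later. It assumes IPv4 esp/tunnel policies only; the algorithm and lifetime lines are copied from the quoted racoon config.

```python
import re
from typing import Dict, List

# Constructed sample: the two SPD entries from the thread, in setkey(8) syntax.
SPD_SAMPLE = """
spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;
"""

# Matches only IPv4 esp/tunnel policies (assumption for this example).
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;"
)


def parse_spd(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised spdadd line; other lines are ignored."""
    return [m.groupdict() for m in SPDADD_RE.finditer(text)]


def check_pairs(policies: List[Dict[str, str]]) -> List[str]:
    """Every 'out' policy needs a mirrored 'in' policy, or return traffic is dropped."""
    problems = []
    for p in (q for q in policies if q["dir"] == "out"):
        mirrored = any(
            q["dir"] == "in" and q["src"] == p["dst"] and q["dst"] == p["src"]
            and q["tsrc"] == p["tdst"] and q["tdst"] == p["tsrc"]
            for q in policies
        )
        if not mirrored:
            problems.append(f"no mirrored 'in' policy for out {p['src']} -> {p['dst']}")
    return problems


def sainfo_for(policies: List[Dict[str, str]]) -> str:
    """Emit the local->peer sainfo for each 'out' policy (its src is local, dst is the peer)."""
    blocks = []
    for p in (q for q in policies if q["dir"] == "out"):
        blocks.append(
            f"sainfo address {p['src']} {p['proto']} address {p['dst']} {p['proto']}\n"
            "{\n"
            "\tlifetime time 1 hour;\n"
            "\tencryption_algorithm aes;\n"
            "\tauthentication_algorithm hmac_sha1;\n"
            "\tcompression_algorithm deflate;\n"
            "}\n"
        )
    return "".join(blocks)
```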
