Date: Thu, 18 Jan 2007 12:43:38 +0300
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
Cc: questions@freebsd.org
Subject: Re: Transport Mode IPSEC
Message-ID: <cb5206420701180143v48249b95l71d5623d4b22c63b@mail.gmail.com>
In-Reply-To: <20070118033808.I55095@prime.gushi.org>
References: <20070118022306.Q26349@prime.gushi.org> <cb5206420701180036l4dbc7bax952a674905c94489@mail.gmail.com> <20070118033808.I55095@prime.gushi.org>
On 1/18/07, Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
> On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:
>
> > On 1/18/07, Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
> >
> > It's not that simple. The difficulty is in key exchange,
> > and it stays. I can show you how to implement it with
> > static keys:
>
> As I read through the article
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)... I
> get the distinct impression the howto actually is somewhat adaptable -- one
> just needs to ignore everything it says about tunnels, and the GIF device.
>
> I'd still install racoon, still do everything like that -- the change
> comes in the lines in /etc/ipsec.conf
>
>   spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
>   spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
>
> which would be I think modified to your lines below. I'm not sure if you
> still need the additional policy definition (between the slashes).
> Perhaps you can clarify for me?

Just esp/transport//require; should do.

> I'm liking doing things with racoon only because it allows you to use
> those nice non-static keys.

So do I. The problem is there's no perfect way to block non-IPsec
traffic right now, and there's no way to make sure racoon won't ever
croak and leave you insecure/disconnected. YMMV.