From owner-freebsd-questions@FreeBSD.ORG Thu Jan 18 09:43:39 2007
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D9D7E16A40F for ; Thu, 18 Jan 2007 09:43:39 +0000 (UTC) (envelope-from infofarmer@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.174]) by mx1.freebsd.org (Postfix) with ESMTP id 74CEE13C459 for ; Thu, 18 Jan 2007 09:43:39 +0000 (UTC) (envelope-from infofarmer@gmail.com)
Received: by ug-out-1314.google.com with SMTP id o2so118668uge for ; Thu, 18 Jan 2007 01:43:38 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=scVPLcPCLpnjQhCHSVauq4+iVCmrl5129aauKAv2GIwjOMJV1jzI38lB/xD3tFNJ8wbGi+efDoLLL+gzf2Fmhv9XegH5SGywXpiELZ29GAblOYQPT9Yor0bx62n3NrBJNAIfi3SU6po5TUaN/DahRsFU68Ln2UibUeF9gAl/eOA=
Received: by 10.78.201.15 with SMTP id y15mr629981huf.1169113418080; Thu, 18 Jan 2007 01:43:38 -0800 (PST)
Received: by 10.78.164.20 with HTTP; Thu, 18 Jan 2007 01:43:38 -0800 (PST)
Date: Thu, 18 Jan 2007 12:43:38 +0300
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: "Dan Mahoney, System Admin"
In-Reply-To: <20070118033808.I55095@prime.gushi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20070118022306.Q26349@prime.gushi.org> <20070118033808.I55095@prime.gushi.org>
X-Google-Sender-Auth: 694c3c63c3fad5fa
Cc: questions@freebsd.org
Subject: Re: Transport Mode IPSEC
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 18 Jan 2007 09:43:39 -0000

On 1/18/07, Dan Mahoney, System Admin wrote:
> On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:
>
> > On 1/18/07, Dan Mahoney, System Admin wrote:
> >
> > It's not that simple. The difficulty is in key exchange,
> > and it stays. I can show you how to implement it with
> > static keys:
>
> As I read through the article
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)... I
> get the distinct impression the howto
> actually is somewhat adaptable -- one just needs to ignore everything it
> says about tunnels, and the GIF device.
>
> I'd still install racoon, still do everything like that -- the change
> comes in the lines in /etc/ipsec.conf
>
> spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec
> esp/tunnel/W.X.Y.Z-A.B.C.D/require;
> spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec
> esp/tunnel/A.B.C.D-W.X.Y.Z/require;
>
> which would be I think modified to your lines below. I'm not sure if you
> still need the additional policy definition (between the slashes).
> Perhaps you can clarify for me?

Just esp/transport//require; should do

> I'm liking doing things with racoon only because it allows you to use
> those nice non-static keys.

So do I. The problem is there's no perfect way to block non-ipsec
traffic right now and there's no way to make sure racoon won't ever
croak and leave you insecure/disconnected. YMMV.
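The transport-mode policy the reply points at, written out as an added example that is not part of the thread: the handbook's tunnel-mode entries beside their transport-mode replacements, using the thread's W.X.Y.Z and A.B.C.D placeholder addresses and the setkey(8) syntax that /etc/ipsec.conf is loaded with. It assumes IPv4 and a plain host-to-host setup with no gif device.

```conf
# setkey(8) policy file, loaded with: setkey -f /etc/ipsec.conf
# Added example; W.X.Y.Z and A.B.C.D are the thread's placeholder hosts.
flush;
spdflush;

# Handbook (tunnel mode over gif). The upper-layer selector is "ipencap"
# because the gif device wraps the inner packets in IP-in-IP before ESP
# sees them, and the part between the slashes names the tunnel endpoints.
#   spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
#   spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in  ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

# Transport mode, host to host, no gif device. The selector becomes "any"
# (the real TCP/UDP/ICMP traffic between the two hosts) and the policy
# becomes esp/transport//require. The endpoint field between the slashes
# is left empty: in transport mode the SA endpoints are the packet's own
# source and destination addresses, so there is nothing to declare.
spdadd W.X.Y.Z/32 A.B.C.D/32 any -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 W.X.Y.Z/32 any -P in  ipsec esp/transport//require;

# Load the mirror image (out/in swapped, addresses swapped) on A.B.C.D.

# What "require" buys you: a matching outbound packet is never sent in
# the clear; if no SA exists the kernel asks the key manager (racoon, or
# a static "add" entry in this file) for one and discards the packet until
# it is available. A matching inbound packet that arrives without ESP is
# dropped. Only this host pair is covered: traffic to or from any other
# address is outside the SPD and is neither protected nor blocked here,
# which is the gap the reply is pointing at.
```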