From owner-freebsd-net@FreeBSD.ORG Wed Sep 22 21:26:47 2004
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E78816A4CE for ; Wed, 22 Sep 2004 21:26:47 +0000 (GMT)
Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11CD643D1F for ; Wed, 22 Sep 2004 21:26:47 +0000 (GMT) (envelope-from julian@elischer.org)
Received: from elischer.org (julian.vicor-nb.com [208.206.78.97]) by mail.vicor-nb.com (Postfix) with ESMTP id 941277A3D2; Wed, 22 Sep 2004 14:26:46 -0700 (PDT)
Message-ID: <4151EE16.1020100@elischer.org>
Date: Wed, 22 Sep 2004 14:26:46 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3.1) Gecko/20030516
X-Accept-Language: en, hu
MIME-Version: 1.0
To: miha@ghuug.org
References: <200409221617.59860.miha@ghuug.org>
In-Reply-To: <200409221617.59860.miha@ghuug.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: net@freebsd.org
Subject: Re: question on tunnels (VPN)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 22 Sep 2004 21:26:47 -0000

Mikhail P. wrote:

> Dear users,
>
> I have been experimenting with simple gif tunnels (no IPsec) in a local network
> (192.168.0.0/24). I have used the following scenario between two hosts (both
> running FreeBSD-5.2.1):
>
> HOST_A [192.168.0.1]:
> ifconfig gif0 create
> ifconfig gif0 tunnel 192.168.0.1 192.168.0.2
> ifconfig gif0 10.0.0.1 10.0.0.2 netmask 255.255.255.255
>
> and on -
>
> HOST_B [192.168.0.2]:
> ifconfig gif0 create
> ifconfig gif0 tunnel 192.168.0.2 192.168.0.1
> ifconfig gif0 10.0.0.2 10.0.0.1 netmask 255.255.255.255
>
> The above works well for me, and I can send traffic on 10.0.0.1 and 10.0.0.2.
>
> The next thing I wanted to implement is to create a similar tunnel from our
> local router (which is FreeBSD too) to a remote server; however, there is a small
> problem which stops me - the router has no public IP, and it sees the internet
> through a DSL router, so basically that router is NAT'ed behind the DSL router.
> As far as I understand, it appears that I won't be able to create such a
> simple tunnel unless my router gets a public IP address.
>
> What I tried next was an MPD pptp link (which is known to work behind NAT, unlike
> the above example), but something (ISP? DSL router?) cuts GRE packets on their
> way, so MPD can't establish an LCP connection with the remote host.
>
> I'm now at a loss as to what to try next - could someone please advise what
> other techniques will work in my scenario (where I want to connect a machine
> which is behind NAT and no GRE packets will go through)?

I use MPD using the "UDP" transport. In other words, packets get sent as UDP
packets. I then set up IPSEC to encrypt the UDP packets. When I had a NAT in
the way I did further encapsulate the GRE packets in UDP again :-)
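The following is an added example, not code from either poster or from the FreeBSD or mpd projects. It turns the reasoning in the thread into a pre-flight check for a pair of gif(4) configurations: the two hosts' `ifconfig gifN tunnel` endpoints and inner point-to-point addresses must mirror each other, and a gif tunnel (IP-in-IP, protocol 4 or 41, with no port numbers for a NAT to rewrite) will not come up for a host that only reaches the Internet through a NAT, which is the situation that pushes the reply towards a UDP-encapsulated mpd link with IPsec on top. The HOST_A/HOST_B scripts are the ones quoted in the question; the ROUTER/REMOTE scripts and the 203.0.113.5 and 198.51.100.7 addresses are constructed to model the NAT'ed router case, and the RFC 1918 test used to infer "behind a NAT" is a heuristic of this example, not a rule from the thread.

```python
"""Consistency checks for a pair of gif(4) tunnel configurations.

Added example, not code from the mailing-list thread.  gif itself encrypts
nothing: even when this check passes, IPsec is still needed on top for
confidentiality, as the reply in the thread does for its UDP transport.
"""
import ipaddress
import re
from dataclasses import dataclass

# "ifconfig gifN tunnel <outer-src> <outer-dst>", as typed in the thread.
TUNNEL_RE = re.compile(
    r"^[ \t]*ifconfig[ \t]+(gif\d+)[ \t]+tunnel[ \t]+(\S+)[ \t]+(\S+)", re.M)
# "ifconfig gifN <inner-local> <inner-remote> netmask <mask>", as typed in the thread.
INNER_RE = re.compile(
    r"^[ \t]*ifconfig[ \t]+(gif\d+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+netmask[ \t]+(\S+)", re.M)

# RFC 1918 blocks.  Heuristic used by this example: an outer endpoint in one of
# these cannot be reached directly by a public peer, so the public side must in
# fact be talking to a NAT in between.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class GifTunnel:
    ifname: str
    outer_src: ipaddress.IPv4Address
    outer_dst: ipaddress.IPv4Address
    inner_local: ipaddress.IPv4Address
    inner_remote: ipaddress.IPv4Address
    netmask: str


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_gif_script(text):
    """Pull one host's tunnel parameters out of its block of ifconfig commands."""
    tun = TUNNEL_RE.search(text)
    inner = INNER_RE.search(text)
    if tun is None or inner is None:
        raise ValueError("need both a 'tunnel' line and an address line")
    if tun.group(1) != inner.group(1):
        raise ValueError("tunnel and address lines configure different interfaces")
    return GifTunnel(
        ifname=tun.group(1),
        outer_src=ipaddress.IPv4Address(tun.group(2)),
        outer_dst=ipaddress.IPv4Address(tun.group(3)),
        inner_local=ipaddress.IPv4Address(inner.group(2)),
        inner_remote=ipaddress.IPv4Address(inner.group(3)),
        netmask=inner.group(4),
    )


def check_pair(a, b):
    """Return the problems found for a tunnel pair; an empty list means it should come up."""
    problems = []
    if (a.outer_src, a.outer_dst) != (b.outer_dst, b.outer_src):
        problems.append("outer tunnel endpoints do not mirror each other")
    if (a.inner_local, a.inner_remote) != (b.inner_remote, b.inner_local):
        problems.append("inner point-to-point addresses do not mirror each other")
    if a.netmask != b.netmask:
        problems.append("netmasks differ")
    # gif carries IP protocol 4/41 inside IP; there is no port for a NAT to
    # translate, so a private endpoint facing a public peer cannot work.  The
    # thread's answer for that case is a UDP-encapsulated transport instead.
    for side in (a, b):
        if is_rfc1918(side.outer_src) and not is_rfc1918(side.outer_dst):
            problems.append(
                f"{side.outer_src} is private (RFC 1918) but its peer "
                f"{side.outer_dst} is public: gif will not cross the NAT in "
                "between; use a UDP-encapsulated transport (e.g. mpd's UDP link)")
    return problems


def audit(script_a, script_b):
    """Parse both hosts' scripts and return check_pair()'s findings."""
    return check_pair(parse_gif_script(script_a), parse_gif_script(script_b))


# The two scripts quoted in the question (both hosts on 192.168.0.0/24).
HOST_A = """ifconfig gif0 create
ifconfig gif0 tunnel 192.168.0.1 192.168.0.2
ifconfig gif0 10.0.0.1 10.0.0.2 netmask 255.255.255.255
"""
HOST_B = """ifconfig gif0 create
ifconfig gif0 tunnel 192.168.0.2 192.168.0.1
ifconfig gif0 10.0.0.2 10.0.0.1 netmask 255.255.255.255
"""

# Constructed: the NAT'ed router case.  203.0.113.5 stands in for the remote
# server and 198.51.100.7 for the DSL router's public address (documentation
# ranges, not real hosts).  The remote side can only see the NAT, not 192.168.0.1.
ROUTER = """ifconfig gif0 create
ifconfig gif0 tunnel 192.168.0.1 203.0.113.5
ifconfig gif0 10.0.1.1 10.0.1.2 netmask 255.255.255.255
"""
REMOTE = """ifconfig gif0 create
ifconfig gif0 tunnel 203.0.113.5 198.51.100.7
ifconfig gif0 10.0.1.2 10.0.1.1 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for label, pair in (("LAN pair", (HOST_A, HOST_B)), ("NAT'ed router", (ROUTER, REMOTE))):
        found = audit(*pair)
        print(f"{label}: {'ok' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it as a script and it reports the LAN pair as consistent and the NAT'ed router pair with two findings: the outer endpoints no longer mirror (the remote host sees the NAT's address, not 192.168.0.1) and the private-to-public endpoint that gif cannot carry across the NAT. The check only reads the ifconfig commands; it does not need root or a FreeBSD host to run.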