From owner-freebsd-isp  Sun Nov 19 19:40:25 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1])
	by hub.freebsd.org (Postfix) with ESMTP id 65BF237B479
	for <freebsd-isp@FreeBSD.ORG>; Sun, 19 Nov 2000 19:40:19 -0800 (PST)
Received: from chimp (fcage [192.168.0.2])
	by cage.simianscience.com (8.11.1/8.9.3) with ESMTP id eAK3gLO13672;
	Sun, 19 Nov 2000 22:42:22 -0500 (EST)
	(envelope-from mike@sentex.net)
Message-Id: <4.2.2.20001119221736.0173de98@marble.sentex.net>
X-Sender: mdtancsa@marble.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Sun, 19 Nov 2000 22:39:54 -0500
To: Tom Samplonius <tom@sdf.com>
From: Mike Tancsa <mike@sentex.net>
Subject: Re: any VPN daemon?
Cc: Evren Yurtesen <eyurtese@turkuamk.fi>, freebsd-isp@FreeBSD.ORG
In-Reply-To: <Pine.BSF.4.05.10011191827430.1138-100000@misery.sdf.com>
References: <ss2h1t4iestndng88etmrnf19less0339j@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
>   Well building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
>well documented.  For instance, there is nothing on how IPSec and ipfw
>interact.  Which subsystem gets the packet first?  ipfw or IPSec?
>Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
>do.


I believe the person said he was using a simple LAN to LAN. I have had good 
results setting up a few tunnels in the past month or so. What specifically 
were you trying to find with respect to ipfw ?

ipfw add 20 deny log 50 from any to any

stops all ipsec data in the tunnel I have setup between the office and at 
home on my DSL connection.

There is not much you need to do to setup the tunnel using dynamic key 
exchange.

Here is a quick setup example.  For DSL to work, or where a lot of latency 
(relative to ethernet) you need to make one small change to the racoon.conf


Here is a quick sample config for two machines


PPPoE machine's _public_ address on tun0 : 169.1.134.1
PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1

Office Server's _public_ address on fxp0 172.168.93.4
Office Server's _private_ address aliased on lo0 : 10.1.1.1


*Note, if your machine has 2 interfaces, you can of course use the RFC1918
space on it instead.
This example assumes you just have the one NIC to play with.


#!/bin/sh
#PPPoE config
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
gifconfig gif0 169.1.134.1 172.168.93.4
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
EOF



#!/bin/sh
#server at office config
ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
gifconfig gif0 172.168.93.4 169.1.134.1
ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
EOF



The changes I made to the default racoon.conf was simply to increase the
lifetime values
on both ends of the connection.

e.g.

@@ -101,8 +101,8 @@
   sainfo anonymous
   {
          pfs_group 1;
-       lifetime time 30 sec;
-       lifetime byte 5000 KB;
+       lifetime time 3600 sec;
+       lifetime byte 25000 KB;
          encryption_algorithm 3des ;
          authentication_algorithm hmac_sha1;
          compression_algorithm deflate ;


         ---Mike
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Network Administration,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message