From owner-freebsd-questions Thu Oct 31 08:03:40 2002
From: Jim Durham
Reply-To: durham@jcdurham.com
Organization: JC Durham Consulting
To: Wayne Pascoe, freebsd-questions@FreeBSD.ORG
Subject: Re: IPSEC tunnel help
Date: Thu, 31 Oct 2002 11:03:22 -0500
User-Agent: KMail/1.4.3
References: <86u1j2obzj.fsf@marvin.penguinpowered.org.uk>
In-Reply-To: <86u1j2obzj.fsf@marvin.penguinpowered.org.uk>
Message-Id: <200210311103.23004.durham@jcdurham.com>

On Thursday 31 October 2002 10:37 am, Wayne Pascoe wrote:
> Hi all,
>
> I'm struggling to set up a VPN. I'm now reading through
> http://www.daemonnews.org/200101/ipsec-howto.html
> and this is confusing me even more :(
>
> Reading this, I see:
>
>   However, if your goal is to set up a VPN, that is, link 2
>   widely-separated networks together over the Internet, then you'll
>   probably want to use ESP/tunnel mode.
>
> The example then goes on to show
>
>   spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
>   esp/transport/1.2.3.4-5.6.7.8/require;
>
> which is transport mode, no ?
> Can anyone point me at a decent howto to link 2 networks together? I'm
> trying to set up 2 VPN gateways so that everything behind each of those
> talks to everything behind the other one via a VPN.
>
> I'm also confused about the ifconfig instructions for the gif0
> device. I've got 2 network cards going with one being the external
> device (172.16.0.1 and 172.16.0.2 respectively)
> and the other for the internal network
> (10.0.1.1 and 10.0.2.1 respectively)
> What should my gifconfig and ifconfig lines be ?

I have this running. I made a couple of .sh files, which I placed in
/usr/local/etc/rc.d. Here is what they look like. They should answer your
questions, hopefully.

xxx.xxx.xxx.xxx is the IP of the host that is running this file,
yyy.yyy.yyy.yyy is the host at the other end. The other end's file is the
same, reversing the outside and inside IPs. You will also need to do some
routing perhaps, because the source IP of the machines on the other LAN
will show up as 10. addresses. You don't need gif support compiled in, the
module will load.

Hope this helps,
Jim

#!/bin/sh
# These commands need to be run on node A.
# Set up the tunnel device. This presumes you have gif(4) support
# (the gif module loads on demand, so it need not be compiled in).
ifconfig gif0 create
# gif0 connects xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
gifconfig gif0 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
# The 'internal' side of the tunnel connects 10.10.10.1 to 10.20.20.1
ifconfig gif0 inet 10.10.10.1 10.20.20.1 netmask 255.255.255.0
# The next 2 lines delete all existing entries from the SPD and SAD
setkey -FP
setkey -F
# Add the policy: require ESP (transport mode, carried over the gif tunnel)
# for traffic between the two LANs, in both directions
setkey -c << EOF
spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec esp/transport/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec esp/transport/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
EOF
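The thread's recipe has one fragile step: the second gateway's file is "the same, reversing the outside and inside IPs", which is done by hand and is where the two sides most often end up disagreeing (one side requiring ESP for a selector the other never protects, so traffic is silently dropped). The following is an added example, not Jim's script and not anything from the FreeBSD project: it derives both gateways' policy and the per-node script from one parameter set, and checks that two policy texts actually mirror each other. All addresses are constructed placeholders; the `spd_lines` MODE argument and the `route add -net` line (using the far gif address as the gateway for the peer LAN) are this example's own additions and assumptions, not part of Jim's files.

```shell
#!/bin/sh
# Added example (not Jim's script): generate mirrored IPsec policies for two
# VPN gateways and check that two policy texts agree with each other.
# Every address used here is a constructed placeholder.

# spd_lines LOCAL_OUTER PEER_OUTER LOCAL_NET PEER_NET [MODE]
# Emits the two spdadd lines one gateway needs. MODE is "transport" (what
# the gif-based script in the thread uses: gif does the IP-in-IP
# encapsulation and ESP transport mode protects that outer packet) or
# "tunnel" (ESP does the encapsulation itself, for a setup without gif).
spd_lines() {
    mode=${5:-transport}
    printf 'spdadd %s %s any -P out ipsec esp/%s/%s-%s/require;\n' \
        "$3" "$4" "$mode" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/%s/%s-%s/require;\n' \
        "$4" "$3" "$mode" "$2" "$1"
}

# node_script LOCAL_OUTER PEER_OUTER LOCAL_INNER PEER_INNER LOCAL_NET PEER_NET
# Emits the complete rc.d-style script for one gateway. The route to the
# peer LAN via the far end of the gif tunnel is an assumption of this
# example (Jim only says routing will "perhaps" be needed).
node_script() {
    cat <<EOF
#!/bin/sh
ifconfig gif0 create
gifconfig gif0 $1 $2
ifconfig gif0 inet $3 $4 netmask 255.255.255.0
route add -net $6 $4
setkey -FP
setkey -F
setkey -c <<SETKEY
$(spd_lines "$1" "$2" "$5" "$6")
SETKEY
EOF
}

# mirror_ok POLICY_A POLICY_B
# Returns 0 when A's "out" policy matches B's "in" policy and vice versa
# (same selectors, same SA endpoints, same mode): the invariant the two
# gateways' files must satisfy. Direction is masked, then both sets of
# lines are sorted and compared. Returns 1 on any mismatch or empty input.
mirror_ok() {
    a=$(printf '%s\n' "$1" | sed 's/-P out /-P DIR /; s/-P in /-P DIR /' | sort)
    b=$(printf '%s\n' "$2" | sed 's/-P out /-P DIR /; s/-P in /-P DIR /' | sort)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: write node A's file, then node B's by swapping every argument pair,
# and confirm the two policy sets mirror before installing either.
if [ "${1:-}" = "demo" ]; then
    node_script 203.0.113.1 198.51.100.1 10.10.10.1 10.20.20.1 10.10.10.0/24 10.20.20.0/24
    pa=$(spd_lines 203.0.113.1 198.51.100.1 10.10.10.0/24 10.20.20.0/24)
    pb=$(spd_lines 198.51.100.1 203.0.113.1 10.20.20.0/24 10.10.10.0/24)
    mirror_ok "$pa" "$pb" && echo "policies mirror" || echo "MISMATCH"
fi
```

The generated script installs policy only. Because the policies say `require`, the kernel drops matching LAN-to-LAN traffic until security associations exist in the SAD, and the `setkey -F` line has just emptied it, so keys must still come from a key-management daemon or manual `setkey add` entries. After bringing both ends up, `setkey -DP` on each gateway dumps the installed SPD; feeding those two dumps to `mirror_ok` is the quickest way to confirm that the hand-reversed copy was reversed correctly.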