From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Steve Lake
Cc: freebsd-questions@freebsd.org
Subject: Re: VPN setup question
Date: Mon, 19 May 2008 06:43:48 +0100
Message-ID: <48311394.8040008@infracaninophile.co.uk>
In-Reply-To: <5.2.0.9.2.20080518175447.00c41508@192.168.0.30>

Steve Lake wrote:
> At 10:53 PM 5/18/2008 +0200, Mister Olli wrote:
>> first you should consider the following questions:
>> - what kind of VPN do you wanna use? (SSL or IPSec based)
>
> From what I remember of my security training years ago, IPSec
> was always better. So I'd likely go with that.
>
>> - what kind of authentication? (user or certificate based)
>
> Definitely user, unless you think certificate is better.
>
>> - what kind of traffic do you wanna protect?
>
> Everything if possible. Basically I'm trying to create a
> protected Internet connection by using the VPN to allow me to connect to
> my vpn server at my home office over an insecure public connection. I
> would then use that vpn connection to securely surf the web
> from anywhere in the US or the world.
>
>> - do you wanna transport data between two hosts, from host-to-network or
>> network-to-network?
>
> I'm not sure which would be best. Can you suggest one based on
> the previous answer? Thanks.

If you're going to do this with IPSec it should be fairly simple to set
up the connection. Given that you control both ends of the IPSec
tunnel, you can just use a shared secret. You need to set up some
security policy definitions using setkey(1) -- the man page is full of
acronyms and jargon but what setkey does is define what traffic should
be encrypted based on the end point IPs, port numbers and some other
data. [Note: in order for setkey to work, you need a kernel config with
OPTIONS IPSEC added]. Finally, the third part of setting up an IPSec
connection is to configure a method of key exchange -- this is the only
part not actually built into the system, so you should install ipsec-tools
or equivalent from ports.

On the question of tunnel vs transport mode -- most of the tutorials you
can find on the net are all about setting up /tunnel/ mode -- ie.
to use a pair of routers as IPSec endpoints to connect two private networks.
In your case, I think you do need tunnel mode, despite it requiring a
degenerate form of network with only one host at each end -- something
that naturally screams transport mode -- since you need the capability
to route traffic from elsewhere via the VPN link.

Two handy references:

Setting up a simple transport mode tunnel between two hosts:

http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html

Step by step guide to setting up a tunnel.

http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

It's a bit dated now, as the kernel configuration instructions apply to
pre-6.x systems. In 7.0+ (which uses what was previously called FAST_IPSEC),
all you need is to add the following:

device crypto
device cryptodev
options IPSEC

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
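As an added example that is not part of Matthew's mail and not FreeBSD's or ipsec-tools' own code, the following POSIX shell script writes the setkey(8) security policy (SPD) entries for the setup he recommends: tunnel mode with one host at each end, where a roaming host sends everything through the home gateway. It also checks the policy file for two mistakes setkey itself accepts silently. The addresses (RFC 5737 documentation ranges), the variable and function names are constructed for the example; the racoon configuration that negotiates the SAs from the shared secret is not shown.

```shell
#!/bin/sh
# Added example, not from the original mail: generate the setkey(8) SPD
# entries for a roaming host that tunnels all traffic to a home gateway
# in ESP tunnel mode. Addresses below are constructed (RFC 5737 ranges).
# The SAs themselves are negotiated by the IKE daemon (racoon from
# ipsec-tools) using the shared secret; only the policy is produced here.

# Policy for the roaming host: everything it originates leaves through
# the tunnel to the gateway, everything it receives must have arrived the
# same way. The tunnel endpoints are written outer-src-outer-dst, so the
# inbound line lists them in the opposite order to the outbound one.
roadwarrior_policy() {
    road="$1"; gw="$2"
    printf 'spdadd %s/32 0.0.0.0/0 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$road" "$road" "$gw"
    printf 'spdadd 0.0.0.0/0 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$road" "$gw" "$road"
}

# Mirror image for the home gateway: same selectors, directions swapped.
# If the two ends do not mirror each other, setkey loads the file without
# complaint but the SPD lookup on one side fails and traffic is dropped.
gateway_policy() {
    road="$1"; gw="$2"
    printf 'spdadd 0.0.0.0/0 %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$road" "$gw" "$road"
    printf 'spdadd %s/32 0.0.0.0/0 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$road" "$road" "$gw"
}

# Reads a policy file on stdin; exits non-zero if any spdadd line uses a
# level other than "require" (with "use", packets pass in the clear while
# no SA exists) or if one of the two directions is missing altogether.
check_policy() {
    awk '
        /^spdadd/ && !/\/require;$/ { bad++ }
        /^spdadd/ && / -P out /     { nout++ }
        /^spdadd/ && / -P in /      { nin++ }
        END { exit (bad || !nout || !nin) ? 1 : 0 }'
}

# Stand-alone usage: print the roaming host's policy file. It would be
# loaded with "setkey -f /etc/ipsec.conf", or at boot via ipsec_enable="YES"
# in rc.conf, once the kernel carries "options IPSEC" and "device crypto".
# After racoon starts, confirm with "setkey -D" that SAs to the gateway come
# up; if the catch-all policy swallows the IKE exchange itself, the daemon's
# own UDP traffic to the gateway needs an explicit bypass.
ROAD_IP="${ROAD_IP:-192.0.2.10}"      # constructed: the laptop's public address
HOME_GW="${HOME_GW:-198.51.100.1}"    # constructed: the home office gateway
roadwarrior_policy "$ROAD_IP" "$HOME_GW"
```

The check is worth keeping around: `require` is what makes the policy enforce encryption rather than merely prefer it, and a policy file with only one direction is the most common reason a tunnel that "loads fine" passes no traffic.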