Date: Fri, 17 May 2002 13:16:47 -0400 (EDT)
From: "C J Michaels" <cjm2@earthling.net>
To: <Danny.Carroll@mail.ing.nl>
Cc: <questions@freebsd.org>
Subject: Re: IPsec / KAME newbie wants to play VPN admin.
Message-ID: <1874.216.153.202.55.1021655807.squirrel@www.27in.tv>
In-Reply-To: <6C506EA550443D44A061432F1E92EA4C012DC3@ing.com>
References: <6C506EA550443D44A061432F1E92EA4C012DC3@ing.com>
Danny said:
> Hello,
>
> I am looking at testing IPsec in both tunneling mode (for a VPN) and
> transport mode.

I'm currently using tunneling (ESP) mode myself.

> I thought it was about time I got my head around this.
>
> To make matters a little more complicated my VPN partner is a Linux man
> (can only make it more interesting right? ;-)

That's not the word I would use, but sure. ;)

> Anyway, before I dive into it too deeply there are a few basic
> questions I have about it all.
>
> I am only interested in IPv4 at the moment.

Same here.

> To use IPsec with FreeBSD does that mean I'll be using the KAME
> implementation?

Yes, but it's built into FreeBSD (w/ a kernel recompile); the only additional piece of software you'll want to install is racoon, which can be found in the ports.

> Is it easy to get a Linux FreeS/WAN and FreeBSD VPN to work.

No. We had decided to set up a WAN via IPSEC. One of the boxes, run by a friend of mine, is a Linux box. It was anything but easy. Just make sure racoon is set to a high debug level and you keep a keen eye on the log. Once we finally tweaked our configs enough to actually have a working IPSec tunnel, it would frequently go down and require a manual restart on his (the Linux side's) part. When it was up, it worked _very_ well.

Unfortunately, my friend's box was compromised not too long ago. He blew away the OS and installed a different Linux distro. He hasn't done the work to bring his network back into the WAN yet, so it's no longer up.

Getting the FreeBSD boxes to work together was a piece of cake.

> Since I do not want to break my firewall, will it work through a natd
> gateway? What about a natd gateway and a linux ?? nat gateway?

Are the *nix boxes connecting to the WAN also the natd gateways, or are they behind said gateways? If they are behind a NAT gateway, I do not believe IPSec will work, as the packets are tampered with (rewritten) by natd.

If they are operating AS the gateways, I would simply put a couple of rules into your firewall config (before the divert) to pass ESP and AH traffic unmolested.

> Am I right in assuming that racoon simply sets up the keys /
> authentication but the kernel via gif0 does the encrypting/decrypting??

This is my understanding.

> What is the difference between isakmpd.conf and racoon.conf, or for
> that matter racoon and isakmpd?? Are they the same but racoon is
> newer?

This I honestly can't answer.

> -D

We found a lot of useful links, example configs, etc. online and did a lot of tweaking to get this to work. I'll see if I can dig up the information and hopefully get a copy of the FreeS/WAN config (not my box) along with the relevant parts of my racoon.conf.

-- 
Chris

"I'll defend to the death your right to say that, but I never said I'd listen to it!" -- Tom Galloway with apologies to Voltaire
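Chris's advice for a box that is itself the natd gateway (pass ESP and AH before the divert), as an added example that is not from the thread nor FreeBSD's, KAME's or racoon's own code: a small sh script that prints the ipfw rules and checks an "ipfw list" dump for that ordering. The interface fxp0, rule numbers 50 upward, divert rule 100 and natd port 8668 are assumed placeholders, and the IKE rule (UDP 500, the port racoon negotiates on) goes beyond what the message itself lists.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeBSD/KAME/racoon.
# Emits the "pass ESP and AH before the divert" ipfw rules Chris describes
# for a box that is itself the natd gateway, and checks a ruleset for that
# ordering. Interface fxp0, rule numbers 50-52, divert rule 100 and natd
# port 8668 are assumed placeholders; the IKE rule (UDP 500, the port
# racoon negotiates on) is an addition beyond what the message lists.

# Print "ipfw add" commands for ESP (IP proto 50), AH (IP proto 51) and
# IKE, numbered from $base so they are evaluated before the divert rule.
ipsec_pass_rules() {
    ext_if="$1"          # external interface the tunnel peer is reached on
    base="${2:-50}"      # first rule number; must be lower than the divert
    printf 'ipfw add %d allow esp from any to any via %s\n' "$base" "$ext_if"
    printf 'ipfw add %d allow ah from any to any via %s\n' "$((base + 1))" "$ext_if"
    printf 'ipfw add %d allow udp from any 500 to any 500 via %s\n' "$((base + 2))" "$ext_if"
}

# Read plain "ipfw list" output on stdin (lines such as
# "00100 divert 8668 ip from any to any via fxp0"). Returns 0 when allow
# rules for esp and ah both carry lower numbers than the first divert
# rule, 1 when they are missing or sit after it (natd rewrites them first).
check_ipsec_before_divert() {
    awk '
        $2 == "divert" && divert == 0 { divert = $1 + 0 }
        $2 == "allow" && $3 == "esp" && esp == 0 { esp = $1 + 0 }
        $2 == "allow" && $3 == "ah"  && ah  == 0 { ah  = $1 + 0 }
        END {
            if (divert == 0) { print "no divert rule; nothing to reorder"; exit 0 }
            if (esp == 0 || ah == 0) { print "esp/ah pass rule missing"; exit 1 }
            if (esp < divert && ah < divert) {
                print "ok: esp/ah pass (" esp "," ah ") precede divert " divert
                exit 0
            }
            print "esp/ah pass rules sit after divert " divert ": natd sees them first"
            exit 1
        }'
}

# Stand-alone run: preview the rules. Pipe the output into sh on the
# gateway to apply them, then verify with: ipfw list | check_ipsec_before_divert
ipsec_pass_rules "${EXT_IF:-fxp0}" "${BASE_RULE:-50}"
```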