From owner-freebsd-questions Fri May 17 10:16:54 2002
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <1874.216.153.202.55.1021655807.squirrel@www.27in.tv>
Date: Fri, 17 May 2002 13:16:47 -0400 (EDT)
Subject: Re: IPsec / KAME newbie wants to play VPN admin.
From: "C J Michaels"
In-Reply-To: <6C506EA550443D44A061432F1E92EA4C012DC3@ing.com>
X-Mailer: SquirrelMail (version 1.2.7 [CVS])

Danny said:
> Hello,
>
> I am looking at testing IPsec in both tunneling mode (for a VPN) and
> transport mode.

I'm currently using tunneling (ESP) mode myself.

> I thought it was about time I got my head around this.
>
> To make matters a little more complicated my VPN partner is a Linux man
> (can only make it more interesting right? ;-)

That's not the word I would use, but sure. ;)

> Anyway, before I dive into it too deeply there are a few basic
> questions I have about it all.
>
> I am only interested in IPv4 at the moment.

Same here.

> To use IPsec with FreeBSD does that mean I'll be using the KAME
> implementation?

Yes, but it's built into FreeBSD (w/ a kernel recompile); the only additional piece of software you'll want to install is racoon, which can be found in the ports.

> Is it easy to get a Linux FreeS/WAN and FreeBSD VPN to work.

No. We had decided to set up a WAN via IPsec. One of the boxes, run by a friend of mine, is a Linux box. It was anything but easy. Just make sure racoon is set to a high debug level and you keep a keen eye on the log.

Once we finally tweaked our configs enough to actually have a working IPsec tunnel, it would frequently go down and require a manual restart on his (the Linux side's) part. When it was up, it worked _very_ well.

Unfortunately, my friend's box was compromised not too long ago. He blew away the OS and installed a different Linux distro. He hasn't done the work to bring his network back into the WAN yet, so it's no longer up.

Getting the FreeBSD boxes to work together was a piece of cake.

> Since I do not want to break my firewall, will it work through a natd
> gateway? What about a natd gateway and a linux ?? nat gateway?

Are the *nix boxes connecting to the WAN also the natd gateways, or are they behind said gateways? If they are behind a NAT gateway, I do not believe IPsec will work, as the packets are tampered with (rewritten) by natd. If they are operating AS the gateways, I would simply put a couple of rules into your firewall config (before the divert) to pass ESP and AH traffic unmolested.

> Am I right in assuming that racoon simply sets up the keys /
> authentication but the kernel via gif0 does the encrypting/decrypting??

This is my understanding.

> What is the difference between isakmpd.conf and racoon.conf, or for
> that matter racoon and isakmpd?? Are they the same but racoon is
> newer?

This I honestly can't answer.

> -D

We found a lot of useful links, example configs, etc. online and did a lot of tweaking to get this to work. I'll see if I can dig up the information and hopefully get a copy of the FreeS/WAN config (not my box) along with the relevant parts of my racoon.conf.

--
Chris

"I'll defend to the death your right to say that, but I never said I'd listen to it!"
    -- Tom Galloway with apologies to Voltaire
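The firewall point in the reply (pass ESP and AH before natd's divert rule so natd never rewrites them), as an added example that is not from the post and not from FreeBSD's own documentation. It also passes IKE on UDP/500, which racoon needs to negotiate the SAs and which the post does not mention. The interface name, the two gateway addresses (documentation ranges) and the rule numbers are assumptions; the script prints the rules, checks that every IPsec rule is numbered below the divert, and only touches the live firewall when run as `apply` on a box that has ipfw.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw rules for a FreeBSD box that
# is both the natd gateway and an IPsec tunnel endpoint.  The point is ordering:
# ESP (IP proto 50), AH (IP proto 51) and IKE (UDP/500) must be passed BEFORE
# the divert rule, or natd rewrites them and the peer drops them (AH's integrity
# check covers the IP header; ESP must arrive from the address the SA names).
# Interface, addresses and rule numbers are assumptions for illustration.

EXT_IF="${EXT_IF:-fxp0}"                  # assumed external interface
LOCAL_GW="${LOCAL_GW:-203.0.113.10}"      # assumed public address of this gateway
PEER_GW="${PEER_GW:-198.51.100.20}"       # assumed public address of the Linux peer
NATD_PORT="${NATD_PORT:-8668}"            # natd's default divert port

# Emit the rule lines in the order they must be installed.  Explicit, low rule
# numbers keep the pass-through ahead of the divert even if the rest of the
# rule set is renumbered later.
ipsec_passthrough_rules() {
    cat <<EOF
add 100 allow esp from $PEER_GW to $LOCAL_GW in via $EXT_IF
add 101 allow esp from $LOCAL_GW to $PEER_GW out via $EXT_IF
add 102 allow ah from $PEER_GW to $LOCAL_GW in via $EXT_IF
add 103 allow ah from $LOCAL_GW to $PEER_GW out via $EXT_IF
add 104 allow udp from $PEER_GW 500 to $LOCAL_GW 500 in via $EXT_IF
add 105 allow udp from $LOCAL_GW 500 to $PEER_GW 500 out via $EXT_IF
add 200 divert $NATD_PORT ip from any to any via $EXT_IF
EOF
}

# Sanity check: every esp/ah/udp allow rule must carry a lower number than the
# first divert rule.  Returns 0 when the ordering is right, 1 otherwise.
rules_ordered_ok() {
    ipsec_passthrough_rules | awk '
        $1 == "add" && $3 == "allow" && ($4 == "esp" || $4 == "ah" || $4 == "udp") {
            if ($2 + 0 > last_allow) last_allow = $2 + 0
        }
        $1 == "add" && $3 == "divert" {
            if (first_divert == "" || $2 + 0 < first_divert) first_divert = $2 + 0
        }
        END {
            rc = (first_divert != "" && last_allow < first_divert) ? 0 : 1
            exit rc
        }'
}

# Number of pass-through (allow) rules emitted; used as a self-check.
passthrough_rule_count() {
    ipsec_passthrough_rules | awk '$3 == "allow" { n++ } END { print n + 0 }'
}

case "${1:-print}" in
    print) ipsec_passthrough_rules ;;
    check) rules_ordered_ok && echo "ordering ok" ;;
    apply)
        command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; exit 1; }
        rules_ordered_ok || { echo "refusing: divert precedes IPsec rules" >&2; exit 1; }
        ipsec_passthrough_rules | while read -r line; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -q $line
        done ;;
esac
```

Run it with no argument to see the rules, `check` to verify the ordering, and `apply` (as root, on the gateway) to install them ahead of whatever rule set follows. If the Linux side is also the gateway, the same three protocols have to be let through there too.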
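The split the reply describes (racoon negotiates the keys, the kernel encrypts the traffic that goes through gif0), as an added example that is not from the post and is not the author's racoon.conf or his friend's FreeS/WAN config. It generates the three pieces of an ESP tunnel over gif0 on the FreeBSD end: a setkey SPD script that requires ESP for the gif encapsulation between the two public addresses, a racoon.conf for main-mode IKE with a pre-shared key, and the PSK file with the permissions it needs. All addresses, subnets, the output directory and the 4.x-era gifconfig/ifconfig commands are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the setkey SPD, the
# racoon.conf and the PSK file for a KAME ESP tunnel carried over gif0.
# Addresses, subnets and paths are assumptions; on a real box the files go
# under /etc and /usr/local/etc/racoon instead of the temp directory used here.

OUTDIR="${OUTDIR:-$(mktemp -d)}"
LOCAL_GW="${LOCAL_GW:-203.0.113.10}"     # assumed public address, this end
PEER_GW="${PEER_GW:-198.51.100.20}"      # assumed public address, Linux peer
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}" # assumed private net behind this end
PEER_NET="${PEER_NET:-192.168.2.0/24}"   # assumed private net behind the peer
PSK="${PSK:-change-me-before-use}"       # placeholder shared secret

# SPD: protect the gif encapsulation (IP proto 4, "ipencap") between the two
# public endpoints with ESP in tunnel mode.  "require" means matching traffic
# is dropped unless an SA exists, so nothing leaks in the clear while racoon
# is still negotiating (or after the tunnel goes down, as it did in the post).
write_setkey_conf() {
    cat >"$OUTDIR/ipsec.conf" <<EOF
flush;
spdflush;
spdadd $LOCAL_GW/32 $PEER_GW/32 ipencap -P out ipsec esp/tunnel/$LOCAL_GW-$PEER_GW/require;
spdadd $PEER_GW/32 $LOCAL_GW/32 ipencap -P in ipsec esp/tunnel/$PEER_GW-$LOCAL_GW/require;
EOF
}

# racoon: phase 1 in main mode with a PSK and DH group 2, phase 2 with PFS.
# "log debug" is the high debug level the post recommends while bringing the
# tunnel up against FreeS/WAN; drop it back to "notify" once it is stable.
write_racoon_conf() {
    cat >"$OUTDIR/racoon.conf" <<EOF
path pre_shared_key "$OUTDIR/psk.txt";
log debug;

listen {
        isakmp $LOCAL_GW [500];
}

remote $PEER_GW {
        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# The PSK file holds the secret and must be readable by root only.
write_psk() {
    umask 077
    printf '%s %s\n' "$PEER_GW" "$PSK" >"$OUTDIR/psk.txt"
    chmod 600 "$OUTDIR/psk.txt"
}

# Inner hop over gif0 (printed, not run: needs root and the real NICs).
# Assumes both private nets are /24s ending in .0, with .1 as each gateway.
gif_commands() {
    printf 'gifconfig gif0 %s %s\n' "$LOCAL_GW" "$PEER_GW"
    printf 'ifconfig gif0 %s %s netmask 0xffffffff\n' "${LOCAL_NET%.0/24}.1" "${PEER_NET%.0/24}.1"
    printf 'route add -net %s %s\n' "$PEER_NET" "${PEER_NET%.0/24}.1"
}

generate_all() {
    write_setkey_conf && write_racoon_conf && write_psk && echo "$OUTDIR"
}

# Post-condition: the PSK file exists and is exactly mode 600.
psk_is_private() {
    [ -n "$(find "$OUTDIR/psk.txt" -perm 600 2>/dev/null)" ]
}

generate_all
gif_commands
```

Load the SPD with `setkey -f "$OUTDIR/ipsec.conf"`, start `racoon -f "$OUTDIR/racoon.conf"`, then bring up gif0 with the printed commands; the Linux side needs the mirror image (its own subnets and the same proposal) in FreeS/WAN terms.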