From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: nrml nrml
Date: Fri, 5 Dec 2008 18:05:38 +0200
Subject: Re: IPSec + vpn + multicast
Message-Id: <200812051805.38800.nvass@teledomenet.gr>
In-Reply-To: <11691.95194.qm@web83803.mail.sp1.yahoo.com>

On Wednesday 03 December 2008 17:02:05 nrml nrml wrote:
> Hello,
>
> I followed the handbook instructions and the ipsec(4) man page to set up
> vpn-over-ipsec for our company's site-to-site connection via our
> dedicated T1. Anyway I have it working but I found that I need to make
> sure that multicast traffic can traverse through the two subnets. I have
> the following options in my kernel:
>
> FreeBSD somebox.domain.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Fri
> Nov 21 08:11:47 PST 2008
> root@somebox.domain.com:/usr/obj/usr/src/sysKERNEL i386
>
> device crypto
> options IPSEC
> options IPSEC_FILTERTUNNEL
> options IPSEC_DEBUG #debug for IP Security
> options IPSEC_NAT_T

The kernel does not support multicast routing by default; you need to add
"options MROUTING" to your kernel cf. But then again you have to use
something to exchange that routing information with the other peers,
something like XORP.

> ipsec-tools: ...
>
> Does anyone know how I can accomplish this? The goal is to try and have
> transparency between the two sites

Could you elaborate a bit on "transparency between the two sites"?

> and to try and get Bonjour working.

I am not familiar with Bonjour, but it seems that multicast routing is not
the way to go... Maybe you can achieve the same effect using bridging and
packet filtering to block whatever is supposed to be local traffic.

Nikos