Date:      Thu, 18 Jan 2001 08:58:15 -0500
From:      The Babbler <bts@babbleon.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: IPSEC tunneling
Message-ID:  <3A66F677.C56FD3A9@babbleon.org>
References:  <3A667B11.7BE15007@babbleon.org>


I'm going to follow up on my own post, which was a bit short of details.

Here's what I'm enabling in the kernel that I believe to be related:

-------------------------------------------------------------------------------
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends 
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT 
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to

options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about
# options       IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
# options       IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default

# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
options         IPDIVERT                #divert sockets

options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG             #debug for IP security
-------------------------------------------------------------------------------

And here are the rules that are intended to let the relevant packets
through.
  fwcmd is ipfw;
  inet/imask is the inside network; and
  onet/omask is the outside network.
-------------------------------------------------------------------------------
ntvpn=any

# IKE (ISAKMP) runs over UDP port 500 in both directions.
${fwcmd} add divert natd log udp from ${inet}:${imask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${onet}:${omask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${onet}:${omask} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${inet}:${imask} 500
# ESP is IP protocol 50 and carries no port numbers; ipfw only accepts a
# port specification with tcp or udp, so the esp rules must not say 500.
${fwcmd} add divert natd log esp from ${inet}:${imask} to ${ntvpn}
${fwcmd} add accept log esp from ${onet}:${omask} to ${ntvpn}
${fwcmd} add accept log esp from ${ntvpn} to ${onet}:${omask}
-------------------------------------------------------------------------------


The Babbler wrote:
> 
> I'm trying to get my FreeBSD gateway/firewall machine set up so that
> it will allow my wife's VPN access to work; this requires IPSEC packets
> to get through.
> 
> Has anybody done this?  Any helpful hints?
> 
> I turned on the IPSEC and the tunneling options in the kernel,
> and I'm letting "esp" and "udp" packets through.
> (For now, I'm basically letting all of 'em through.)
> 
> FWIW, I tried this in Linux and couldn't ever get it to work; this was
> a motivation for trying FreeBSD.  It's still not working, but I can at
> least follow the network traffic better in FreeBSD, which at least let
> me fix my rules.  (The rules I used under Linux were bad.)
> 
> My gateway machine is multiplexing multiple internal-network machines
> to a single cable modem connection by using the command to translate
> packets.  I suspect that something is going wrong there.
> 
> [Sorry this is a little vague; for other reasons the machine isn't
> currently booted into FreeBSD so I can't double-check the precise
> settings at the moment.]
> 
> --
> "Brian, the man from babble-on"              bts@babbleon.org
> Brian T. Schellenberger                      http://www.babbleon.org
> Support http://www.eff.org.                  Support decss defendants.
> Support http://www.programming-freedom.org.  Boycott amazon.com.

-- 
"Brian, the man from babble-on"              bts@babbleon.org
Brian T. Schellenberger                      http://www.babbleon.org
Support http://www.eff.org.                  Support decss defendants.
Support http://www.programming-freedom.org.  Boycott amazon.com.
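The post suspects that natd is where the IPsec traffic goes wrong. The following Python model, added here as an illustration and not part of the original message or of FreeBSD, shows the protocol-level reason: IKE over UDP/500 has port numbers a NAT can rewrite and map back, but ESP has only an SPI, and the SPI on the *returning* ESP packet is chosen by the inside host and negotiated inside IKE, so a NAT that only watches packets never learns it. All packets, addresses (192.168.1.10, 198.51.100.2, 203.0.113.5) and SPIs are constructed for the example; `ToyNat`, `classify` and `demo` are the example's own names, not natd's API.

```python
"""Toy model of what a NAT gateway can and cannot do with IKE (UDP/500) and ESP.

All packets here are constructed inline, not captured traffic; the addresses,
ports and SPIs are made-up assumptions for the demonstration.
"""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp(spi, seq, data=b""):
    # ESP header: SPI, sequence number, then the (encrypted) payload.
    return struct.pack("!II", spi, seq) + data


def classify(pkt):
    """Parse the IPv4 header and return the fields an ipfw rule or natd can key on."""
    ver_ihl, _, _, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:]
    info = {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d), "proto": proto}
    if proto == IPPROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        info["kind"] = "ike" if IKE_PORT in (info["sport"], info["dport"]) else "udp"
    elif proto == IPPROTO_ESP:
        # No port field at all: an ipfw rule of the form 'esp ... 500' has nothing to match.
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
        info["kind"] = "esp"
    else:
        info["kind"] = "other"
    return info


class ToyNat:
    """Source NAT keyed the only way each protocol allows: UDP by port, ESP by SPI."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp_map = {}      # public source port -> (inside ip, inside port)
        self.esp_owner = {}    # SPI seen leaving -> inside ip that sent it
        self.next_port = 40000

    def outbound(self, info):
        if info["kind"] in ("ike", "udp"):
            # Keep the inside source port when it is free (what natd's -same_ports
            # option does); IKE peers expect the exchange to stay UDP/500 <-> UDP/500.
            pub = info["sport"]
            if pub in self.udp_map and self.udp_map[pub] != (info["src"], pub):
                pub, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[pub] = (info["src"], info["sport"])
            return dict(info, src=self.public_ip, sport=pub)
        if info["kind"] == "esp":
            self.esp_owner[info["spi"]] = info["src"]
            return dict(info, src=self.public_ip)
        return None

    def inbound(self, info):
        """Translate a packet arriving at the public address; None means 'no mapping'."""
        if info["kind"] in ("ike", "udp"):
            hit = self.udp_map.get(info["dport"])
            return dict(info, dst=hit[0], dport=hit[1]) if hit else None
        if info["kind"] == "esp":
            # The SPI on an inbound ESP packet was chosen by the inside host and
            # handed to the peer inside the IKE exchange, so the NAT never saw it
            # leave and has nothing to look it up by.  This is the NAT/IPsec conflict.
            owner = self.esp_owner.get(info["spi"])
            return dict(info, dst=owner) if owner else None
        return None


def demo():
    """One client (192.168.1.10) behind the gateway (198.51.100.2) talking to a
    VPN server (203.0.113.5); returns the four translation results in order."""
    nat = ToyNat("198.51.100.2")
    ike_out = nat.outbound(classify(ipv4("192.168.1.10", "203.0.113.5", IPPROTO_UDP,
                                         udp(IKE_PORT, IKE_PORT, b"SA"))))
    ike_in = nat.inbound(classify(ipv4("203.0.113.5", "198.51.100.2", IPPROTO_UDP,
                                       udp(IKE_PORT, IKE_PORT, b"SA"))))
    esp_out = nat.outbound(classify(ipv4("192.168.1.10", "203.0.113.5", IPPROTO_ESP,
                                         esp(0x1111, 1))))
    # The server's ESP carries the SPI the client chose (0x2222), not 0x1111.
    esp_in = nat.inbound(classify(ipv4("203.0.113.5", "198.51.100.2", IPPROTO_ESP,
                                       esp(0x2222, 1))))
    return ike_out, ike_in, esp_out, esp_in
```

Running `demo()` shows the IKE exchange mapped both ways while the returning ESP packet has no mapping: the firewall rules can be correct and the tunnel still fails at the translator. That is why a NAT either has to guess (hand every inbound ESP packet to the single inside host that last sent ESP, which only works for one client at a time) or the endpoints have to wrap ESP in UDP (NAT-Traversal), which gives the NAT ports to key on again.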


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A66F677.C56FD3A9>