Date: Thu, 29 Dec 2005 11:50:45 +0100
From: Eric Masson <e-masson@kisoft-services.com>
To: Brian Candler <B.Candler@pobox.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
Message-ID: <861wzw89dm.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20051228190721.GB7695@uk.tiscali.com> (Brian Candler's message of "Wed, 28 Dec 2005 19:07:21 +0000")
References: <20051228143817.GA6898@uk.tiscali.com> <86lky5p7ik.fsf@srvbsdnanssv.interne.kisoft-services.com> <20051228155545.GA7166@uk.tiscali.com> <86d5jhp590.fsf@srvbsdnanssv.interne.kisoft-services.com> <20051228190721.GB7695@uk.tiscali.com>

Brian Candler <B.Candler@pobox.com> writes:

Hi,

> security/vpnc works fine for me as a client for talking to a Cisco VPN
> concentrator. I think that's IPSEC tunnel mode + PSK + XAUTH (which can also
> assign an IP address and insert routes into your forwarding table)

Ok, you just need a vpn3000 or other equipment that can act like vpn3000
as remote side.

Emmanuel Dreyfus wrote a nice paper about building a vpn concentrator
that could act as a server for the cisco vpn client:
http://www.netbsd.org/Documentation/network/ipsec/rasvpn.html

IIRC, the same could be done on FreeBSD once NAT-T support is merged in
the main tree.

> There's net/pipsecd in ports. Its version is 19991014. I have no idea if it
> still works.

Interesting, it seems to be a userland implementation of tunnel mode
ipsec tunnel, development has stalled, and dynamic keying is not
supported.

> I know of non-IPSEC solutions using tun (OpenVPN, TINC).

Don't forget SSLTunnel from HSC's Alain Thivillon (ppp over ssl), quite
easy to set up net/ssltunnel-* and useful when http/https is the only
possibility to reach the outside.

> All a bit of a nightmare really. Documentation would be good :-)

Yes, sure.

Every setup you talked about is documented somewhere on the internet,
but a synthesis in the handbook would be really useful.

Vpn over ipsec section could be extended to present ipsec based
solutions you talked about in this thread.

I'd then see two more sections covering ssl vpns and host to host ipsec
transport mode (not necessarily in this order).

Regards

Éric

-- 
holding an Ethernet cable at arm's length across a restaurant dining
room so that it doesn't fall into the tiramisu, while others are talking
in infrared, that's real life, isn't it?
-+- DA in Guide du Macounet Pervers : http://www.le-visconti.net/ -+-