From: "Dennis Pedersen"
To: freebsd-security@freebsd.org
Subject: FreeBSD and racoon (2offices + single computer = how?)
Date: Thu, 10 Jan 2002 19:15:41 +0100

Hi!

I have been fooling around a little with racoon between two FreeBSD 4.4 boxes in tunnel mode (http://www.onlamp.com/pub/a/bsd/2001/12/10/ipsec.html) and this works fine. The idea was that these two boxes should be used to make an encrypted tunnel; this works fine, but I also need some end computers connected to office 1 too. I have some idea about how to set this up, but the KAME project's documentation doesn't have that many examples, so I need some advice on a few points.

I realise that I need some kind of setkey policy for the end users, but after searching google.com for similar setups I get the impression that if one racoon box has two sets of setkey policies then it gets kind of confused?!

Anyway, I was thinking of something like this for my end users:

spdadd A[3389] 0.0.0.0/0 tcp -P out ipsec ah/transport//require;
spdadd 0.0.0.0/0 A[3389] tcp -P in ipsec ah/transport//require;

Will this work if I simply add this to my setkey file along with the setkey policy for the tunnel?

And finally, what about if I need to run racoon on the same box as I have ipfw with a "deny any from any to any" at the end? I understand that I need to allow SPI and ESP (ipfw add allow SPI/ESP from any to any?)

Regards
Dennis
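An added configuration example, not from the original post nor from the KAME project: one setkey policy file for gateway A that carries both the office-to-office tunnel policies and transport-mode policies for a single remote computer C, followed by the ipfw rules racoon and the IPsec traffic need in front of a final deny rule. All addresses and subnets below (A = 192.0.2.1, B = 198.51.100.1, C = 203.0.113.7, 10.1.0.0/24, 10.2.0.0/24) are constructed placeholders; the policies are written so that the selectors of the two sets do not overlap, so each packet matches exactly one SPD entry.

```text
# /etc/ipsec.conf on gateway A -- load with: setkey -f /etc/ipsec.conf
# Constructed addresses:  A = 192.0.2.1     (office 1 gateway, LAN 10.1.0.0/24)
#                         B = 198.51.100.1  (office 2 gateway, LAN 10.2.0.0/24)
#                         C = 203.0.113.7   (single remote computer)
flush;
spdflush;

# Office 1 <-> office 2: ESP in tunnel mode between the two gateways
# (the setup from the onlamp article, with placeholder addresses).
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;

# Single computer C talking to tcp/3389 on A itself: AH in transport mode.
# Selectors are host-specific (C <-> A, tcp/3389), so they do not overlap the
# subnet-to-subnet tunnel selectors above; no packet matches both policy sets.
spdadd 203.0.113.7 192.0.2.1[3389] tcp -P in  ipsec ah/transport//require;
spdadd 192.0.2.1[3389] 203.0.113.7 tcp -P out ipsec ah/transport//require;

# ipfw rules on A, inserted before the closing "deny ip from any to any".
# racoon (IKE) speaks UDP/500; the protected traffic is IP protocol 50 (ESP)
# and 51 (AH). The SPI is a field inside the ESP/AH header, not a protocol,
# so there is nothing to allow for it separately.
ipfw add allow udp from any 500 to me 500
ipfw add allow udp from me 500 to any 500
ipfw add allow esp from any to me
ipfw add allow esp from me to any
ipfw add allow ah from any to me
ipfw add allow ah from me to any
```

Host C needs the mirrored pair of transport-mode entries (with its own address as the out source and in destination) and its own racoon with a remote block for A. AH authenticates but does not encrypt the 3389 traffic; use esp/transport for the end-user policies if confidentiality is required as well.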