From owner-freebsd-net Fri Sep 21 1:47:14 2001
Delivered-To: freebsd-net@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 0C6CF37B414 for ; Fri, 21 Sep 2001 01:47:09 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12]) by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L8l6t18725; Fri, 21 Sep 2001 09:47:07 +0100 (BST) (envelope-from brian@freebsd-services.com)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8L8l3R32993; Fri, 21 Sep 2001 09:47:03 +0100 (BST) (envelope-from brian@freebsd-services.com)
Message-Id: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Julian Elischer
Cc: net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: IPSEC question..
In-Reply-To: Message from Julian Elischer of "Thu, 20 Sep 2001 23:33:35 PDT." <3BAADF3F.D48189AD@elischer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 21 Sep 2001 09:47:03 +0100
From: Brian Somers
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> The sample docs and the daemon-news
> article get me part way started to making an encrypted
> tunnel using IPsec4 between two networks.
> However they are really quite confusing...
>
> Is there a SIMPLE description of what all the parts do?
>
> I have a gif tunnel going, but it's not clear to me how I make this tunnel
> start encrypting the damned data.
>
> I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing
> plain encapsulated packets...no encryption..
Once you've got the gif tunnel working, say with top addresses 10.0.0.1
and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8, create an
/etc/ipsec.conf that says:

  spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
  spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;

This is your setkey input.  The ``ip4'' bit tells ipsec to only touch
IP-in-IP traffic, so comms going from an internal LAN to an external
gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
NAT'd).  Only the gif-encapsulated traffic is encrypted.

Then add this to /etc/rc.conf:

  ipsec_enable=YES
  ipsec_file=/etc/ipsec.conf

Once this is done, arrange to have racoon running on each end and
everything should work.  Using a shared secret in
/usr/local/etc/racoon/psk.txt is the easiest:

  1.2.3.4 akeythatnobodyisgoingtocrack

and running racoon -F helps initially.

> --
> +------------------------------------+       ______ _  __
> |      __--_|\  Julian Elischer      |       \     U \/ / hard at work in
> |     /       \ julian@elischer.org  +------>x   USA    \ a very strange
> |   (   OZ    ) \___   ___           |                    country !
> +- X_.---._/    presently in San Francisco  \_/   \\
>        v

Good luck !

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
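As an added example (not part of Brian's mail and not FreeBSD's or racoon's own tooling), the following POSIX shell script generates the configuration described above for both ends of the tunnel rather than just one. Two points the mail leaves implicit are handled explicitly: the `-P in` / `-P out` directions in an SPD entry are relative to the host the file is installed on, so the policy shown in the mail belongs on the 5.6.7.8 end and the other end needs the source/destination pairs swapped; and the pre-shared key must be identical in both `psk.txt` files, so it is generated once and written to both. The function names `gen_spd`, `gen_psk` and `write_end_config`, the output directory, and the use of `/dev/urandom` for key material are assumptions of this example; the addresses are the placeholders from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail): build the setkey SPD policy
# and racoon psk.txt entries for BOTH ends of a gif tunnel whose outer
# (tunnel) addresses are A and B.  Function names and the output layout
# are assumptions of this example, not FreeBSD or racoon conventions.

# gen_spd LOCAL REMOTE
# Print the two spdadd lines for the host whose outer address is LOCAL.
# Direction is relative to that host: REMOTE->LOCAL is "in", LOCAL->REMOTE
# is "out".  The "ip4" upper-layer protocol restricts the policy to
# IP-in-IP (gif) packets, so plain traffic to the gateway address is left
# alone, exactly as the mail describes.
gen_spd() {
    spd_local=$1
    spd_remote=$2
    printf 'spdadd %s/32 %s/32 ip4 -P in ipsec esp/transport//require;\n' \
        "$spd_remote" "$spd_local"
    printf 'spdadd %s/32 %s/32 ip4 -P out ipsec esp/transport//require;\n' \
        "$spd_local" "$spd_remote"
}

# gen_key
# Print 32 random bytes from /dev/urandom as 64 hex characters.  A key
# chosen by a human (like the one in the mail) is guessable; racoon reads
# the value as an opaque string, so hex from the kernel RNG is fine.
gen_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# gen_psk REMOTE KEY
# Print one psk.txt line: the peer's address followed by the shared key.
gen_psk() {
    printf '%s %s\n' "$1" "$2"
}

# write_end_config DIR LOCAL REMOTE KEY
# Write DIR/ipsec.conf (setkey input) and DIR/psk.txt for the LOCAL end.
# On a real host these would be /etc/ipsec.conf and
# /usr/local/etc/racoon/psk.txt; psk.txt is made mode 0600 because it
# holds the secret.
write_end_config() {
    out_dir=$1
    mkdir -p "$out_dir"
    gen_spd "$2" "$3" > "$out_dir/ipsec.conf"
    gen_psk "$3" "$4" > "$out_dir/psk.txt"
    chmod 0600 "$out_dir/psk.txt"
}

# Demonstration: generate both ends into a scratch directory.  The key is
# generated once so that both psk.txt files carry the same secret.
demo_dir=$(mktemp -d)
demo_key=$(gen_key)
write_end_config "$demo_dir/end-1.2.3.4" 1.2.3.4 5.6.7.8 "$demo_key"
write_end_config "$demo_dir/end-5.6.7.8" 5.6.7.8 1.2.3.4 "$demo_key"
for end in "$demo_dir"/end-*; do
    echo "== $end/ipsec.conf"; cat "$end/ipsec.conf"
    echo "== $end/psk.txt (mode $(stat -c %a "$end/psk.txt" 2>/dev/null || echo 0600))"
    cat "$end/psk.txt"
done
rm -rf "$demo_dir"
```

Install each end's `ipsec.conf` as `/etc/ipsec.conf` with the `rc.conf` lines from the mail, and its `psk.txt` as `/usr/local/etc/racoon/psk.txt`; `setkey -D` then shows the SAs once racoon has negotiated them, and `tcpdump` on the outer interface should show ESP rather than IP-in-IP.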