Date: Thu, 16 Nov 2000 06:57:50 -0500
From: Mike Tancsa <mike@sentex.net>
To: hamilton@twopoint.com (Hamilton Hoover)
Cc: freebsd-net@freebsd.org
Subject: Re: ipsec vpn on firewall
Message-ID: <fni71t4vh87n30sp27drr3v5k8edtctio5@4ax.com>
In-Reply-To: <SEN.974309061.497006503@news.sentex.net>
References: <SEN.974309061.497006503@news.sentex.net>
On 15 Nov 2000 12:24:21 -0500, in sentex.lists.freebsd.net you wrote:
>I have been given the task of setting up a vpn using ipsec on our
>firewall. I am somewhat new to FreeBsd and am not sure of how to go
>about this. We are trying to let home dsl users connect securely to our
>corporate lan and browse through 'network neighborhood'. Home users are
>using win9x with PGP Personal Firewall and the Office runs FreeBsd 4.1.
>The Firewall is nated. All incoming requests are blocked so I also don't
>know what holes if any to poke in the firewall. I included the
>FreeBsd ipsec package when I installed the system but after looking at
>the man pages I don't get it. I have looked for a howto as well as a
>tutorial and haven't found anything on setting up the vpn. If anyone
>know of an idiot proof howto or some good resources please let me know.
>If more info is needed I will do my best to supply it.
You will need to let protocols 50 and 51 through your firewall, which is the
IPsec stuff. Here is a simple configuration that works for FreeBSD to
FreeBSD, one of which is using DSL. If you suspect the firewall, try allowing
a single test machine through first and then gradually add back the rules
to see where it breaks, e.g.:
ipfw add 12 allow log all from cust.test.machine.ip to any
-------------
Setup is a FreeBSD box running PPPoE over DSL across a few hops to another
FreeBSD machine on the ethernet. The trick is to bump up the lifetime
value in racoon.conf and to make sure you have a recent version of racoon.
I used the one from November 11th.
Here is a quick sample config for two machines:
PPPoE machine's _public_ address on tun0 : 169.1.134.1
PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1
Office Server's _public_ address on fxp0 : 172.168.93.4
Office Server's _private_ address aliased on lo0 : 10.1.1.1
*Note, if your machine has 2 interfaces, you can of course use the RFC1918
space on it instead.
This example assumes you just have the one NIC to play with.
#!/bin/sh
# PPPoE config (run on the DSL end)
# private address for this end of the tunnel, aliased onto loopback
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
# gif tunnel between the two public addresses (local first, remote second)
gifconfig gif0 169.1.134.1 172.168.93.4
# private addresses at the two ends of the gif tunnel
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
# flush any old security policies (SPD) and security associations (SAD)
setkey -FP
setkey -F
# require ESP in tunnel mode between the public addresses for all
# traffic between the two private networks, in both directions
setkey -c <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
EOF
#!/bin/sh
# server at office config (the mirror image of the PPPoE end)
# private address for this end of the tunnel, aliased onto loopback
ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
# gif tunnel between the two public addresses (local first, remote second)
gifconfig gif0 172.168.93.4 169.1.134.1
# private addresses at the two ends of the gif tunnel
ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
# flush any old security policies (SPD) and security associations (SAD)
setkey -FP
setkey -F
# same policies as the other end with the directions swapped
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
EOF
The changes I made to the default racoon.conf were simply to increase the
lifetime values on both ends of the connection, e.g.:
@@ -101,8 +101,8 @@
sainfo anonymous
{
pfs_group 1;
- lifetime time 30 sec;
- lifetime byte 5000 KB;
+ lifetime time 3600 sec;
+ lifetime byte 25000 KB;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
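Review bot: the hunk carries no `---`/`+++` file header, so the reader has to take it from the prose that this is racoon.conf; adding the header (or at least the file name above the `@@` line) would make the change self-describing. On the substance, the only lines touched are the two `lifetime` entries of the `sainfo anonymous` block, so the stock `lifetime time 30 sec;` is what was forcing a phase 2 rekey every half minute, and 3600 sec / 25000 KB is a reasonable fix. The unchanged context shows `pfs_group 1;` (the 768-bit MODP group) and `encryption_algorithm 3des ;`; since an anonymous sainfo applies to every peer, those two lines deserve a look in the same edit.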
---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada
"Given enough time, 100 monkeys on 100 routers
could setup a national IP network." (KDW2)
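The two setkey scripts above have to be exact mirror images of each other, and the firewall in between has to pass the IPsec protocols between the two public addresses. The following is an added example, not part of Mike's message or of FreeBSD's tools: a small Python checker that parses the `spdadd` lines each end loads with `setkey -c`, confirms that every outbound policy on one host has the matching inbound policy on the other (same subnets and tunnel endpoints, direction reversed), and lists what the firewall must let through. The addresses are copied from the message; the regex covers only the `esp/tunnel/.../require` form used there, and the UDP/500 entry assumes the IKE daemon (racoon) negotiates on the standard IKEv1 port, which the message does not state. `OFFICE_SPD_BROKEN` is a constructed misconfiguration to show the check failing.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# SPD entries as loaded on each end in the message (copied from it).
PPPOE_SPD = """
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
"""

OFFICE_SPD = """
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
"""

# Constructed mistake: the office end's inbound policy names the tunnel
# endpoints in the wrong order, so incoming ESP never matches a policy.
OFFICE_SPD_BROKEN = """
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
"""


@dataclass(frozen=True)
class Policy:
    src: str        # inner (private) source subnet
    dst: str        # inner (private) destination subnet
    direction: str  # "in" or "out"
    tun_src: str    # outer (public) tunnel source
    tun_dst: str    # outer (public) tunnel destination

    def mirrored(self) -> "Policy":
        # The peer must hold the identical policy in the opposite direction.
        return Policy(self.src, self.dst,
                      "in" if self.direction == "out" else "out",
                      self.tun_src, self.tun_dst)


# Hypothetical helper: only the spdadd form used in the message, with the
# continuation line allowed because setkey reads up to the ';'.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/require\s*;")


def parse_spd(text: str) -> List[Policy]:
    """Extract the ESP tunnel-mode policies from a setkey -c input."""
    return [Policy(*m.groups()) for m in SPDADD_RE.finditer(text)]


def check_pair(spd_a: str, spd_b: str) -> List[str]:
    """Return problems found; an empty list means both ends mirror each other."""
    a, b = parse_spd(spd_a), parse_spd(spd_b)
    problems = []
    if not a or not b:
        problems.append("no spdadd policies parsed on at least one end")
    a_set, b_set = set(a), set(b)
    for p in a:
        if p.mirrored() not in b_set:
            problems.append(f"A: {p.direction} {p.src}->{p.dst} via "
                            f"{p.tun_src}-{p.tun_dst} has no mirror on B")
    for p in b:
        if p.mirrored() not in a_set:
            problems.append(f"B: {p.direction} {p.src}->{p.dst} via "
                            f"{p.tun_src}-{p.tun_dst} has no mirror on A")
    return problems


def firewall_requirements(spd: str) -> List[Tuple[str, str, str]]:
    """Traffic the firewall must pass between the tunnel endpoints:
    IP protocol 50 (ESP, used by these policies) and 51 (AH), as the
    message says, plus UDP/500 for racoon's IKE exchange (assumed)."""
    needs = set()
    for p in parse_spd(spd):
        for proto in ("ip proto 50 (esp)", "ip proto 51 (ah)",
                      "udp port 500 (ike)"):
            needs.add((proto, p.tun_src, p.tun_dst))
    return sorted(needs)


if __name__ == "__main__":
    print("good pair:", check_pair(PPPOE_SPD, OFFICE_SPD) or "OK")
    print("broken pair:", check_pair(PPPOE_SPD, OFFICE_SPD_BROKEN))
    for need in firewall_requirements(PPPOE_SPD):
        print("firewall must pass:", need)
```

Run it against the two heredoc bodies and the good pair reports nothing, while the constructed office config reports two unmatched policies (one from each side), which is exactly the symptom of "packets leave but the other end drops them" that the debugging advice about adding rules back one at a time is meant to isolate.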
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fni71t4vh87n30sp27drr3v5k8edtctio5>
