From owner-freebsd-net Thu Nov 16 3:58:24 2000
Delivered-To: freebsd-net@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id D743B37B479 for ; Thu, 16 Nov 2000 03:58:19 -0800 (PST)
Received: from chimp.simianscience.com (cage.simianscience.com [64.7.134.1]) by smtp1.sentex.ca (8.11.0/8.11.0) with SMTP id eAGBvp285455; Thu, 16 Nov 2000 06:57:51 -0500 (EST)
From: Mike Tancsa
To: hamilton@twopoint.com (Hamilton Hoover)
Cc: freebsd-net@freebsd.org
Subject: Re: ipsec vpn on firewall
Date: Thu, 16 Nov 2000 06:57:50 -0500
Message-ID:
References:
In-Reply-To:
X-Mailer: Forte Agent 1.8/32.548
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 15 Nov 2000 12:24:21 -0500, in sentex.lists.freebsd.net you wrote:

>I have been given the task of setting up a VPN using IPsec on our
>firewall. I am somewhat new to FreeBSD and am not sure of how to go
>about this. We are trying to let home DSL users connect securely to our
>corporate LAN and browse through 'Network Neighborhood'. Home users are
>using Win9x with PGP Personal Firewall and the office runs FreeBSD 4.1.
>The firewall is NATed. All incoming requests are blocked, so I also don't
>know what holes, if any, to poke in the firewall. I included the
>FreeBSD IPsec package when I installed the system, but after looking at
>the man pages I don't get it. I have looked for a howto as well as a
>tutorial and haven't found anything on setting up the VPN. If anyone
>knows of an idiot-proof howto or some good resources, please let me know.
>If more info is needed I will do my best to supply it.

You will need to let protocols 50 and 51 through your firewall, which
are the IPsec stuff. Here is a simple configuration that works for FreeBSD
to FreeBSD, one of which is using DSL.
If you suspect the firewall, try allowing a single test machine through
first and then gradually add back the rules to see where it breaks, e.g.

	ipfw add 12 allow log all from cust.test.machine.ip to any

-------------

Setup is a FreeBSD box running PPPoE over DSL across a few hops to another
FreeBSD machine on the ethernet. The trick is to bump up the lifetime
value in racoon.conf and to make sure you have a recent version of racoon.
I used the one from November 11th.

Here is a quick sample config for two machines:

PPPoE machine's _public_ address on tun0         : 169.1.134.1
PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1
Office Server's _public_ address on fxp0         : 172.168.93.4
Office Server's _private_ address aliased on lo0 : 10.1.1.1

*Note, if your machine has 2 interfaces, you can of course use the RFC1918
space on it instead. This example assumes you just have the one NIC to
play with.

#!/bin/sh
# PPPoE config
# Private address for this end of the tunnel, aliased on the loopback
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
# Outer (public) endpoints of the gif tunnel
gifconfig gif0 169.1.134.1 172.168.93.4
# Inner (private) point-to-point addresses of the tunnel
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
# Flush the security policy database and the SA database before loading
setkey -FP
setkey -F
# Load security policy entries from standard input
setkey -c <
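An added example, not the config from Mike's message, in the shell this setup is typed into: it generates the ipfw rules for protocols 50 and 51 between the two public endpoints (plus racoon's IKE exchange on UDP 500, which the message does not mention) and a transport-mode ESP policy for the gif traffic, using the addresses above. The rule numbers and the `ipencap` policy are assumptions about a typical gif-plus-IPsec setup, not what the message went on to give.

```shell
#!/bin/sh
# Added example, not the config from the message above. It writes the two
# fragments the firewall side of this setup needs: ipfw rules that pass ESP
# (IP protocol 50) and AH (51) between the public endpoints plus IKE on
# UDP 500 (racoon's negotiation channel; assumed, the message does not
# mention it), and a setkey SPD policy that wraps the gif encapsulation
# (IP protocol 4, "ipencap") in transport-mode ESP. Addresses default to
# the ones in the message; rule numbers are arbitrary placeholders.

LOCAL_PUB=${1:-169.1.134.1}      # PPPoE machine, tun0
REMOTE_PUB=${2:-172.168.93.4}    # office server, fxp0

# ipfw rules for this host, one ipfw(8) command per line. ESP and AH are
# matched by protocol name; there is no port to open for them.
gen_ipfw_rules() {
    cat <<EOF
add 100 allow esp from $REMOTE_PUB to $LOCAL_PUB
add 101 allow ah from $REMOTE_PUB to $LOCAL_PUB
add 102 allow esp from $LOCAL_PUB to $REMOTE_PUB
add 103 allow ah from $LOCAL_PUB to $REMOTE_PUB
add 104 allow udp from $REMOTE_PUB 500 to $LOCAL_PUB 500
add 105 allow udp from $LOCAL_PUB 500 to $REMOTE_PUB 500
EOF
}

# SPD entries for "setkey -c". "require" drops gif traffic instead of
# sending it in the clear when no SA is up, so a racoon failure fails closed.
gen_spd_policy() {
    cat <<EOF
spdadd $LOCAL_PUB/32 $REMOTE_PUB/32 ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB/32 $LOCAL_PUB/32 ipencap -P in ipsec esp/transport//require;
EOF
}

# Guard against leaving a debugging rule widened to "any": returns 1 if a
# generated rule is not pinned to both public endpoints.
check_rules_scoped() {
    gen_ipfw_rules | while read -r line; do
        case "$line" in
            *" $LOCAL_PUB "*" $REMOTE_PUB"*|*" $REMOTE_PUB "*" $LOCAL_PUB"*) ;;
            *) return 1 ;;
        esac
    done
}

# Print both fragments for review before loading them.
gen_ipfw_rules
gen_spd_policy
```

Feed the first fragment to ipfw and the second to setkey -c once the printed addresses match the two hosts.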