Date: Mon, 20 Nov 2000 09:06:09 +0200 (WET)
From: Evren Yurtesen <eyurtese@turkuamk.fi>
To: Mike Tancsa <mike@sentex.net>
Cc: Tom Samplonius <tom@sdf.com>, Evren Yurtesen <eyurtese@turkuamk.fi>, freebsd-isp@FreeBSD.ORG
Subject: Re: any VPN daemon?
Message-ID: <Pine.A41.4.10.10011200904160.62770-100000@bessel.tekniikka.turkuamk.fi>
In-Reply-To: <4.2.2.20001119221736.0173de98@marble.sentex.net>
so what about the authentication?
Evren
On Sun, 19 Nov 2000, Mike Tancsa wrote:
> At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
> > Well building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
> >well documented. For instance, there is nothing on how IPSec and ipfw
> >interact. Which subsystem gets the packet first? ipfw or IPSec?
> >Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
> >do.
>
>
> I believe the person said he was using a simple LAN to LAN. I have had good
> results setting up a few tunnels in the past month or so. What specifically
> were you trying to find with respect to ipfw ?
>
> ipfw add 20 deny log 50 from any to any
>
> stops all ipsec data in the tunnel I have setup between the office and at
> home on my DSL connection.
>
> There is not much you need to do to setup the tunnel using dynamic key
> exchange.
>
> Here is a quick setup example. For DSL to work, or where there is a lot of latency
> (relative to ethernet), you need to make one small change to racoon.conf.
>
>
> Here is a quick sample config for two machines
>
>
> PPPoE machine's _public_ address on tun0 : 169.1.134.1
> PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1
>
> Office Server's _public_ address on fxp0 172.168.93.4
> Office Server's _private_ address aliased on lo0 : 10.1.1.1
>
>
> *Note, if your machine has 2 interfaces, you can of course use the RFC1918
> space on it instead.
> This example assumes you just have the one NIC to play with.
>
>
> #!/bin/sh
> #PPPoE config
> ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
> gifconfig gif0 169.1.134.1 172.168.93.4
> ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
> setkey -FP
> setkey -F
> setkey -c <<EOF
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
> esp/tunnel/169.1.134.1-172.168.93.4/require;
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
> esp/tunnel/172.168.93.4-169.1.134.1/require;
> EOF
>
>
>
> #!/bin/sh
> #server at office config
> ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
> gifconfig gif0 172.168.93.4 169.1.134.1
> ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
> setkey -FP
> setkey -F
> setkey -c <<EOF
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
> esp/tunnel/172.168.93.4-169.1.134.1/require;
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
> esp/tunnel/169.1.134.1-172.168.93.4/require;
> EOF
>
>
>
> The changes I made to the default racoon.conf were simply to increase the
> lifetime values on both ends of the connection.
>
> e.g.
>
> @@ -101,8 +101,8 @@
> sainfo anonymous
> {
> pfs_group 1;
> - lifetime time 30 sec;
> - lifetime byte 5000 KB;
> + lifetime time 3600 sec;
> + lifetime byte 25000 KB;
> encryption_algorithm 3des ;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate ;
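Review bot: the new byte lifetime in `+ lifetime byte 25000 KB;` is still only about 25 MB, so a LAN-to-LAN tunnel carrying file transfers will exhaust it long before the new 3600-second time lifetime and rekey phase 2 every few minutes regardless; if the aim is fewer rekeys over a high-latency link, raise the byte limit in step with the time limit, and keep both values identical on both peers as the text says. Also visible in the context lines: `pfs_group 1;` selects the 768-bit MODP group, the weakest group defined for IKE, so if both ends support a larger group the PFS setting is worth changing alongside the lifetimes.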
>
>
> ---Mike
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Network Administration, mike@sentex.net
> Sentex Communications www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
>
>
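As an added example (not code from the thread), the following POSIX sh script generates the mirrored spdadd policies Mike shows for both ends from one set of addresses and then checks that each side's "in" policy is exactly the peer's "out" policy with the direction flipped, which is where hand-edited pairs usually drift apart. The function names are this example's own; the addresses are the sample values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build the mirrored setkey SPD
# policies for both ends of a gif/ESP tunnel from one set of parameters
# and verify the mirror property (side A's "out" policy must equal side
# B's "in" policy with only the direction flipped). Function names are
# this example's own; the addresses are the thread's sample values.

# spd_policies PUB_LOCAL PUB_REMOTE NET_LOCAL NET_REMOTE
# Prints the two spdadd statements one end feeds to "setkey -c".
spd_policies() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$4" "$3" "$2" "$1"
}

# mirror_ok POLICIES_A POLICIES_B
# Succeeds only when each side's "in" policy is the peer's "out" policy
# with the direction flipped; any selector or endpoint mismatch fails.
mirror_ok() {
    a_out=$(printf '%s\n' "$1" | grep -- '-P out' | sed 's/-P out/-P in/')
    a_in=$(printf '%s\n' "$1" | grep -- '-P in')
    b_out=$(printf '%s\n' "$2" | grep -- '-P out' | sed 's/-P out/-P in/')
    b_in=$(printf '%s\n' "$2" | grep -- '-P in')
    [ -n "$a_out" ] && [ -n "$b_out" ] &&
        [ "$a_out" = "$b_in" ] && [ "$b_out" = "$a_in" ]
}

# Demo with the thread's addresses: PPPoE end first, then the office end.
pppoe=$(spd_policies 169.1.134.1 172.168.93.4 10.1.2.0/24 10.1.1.0/24)
office=$(spd_policies 172.168.93.4 169.1.134.1 10.1.1.0/24 10.1.2.0/24)
printf '# PPPoE end\n%s\n# office end\n%s\n' "$pppoe" "$office"
if mirror_ok "$pppoe" "$office"; then
    echo "OK: the two SPDs mirror each other"
else
    echo "MISMATCH: fix the selectors/endpoints before running setkey"
fi
```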
