From owner-freebsd-isp Sun Nov 19 23:06:28 2000
Date: Mon, 20 Nov 2000 09:06:09 +0200 (WET)
From: Evren Yurtesen
To: Mike Tancsa
Cc: Tom Samplonius, Evren Yurtesen, freebsd-isp@FreeBSD.ORG
Subject: Re: any VPN daemon?
In-Reply-To: <4.2.2.20001119221736.0173de98@marble.sentex.net>

So what about the authentication?

Evren

On Sun, 19 Nov 2000, Mike Tancsa wrote:

> At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
> > Well, building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
> > well documented. For instance, there is nothing on how IPSec and ipfw
> > interact. Which subsystem gets the packet first? ipfw or IPSec?
> > Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
> > do.
>
> I believe the person said he was using a simple LAN to LAN. I have had good
> results setting up a few tunnels in the past month or so. What specifically
> were you trying to find with respect to ipfw?
>
> ipfw add 20 deny log 50 from any to any
>
> stops all ipsec data in the tunnel I have set up between the office and
> home on my DSL connection.
>
> There is not much you need to do to set up the tunnel using dynamic key
> exchange.
>
> Here is a quick setup example. For DSL to work, or anywhere there is a lot
> of latency (relative to ethernet), you need to make one small change to
> racoon.conf.
>
> Here is a quick sample config for two machines:
>
> PPPoE machine's _public_ address on tun0 : 169.1.134.1
> PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1
>
> Office Server's _public_ address on fxp0 : 172.168.93.4
> Office Server's _private_ address aliased on lo0 : 10.1.1.1
>
> *Note: if your machine has 2 interfaces, you can of course use the RFC1918
> space on it instead.
> This example assumes you just have the one NIC to play with.
>
> #!/bin/sh
> # PPPoE config
> ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
> gifconfig gif0 169.1.134.1 172.168.93.4
> ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
> setkey -FP
> setkey -F
> setkey -c <<EOF
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
>        esp/tunnel/169.1.134.1-172.168.93.4/require;
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
>        esp/tunnel/172.168.93.4-169.1.134.1/require;
> EOF
>
> #!/bin/sh
> # server at office config
> ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
> gifconfig gif0 172.168.93.4 169.1.134.1
> ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
> setkey -FP
> setkey -F
> setkey -c <<EOF
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
>        esp/tunnel/172.168.93.4-169.1.134.1/require;
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
>        esp/tunnel/169.1.134.1-172.168.93.4/require;
> EOF
>
> The changes I made to the default racoon.conf were simply to increase the
> lifetime values on both ends of the connection.
>
> e.g.
>
> @@ -101,8 +101,8 @@
> sainfo anonymous
> {
> pfs_group 1;
> - lifetime time 30 sec;
> - lifetime byte 5000 KB;
> + lifetime time 3600 sec;
> + lifetime byte 25000 KB;
> encryption_algorithm 3des ;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate ;
>
> ---Mike
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Network Administration, mike@sentex.net
> Sentex Communications www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
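Review bot: the `+ lifetime byte 25000 KB;` line is still the effective limit for a busy LAN-to-LAN tunnel: whichever of `lifetime time 3600 sec;` and `lifetime byte 25000 KB;` runs out first triggers phase-2 rekeying, and 25000 KB is only a few minutes of transfer on a DSL link, so the new 3600 s value will rarely be reached. If the goal is fewer rekeys, raise the byte lifetime in step with the time lifetime and apply the same edit on both ends, as the text says. While in this stanza, the untouched `pfs_group 1;` context line selects the 768-bit MODP group, which is the weakest choice racoon offers; a larger group costs nothing in this config.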
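Mike's setup above hand-writes the SPD for each end separately, which is where a one-character slip leaves the tunnel working in one direction only. The script below is an added example (this editor's code, not from the original post and not from the FreeBSD project): it generates both ends' setkey(8) policies from a single parameter set, checks that the two sides mirror each other, and emits the ipfw allow rules the tunnel endpoints need. The addresses are the ones from the quoted mail; the function names gen_spd, mirror_ok and gen_ipfw, the ipfw rule numbers 100-103 and the choice of UDP 500 for IKE are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the setkey(8)
# SPD entries for BOTH ends of a gif/ESP tunnel from one parameter set and
# check that the two sides mirror each other. Addresses are the ones from
# the quoted mail; gen_spd/mirror_ok/gen_ipfw are this script's own names.

# gen_spd LOCAL_PUB REMOTE_PUB LOCAL_NET REMOTE_NET
# Prints the two spdadd lines one end needs: traffic from LOCAL_NET to
# REMOTE_NET must leave inside an ESP tunnel LOCAL_PUB->REMOTE_PUB, and
# traffic from REMOTE_NET is accepted only if it arrived inside the tunnel
# REMOTE_PUB->LOCAL_PUB ("require": clear-text packets are dropped).
gen_spd() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$4" "$3" "$2" "$1"
}

# mirror_ok SIDE_A_SPD SIDE_B_SPD
# A's "out" policy must equal B's "in" policy with only the direction
# changed, and vice versa (same networks, same tunnel endpoints). A mismatch
# is the usual reason one direction works while the other is silently
# dropped by the "require" policy.
mirror_ok() {
    a_out=$(printf '%s\n' "$1" | grep -- '-P out')
    a_in=$(printf '%s\n' "$1" | grep -- '-P in')
    b_out=$(printf '%s\n' "$2" | grep -- '-P out')
    b_in=$(printf '%s\n' "$2" | grep -- '-P in')
    [ "$(printf '%s' "$a_out" | sed 's/ -P out / -P in /')" = "$b_in" ] &&
    [ "$(printf '%s' "$b_out" | sed 's/ -P out / -P in /')" = "$a_in" ]
}

# gen_ipfw LOCAL_PUB REMOTE_PUB
# ipfw does filter the ESP packets (the quoted "deny log 50" rule stops the
# tunnel), so the endpoints need explicit allows for ESP (IP protocol 50)
# and for IKE (racoon, UDP 500) ahead of any deny rule. Rule numbers
# 100-103 are this example's choice (assumption).
gen_ipfw() {
    printf 'ipfw add 100 allow esp from %s to %s\n' "$1" "$2"
    printf 'ipfw add 101 allow esp from %s to %s\n' "$2" "$1"
    printf 'ipfw add 102 allow udp from %s 500 to %s 500\n' "$1" "$2"
    printf 'ipfw add 103 allow udp from %s 500 to %s 500\n' "$2" "$1"
}

# Demonstration with the mail's addresses: PPPoE side and office side.
PPPOE_SPD=$(gen_spd 169.1.134.1 172.168.93.4 10.1.2.0/24 10.1.1.0/24)
OFFICE_SPD=$(gen_spd 172.168.93.4 169.1.134.1 10.1.1.0/24 10.1.2.0/24)

echo "# PPPoE side (feed to: setkey -c)"
echo "$PPPOE_SPD"
echo "# office side (feed to: setkey -c)"
echo "$OFFICE_SPD"
echo "# ipfw rules for the office side"
gen_ipfw 172.168.93.4 169.1.134.1

if mirror_ok "$PPPOE_SPD" "$OFFICE_SPD"; then
    echo "# policies mirror each other"
else
    echo "# POLICY MISMATCH between the two ends" >&2
fi
```

Feed each side's gen_spd output to `setkey -c` after the `setkey -FP` / `setkey -F` flush, exactly as the quoted scripts do; the racoon.conf lifetime change is a separate, per-host edit and is not covered by this script.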