From owner-freebsd-net Fri Sep 21 13:11:44 2001
Date: Fri, 21 Sep 2001 13:58:17 -0700 (PDT)
From: Julian Elischer
To: Brian Somers
Cc: net@FreeBSD.ORG
Subject: Re: IPSEC question..
In-Reply-To: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>

On Fri, 21 Sep 2001, Brian Somers wrote:

> > The sample docs and the daemon-news
> > article get me part way started to making an encrypted
> > tunnel using IPsec4 between two networks.
> > However they are really quite confusing...
> >
> > Is there a SIMPLE description of what all the parts do?
> >
> > I have a gif tunnel going, but it's not clear to me how I make this tunnel
> > start encrypting the damned data.
> >
> > I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing
> > plain encapsulated packets...no encryption..
>
> Once you've got the gif tunnel working, say with top addresses
> 10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8,
> create an /etc/ipsec.conf that says:

which are the 'top' addresses? outer or inner?
i.e.

(A)gif0:-------(B)ed0-------------ed0(C)--------gif0(D)

>
> spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
>

ip4? I need to run this on 4.1.1 machines.

> This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> IP-in-IP traffic, so comms going from an internal LAN to an external
> gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> NAT'd). Only the gif-encapsulated traffic is encrypted.
>
> Then add this to /etc/rc.conf:
>
> ipsec_enable=YES
> ipsec_file=/etc/ipsec.conf
>
> Once this is done, arrange to have racoon running on each end and
> everything should work. Using a shared secret in /usr/local/etc/
> racoon/psk.txt is the easiest:
>
> 1.2.3.4 akeythatnobodyisgoingtocrack
>
> and running racoon -F helps initially.
>
> > --
> > +------------------------------------+ ______ _ __
> > | __--_|\ Julian Elischer | \ U \/ / hard at work in
> > | / \ julian@elischer.org +------>x USA \ a very strange
> > | ( OZ ) \___ ___ | country !
> > +- X_.---._/ presently in San Francisco \_/ \\
> > v
>
> Good luck !
> --
> Brian
> http://www.freebsd-services.com/
> Don't _EVER_ lose your sense of humour !
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
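As an added example, not from the thread, a POSIX sh helper that writes the two spdadd lines from Brian's reply for one end of the tunnel, with the in/out direction set for that host (hypothetical helper; the only inputs are this host's outer gateway address and the peer's, i.e. 1.2.3.4 and 5.6.7.8 from the thread):

```shell
#!/bin/sh
# Added example (not from the thread): emit the two setkey SPD lines from
# Brian's reply for ONE end of the gif tunnel. HERE is this host's outer
# tunnel endpoint, PEER is the other gateway's. The direction matters:
# on each host the 'in' policy names the peer as source and the 'out'
# policy names this host as source, so the file is mirrored on the other
# end rather than copied unchanged.

valid_ipv4() {
    # Accept exactly four decimal octets in the range 0-255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# gen_ipsec_conf HERE PEER -> prints /etc/ipsec.conf content for this host
gen_ipsec_conf() {
    here=$1
    peer=$2
    valid_ipv4 "$here" && valid_ipv4 "$peer" || return 1
    [ "$here" != "$peer" ] || return 1
    # "ip4" restricts the policy to IP-in-IP (the gif encapsulation), so
    # plain traffic to the gateway address itself is left alone.
    printf 'spdadd %s/32 %s/32 ip4 -P in ipsec esp/transport//require;\n' \
        "$peer" "$here"
    printf 'spdadd %s/32 %s/32 ip4 -P out ipsec esp/transport//require;\n' \
        "$here" "$peer"
}

# Usage: gen_ipsec_conf 1.2.3.4 5.6.7.8 > /etc/ipsec.conf   (on host 1.2.3.4)
#        gen_ipsec_conf 5.6.7.8 1.2.3.4 > /etc/ipsec.conf   (on host 5.6.7.8)
```

After loading the file with setkey on both ends and starting racoon, the check Julian asks for is that tcpdump on the outer interface shows ESP (IP protocol 50) between the gateways instead of plain IP-in-IP (protocol 4).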