From: MrWebby <mrwebby@bigfoot.com>
Date: Fri, 11 Oct 2002 15:41:38 -0400
To: freebsd-questions@freebsd.org
Subject: IPsec Tunneling (VPN) from WIN2K (client) to FreeBSD (Server)
Message-ID: <3DA72972.7030706@bigfoot.com>

Hello all,

I hope you can understand how desperate I am to figure out what to do. I need to enable tunnels from my laptop running Windows 2000 Pro to my FreeBSD 4.6. I have a Cable Modem link to the Internet and for my firewall and NAT router I use a D-Link 707 Residential Router capable of allowing VPN using IPsec 'only'.

            VPN Server                 Gateway
           -------------             -----------------
      ----| 192.168.0.3 |-----------| 192.168.0.1     |----------------------- Internet
     |    | FreeBSD 4.6 |           | xxx.xxx.xxx.xxx |
     |     -------------             -----------------   |
     |    -IPsec Enabled             IPsec:              |
     |    -Running Racoon            -ESP mode           |
     |    -Setkey                    -In Tunnel Mode (DUH!)
     |    -OpenSSL Certificates      -DES encryption     |
     |    -psk.txt                   -ESP mode with no encapsulation
     |    -VPN Server: PoPToP        -no Integrity       |
     |                               -Pre-Shared keys    |
     |                                                   |
     |      Client                                       |
     |     ---------------                               |
      ----| 192.168.0.226 |------------------------------
           ---------------
          Windows 2000 Pro
          -IPsec enabled
          -Certificate Install

As this diagram explains I'm running FreeBSD 4.6 with PoPToP, Racoon for sharing keys and IPsec enabled in the Kernel. The gateway/NAT router allows IPsec VPN with DES encryption in ESP mode with no encapsulation, no Integrity, in Tunnel mode and using a pre-shared key. I don't know what "no Integrity" means nor why ESP cannot "encapsulate".

Please, help me in any way you can. Point me to any webpages you think will help me.

THIS IS WHAT I HAVE DONE SO FAR:

- PoPToP works. In its bare bones without IPsec policies and racoon's daemon turned off I can connect 'directly' to the server from within the LAN.
- Racoon has been installed.
- I have searched the Internet and followed various HOWTOs but none of them are based on the scheme I'm using. Usually they involve two FreeBSD machines, a Windows 2000 Server, etc.
- I have read the FreeBSD Handbook section on IPsec, setkey man pages and racoon man pages.
- Tried several times to set the security policies in "both" machines and connect but the results are worse every time.
- A set of certificates have been made and installed. I followed a guide that made me create OpenSSL certificates and installed them, but I can't quite figure out when they come into play.

My major problem has been setting up the Security Policies in both Machines. I think that's the step that's causing me all this trouble.

The most confusing thing to me is why there is no way of editing the security policies in the Gateway.

Please, excuse my ignorance and I appreciate all the help I can receive.

MrWebby
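The FreeBSD side of what the post calls the "security policies", as an added example that is not part of the original message and not taken from the FreeBSD Handbook, setkey or racoon documentation: a small sh script that generates the setkey(8) policy file (the SPD entries for an ESP tunnel between the two addresses in the diagram, 192.168.0.3 and 192.168.0.226), a racoon.conf for pre-shared-key IKE, and a check that psk.txt has the restrictive mode racoon insists on before it will read the file. In IPsec terms, the router's "no Integrity" means ESP without an authentication (HMAC) transform; the policy below keeps HMAC so the tunnel is integrity-protected. The function names, the algorithm order (3DES/SHA1 offered first, the router's DES as fallback), the 1-hour lifetime and the psk.txt path (/usr/local/etc/racoon/psk.txt, the ports default) are assumptions; the Windows 2000 policy is built in the IP Security Policies snap-in with matching proposals and is not shown here.

```shell
#!/bin/sh
# Added example: generate the FreeBSD-side IPsec policy and IKE configuration
# for the setup in the post. Addresses come from the post's diagram; file
# paths, algorithm order and lifetimes are assumptions.

# Emit setkey(8) SPD entries for an ESP tunnel between the FreeBSD VPN
# server ($1) and the Windows client ($2). Only policies are written:
# with racoon running, the SAs (keys) are negotiated by IKE, so no
# manual 'add' lines with keys are needed. Load with: setkey -f FILE
gen_ipsec_conf() {
    server="$1"; client="$2"
    cat <<EOF
flush;
spdflush;
spdadd ${server}/32 ${client}/32 any -P out ipsec esp/tunnel/${server}-${client}/require;
spdadd ${client}/32 ${server}/32 any -P in ipsec esp/tunnel/${client}-${server}/require;
EOF
}

# Emit a racoon.conf for pre-shared-key IKE, listening on the server
# address ($1) and reading keys from psk.txt ($2). Two phase-1 proposals
# are offered so the Windows client can pick 3DES or the router's DES.
# pfs_group is left unset because Windows 2000 does not negotiate PFS
# unless it is switched on in its policy. racoon's keyword for ESP with
# no authentication (the router's "no Integrity") would be non_auth;
# it is deliberately not used here.
gen_racoon_conf() {
    server="$1"; pskfile="$2"
    cat <<EOF
path pre_shared_key "${pskfile}";
log notify;

listen {
    isakmp ${server} [500];
}

remote anonymous {
    exchange_mode main;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}

sainfo anonymous {
    lifetime time 1 hour;
    encryption_algorithm 3des, des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
EOF
}

# psk.txt holds "<peer address or identifier> <secret>" per line and
# racoon refuses to start if it is group- or world-readable. Returns 0
# when the file is owner-only (mode 600 style), 1 otherwise; works on
# both BSD and GNU ls output.
check_psk_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

Typical use: `gen_ipsec_conf 192.168.0.3 192.168.0.226 > /etc/ipsec.conf`, then `setkey -f /etc/ipsec.conf`; `gen_racoon_conf 192.168.0.3 /usr/local/etc/racoon/psk.txt > /usr/local/etc/racoon/racoon.conf`; write `192.168.0.226 <secret>` into psk.txt, `chmod 600` it and confirm with `check_psk_perms`. `setkey -DP` shows the loaded policies and `setkey -D` shows the SAs racoon negotiated, which is the quickest way to tell whether IKE completed.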