From owner-freebsd-questions Fri Oct 11 15:15:33 2002
Date: Fri, 11 Oct 2002 18:16:33 -0400 (EDT)
From: Dru
To: MrWebby
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPsec Tunneling (VPN) from WIN2K (client) to FreeBSD (Server)
In-Reply-To: <3DA72972.7030706@bigfoot.com>
Message-ID: <20021011180017.J1552-100000@dhcp-17-14.kico2.on.cogeco.ca>

On Fri, 11 Oct 2002, MrWebby wrote:

> Subject: IPsec Tunneling (VPN) from WIN2K (client) to FreeBSD (Server)
>
> Hello all,
>
> I hope you can understand how desperate I am to figure out what to do.
>
> I need to enable tunnels from my laptop running Windows 2000 Pro to
> my FreeBSD 4.6. I have a Cable Modem link to the Internet and for my
> firewall and NAT router I use a D-Link 707 Residential Router capable
> of allowing VPN using IPsec 'only'.
>
>                                                       ----------
> VPN Server             Gateway                        |        |
> -----------            -----------                    |        |
> 192.168.0.3 ---------- 192.168.0.1 ------------------ Internet |
> -----------            -----------                    |        |
> FreeBSD 4.6            xxx.xxx.xxx.xxx                |        |
>                                                       ----------
> -IPsec Enabled         IPsec:                             |
> -Running Racoon        -ESP mode                          |
> -Setkey                -In Tunnel Mode (DUH!)             |
> -OpenSSL Certificates  -DES encryption                    |
> -psk.txt               -ESP mode with no encapsulation    |
> -VPN Server: PoPToP    -no Integrity                      |
>                        -Pre-Shared keys                   |
>                                                           |
>                                                           |
> Client                                                    |
> -------------                                             |
> 192.168.0.226 --------------------------------------------|
> -------------
> Windows 2000 Pro
>
> -IPsec enabled
> -Certificate Install
>
> As this diagram explains, I'm running FreeBSD 4.6 with PoPToP, Racoon
> for sharing keys and IPsec enabled in the Kernel. The gateway/NAT
> router allows IPsec VPN with DES encryption in ESP mode with no
> encapsulation, no Integrity, in Tunnel mode and using a pre-shared
> key.
>
> I don't know what "no Integrity" means nor why ESP
> cannot "encapsulate".

To add to the information you already received, and address your questions:

- "no integrity" means it won't use AH (authentication header). As someone
  already pointed out, AH will _not_ work with NAT. As for whether or not ESP
  will work with NAT, the short answer is "it depends" (upon the capabilities
  of the device, the style of NAT it uses, and whether the routing occurs
  before/after NAT). Usually that short answer turns out to be "no".

- "no encapsulation" means it will only understand "transport mode". In
  "tunnel mode", ESP will add a new encapsulation (header) using the IPs of
  the two gateways and encrypt the entire original IP packet (original
  headers and data). In "transport mode", only the data is encrypted and the
  original headers are kept in clear text so they can be used to route the
  packet.

Now, IIRC, Windows 2000 only supports transport mode?? That's from memory, so
do a google search to see if there is any truth to that. If that is the case,
your current setup will not work, as transport mode requires that the VPN
setup occurs directly between the 2 devices (in your case FreeBSD and 2000).

If 2000 does support tunnel mode, the VPN tunnel will be between the router
and 2000 and it is the responsibility of the router to route the packets to
the FreeBSD box and encrypt/decrypt on behalf of that FreeBSD box. That may
or may not work depending upon how its NAT interacts with IPsec.

HTH,
Dru
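The two points Dru makes above (AH cannot survive NAT because its integrity check covers the IP addresses, and tunnel mode differs from transport mode in what gets encrypted and which addresses ride in the clear) can be seen on the wire with a short packet-builder. The script below is an added illustration written for this archive page; it is not code from the thread, from Racoon or from FreeBSD. It builds minimal IPv4/AH/ESP packets by hand, uses HMAC-SHA1-96 for the AH ICV, and stands in for the router's DES with a labelled toy XOR keystream (the point is the packet layout, not the cipher). The addresses 203.0.113.1 (for the router's xxx.xxx.xxx.xxx public side) and 198.51.100.7 (for the client) are assumed, as is the key.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte header, no options


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; header checksum left zero for clarity."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """Fields of a packet built by ipv4_header()."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[20:total]}


def nat_rewrite_src(pkt, new_src):
    """What the NAT router does on the way out: overwrite the outer source address."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def toy_xor_cipher(key, data):
    """Stand-in for the router's DES: XOR with a SHA-256 keystream. NOT a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def esp_wrap(spi, seq, key, next_header, inner):
    """ESP with no integrity: SPI and sequence in clear, then encrypted payload
    plus trailer (pad length, next header). No ICV: that is "no Integrity"."""
    trailer = bytes([0, next_header])
    return struct.pack("!II", spi, seq) + toy_xor_cipher(key, inner + trailer)


def esp_unwrap(key, esp):
    """Return (next_header, inner bytes) from a payload made by esp_wrap()."""
    plain = toy_xor_cipher(key, esp[8:])
    return plain[-1], plain[:-2]


def esp_transport(src, dst, key, segment):
    """Transport mode: original IP header stays in clear; only L4 data is inside ESP."""
    esp = esp_wrap(0x1000, 1, key, IPPROTO_TCP, segment)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def esp_tunnel(gw_src, gw_dst, key, inner_pkt):
    """Tunnel mode: the whole original packet is encrypted behind a new gateway header."""
    esp = esp_wrap(0x2000, 1, key, IPPROTO_IPIP, inner_pkt)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def _ah_covered(pkt):
    """Bytes the AH ICV covers: IP header with mutable fields (TOS, flags/frag,
    TTL, checksum) zeroed, AH header with its ICV zeroed, then the payload.
    Source and destination addresses are NOT mutable, so they are covered."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0; hdr[6:8] = b"\0\0"; hdr[8] = 0; hdr[10:12] = b"\0\0"
    return bytes(hdr) + pkt[20:32] + bytes(12) + pkt[44:]


def ah_transport(src, dst, key, next_header, payload):
    """AH in transport mode with HMAC-SHA1-96 (24-byte AH: 12 fixed + 12 ICV)."""
    ip = ipv4_header(src, dst, IPPROTO_AH, 24 + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, 0x3000, 1)  # len = 6 words - 2
    pkt = ip + ah_fixed + bytes(12) + payload
    icv = hmac.new(key, _ah_covered(pkt), hashlib.sha1).digest()[:12]
    return pkt[:32] + icv + payload


def ah_verify(pkt, key):
    expected = hmac.new(key, _ah_covered(pkt), hashlib.sha1).digest()[:12]
    return hmac.compare_digest(pkt[32:44], expected)


def demo():
    key = b"pre-shared-key-from-psk.txt"  # constructed, not a real key
    fbsd, nat_pub, client = "192.168.0.3", "203.0.113.1", "198.51.100.7"  # assumed
    segment = b"TCP segment from FreeBSD"  # constructed sample payload
    r = {}

    # 1. AH verifies end to end, and breaks the moment NAT rewrites the source.
    ah = ah_transport(fbsd, client, key, IPPROTO_TCP, segment)
    r["ah_ok_before_nat"] = ah_verify(ah, key)
    r["ah_ok_after_nat"] = ah_verify(nat_rewrite_src(ah, nat_pub), key)

    # 2. ESP transport: the outer header is clear and unprotected, so the rewrite
    #    is not detected and the far end still decrypts the segment. (Whether a
    #    given NAT box forwards it is separate: ESP has no ports to translate.)
    tr = nat_rewrite_src(esp_transport(fbsd, client, key, segment), nat_pub)
    outer = parse_ipv4(tr)
    r["esp_transport_outer_src_after_nat"] = outer["src"]
    r["esp_transport_next_header"], r["esp_transport_inner"] = esp_unwrap(key, outer["payload"])

    # 3. ESP tunnel: the router speaks IPsec on behalf of 192.168.0.3; the inner
    #    packet, its private addresses included, comes out untouched at the far end.
    original = ipv4_header(fbsd, client, IPPROTO_TCP, len(segment)) + segment
    tun = esp_tunnel(nat_pub, client, key, original)
    r["esp_tunnel_next_header"], inner_pkt = esp_unwrap(key, parse_ipv4(tun)["payload"])
    r["esp_tunnel_inner_src"] = parse_ipv4(inner_pkt)["src"]
    r["esp_tunnel_inner_payload"] = parse_ipv4(inner_pkt)["payload"]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running it shows the AH check flipping from True to False after the single address rewrite, while both ESP packets still decrypt; the tunnel-mode case is the only one where the 192.168.0.3 address arrives at the far end at all, which is why tunnel mode is the router's job when it terminates IPsec for a host behind it.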