Date:      Mon, 18 Jun 2001 17:45:26 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        mi@aldan.algebra.com
Cc:        brian@Awfulhak.org, brian@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, brian@Awfulhak.org
Subject:   Re: cvs commit: src/usr.sbin/ppp ccp.c ccp.h command.c deflate.c fsm.c fsm.h ip.c mppe.c ppp.8 pred.c 
Message-ID:  <200106181645.f5IGjQh07318@hak.lan.Awfulhak.org>
In-Reply-To: Message from mi@aldan.algebra.com  of "Mon, 18 Jun 2001 12:23:18 EDT." <200106181623.f5IGNJ097372@misha.privatelabs.com> 

> On 18 Jun, Brian Somers wrote:
> >> On 18 Jun, Brian Somers wrote:
> >> > brian       2001/06/18 08:00:24 PDT
> >> > 
> >> >   Modified files:
> >> >     usr.sbin/ppp         ccp.c ccp.h command.c deflate.c fsm.c 
> >> >                          fsm.h ip.c mppe.c ppp.8 pred.c 
> >> >   Log:
> >> >   Add support for stateful MPPE (microsoft encryption) providing
> >> >   encryption compatibility with Windows 2000.  Stateful encryption
> >> >   uses less CPU but is bad on lossy transports.
>                                    ^^^^^^^^^^^^^^^^
> >> 
> >> So, I suppose, I'll now be able to avoid using SSH and use PPP
> >> with encryption over a device like host:port/tcp directly, without
> >> the
> >> 	set login "!ssh tunnel@host"
> >> 
> >> Great! Thanks,
> > 
> > Aye.
> > 
> > IMHO PPPoUDP with encryption is the best option for VPNs where one
> 
> But, does not UDP qualify as one of those "lossy transports"?

That depends on what the IP layer under it is sitting on top of :)

> > side has a dynamic IP.  For static gateway IPs with private (rfc1918) 
> > addresses, IPSEC and gif are better. With real IPs, IPSEC on its own 
> > is best.
> 
> I looked for a tutorial on IPSEC/GIF somewhere, but could not find it :(

I had that problem too.

The best way to get started is to get the gif stuff working first 
without encryption.  That can all be done via rc.conf and is 
reasonably straightforward.

When that works, create /etc/ipsec.conf:

spdadd r.r.r.r/32 l.l.l.l/32 ip4 -P in ipsec esp/tunnel/r.r.r.r-l.l.l.l/require;
spdadd l.l.l.l/32 r.r.r.r/32 ip4 -P out ipsec esp/tunnel/l.l.l.l-r.r.r.r/require;

replacing l.l.l.l with the local IP and r.r.r.r with the remote one 
and add this to rc.conf:

ipsec_enable=YES
ipsec_file=/etc/ipsec.conf

You also need to install the racoon port.  This is fairly 
straightforward too - for a shared secret setup between the two gateways, 
psk.txt contains the secret and racoon.conf is pretty much the same 
as the stock version.

> 	-mi

I really should write a vpn man page...

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
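The two spdadd lines above are easy to get subtly wrong (mismatched tunnel endpoints, an "in" and "out" pair that are not mirror images, or a policy level weaker than "require"). The following is an added example, not code from the thread or from FreeBSD: it fills the l.l.l.l / r.r.r.r placeholders with constructed gateway addresses and checks an ipsec.conf-style policy pair for those mistakes. The gateway addresses and the exact policy shape accepted by the parser are assumptions of this example.

```python
import ipaddress
import re

# Constructed placeholder gateway addresses (not from the original mail).
LOCAL_GW = "192.0.2.1"
REMOTE_GW = "198.51.100.1"

# Shape of the two spdadd lines in the mail: selector, upper-layer proto, direction,
# then an ipsec request "esp/tunnel/<src>-<dst>/<level>".
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<t_src>[^-\s]+)-(?P<t_dst>[^/\s]+)/(?P<level>\w+)\s*;$"
)

def build_policies(local, remote):
    """The two spdadd lines from the mail with l.l.l.l / r.r.r.r filled in."""
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    return [
        f"spdadd {r}/32 {l}/32 ip4 -P in ipsec esp/tunnel/{r}-{l}/require;",
        f"spdadd {l}/32 {r}/32 ip4 -P out ipsec esp/tunnel/{l}-{r}/require;",
    ]

def parse_spdadd(line):
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised spdadd line: {line!r}")
    return m.groupdict()

def check_policy_file(text):
    """Return a list of problems found in ipsec.conf-style policy text ([] if clean)."""
    problems = []
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    pols = [parse_spdadd(l) for l in lines]
    by_dir = {p["dir"]: p for p in pols}
    if len(pols) != 2 or set(by_dir) != {"in", "out"}:
        return ["expected exactly one 'in' and one 'out' policy"]
    i, o = by_dir["in"], by_dir["out"]
    for p in (i, o):
        # setkey levels: 'use' tolerates cleartext when no SA exists; the mail uses 'require'.
        if p["level"] != "require":
            problems.append(f"{p['dir']} policy level is {p['level']!r}, not 'require': "
                            "cleartext fallback possible")
        # tunnel endpoints must be the same hosts as the selector (as in the mail's lines)
        sel = (p["src"].split("/")[0], p["dst"].split("/")[0])
        if (p["t_src"], p["t_dst"]) != sel:
            problems.append(f"{p['dir']} policy tunnel endpoints do not match its selector")
    if (i["src"], i["dst"]) != (o["dst"], o["src"]):
        problems.append("in/out selectors are not mirror images of each other")
    return problems
```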