From: "Sam Wun"
To: freebsd-net@freebsd.org
Date: Tue, 12 Dec 2006 10:27:55 +1100
Subject: Adding a new VPN connection
List-Id: Networking and TCP/IP with FreeBSD

Hi,

In a FreeBSD router (5.4-stable), there are currently 50 IPSEC VPN connections running with 50 remote sites, now I need to add one more (new) VPN to it without resetting the existing VPN connections.
Therefore I have created a script (new-vpn.sh):

#!/bin/sh
# Tunnel to kgportsmith
/sbin/ifconfig gif108 destroy
/sbin/ifconfig gif108 create
/sbin/ifconfig gif108 tunnel 10.152.34.74 10.154.3.74
/sbin/ifconfig gif108 inet 10.1.1.1 10.1.1.33 netmask 255.255.255.0
/sbin/route delete 10.1.33.1/24
/sbin/route delete 172.17.33.0/24
/sbin/route add 10.1.33.1/24 10.1.1.33
/sbin/route add 172.17.33.0/24 10.1.1.33

setkey -c << EOF
# Setup policies with kgportsmith
spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
spdadd 10.154.3.74 10.152.34.74 any -P in ipsec esp/tunnel/10.154.3.74-10.152.34.74/require ;
add 10.152.34.74 10.154.3.74 esp 2797 -m tunnel -E blowfish-cbc 0x11205611340CCEA4C816670A4A8DD2A67403F46A08169850DC0B8E2989C3C2094CEF174297ECCF39644B6C4E28D5A3BD4C0861DD7094E398 -A hmac-sha1 0x2C49F538BAF74917311382F7EE42CC43FBDBDA4B ;
add 10.154.3.74 10.152.34.74 esp 4074 -m tunnel -E blowfish-cbc 0x82A7C78A8C1F8B0DF8EE75F4BEEA5A26D987C6237D43ED98EF3E2A18D2B7F2C94674E1E4B1FAFE645CCB2C18603646E20EB925B06AEC4F6B -A hmac-sha1 0xCE1D85113D11D43C061E499CFFECCD81D50A3530 ;
EOF
### END OF SCRIPT ###

Will this script (especially the command setkey -c) erase (reset) the existing VPN connections and security keys? If it does, I will lose the connection with all other sites.

Thanks
S
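Added example, not part of the post above and not FreeBSD's own tooling: a pre-flight check for a setkey(8) batch before it is handed to `setkey -c`. It relies on setkey's grammar, in which only `flush;` and `spdflush;` empty the kernel SAD and SPD while `add` and `spdadd` only append entries, and on the `setkey -D` dump layout (`spi=NNNN(0x...)`). The function names, the addresses, SPIs, placeholder keys and dump lines are constructed for the example; setting `SETKEY=cat` turns the apply step into a dry run so the script can be exercised without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original post, not FreeBSD code): refuse to
# load a setkey batch that could wipe the existing tunnels, and refuse one
# that reuses an SPI already in the SAD. Only flush/spdflush clear the
# databases; add/spdadd append. All sample values below are constructed.

# 0 if the batch contains no flush/spdflush statement, 1 otherwise.
setkey_batch_is_additive() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*(flush|spdflush)[[:space:]]*;' && return 1
    return 0
}

# 0 if no "add SRC DST esp SPI ..." line in the batch reuses an SPI present
# in a `setkey -D` dump (2nd argument), whose SA lines read
# "esp mode=tunnel spi=2797(0x00000aed) ..."; 1 on any collision.
setkey_batch_spis_are_new() {
    for spi in $(sed 's/#.*//' "$1" | awk '$1=="add" && $4=="esp" {print $5}'); do
        grep -q "spi=${spi}(" "$2" && return 1
    done
    return 0
}

# Number of SAs in a `setkey -D` dump; compare before and after applying.
sad_entry_count() {
    grep -c 'spi=' "$1"
}

# Apply only if both checks pass. SETKEY overrides the loader command
# (default "setkey -c"); SETKEY=cat just echoes the batch for a dry run.
setkey_apply_additive() {
    batch=$1; sad_dump=$2
    setkey_batch_is_additive "$batch" || {
        echo "refusing: batch contains flush/spdflush" >&2; return 2; }
    setkey_batch_spis_are_new "$batch" "$sad_dump" || {
        echo "refusing: batch reuses an SPI already in the SAD" >&2; return 3; }
    ${SETKEY:-setkey -c} < "$batch"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed `setkey -D` output for one existing tunnel (two SAs).
cat > "$WORK/sad-before.txt" <<'EOF'
10.152.34.74 10.154.3.1
    esp mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
    E: blowfish-cbc  0123456789abcdef
    A: hmac-sha1  0123456789abcdef
10.154.3.1 10.152.34.74
    esp mode=tunnel spi=1002(0x000003ea) reqid=0(0x00000000)
    E: blowfish-cbc  0123456789abcdef
    A: hmac-sha1  0123456789abcdef
EOF

# Constructed additive batch for a new site: fresh SPIs, placeholder keys.
cat > "$WORK/new-site.conf" <<'EOF'
# Setup policies for the new site
spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
spdadd 10.154.3.74 10.152.34.74 any -P in ipsec esp/tunnel/10.154.3.74-10.152.34.74/require ;
add 10.152.34.74 10.154.3.74 esp 2797 -m tunnel -E blowfish-cbc 0xPLACEHOLDER -A hmac-sha1 0xPLACEHOLDER ;
add 10.154.3.74 10.152.34.74 esp 4074 -m tunnel -E blowfish-cbc 0xPLACEHOLDER -A hmac-sha1 0xPLACEHOLDER ;
EOF

# Same batch opened with the two statements that would drop every tunnel.
{ printf 'flush;\nspdflush;\n'; cat "$WORK/new-site.conf"; } > "$WORK/flushing.conf"

# Same batch, but reusing SPI 1001 that the existing tunnel already holds.
sed 's/esp 2797 /esp 1001 /' "$WORK/new-site.conf" > "$WORK/colliding.conf"

SETKEY=cat   # dry run: print the batch instead of loading it into the kernel
echo "SAs before: $(sad_entry_count "$WORK/sad-before.txt")"
for f in new-site flushing colliding; do
    if setkey_apply_additive "$WORK/$f.conf" "$WORK/sad-before.txt" >/dev/null; then
        echo "$f.conf: additive, safe to load"
    else
        echo "$f.conf: rejected (rc=$?)"
    fi
done
```

On the live router the same pattern is `setkey -D > before.txt`, run the checks against `before.txt`, load with the real `setkey -c`, then compare `sad_entry_count` on a fresh `setkey -D` dump: an additive batch raises the count by exactly the number of `add` lines and leaves the other sites' SAs in place.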