From: Michael Vince <mv@thebeastie.org>
Date: Fri, 23 Jun 2006 13:17:36 +1000
To: David DeSimone
Cc: freebsd-net@freebsd.org, B.Candler@pobox.com
Subject: Re: VPN with FAST_IPSEC and ipsec tools
Message-ID: <449B5D50.8000700@thebeastie.org>
In-Reply-To: <20060616154306.GA18578@verio.net>
List-Id: Networking and TCP/IP with FreeBSD
David DeSimone wrote:
> Brian Candler wrote:
>
>> Ah, I guess this means you're following the instructions in the
>> FreeBSD handbook, which last time I looked gave a most bizarre and
>> unnecessary way of setting up IPSEC (GIF tunneling running on top of
>> IPSEC *tunnel* mode). I raised it on this list before.
>
> I ran into the same thing when analyzing the handbook's examples, and
> quickly abandoned the handbook when writing my own configs.
>
>> Most people are better off just setting up IPSEC tunnel mode. A few
>> use GIF running on top of IPSEC _transport_ mode (e.g. those running
>> routing protocols like OSPF over tunnels)
>
> The main reason to use IPSEC tunnel mode and avoid GIF is that such a
> config is interoperable with other IPSEC implementations (Cisco,
> Checkpoint, etc), and thus is much more useful in the real world.
>
> --
> David DeSimone == Network Admin == fox@verio.net

OK, that said, how do you create a network-to-network tunnel-based VPN without using the gif or gre devices?

I've been trying to link up 2 networks between two VPN gateways and I have kind of given up; all the examples out there use a gif tunnel or a gre tunnel. I simply haven't been able to work out the routes or how to make ipsec-tools trigger based on seeing interesting traffic; it's using a preshared key configuration.

I have been using the typical ipsec.conf settings that most examples give for tunnel configurations, but still no luck.

At first I thought it was a NAT-T problem as the reason the IKE wasn't kicking in, but after testing with pure internet IPs and no NAT I realized it wasn't that.

If I could just have an example to look at I think it could really help.

Thanks
Mike
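A network-to-network tunnel-mode setup of the kind asked for above, added here as an illustration and not part of the original thread or of the ipsec-tools project. It assumes two gateways with constructed documentation addresses (gateway A at 192.0.2.1 fronting 10.1.0.0/24, gateway B at 198.51.100.1 fronting 10.2.0.0/24); gateway B's files are the mirror image with source and destination swapped.

```conf
# --- /etc/ipsec.conf on gateway A (public 192.0.2.1, LAN 10.1.0.0/24) ---
# Load with: setkey -f /etc/ipsec.conf
# Addresses are constructed examples. No gif/gre interface is involved:
# the SPD entries below are what makes the kernel encapsulate traffic.
flush;
spdflush;

# Outbound LAN-to-LAN traffic must go through an ESP tunnel between the
# two gateways. "require" means: if no SA exists yet, the kernel drops the
# packet and sends an SADB_ACQUIRE to racoon, which then starts IKE.
# That is the "interesting traffic" trigger; no extra routes are needed
# beyond the gateway's ordinary default route to the Internet.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;

# Inbound: only accept LAN-B-to-LAN-A packets that arrived inside the
# tunnel, so plaintext packets spoofing 10.2.0.0/24 are dropped by policy.
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# --- /usr/local/etc/racoon/racoon.conf on gateway A ---
# psk.txt holds one line "198.51.100.1 <secret>" and must be mode 0600.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1 (IKE SA) with the peer gateway; main mode keeps the identity
# payloads encrypted, which is why psk.txt is keyed by the peer's IP.
remote 198.51.100.1 {
    exchange_mode main;
    proposal_check obey;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA): the selectors must match the SPD entries above,
# otherwise racoon cannot answer the kernel's ACQUIRE for them.
sainfo address 10.1.0.0/24 any address 10.2.0.0/24 any {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

The kernel needs options FAST_IPSEC and device crypto; ipsec_enable="YES" and ipsec_file="/etc/ipsec.conf" in rc.conf load the policy at boot, and the racoon port's rc script starts the daemon. The first packets from LAN A to LAN B are dropped while IKE runs, so a ping that loses its first reply or two before succeeding is the expected sign that the trigger is working.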