Date: Mon, 23 Jun 2003 15:55:10 +0300
From: "Oleg Semyonov" <os@front.ru>
To: <freebsd-questions@freebsd.org>
Subject: IPSec+VPN+ipfw questions
Message-ID: <002201c33986$ae283f60$190410ac@tavrida.local>
Hi!

I wish to use IPSec to provide secure channels between some LAN machines (Windows 2000) and a FreeBSD gateway which acts as a NAT router to the Internet upstream provider. Each channel works in IPSec transport mode (no tunnel, host-to-host only). FreeBSD runs racoon to provide IKE services for IPSec. FreeBSD 4.8, ipfw2.

The questions are:

1) Is it possible to use ipfw rules to count different kinds of traffic from legitimate computers, divert it to natd and block all other packets across the LAN? There are ESP protocol packets which I can filter, but it seems they are not processed by ipfw rules after decryption. So, no counters, no divert, etc.

2) What is the best solution for an IKE daemon? I've tried racoon (it works, but there are some strange situations with Windows 2000 machines which are mentioned somewhere), and isakmpd (it has a not very obvious syntax for its policy and conf files - how to create a minimal working configuration for a number of peer machines which use different preshared keys for IKE exchange?).

3) In fact, it is not required for me to use VPN solutions. All I need is to authenticate each legitimate machine (or user - that is better). IP+MAC addresses may be forged. I can use a socks proxy, but there is no standard secured authentication which is supported by a number of different Internet tools. And I don't wish to have a complicated setup of each client machine. So, VPN seems to be the best solution as its policies for W2K clients may be specified via Active Directory.

Thanks!
OS
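An added example (not from the original mail) of the ipfw2 rule set that question 1 sketches, in FreeBSD 4.x syntax: one allow rule per legitimate host and direction for ESP (every ipfw rule carries its own packet and byte counters, readable with `ipfw -a list`, so these double as the per-host counters), a natd divert on the upstream interface, and a final deny on the LAN side. Interface names, addresses and the host list are assumed values; the rules are printed rather than loaded so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original mail. Composes an ipfw2 rule set for
# the described setup: LAN hosts talk IPSec (transport mode) to the gateway,
# which NATs to the upstream link. ipfw only ever sees the ESP wrapper on the
# LAN side (the decrypted payload is not passed back through the rules on 4.8,
# as the mail observes), so per-host accounting is done on ESP itself.
LAN_IF="fxp0"                          # assumed inside (LAN) interface
EXT_IF="fxp1"                          # assumed upstream interface
GW="10.4.16.1"                         # assumed gateway LAN address
ALLOWED_HOSTS="10.4.16.25 10.4.16.26"  # assumed transport-mode peers

# Print the rule set instead of loading it, so it can be reviewed first.
ipfw_rules() {
    n=1000
    # IKE (UDP/500) in both directions, or racoon never negotiates an SA.
    echo "ipfw add $n allow udp from any to $GW 500 in via $LAN_IF"
    n=$((n + 10))
    echo "ipfw add $n allow udp from $GW 500 to any out via $LAN_IF"
    n=$((n + 10))
    for h in $ALLOWED_HOSTS; do
        # One rule per host and direction: its counters give per-host totals
        # of protected traffic, and ESP from any other LAN address falls
        # through to the final deny.
        echo "ipfw add $n allow esp from $h to $GW in via $LAN_IF"
        n=$((n + 10))
        echo "ipfw add $n allow esp from $GW to $h out via $LAN_IF"
        n=$((n + 10))
    done
    # Traffic crossing the upstream interface goes through natd
    # (natd listens on divert port 8668 by default, alias "natd").
    echo "ipfw add $n divert natd ip from any to any via $EXT_IF"
    n=$((n + 10))
    # Everything else on the LAN side, including spoofed IP+MAC pairs that
    # hold no SA, is dropped and logged (logging needs net.inet.ip.fw.verbose=1).
    echo "ipfw add $n deny log ip from any to any via $LAN_IF"
}

ipfw_rules
```

Pipe the output to `sh` on the gateway once reviewed; `ipfw -a list` then shows the per-host packet and byte totals on the ESP rules.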