From: "Oleg Semyonov"
Delivered-To: freebsd-questions@freebsd.org
Date: Mon, 23 Jun 2003 15:55:10 +0300
Subject: IPSec+VPN+ipfw questions
Message-ID: <002201c33986$ae283f60$190410ac@tavrida.local>
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
List-Id: User questions

Hi!

I wish to use IPSec to provide secure channels between some LAN machines (Windows 2000) and a FreeBSD gateway which acts as a NAT router to the Internet upstream provider. Each channel works in IPSec transport mode (no tunnel, host-to-host only). FreeBSD runs racoon to provide IKE services for IPSec. FreeBSD 4.8, ipfw2.
The questions are:

1) Is it possible to use ipfw rules to count different kinds of traffic from legitimate computers, divert it to natd and block all other packets across the LAN? There are ESP protocol packets which I can filter, but it seems they are not processed after decryption by ipfw rules. So, no counters, no divert, etc.

2) What is the best solution for an IKE daemon? I've tried racoon (it works, but there are some strange situations with Windows 2000 machines which are mentioned somewhere) and isakmpd (its syntax for the policy and conf files is not very obvious: how to create a minimal working configuration for a number of peer machines which use different preshared keys for the IKE exchange?).

3) In fact, it is not required for me to use VPN solutions. All I need is to authenticate each legitimate machine (or user, which is better). IP+MAC addresses may be forged. I can use a socks proxy, but there is no standard secure authentication which is supported by a number of different internet tools. And I don't wish to have a complicated setup on each client machine. So, VPN seems to be the best solution as its policies for W2K clients may be specified via Active Directory.

Thanks!
OS
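The following is an added example and is not part of Oleg's message or of any reply on the list. It sketches one way to wire together the pieces the question names, in FreeBSD 4.x / KAME syntax: the setkey SPD entries that require ESP transport mode between the gateway and a LAN host, a racoon.conf for main-mode IKE with a per-peer pre-shared key looked up in psk.txt, and ipfw2 rules that count and admit the IKE and ESP traffic from each legitimate host before the usual divert to natd. The addresses (gateway 192.168.1.1 on the LAN interface fxp1, hosts 192.168.1.10 and .11, external interface fxp0), the rule numbers and the key strings are assumptions; 3DES/SHA1/DH group 2 is a proposal set Windows 2000 peers commonly accept. Because, as observed in the question, the decrypted payload is not passed back through ipfw on this FreeBSD version, the counters below are kept on the ESP envelope by source address rather than on decrypted TCP/UDP flows.

```conf
# --- /etc/ipsec.conf  (load with: setkey -f /etc/ipsec.conf) ------------------
# Transport mode, ESP required in both directions for gateway <-> host.
# racoon marks its own UDP/500 socket as policy-bypass, so IKE is not blocked
# by the "require" policy.  (Addresses are assumptions for this example.)
spdadd 192.168.1.1  192.168.1.10 any -P out ipsec esp/transport//require;
spdadd 192.168.1.10 192.168.1.1  any -P in  ipsec esp/transport//require;
spdadd 192.168.1.1  192.168.1.11 any -P out ipsec esp/transport//require;
spdadd 192.168.1.11 192.168.1.1  any -P in  ipsec esp/transport//require;

# --- /usr/local/etc/racoon/racoon.conf -----------------------------------------
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;

listen {
    isakmp 192.168.1.1 [500];
}

# One "remote anonymous" block serves every LAN peer; racoon selects the key
# for a peer from psk.txt by the peer's IP address, so each machine gets its own.
remote anonymous {
    exchange_mode main;
    my_identifier address;
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# --- /usr/local/etc/racoon/psk.txt  (mode 0600, owner root) ---------------------
# <peer address>  <pre-shared key>   -- one line per legitimate machine
# (example keys; replace with long random strings)
192.168.1.10   EXAMPLE-KEY-FOR-HOST-10
192.168.1.11   EXAMPLE-KEY-FOR-HOST-11

# --- ipfw2 rules (e.g. a custom /etc/rc.firewall) ------------------------------
# Per-host accounting on the ESP envelope, since the decrypted payload does not
# re-enter ipfw here.  Only IKE and ESP are accepted from the LAN side; the
# natd divert sees the outer flow on the external interface as usual.
ipfw add 100 count esp from 192.168.1.10 to 192.168.1.1 in via fxp1
ipfw add 101 count esp from 192.168.1.11 to 192.168.1.1 in via fxp1
ipfw add 200 allow udp from 192.168.1.0/24 to 192.168.1.1 500 in via fxp1
ipfw add 210 allow esp from 192.168.1.0/24 to 192.168.1.1 in via fxp1
ipfw add 300 divert natd ip from any to any via fxp0
ipfw add 400 allow ip from any to any via fxp0
ipfw add 500 deny log ip from 192.168.1.0/24 to any in via fxp1
```

To check the result on the gateway: `setkey -DP` lists the loaded policies and `setkey -D` the SAs racoon has negotiated (one pair per host that has completed IKE), and `ipfw -a list` shows the packet and byte counters on rules 100 and 101. A LAN host that has no entry in psk.txt fails phase 1 and its cleartext traffic is logged and dropped by rule 500.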