From owner-freebsd-isp Mon Nov 20 9:34:38 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from misery.sdf.com (misery.sdf.com [204.244.213.49]) by hub.freebsd.org (Postfix) with ESMTP id 5C41237B4CF for ; Mon, 20 Nov 2000 09:34:33 -0800 (PST)
Received: from tom (helo=localhost) by misery.sdf.com with local-esmtp (Exim 2.12 #1) id 13xuAK-0003pi-00; Mon, 20 Nov 2000 08:51:36 -0800
Date: Mon, 20 Nov 2000 08:51:34 -0800 (PST)
From: Tom Samplonius
To: Mike Tancsa
Cc: Evren Yurtesen, freebsd-isp@FreeBSD.ORG
Subject: Re: any VPN daemon?
In-Reply-To: <4.2.2.20001119221736.0173de98@marble.sentex.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 19 Nov 2000, Mike Tancsa wrote:

> At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
> > Well, building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
> > well documented. For instance, there is nothing on how IPSec and ipfw
> > interact. Which subsystem gets the packet first? ipfw or IPSec?
> > Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
> > do.
>
> I believe the person said he was using a simple LAN to LAN. I have had good
> results setting up a few tunnels in the past month or so. What specifically
> were you trying to find with respect to ipfw?

What evaluates a packet first? ipfw rules or setkey rules?

...

> #!/bin/sh
> # PPPoE config
> ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
> gifconfig gif0 169.1.134.1 172.168.93.4
> ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
> setkey -FP
> setkey -F
> setkey -c <<EOF
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
> esp/tunnel/169.1.134.1-172.168.93.4/require;
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
> esp/tunnel/172.168.93.4-169.1.134.1/require;
> EOF

Why are you using gif0? I understand that gif0 is not recommended for IPv4 over IPv4 tunnels. Also, since you are using ipsec tunnels set up via setkey, I don't think gif0.

Tom

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
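A check a practitioner would want before loading an SPD like the one quoted above is that the outbound and inbound tunnel policies actually mirror each other (swapped subnets, swapped tunnel endpoints, same protocol) and that every policy uses the `require` level, since `use` lets traffic fall back to cleartext when no SA exists. The following Python is an added illustration for this thread, not code from either poster or from FreeBSD; it assumes the IPv4 tunnel-mode `spdadd` syntax shown in the quoted script, and the sample SPD text is constructed here from that script plus a deliberately weakened variant.

```python
"""Parse setkey(8) spdadd lines and check that tunnel-mode policies form
consistent, symmetric pairs. Added illustration; not from the original
message or from FreeBSD. Assumes the syntax used in the quoted script:
    spdadd SRC DST PROTO -P in|out ipsec esp|ah/tunnel/A-B/LEVEL ;
An entry may be split across lines, as in the quoted heredoc."""
import re
from dataclasses import dataclass
from typing import List

# One regex over the whole text, because the quoted script wraps each
# spdadd entry onto two lines; \s+ after "ipsec" swallows the newline.
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<direction>in|out)\s+ipsec\s+"
    r"(?P<protocol>esp|ah)/tunnel/(?P<tsrc>[^\s-]+)-(?P<tdst>[^\s/]+)/"
    r"(?P<level>require|use|default)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str        # inner (protected) source prefix
    dst: str        # inner destination prefix
    proto: str      # upper-layer protocol selector ("any" in the script)
    direction: str  # "in" or "out"
    protocol: str   # "esp" or "ah"
    tsrc: str       # outer tunnel source endpoint
    tdst: str       # outer tunnel destination endpoint
    level: str      # "require", "use" or "default"


def parse_spd(text: str) -> List[Policy]:
    """Return every spdadd entry found in the text as a Policy."""
    return [Policy(**m.groupdict()) for m in SPD_RE.finditer(text)]


def check_spd(policies: List[Policy]) -> List[str]:
    """Return human-readable findings; an empty list means the SPD is
    symmetric and every policy mandates IPsec."""
    findings: List[str] = []
    for p in policies:
        if p.level != "require":
            findings.append(
                f"{p.direction} {p.src}->{p.dst}: level '{p.level}' does not "
                f"mandate IPsec, so this flow may pass in cleartext")
    outs = [p for p in policies if p.direction == "out"]
    ins = [p for p in policies if p.direction == "in"]
    for o in outs:
        # The mirror of an outbound policy swaps inner prefixes and outer
        # endpoints and keeps the same selector and IPsec protocol.
        if not any(i.src == o.dst and i.dst == o.src
                   and i.tsrc == o.tdst and i.tdst == o.tsrc
                   and i.proto == o.proto and i.protocol == o.protocol
                   for i in ins):
            findings.append(
                f"out {o.src}->{o.dst}: no mirrored 'in' policy, so return "
                f"traffic for this flow is not required to arrive under IPsec")
    for i in ins:
        if not any(o.src == i.dst and o.dst == i.src for o in outs):
            findings.append(f"in {i.src}->{i.dst}: no mirrored 'out' policy")
    return findings


# Constructed sample: the two entries from the quoted script, as written.
PAGE_SPD = """
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
"""

# Constructed weak variant: only one direction, and level 'use'.
WEAK_SPD = """
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/169.1.134.1-172.168.93.4/use;
"""

if __name__ == "__main__":
    for name, text in (("page SPD", PAGE_SPD), ("weak SPD", WEAK_SPD)):
        print(f"{name}: {check_spd(parse_spd(text)) or ['ok']}")
```

Run it as a script to see the quoted configuration pass and the weakened variant produce two findings; feeding it the text of a real `setkey -c` heredoc before loading it is the intended use.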