From owner-freebsd-isp Mon Nov 20 10:18:17 2000
Message-Id: <5.0.1.4.0.20001120130314.00af46c0@marble.sentex.ca>
Date: Mon, 20 Nov 2000 13:11:12 -0500
To: Tom Samplonius
From: Mike Tancsa
Subject: Re: any VPN daemon?
Cc: Evren Yurtesen, freebsd-isp@FreeBSD.ORG
References: <4.2.2.20001119221736.0173de98@marble.sentex.net>

At 08:51 AM 11/20/00 -0800, Tom Samplonius wrote:
>On Sun, 19 Nov 2000, Mike Tancsa wrote:
>
> > At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
> > > Well building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
> > >well documented. For instance, there is nothing on how IPSec and ipfw
> > >interact. Which subsystem gets the packet first? ipfw or IPSec?
> > >Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
> > >do.
> >
> > I believe the person said he was using a simple LAN to LAN. I have had good
> > results setting up a few tunnels in the past month or so. What specifically
> > were you trying to find with respect to ipfw?
>
> What evaluates a packet first? ipfw rules or setkey rules?

It would _appear_ ipfw does first, as I can stop a working ipsec connection with ipfw first, at least when I use the gif tunneling interface. I don't have a tunnel set up currently in transport mode only, but it would be easy enough to test.

>...
> > #!/bin/sh
> > #PPPoE config
> > ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
> > gifconfig gif0 169.1.134.1 172.168.93.4
> > ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
> > setkey -FP
> > setkey -F
> > setkey -c <<EOF
> > spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
> > esp/tunnel/169.1.134.1-172.168.93.4/require;
> > spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
> > esp/tunnel/172.168.93.4-169.1.134.1/require;
> > EOF
>
> Why are you using gif0? I understand that gif0 is not recommended for
>IPv4 over IPv4 tunnels. Also, since you are using ipsec tunnels set up via
>setkey, I don't think gif0.

From my understanding the danger with using gif was routing loops. I found it easier to do this way. I agree the documentation is fairly sparse for IPSec, but once you get it running, it does work, and there is interoperability amongst different vendors' implementations. Also, there are more and more books, articles and general resources dealing with IPSec, whereas the only other VPN solution that is close to a broad install base I guess is MS PPTP which has its own issues.

What are you using for VPNs?

---Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
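Added example (not from the mail above or from FreeBSD): a small sh helper that emits the setkey SPD entries for both gateways of a LAN-to-LAN ESP tunnel from one set of arguments, checks that the two sides are mirror images (a swapped network or gateway is a common reason a tunnel silently passes nothing), and emits the ipfw allow for the outer ESP packets, since the message above observes that ipfw sees the packet before IPsec does. The addresses default to the ones quoted in the thread; the function names and the ipfw rule number are assumptions.

```shell
#!/bin/sh
# Constructed example: SPD generator and symmetry check for the quoted tunnel.

# spd_policies LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints the two spdadd lines for the gateway whose outer address is LOCAL_GW,
# in the same form as the script quoted in the thread.
spd_policies() {
    ln=$1; rn=$2; lg=$3; rg=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$ln" "$rn" "$lg" "$rg"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$rn" "$ln" "$rg" "$lg"
}

# peer_policies: same four arguments, seen from the first gateway; prints what
# the *other* gateway needs so both ends are configured from one source of truth.
peer_policies() {
    spd_policies "$2" "$1" "$4" "$3"
}

# policies_symmetric A_OUTPUT B_OUTPUT: succeeds only if side A's "out" selector
# and tunnel endpoints equal side B's "in" selector and endpoints.
policies_symmetric() {
    a_out=$(printf '%s\n' "$1" | sed -n 's/^spdadd \([^ ]*\) \([^ ]*\) .*-P out .*esp\/tunnel\/\([^/]*\)\/.*/\1 \2 \3/p')
    b_in=$(printf '%s\n' "$2" | sed -n 's/^spdadd \([^ ]*\) \([^ ]*\) .*-P in .*esp\/tunnel\/\([^/]*\)\/.*/\1 \2 \3/p')
    [ -n "$a_out" ] && [ "$a_out" = "$b_in" ]
}

# esp_ipfw_rules LOCAL_GW REMOTE_GW RULENUM
# Because ipfw evaluates first (per the observation in the thread), the outer
# ESP packets between the two gateways need an explicit allow ahead of any deny.
esp_ipfw_rules() {
    printf 'ipfw add %s allow esp from %s to %s\n' "$3" "$2" "$1"
    printf 'ipfw add %s allow esp from %s to %s\n' "$3" "$1" "$2"
}

# Stand-alone demo with the addresses from the quoted config.
if [ "${1:-}" = "demo" ]; then
    a=$(spd_policies 10.1.2.0/24 10.1.1.0/24 169.1.134.1 172.168.93.4)
    b=$(peer_policies 10.1.2.0/24 10.1.1.0/24 169.1.134.1 172.168.93.4)
    printf '# gateway A\n%s\n# gateway B\n%s\n' "$a" "$b"
    esp_ipfw_rules 169.1.134.1 172.168.93.4 100
    policies_symmetric "$a" "$b" && echo "# policies are symmetric"
fi
```

Run with `sh script.sh demo` to print both gateways' SPD and the ipfw lines; feed the printed spdadd lines to `setkey -c` on the respective host.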