Date: Wed, 09 Jul 2008 14:26:41 -0400
From: Mike Tancsa <mike@sentex.net>
To: zaphod@fsklaw.com, freebsd-net@freebsd.org
Subject: Re: Tunneling issues
Message-ID: <200807091826.m69IQiKR032020@lava.sentex.ca>
In-Reply-To: <7.1.0.9.0.20080709133535.2396cea8@sentex.net>
References: <8f7879db41dbaecc479a017110e8f32f.squirrel@cor> <200807040155.m641tl8s000607@lava.sentex.ca> <7904ac587e71a42fb86c2bbe77bde0ae.squirrel@cor> <200807091545.m69FjcP4031350@lava.sentex.ca> <ae8c87bc77551550826e2906287c4cf0.squirrel@cor> <7.1.0.9.0.20080709133535.2396cea8@sentex.net>
At 02:04 PM 7/9/2008, Mike Tancsa wrote:
>Also, don't confuse using GIF and IPSEC. To create some IPSEC
>tunnels, you don't need gif or gre interfaces. The policies will do
>that for you.

Here is a simple example that just uses IPSEC tunnels with a static key. You don't need any gif/gre stuff. Don't use this in production; use IPSEC-TOOLS from the ports to do dynamic keying.

To test the tunnel, assuming the inside interfaces of the FreeBSD boxes are .1:

ping -S 192.168.1.1 192.168.1.2

#!/bin/sh
# server1
MEOUTSIDE=1.1.1.1
MEINSIDE=192.168.1.0/24
REMOTEOUTSIDE=2.2.2.2
REMOTEINSIDE=192.168.5.0/24
IPSECKEY=ZA6PkrlNH6BN11SG1rCa8dxa

setkey -c <<EOF
# one manually keyed ESP SA per direction, same SPI and key on both ends
add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
# policies: inside-to-inside traffic must go through the ESP tunnel
spdadd $MEINSIDE $REMOTEINSIDE any -P out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
spdadd $REMOTEINSIDE $MEINSIDE any -P in ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
EOF

#!/bin/sh
# server2
MEOUTSIDE=2.2.2.2
MEINSIDE=192.168.5.0/24
REMOTEOUTSIDE=1.1.1.1
REMOTEINSIDE=192.168.1.0/24
IPSECKEY=ZA6PkrlNH6BN11SG1rCa8dxa

setkey -c <<EOF
# same SAs as server1, seen from the other end
add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
spdadd $MEINSIDE $REMOTEINSIDE any -P out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
spdadd $REMOTEINSIDE $MEINSIDE any -P in ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
EOF
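The following is an added example and not code from the mail above or from the FreeBSD project: a small POSIX sh generator that emits the setkey(8) script for each end of a manually keyed ESP tunnel of the kind shown in the message. It keeps the same SA/policy layout (two `add` lines, two `spdadd` lines, policy-driven tunnel without gif/gre) but draws a distinct random key and a distinct SPI per direction, uses AES-CBC instead of 3DES, and attaches HMAC-SHA256 authentication to each SA with `-A`. The key lengths it checks (aes-cbc 16/24/32 bytes, 3des-cbc 24, hmac-sha256 32) and the `0x`-prefixed hex key form are taken from setkey(8) and are assumptions of this example; the addresses and prefixes are the placeholders from the mail.

```shell
#!/bin/sh
# Added example, not code from the original mail: generate setkey(8) scripts
# for both ends of a manually keyed ESP tunnel. Differences from the mail's
# scripts: a distinct SPI and distinct random keys per direction, AES-CBC
# instead of 3DES, and HMAC-SHA256 authentication on every SA. Addresses and
# prefixes are placeholders, as in the mail.

# Validate that HEXKEY is pure hex and of a length setkey(8) accepts for ALG.
# Lengths assumed from setkey(8): aes-cbc 16/24/32 bytes, 3des-cbc 24,
# hmac-sha256 32.
key_ok() {
    alg=$1; hexkey=$2
    case "$hexkey" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#hexkey} % 2 )) -eq 0 ] || return 1
    n=$(( ${#hexkey} / 2 ))
    case "$alg" in
        aes-cbc)     [ "$n" -eq 16 ] || [ "$n" -eq 24 ] || [ "$n" -eq 32 ] ;;
        3des-cbc)    [ "$n" -eq 24 ] ;;
        hmac-sha256) [ "$n" -eq 32 ] ;;
        *)           return 1 ;;
    esac
}

# N random bytes from /dev/urandom as lowercase hex (no 0x prefix).
gen_hex_key() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# Emit the setkey(8) script for one side.
# $1 local outside addr   $2 local inside prefix
# $3 remote outside addr  $4 remote inside prefix
# $5 SPI local->remote    $6 SPI remote->local
# $7/$8 enc/auth key local->remote   $9/$10 enc/auth key remote->local
gen_side_conf() {
    lo=$1; li=$2; ro=$3; ri=$4; spi_out=$5; spi_in=$6
    ek_out=$7; ak_out=$8; ek_in=$9; ak_in=${10}
    for k in "$ek_out" "$ek_in"; do key_ok aes-cbc "$k" || return 1; done
    for k in "$ak_out" "$ak_in"; do key_ok hmac-sha256 "$k" || return 1; done
    cat <<EOF
add $lo $ro esp $spi_out -m tunnel -E aes-cbc 0x$ek_out -A hmac-sha256 0x$ak_out;
add $ro $lo esp $spi_in -m tunnel -E aes-cbc 0x$ek_in -A hmac-sha256 0x$ak_in;
spdadd $li $ri any -P out ipsec esp/tunnel/$lo-$ro/require;
spdadd $ri $li any -P in ipsec esp/tunnel/$ro-$lo/require;
EOF
}

# Print scripts for both sides of one tunnel with freshly generated keys.
# Side B gets the same four SAs/policies with the direction roles swapped,
# so the A->B SA carries the same SPI and keys in both outputs.
gen_tunnel_pair() {
    a_out=$1; a_in=$2; b_out=$3; b_in=$4
    spi_ab=${5:-1001}; spi_ba=${6:-1002}
    ek_ab=$(gen_hex_key 32); ak_ab=$(gen_hex_key 32)
    ek_ba=$(gen_hex_key 32); ak_ba=$(gen_hex_key 32)
    echo "# ---- side A ($a_out): load with 'setkey -f' ----"
    gen_side_conf "$a_out" "$a_in" "$b_out" "$b_in" "$spi_ab" "$spi_ba" \
        "$ek_ab" "$ak_ab" "$ek_ba" "$ak_ba"
    echo "# ---- side B ($b_out) ----"
    gen_side_conf "$b_out" "$b_in" "$a_out" "$a_in" "$spi_ba" "$spi_ab" \
        "$ek_ba" "$ak_ba" "$ek_ab" "$ak_ab"
}

# Usage: sh gen_ipsec.sh demo   (placeholder addresses from the mail)
if [ "${1:-}" = "demo" ]; then
    gen_tunnel_pair 1.1.1.1 192.168.1.0/24 2.2.2.2 192.168.5.0/24
fi
```

Split the output at the side markers into one file per host and load each with `setkey -f`; before re-loading after a key change, clear the old entries with `setkey -F` (SAD) and `setkey -FP` (SPD), otherwise the duplicate `add` fails. The keys still have to be carried to the other box out of band and never rotate on their own, which is the reason the mail points at IPSEC-TOOLS (racoon) for anything beyond a test.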
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807091826.m69IQiKR032020>