From owner-freebsd-net@FreeBSD.ORG  Wed Jul  9 18:26:46 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C565A1065678
	for <freebsd-net@freebsd.org>; Wed,  9 Jul 2008 18:26:46 +0000 (UTC)
	(envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18])
	by mx1.freebsd.org (Postfix) with ESMTP id 87CF38FC30
	for <freebsd-net@freebsd.org>; Wed,  9 Jul 2008 18:26:46 +0000 (UTC)
	(envelope-from mike@sentex.net)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18])
	by smarthost1.sentex.ca (8.14.2/8.14.2) with ESMTP id m69IQivq055384;
	Wed, 9 Jul 2008 14:26:44 -0400 (EDT) (envelope-from mike@sentex.net)
Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27])
	by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id m69IQiKR032020
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 9 Jul 2008 14:26:44 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <200807091826.m69IQiKR032020@lava.sentex.ca>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 09 Jul 2008 14:26:41 -0400
To: zaphod@fsklaw.com, freebsd-net@freebsd.org
From: Mike Tancsa <mike@sentex.net>
In-Reply-To: <7.1.0.9.0.20080709133535.2396cea8@sentex.net>
References: <8f7879db41dbaecc479a017110e8f32f.squirrel@cor>
	<200807040155.m641tl8s000607@lava.sentex.ca>
	<7904ac587e71a42fb86c2bbe77bde0ae.squirrel@cor>
	<200807091545.m69FjcP4031350@lava.sentex.ca>
	<ae8c87bc77551550826e2906287c4cf0.squirrel@cor>
	<7.1.0.9.0.20080709133535.2396cea8@sentex.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Scanned-By: MIMEDefang 2.64 on 64.7.153.18
Cc: 
Subject: Re: Tunneling issues
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2008 18:26:46 -0000

At 02:04 PM 7/9/2008, Mike Tancsa wrote:

>Also, dont confuse using GIF and IPSEC.  To create some IPSEC 
>tunnels, you dont need gif or gre interfaces. The policies will do 
>that for you.

Here is a simple example that just uses IPSEC tunnels with a static 
key.  You dont need any gif/gre stuff. Dont use this in production, 
use IPSEC-TOOLS from the ports to do dynamic keying.


To test the tunnel, assuming the inside interface of the freebsd boxes are .1
ping -S 192.168.1.1 192.168.1.2




#/bin/sh
server1
MEOUTSIDE=1.1.1.1
MEINSIDE=192.168.1.0/24
REMOTEOUTSIDE=2.2.2.2
REMOTEINSIDE=192.168.5.0/24
IPSECKEY=ZA6PkrlNH6BN11SG1rCa8dxa


setkey -c <<EOF
         add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 -m any -E 
3des-cbc  "$IPSECKEY";
         add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 -m any -E 
3des-cbc  "$IPSECKEY";
         spdadd $MEINSIDE $REMOTEINSIDE any -P out ipsec 
esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
         spdadd $REMOTEINSIDE $MEINSIDE any -P in  ipsec 
esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
EOF



#!/bin/sh
server2
MEOUTSIDE=2.2.2.2
MEINSIDE=192.168.5.0/24
REMOTEOUTSIDE=1.1.1.1
REMOTEINSIDE=192.168.1.0/24
IPSECKEY=ZA6PkrlNH6BN11SG1rCa8dxa


setkey -c <<EOF
         add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 -m any -E 
3des-cbc  "$IPSECKEY";
         add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 -m any -E 
3des-cbc  "$IPSECKEY";
         spdadd $MEINSIDE $REMOTEINSIDE any -P out ipsec 
esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
         spdadd $REMOTEINSIDE $MEINSIDE any -P in  ipsec 
esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
EOF