From owner-freebsd-security  Wed Oct 25 16:45:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1])
	by hub.freebsd.org (Postfix) with ESMTP id D7D5F37B479
	for <freebsd-security@FreeBSD.ORG>; Wed, 25 Oct 2000 16:45:17 -0700 (PDT)
Received: from chimp (fcage [192.168.0.2])
	by cage.simianscience.com (8.11.1/8.9.3) with ESMTP id e9PNjh922232;
	Wed, 25 Oct 2000 19:45:52 -0400 (EDT)
	(envelope-from mike@sentex.net)
Message-Id: <4.2.2.20001025194015.04b93008@mail.sentex.net>
X-Sender: mdtancsa@mail.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Wed, 25 Oct 2000 19:44:58 -0400
To: Matthew Hagerty <matthew@venux.net>, freebsd-security@FreeBSD.ORG
From: Mike Tancsa <mike@sentex.net>
Subject: Re: IPsec requires FreeBSD-4.??
In-Reply-To: <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:33 PM 10/25/2000 -0400, Matthew Hagerty wrote:
>Greetings,
>
>I am trying desperately to get a simple network-to-network VPN working 
>with FreeBSD.  I am having no luck and would like to know what version of 
>4.x I need?  I am currently using 4.0 release on both sides.  Is that 
>going to work or do I need to upgrade to 4.1.1 or something?

It certainly is easier with 4.1.1 as you can use the racoon port.  Here is 
a quick sample config that will work with racoon out of the box

This assumed that 172.16.1.1 and 192.168.1.1 are your public NON RFC 1918 
space that is publically
routed



#!/bin/sh
#Ottawa config
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
gifconfig gif0 172.16.1.1 192.168.1.1
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec 
esp/tunnel/172.16.1.1-192.168.1.1/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec 
esp/tunnel/192.168.1.1-172.16.1.1/require;
EOF
#!/bin/sh
#Toronto config
ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
gifconfig gif0 192.168.1.1 172.16.1.1
ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec 
esp/tunnel/192.168.1.1-172.16.1.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec 
esp/tunnel/172.16.1.1-192.168.1.1/require;
EOF
And Presto! We have a secure VPN that is tunneled!

Toronto# ping 10.1.2.1
PING 10.1.2.1 (10.1.2.1): 56 data bytes
64 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=1.743 ms
64 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=1.746 ms
64 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=1.739 ms
64 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=1.610 ms
^C
--- 10.1.2.1 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max/stddev = 1.610/1.710/1.746/0.058 ms
Toronto# traceroute 10.1.2.1
traceroute to 10.1.2.1 (10.1.2.1), 30 hops max, 40 byte packets
  1  10.1.2.1 (10.1.2.1)  1.363 ms  1.222 ms  1.183 ms
Toronto# telnet 10.1.2.1
Trying 10.1.2.1...
Connected to 10.1.2.1.
Escape character is '^]'.







>Also, while I'm here, this is the whole procedure I'm using (that does not 
>seem to be working.)  Is there something wrong with this?
>
>In the kernel I added these and recompiled:
>
>options         IPSEC
>options         IPSEC_ESP

Looks good to me.


--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Network Administration,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message