Date:      Fri, 21 Jun 2002 07:47:51 -0500
From:      Eric Anderson <anderson@centtech.com>
To:        cjclark@alum.mit.edu
Cc:        security@freebsd.org
Subject:   Re: Configuring sainfo in racoon(8)
Message-ID:  <3D132077.4B8FBB3D@centtech.com>
References:  <20020618130547.A11688@blossom.cjclark.org>

Well, I'm no expert on this, but the way I have my tunnels set up is something
like this (this is a script on one side of the tunnel).

#!/bin/sh
# Bring up one gif(4) tunnel and install the IPsec policies that go with it.
VNNAME=tunnelname          # tag for logger(1) and for the extip file name
GWAY=192.168.10.17         # remote end's inner (tunnel) address
NMASK=255.255.255.240
HNET=192.168.10.16/28      # remote network reached through the tunnel
IFACE=gif0

# DO NOT EDIT BELOW THIS POINT # 
# Remote outer (public) address, read from a file so the script stays generic.
EXTIP=`cat /usr/local/etc/vpn/$VNNAME-extip`

# Outer addresses of the gif tunnel; 200.200.200.200 is this host's public address.
gifconfig $IFACE delete
gifconfig $IFACE 200.200.200.200 $EXTIP
logger -t $VNNAME "Interface $IFACE has been brought up."

# Inner addresses: point-to-point, hence the host netmask.
ifconfig $IFACE inet 10.10.10.39 $GWAY netmask 255.255.255.255
logger -t $VNNAME "Configured $IFACE."

# Route the remote network (and the local tunnel address) via the tunnel peer.
route add -net $HNET $GWAY     > /dev/null 2>&1
route add $HNET $GWAY     > /dev/null 2>&1
route add 10.10.10.39 $GWAY  > /dev/null 2>&1
logger -t $VNNAME "Added network route for $IFACE"

# Drop any stale policies, then require ESP in tunnel mode between the outer
# addresses for traffic between the local 10.10.10.0/24 and 10.20.0.0/16
# networks and the remote $HNET.  Outbound policies name the endpoints as
# local-remote, inbound ones as remote-local.
setkey -c << EOF
spddelete 10.10.10.0/24 $HNET any -P out;
spddelete $HNET 10.10.10.0/24 any -P in;
spddelete 10.20.0.0/16 $HNET any -P out;
spddelete $HNET 10.20.0.0/16 any -P in;
spdadd 10.10.10.0/24 $HNET any -P out ipsec
esp/tunnel/200.200.200.200-$EXTIP/require;
spdadd $HNET 10.10.10.0/24 any -P in ipsec
esp/tunnel/$EXTIP-200.200.200.200/require;
spdadd 10.20.0.0/16 $HNET any -P out ipsec
esp/tunnel/200.200.200.200-$EXTIP/require;
spdadd $HNET 10.20.0.0/16 any -P in ipsec
esp/tunnel/$EXTIP-200.200.200.200/require;
EOF

# Send the first packets so racoon negotiates the SA right away.
ping -c 5 $GWAY > /dev/null 2>&1
logger -t $VNNAME "Finished adding SPDs."

Does this help any?  

Eric



"Crist J. Clark" wrote:
> I have my SPD set,
> 
>   # setkey -c <<EOF
>   spdadd 192.168.200.1 192.168.101.0/24 any
>     -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require;
>   spdadd 192.168.101.0/24 192.168.200.1 any
>     -P in  ipsec esp/tunnel/192.168.100.1-192.168.200.1/require;
>   EOF


-- 
------------------------------------------------------------------
Eric Anderson	   Systems Administrator      Centaur Technology
He who laughs last didn't get the joke.
------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
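Added example, not code from Eric's post or from FreeBSD: a POSIX shell script that derives the setkey(8) SPD input for both ends of an ESP tunnel from a single description of it, and checks that the two sides mirror each other. It generalizes the script above to any number of local and remote networks. The outer addresses 203.0.113.1 and 198.51.100.1 are constructed placeholders, and spd_policy, peer_policy and spd_mirrors are names chosen here.

```shell
#!/bin/sh
# Added example (not from the list post): generate setkey(8) SPD lines for
# both peers of an ESP tunnel from one description of the tunnel, and verify
# that the two sides agree.  Addresses are constructed placeholders.

# spd_policy LOCAL_EXT REMOTE_EXT "LOCAL_NETS" "REMOTE_NETS"
# Print spdadd lines for the host whose outer address is LOCAL_EXT: for each
# local/remote network pair, one "out" policy with endpoints local-remote and
# one "in" policy with src/dst and endpoints reversed.
spd_policy() {
    local_ext=$1 remote_ext=$2 local_nets=$3 remote_nets=$4
    for ln in $local_nets; do
        for rn in $remote_nets; do
            printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
                "$ln" "$rn" "$local_ext" "$remote_ext"
            printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
                "$rn" "$ln" "$remote_ext" "$local_ext"
        done
    done
}

# peer_policy: the same tunnel described from the other endpoint, i.e. the
# same call with local and remote swapped.
peer_policy() {
    spd_policy "$2" "$1" "$4" "$3"
}

# spd_mirrors A B: return 0 when every "out" policy in A appears in B as the
# identical "in" policy (same src/dst, same endpoint order).  Two correctly
# configured peers satisfy exactly this relation; a swapped endpoint or
# network on one side breaks it, which setkey itself would not report.
spd_mirrors() {
    a_out=$(printf '%s\n' "$1" | grep -- '-P out' | sed 's/-P out/-P in/' | sort)
    b_in=$(printf '%s\n' "$2" | grep -- '-P in' | sort)
    [ "$a_out" = "$b_in" ]
}

# Constructed example: site A (203.0.113.1) with two inner networks, site B
# (198.51.100.1) with one, like the two-network script in the post.
A_POLICY=$(spd_policy 203.0.113.1 198.51.100.1 "10.10.10.0/24 10.20.0.0/16" 192.168.10.16/28)
B_POLICY=$(peer_policy 203.0.113.1 198.51.100.1 "10.10.10.0/24 10.20.0.0/16" 192.168.10.16/28)

printf '# site A\n%s\n# site B\n%s\n' "$A_POLICY" "$B_POLICY"
spd_mirrors "$A_POLICY" "$B_POLICY" && spd_mirrors "$B_POLICY" "$A_POLICY" \
    && echo "# policies mirror" || echo "# MISMATCH"
```

Feed each side's output to `setkey -c` on the respective host. The mirror check only covers the SPD; the sainfo and remote blocks in racoon.conf still have to name the same networks and endpoints, or racoon will find no matching policy when the first packet triggers negotiation.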




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D132077.4B8FBB3D>