From owner-freebsd-net Tue Jun 18 8: 6:49 2002
Delivered-To: freebsd-net@freebsd.org
Received: from proton.hexanet.fr (proton.hexanet.fr [81.23.32.33]) by hub.freebsd.org (Postfix) with ESMTP id 814D937B40C for ; Tue, 18 Jun 2002 08:06:41 -0700 (PDT)
Received: from hexanet.fr (localhost [127.0.0.1]) by proton.hexanet.fr (8.12.3/8.12.3) with SMTP id g5IF6dfS004253; Tue, 18 Jun 2002 17:06:39 +0200 (CEST) (envelope-from c.prevotaux@hexanet.fr)
Date: Tue, 18 Jun 2002 17:06:39 +0200
From: Christophe Prevotaux
To: Lars Eggert
Cc: net@freebsd.org
Subject: Re: IPIP (kind of) with Payload Encryption only
Message-Id: <20020618170639.3754910d.c.prevotaux@hexanet.fr>
In-Reply-To: <3D0F4AFA.3000908@isi.edu>
References: <20020618153956.2a9352fa.c.prevotaux@hexanet.fr> <200206181352.g5IDqqnq047326@whizzo.transsys.com> <3D0F4AFA.3000908@isi.edu>
Organization: HEXANET Sarl
X-Mailer: Sylpheed version 0.7.4 (GTK+ 1.2.10; i386-portbld-freebsd4.4)
X-NCC-RegID: fr.hexanet
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I can use AH/ESP; however, since I am using a satellite link thru a modem/hub (NOC) that fiddles around with packets in order to optimize them, I can't encrypt the headers, otherwise the optimizer can't see inside the packets and therefore can't see the headers, so no optimization is done, and I end up with a 33,6Kbps-like speed for the VPN, which is useless (at best 56Kbps).

SKIP seems like a good solution; I am going to look at it and see what it does.

On Tue, 18 Jun 2002 08:00:10 -0700
Lars Eggert wrote:

> Louis A. Mamakos wrote:
> >>
> >> Could someone tell me if there is a way to build a VPN(like) tunnel from
> >> a FreeBSD machine acting as a VPN gateway to another machine acting as
> >> another VPN gateway using normal IP packets that have only their data
> >> payload encrypted. Of course there would have to be a way to setup the
> >> tunnel and still retain the network addressing of each side of the VPN
> >
> >
> > Look at vtun in /usr/ports/net/vtun to see if this can address your
> > problem. I use it over a (cable modem) network that seems to
> > filter IPSEC traffic.
>
> Too bad you can't use IPsec, this seems like the perfect scenario for it.
>
> I've also used vtun in such a scenario, and can second that it'll work
> UNLESS you need your tunnel to go through a NAT box - vtun uses the
> client's IP address during its authentication handshake (which is dumb,
> since stronger shared secrets need be in place anyway.)
>
> Archie's daemonnews article has an example of how to do UDP tunneling
> with netgraph, which nets about a 2x performance improvement over vtun
> (without encryption, haven't figured out how to tie in ng_mppc).
>
> Lars
> --
> Lars Eggert           USC Information Sciences Institute
>

--
===============================================================
Christophe Prevotaux              Email: c.prevotaux@hexanet.fr
HEXANET SARL                      URL: http://www.hexanet.fr/
Z.A.C Les Charmilles              Tel: +33 (0)3 26 79 30 05
3 Allée Thierry Sabine            Direct: +33 (0)3 26 61 77 72
BP202                             Fax: +33 (0)3 26 79 30 06
51686 Reims Cedex 2 FRANCE        HEXANET Network Operation Center
===============================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
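The thread asks for "normal IP packets that have only their data payload encrypted", so that a header-inspecting middlebox such as the satellite optimizer can still read addresses and protocol. The Go program below is an added illustration of what that design looks like and what it costs; it is not code from this thread, from vtun, SKIP, netgraph or FreeBSD. It constructs a minimal IPv4 packet, leaves the 20-byte header in the clear, and replaces the payload with a random nonce followed by AES-GCM ciphertext. The immutable header fields (addresses, protocol, total length) are bound into the GCM tag as associated data, with TTL and checksum zeroed the way AH treats mutable fields, so a hop that only decrements TTL still verifies, while a hop that rewrites an address does not. The key, addresses and payload are constructed demo values, and the nonce-in-payload layout is an assumption of this example, not a standard wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const ipv4HeaderLen = 20 // minimal IPv4 header, no options

// checksum is the RFC 1071 one's-complement sum over an IPv4 header.
// Over a header whose checksum field is already filled in, it returns 0.
func checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// refreshChecksum recomputes the header checksum after a header field changed.
func refreshChecksum(pkt []byte) {
	pkt[10], pkt[11] = 0, 0
	binary.BigEndian.PutUint16(pkt[10:], checksum(pkt[:ipv4HeaderLen]))
}

// buildIPv4 wraps payload in a minimal IPv4 header (constructed test traffic).
func buildIPv4(src, dst [4]byte, proto byte, payload []byte) []byte {
	pkt := make([]byte, ipv4HeaderLen+len(payload))
	pkt[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	pkt[8] = 64 // TTL
	pkt[9] = proto
	copy(pkt[12:], src[:])
	copy(pkt[16:], dst[:])
	copy(pkt[ipv4HeaderLen:], payload)
	refreshChecksum(pkt)
	return pkt
}

// aad returns the header fields bound into the AEAD tag: the whole header except
// TTL and checksum, which legitimately change at every hop (AH's treatment of
// mutable fields). Addresses, protocol and total length are therefore protected.
func aad(pkt []byte) []byte {
	a := make([]byte, ipv4HeaderLen)
	copy(a, pkt[:ipv4HeaderLen])
	a[8] = 0
	a[10], a[11] = 0, 0
	return a
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPayload keeps the IPv4 header in the clear and replaces the payload with
// nonce || AES-GCM(payload), binding the immutable header fields as associated data.
func EncryptPayload(key, pkt []byte) ([]byte, error) {
	if len(pkt) < ipv4HeaderLen || pkt[0] != 0x45 {
		return nil, errors.New("expected a minimal IPv4 packet without options")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, ipv4HeaderLen, len(pkt)+len(nonce)+gcm.Overhead())
	copy(out, pkt[:ipv4HeaderLen])
	binary.BigEndian.PutUint16(out[2:], uint16(cap(out))) // new total length
	out = append(out, nonce...)
	out = gcm.Seal(out, nonce, pkt[ipv4HeaderLen:], aad(out))
	refreshChecksum(out)
	return out, nil
}

// DecryptPayload verifies the tag (and with it the bound header fields) and
// restores the original packet; header or payload tampering fails here.
func DecryptPayload(key, pkt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(pkt) < ipv4HeaderLen+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("packet too short")
	}
	nonce := pkt[ipv4HeaderLen : ipv4HeaderLen+gcm.NonceSize()]
	plain, err := gcm.Open(nil, nonce, pkt[ipv4HeaderLen+len(nonce):], aad(pkt))
	if err != nil {
		return nil, fmt.Errorf("payload authentication failed: %w", err)
	}
	out := append(append(make([]byte, 0, ipv4HeaderLen+len(plain)), pkt[:ipv4HeaderLen]...), plain...)
	binary.BigEndian.PutUint16(out[2:], uint16(len(out)))
	refreshChecksum(out)
	return out, nil
}

// Visible is what a header-inspecting middlebox can still read after encryption.
func Visible(pkt []byte) string {
	return fmt.Sprintf("%s -> %s proto %d len %d",
		net.IP(pkt[12:16]), net.IP(pkt[16:20]), pkt[9], binary.BigEndian.Uint16(pkt[2:]))
}

func main() {
	key := []byte("constructed-demo-key-32-bytes!!!") // 32 bytes: AES-256, demo value only
	pkt := buildIPv4([4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, 17, []byte("constructed datagram"))
	enc, _ := EncryptPayload(key, pkt)
	fmt.Println("middlebox sees:", Visible(enc))
	enc[19] ^= 1 // a hop rewrites the destination address ...
	refreshChecksum(enc)
	_, err := DecryptPayload(key, enc)
	fmt.Println("after header tampering:", err) // ... and the receiver rejects it
}
```

Two consequences of this layout are worth keeping in mind. Because the addresses are authenticated, the tunnel has the same property Lars describes for vtun: a NAT box on the path rewrites a bound field and every packet fails verification, so the associated data would have to exclude the translated address to survive NAT, at the cost of no longer detecting address rewriting. And the cleartext header is exactly the metadata the optimizer needs; the trade against ESP tunnel mode is that anyone on the satellite path learns the same endpoint and protocol information.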