Date: Mon, 23 Jun 2003 18:26:34 -0700
From: "Brent Wiese" <brently@bjwcs.com>
To: "'Oleg Semyonov'" <os@front.ru>, <freebsd-questions@freebsd.org>
Subject: RE: IPSec+VPN+ipfw questions
Message-ID: <006301c339ef$bae48010$0a0114ac@home.bjwcs.com>
In-Reply-To: <002201c33986$ae283f60$190410ac@tavrida.local>
A few things come quickly to mind...

First, you need "gateway_enable=YES" in your rc.conf... I think. I know you need it for MPD (pptp tunneling).

Second, you cannot have physical routes to the remote side "private" network.

> 1) Is it possible to use ipfw rules to count different kinds
> of traffic from legitimate computers, divert it to natd and
> block all other packets across the LAN? There are ESP
> protocol packets which I can filter, but it seems they are
> not processed after decryption by ipfw rules. So, no
> counters, no divert, etc.

You should use ipfw to, at the very least, only allow legit tunnel traffic to pass to/from the "public" and "private" NICs.

> 2) What is the best solution for IKE daemon? I've tried
> racoon (it works but there are some strange situations with
> Windows 2000 machines which are mentioned somewhere), and
> isakmpd (it has not very obvious syntax for their policy and
> conf files - how to create a minimal working configuration
> for a number of peer machines which use different preshared
> keys for IKE exchange)?

Racoon works fine if set up correctly. Most of the FAQs are wrong, especially when they discuss setting up gif() and then racoon. You don't need gif(). I seem to remember something about using MD5 as the hash, but it's been a while... Maybe it was that my router only supported MD5 for its vpn-passthru stuff...

> 3) In fact, it is not required for me to use VPN solutions.
> All I need is to authenticate each legitimate machine (or
> user - that is better). IP+MAC addresses may be forged. I can
> use socks proxy, but there is no standard secured
> authentication which is supported by a number of different
> internet tools. And I don't wish to have a complicated setup
> of each client machine. So, VPN seems to be the best solution
> as their policies for W2K clients may be specified via Active
> Directory.

IPSEC is probably the best way.

Since the other side is Windows, you may consider using MPD and use PPTP instead of IPSEC. It's a little easier to deal with on the Windows side since setup is all gui-wizards.

Cheers,
Brent
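One way to put Brent's advice about letting only legit tunnel traffic cross the public and private NICs into an ipfw rules file, as an added example that is not from the thread. Interface names, addresses, networks and rule numbers are assumptions; the rc.conf variables named in the header comment are the standard FreeBSD ones.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw rules file for a FreeBSD IPsec
# gateway that lets only tunnel traffic (IKE on udp/500 and ESP) cross the
# public NIC. Loaded via the standard rc.conf knobs:
#   gateway_enable="YES"  firewall_enable="YES"  firewall_logging="YES"
#   firewall_script="/usr/local/etc/ipfw.rules"
# Interface names and addresses are assumed for illustration only.
PUB_IF="fxp0"                 # public NIC
PRIV_IF="fxp1"                # private (LAN) NIC
PUB_IP="203.0.113.10"         # this gateway's public address
PEER_IP="203.0.113.50"        # remote IPsec peer
LAN="10.0.0.0/24"             # our private network
REMOTE_LAN="10.0.1.0/24"      # private network behind the peer

# Emit the ruleset one command per line so it can be reviewed before loading.
build_rules() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 200 allow udp from $PEER_IP 500 to $PUB_IP 500 in via $PUB_IF
add 210 allow udp from $PUB_IP 500 to $PEER_IP 500 out via $PUB_IF
add 220 allow esp from $PEER_IP to $PUB_IP in via $PUB_IF
add 230 allow esp from $PUB_IP to $PEER_IP out via $PUB_IF
add 240 count ip from $LAN to $REMOTE_LAN
add 250 allow ip from $LAN to $REMOTE_LAN
add 260 count ip from $REMOTE_LAN to $LAN
add 270 allow ip from $REMOTE_LAN to $LAN
add 290 deny log ip from any to any in via $PUB_IF
add 300 allow ip from $LAN to $PUB_IP in via $PRIV_IF
add 65000 deny log ip from any to any
EOF
}
# Rules 240-270 match the cleartext wherever the kernel shows it to ipfw
# (before encapsulation or after decryption); whether decrypted packets are
# seen by ipfw at all depends on the kernel, which is the first question above.
# Cleartext that spoofs REMOTE_LAN on the public NIC is stopped by the IPsec
# "require" policy in the SPD, not by these rules.

apply_rules() {
    build_rules | ipfw -q /dev/stdin
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run the file with the argument `apply` to load the rules; without it, `build_rules` only prints them for review.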