Date: Tue, 24 Jun 2003 08:52:32 +0300 From: "Oleg Semyonov" <os@front.ru> To: "Brent Wiese" <brently@bjwcs.com>, <freebsd-questions@freebsd.org> Subject: Re: IPSec+VPN+ipfw questions Message-ID: <000901c33a14$cdc73f90$190410ac@tavrida.local> References: <006301c339ef$bae48010$0a0114ac@home.bjwcs.com>
next in thread | previous in thread | raw e-mail | index | archive | help
1. I'm using FreeBSD as a gateway+firewall which uses NAT (natd) to connect internal LAN to the Internet. So, gateway_enable=YES is set because it is required to use natd. 2. I prefer to use IPSec, and not a PPTP. As I can configure it on W2K using AD policies, so I don't have to setup it manually using wizards or suchlike. 3. I have a LAN where some machines have to use FreeBSD as gateway to the Internet, and some - no. All machines are in a common subnet, so physical route cannot be disabled for those machines. I think there is no problem here as I can set a VPN transport for some IP/MAC addresses and block all traffic from others. Note there is no tunnel for subnet - W2K-to-FreeBSD peer-to-peer only. The real problem is that I need to look into each IPSec-transported packet on the gateway machine after it is decrypted to divert it to natd. Also, I'm using some of counters such as 'count tcp from me 3128 to peer' (Squid traffic), etc. When all packets from local Squid are tunneled using IPSec the rule above always shows 0 as packets are encapsulated into esp protocol before captured by ipfw. And working rule will be 'count esp from me to peer' which does not give any information about properties of packet (source IP/port and so on). So, the question was: how to look into and count (using ipfw) those packets before they are encrypted by IPSec? 4. racoon is working, and, of course, I don't need the gif interface as I don't create a tunnel for subnet. The problem I mentioned is that when traffic flow stops for some time, and then it resumes, racoon or W2K machine want rekeying, and sometimes there is a long time delay before the rekeying takes place. I read this in FAQs and in fact I see the effect in my setup. I agree that some FAQs are not very accurate. All of them recommend to use only MD5 hash with W2K machines but I really see the SHA1 hash which works. Can you give some working example of racoon configuration which works fine with W2K? Thanks for the answers! OS ----- Original Message ----- From: "Brent Wiese" <brently@bjwcs.com> To: "'Oleg Semyonov'" <os@front.ru>; <freebsd-questions@freebsd.org> Sent: Tuesday, June 24, 2003 4:26 AM Subject: RE: IPSec+VPN+ipfw questions A few things come quickly to mind... First, you need "gateway_enable=YES" in your rc.conf... I think. I know you need it for MPD (pptp tunneling). Second, you cannot have physical routes to the remote side "private" network. > 1) Is it possible to use ipfw rules to count different kinds > of traffic from legitimate computers, divert it to natd and > block all other packets across the LAN? There are ESP > protocol packets which I can filter, but it seems they are > not processed after decryption by ipwf rules. So, no > counters, no divert, etc. You should use ipfw to, at the very least, only allow legit tunnel traffic to pass to/from the "public" and "private" NICs/ > 2) What is the best solution for IKE daemon? I've tried > racoon (it works but there are some strange situations with > Windows 2000 machines which are mentioned somewhere), and > isakmpd (it has not very obvious syntax for their policy and > conf files - how to create a minimal working configuration > for a number of peer machines which use different preshared > keys for IKE exchange)? Racoon works fine if set up correctly. Most of the FAQ's are wrong, espcially when they discuss setting up gif() and then racoon. You don't need gif(). I seem to remember something about using MD5 as the hash, but its been a while... Maybe it was that my router only supported MD5 for its vpn-passthru stuff... > 3) In fact, it is not required for me to use VPN solutions. > All I need is to authenticate each legitimate machine (or > user - that is better). IP+MAC addresses may be forged. I can > use socks proxy, but there is no standard secured > authentication which is suported by number of different > internet tools. And I don't wish to have a complicated setup > of each client machine. So, VPN seems to be the best solution > as their policies for W2K clients may be specified via Active > Directory. IPSEC is probably the best way. Since the other side is Windows, you may consider using MPD and use PPTP instead of IPSEC. It's a little easier to deal with on the Windows side since setup is all gui-wizards. Cheers, Brent
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000901c33a14$cdc73f90$190410ac>