From owner-freebsd-security Thu Apr 20 6:57: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from falcon.kdu.edu.my (owns.modestos.net [203.106.26.199]) by hub.freebsd.org (Postfix) with ESMTP id 63F6D37B612 for ; Thu, 20 Apr 2000 06:56:43 -0700 (PDT) (envelope-from najib@kdu.edu.my)
Received: (from nobody@localhost) by falcon.kdu.edu.my (8.9.3/8.9.3) id WAA25907; Thu, 20 Apr 2000 22:10:56 +0800 (MYT)
Date: Thu, 20 Apr 2000 22:10:56 +0800 (MYT)
Message-Id: <200004201410.WAA25907@falcon.kdu.edu.my>
X-Authentication-Warning: falcon.kdu.edu.my: nobody set sender to najib@kdu.edu.my using -f
From: Muhammad Najib
To: freebsd-security@freebsd.org
Reply-To: Muhammad Najib
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
User-Agent: IMP/PHP3 Imap webMail Program 2.0.11
X-Originating-IP: 203.106.26.198
Subject: VPN using IPSec
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've just installed the latest -RELEASE of FreeBSD and cvsup'd to -STABLE. I've read through the documentation and found it kinda confusing, yet I've tried to do what's in the doc and failed.

This is my intention:
- setting up a VPN connection between two organizations located in different geographical areas
- at the same time allowing Internet connectivity throughout the world using NAT

I understood from the doc that I need to use 'tunnel mode' instead to achieve this. I followed the documentation in the handbook (http://www.freebsd.org/handbook/ipsec.html) but failed.
Here are the conf files:

HOST A = 100.200.100.1 (not real IP)
HOST B = 200.100.100.1 (not real IP)
dmz network behind HOST A = 10.1.2.0/24
dmz network behind HOST B = 10.1.1.0/24

----------------------HOST A CONF STARTS-----------------------------
add 100.200.100.1 200.100.200.1 ah-old 0x10003 -m any -A keyed-md5 "this is the test" ;
add 200.100.200.1 100.200.100.1 ah-old 0x10004 -m any -A keyed-md5 "this is the test" ;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec ah/tunnel/100.200.100.1-200.100.200.1/require ;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec ah/tunnel/200.100.200.1-100.200.100.1/require ;
----------------------HOST A CONF ENDS-------------------------------

----------------------HOST B CONF STARTS-----------------------------
add 100.200.100.1 200.100.200.1 ah-old 0x10003 -m any -A keyed-md5 "this is the test" ;
add 200.100.200.1 100.200.100.1 ah-old 0x10004 -m any -A keyed-md5 "this is the test" ;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec ah/tunnel/200.100.200.1-100.200.100.1/require ;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec ah/tunnel/100.200.100.1-200.100.200.1/require ;
----------------------HOST B CONF ENDS-------------------------------

I hope somebody out there who has already done this VPN-style setup can point me to any flaw in this configuration.

Thanx in advance :)

regards,

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
MUHAMMAD NAJIB ABDUL MUKTHI                member of My-Linux.ORG
WEB PROGRAMMER                             http://www.my-linux.org
Kolej Damansara Utama, SS22/41,            najib@csi-x.net
47400 Petaling Jaya, Selangor.             najib@kaypo.net
http://www.kdu.edu.my                      najib@kdu.edu.my
Tel : +603 77288123 ext.320                najib@my-linux.org
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
_______________________________________________
UNIX - it makes the world go round :)
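The message above asks whether the posted configuration has a flaw. Two things are visible from the text itself: the address declared for HOST B (200.100.100.1) is not the tunnel endpoint used throughout both configs (200.100.200.1), and every SA is `ah-old` with `keyed-md5`, i.e. the pre-RFC 2402 form of AH with the RFC 1828 keyed-MD5 algorithm, so the tunnel authenticates packets but encrypts nothing. The Python script below is an added example, not the poster's configuration and not FreeBSD code. It does not run setkey; it parses the two posted configs offline and checks that each tunnel policy has a matching SA with the same endpoints and protocol, that no SPI collides, that tunnel endpoints are declared gateway addresses, that HOST A's policies are HOST B's with the direction flipped, and that an ESP SA exists at all. The `HOST_A_CONF` / `HOST_B_CONF` strings are copied from the message; the `declared` gateway set is an assumption taken from its "HOST A =" / "HOST B =" lines.

```python
"""Offline consistency checks for a pair of setkey(8) configurations.

Added example, not code from the original message or from FreeBSD. It never
invokes setkey; it only parses `add` and `spdadd` statements as text. The two
configs are copied from the message; the declared gateway addresses below are
an assumption taken from the message's "HOST A = ..." / "HOST B = ..." lines.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

HOST_A_CONF = """
add 100.200.100.1 200.100.200.1 ah-old 0x10003 -m any -A keyed-md5 "this is the test" ;
add 200.100.200.1 100.200.100.1 ah-old 0x10004 -m any -A keyed-md5 "this is the test" ;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec ah/tunnel/100.200.100.1-200.100.200.1/require ;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec ah/tunnel/200.100.200.1-100.200.100.1/require ;
"""

HOST_B_CONF = """
add 100.200.100.1 200.100.200.1 ah-old 0x10003 -m any -A keyed-md5 "this is the test" ;
add 200.100.200.1 100.200.100.1 ah-old 0x10004 -m any -A keyed-md5 "this is the test" ;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec ah/tunnel/200.100.200.1-100.200.100.1/require ;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec ah/tunnel/100.200.100.1-200.100.200.1/require ;
"""


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str  # "ah" or "esp"; the "-old" variants are normalised to these
    spi: int


@dataclass(frozen=True)
class SP:
    src: str
    dst: str
    direction: str
    proto: str
    mode: str
    tun_src: Optional[str]
    tun_dst: Optional[str]
    level: str


def parse(text: str) -> Tuple[List[SA], List[SP]]:
    """Parse setkey 'add' and 'spdadd' statements; anything else is ignored."""
    sas: List[SA] = []
    sps: List[SP] = []
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for stmt in body.split(";"):
        tok = shlex.split(stmt)  # shlex keeps the quoted key as a single token
        if not tok:
            continue
        if tok[0] == "add":
            # add <src> <dst> <protocol> <spi> [extensions] <algorithm> <key>
            sas.append(SA(tok[1], tok[2], tok[3].replace("-old", ""), int(tok[4], 0)))
        elif tok[0] == "spdadd":
            # spdadd <src_range> <dst_range> <upperspec> -P <dir> ipsec <proto/mode/src-dst/level>...
            p = tok.index("-P")
            direction, action = tok[p + 1], tok[p + 2]
            if action != "ipsec":  # discard/none policies require no SA
                continue
            for rule in tok[p + 3:]:
                proto, mode, endpoints, level = rule.split("/")
                tun_src, tun_dst = endpoints.split("-") if endpoints else (None, None)
                sps.append(SP(tok[1], tok[2], direction, proto, mode, tun_src, tun_dst, level))
    return sas, sps


def check_host(label: str, conf: str, gateways: Set[str]) -> List[str]:
    """Per-host findings: SPI collisions, tunnel policies with no matching SA,
    endpoints that are not declared gateways, and the AH-only caveat."""
    sas, sps = parse(conf)
    findings: List[str] = []
    seen = set()
    for sa in sas:
        key = (sa.dst, sa.proto, sa.spi)  # an SA is identified by dst, protocol and SPI
        if key in seen:
            findings.append(f"{label}: duplicate SPI {sa.spi:#x} for {sa.proto} to {sa.dst}")
        seen.add(key)
    for sp in sps:
        if sp.mode != "tunnel":
            continue
        if not any(sa.src == sp.tun_src and sa.dst == sp.tun_dst and sa.proto == sp.proto for sa in sas):
            findings.append(f"{label}: no {sp.proto} SA {sp.tun_src}->{sp.tun_dst} "
                            f"for {sp.direction} policy {sp.src}->{sp.dst}")
        for ep in (sp.tun_src, sp.tun_dst):
            if ep not in gateways:
                findings.append(f"{label}: tunnel endpoint {ep} is not a declared gateway address")
    if sas and not any(sa.proto == "esp" for sa in sas):
        findings.append(f"{label}: no ESP SA; AH alone authenticates traffic but does not encrypt it")
    return list(dict.fromkeys(findings))  # drop repeats, keep order


def _key(sp: SP, flip: bool) -> tuple:
    d = sp.direction
    if flip:
        d = "in" if d == "out" else "out"
    return (sp.src, sp.dst, d, sp.proto, sp.mode, sp.tun_src, sp.tun_dst, sp.level)


def check_pair(conf_a: str, conf_b: str, gateways: Set[str],
               labels: Tuple[str, str] = ("HOST A", "HOST B")) -> List[str]:
    """Findings for both hosts plus a mirror check: every policy on A, with its
    direction flipped, must appear verbatim on B, and vice versa."""
    findings = check_host(labels[0], conf_a, gateways) + check_host(labels[1], conf_b, gateways)
    a = {_key(sp, True) for sp in parse(conf_a)[1]}
    b = {_key(sp, False) for sp in parse(conf_b)[1]}
    for k in sorted(a ^ b, key=str):
        findings.append(f"mirror mismatch between {labels[0]} and {labels[1]}: {k}")
    return findings


if __name__ == "__main__":
    # Gateway addresses as declared in the message text (assumption, see module docstring).
    declared = {"100.200.100.1", "200.100.100.1"}
    for line in check_pair(HOST_A_CONF, HOST_B_CONF, declared):
        print(line)
```

Run as-is, the script reports on both hosts that 200.100.200.1 is not a declared gateway and that no ESP SA is present; the per-policy SA lookup and the mirror check pass, because the two configs are internally consistent with each other. Passing `{"100.200.100.1", "200.100.200.1"}` as the gateway set clears the endpoint finding and leaves only the AH-only caveat. The checks say nothing about routing, the NAT rules, or whether the kernel was built with IPsec; they only catch the class of transcription and mirroring errors that a hand-written pair of setkey files invites.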