Date: Thu, 26 Oct 2000 23:43:59 -0400
From: Matthew Hagerty <mhagerty@voyager.net>
To: Mike Tancsa <mike@sentex.net>, Matthew Hagerty <matthew@venux.net>, freebsd-security@FreeBSD.ORG
Subject: Re: IPsec requires FreeBSD-4.??
Message-ID: <5.0.0.25.2.20001026234133.02b0bc30@pop.voyager.net>
In-Reply-To: <4.2.2.20001025194015.04b93008@mail.sentex.net>
References: <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>
Thanks for the info; however, I am still not having any luck. Should the
configuration you give below work if NAT is taking place on this machine as
well? Also, are there any pointers as to how I can troubleshoot this problem,
check where the communication stops, etc?

Thanks,
Matthew

At 07:44 PM 10/25/00 -0400, Mike Tancsa wrote:
>At 06:33 PM 10/25/2000 -0400, Matthew Hagerty wrote:
>>Greetings,
>>
>>I am trying desperately to get a simple network-to-network VPN working
>>with FreeBSD. I am having no luck and would like to know what version of
>>4.x I need? I am currently using 4.0 release on both sides. Is that
>>going to work or do I need to upgrade to 4.1.1 or something?
>
>It certainly is easier with 4.1.1 as you can use the racoon port. Here is
>a quick sample config that will work with racoon out of the box
>
>This assumed that 172.16.1.1 and 192.168.1.1 are your public NON RFC 1918
>space that is publicly routed
>
>#!/bin/sh
>#Ottawa config
>ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
>gifconfig gif0 172.16.1.1 192.168.1.1
>ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
>setkey -FP
>setkey -F
>setkey -c <<EOF
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
>esp/tunnel/172.16.1.1-192.168.1.1/require;
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
>esp/tunnel/192.168.1.1-172.16.1.1/require;
>EOF
>
>#!/bin/sh
>#Toronto config
>ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
>gifconfig gif0 192.168.1.1 172.16.1.1
>ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
>setkey -FP
>setkey -F
>setkey -c <<EOF
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
>esp/tunnel/192.168.1.1-172.16.1.1/require;
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
>esp/tunnel/172.16.1.1-192.168.1.1/require;
>EOF
>
>And Presto! We have a secure VPN that is tunneled!
>
>Toronto# ping 10.1.2.1
>PING 10.1.2.1 (10.1.2.1): 56 data bytes
>64 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=1.743 ms
>64 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=1.746 ms
>64 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=1.739 ms
>64 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=1.610 ms
>^C
>--- 10.1.2.1 ping statistics ---
>5 packets transmitted, 4 packets received, 20% packet loss
>round-trip min/avg/max/stddev = 1.610/1.710/1.746/0.058 ms
>Toronto# traceroute 10.1.2.1
>traceroute to 10.1.2.1 (10.1.2.1), 30 hops max, 40 byte packets
> 1  10.1.2.1 (10.1.2.1)  1.363 ms  1.222 ms  1.183 ms
>Toronto# telnet 10.1.2.1
>Trying 10.1.2.1...
>Connected to 10.1.2.1.
>Escape character is '^]'.
>
>>Also, while I'm here, this is the whole procedure I'm using (that does
>>not seem to be working.) Is there something wrong with this?
>>
>>In the kernel I added these and recompiled:
>>
>>options IPSEC
>>options IPSEC_ESP
>
>Looks good to me.
>
>--------------------------------------------------------------------
>Mike Tancsa, tel +1 519 651 3400
>Network Administration, mike@sentex.net
>Sentex Communications www.sentex.net
>Cambridge, Ontario Canada www.sentex.net/mike
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
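Added example, written for this archive page and not posted by either participant: a small sh script that derives both ends of the gif+ESP tunnel quoted above from one parameter set and checks that the two setkey SPDs mirror each other, which is the first thing to verify when nothing ever appears in the tunnel. The interface names lo0/gif0, the 4.x-era gifconfig command and the Ottawa/Toronto addresses are reused from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build both ends of the gif+ESP tunnel
# from one parameter set and check that the two SPDs mirror each other.
# Interface names lo0/gif0 and the 4.x-era gifconfig command are as in the
# thread; the addresses below are the thread's own Ottawa/Toronto values.

# spd_policies LOCAL_PUB REMOTE_PUB LOCAL_NET REMOTE_NET
# Prints the two spdadd lines for one end. The esp/tunnel endpoints are the
# public addresses the peer sees on the wire, so both ends must name the same pair.
spd_policies() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$4" "$3" "$2" "$1"
}

# render_end LOCAL_PUB REMOTE_PUB LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints the full per-end script in the form posted in the thread.
render_end() {
    printf 'ifconfig lo0 %s netmask 255.255.255.0 alias\n' "$5"
    printf 'gifconfig gif0 %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.0\n' "$5" "$6"
    printf 'setkey -FP\nsetkey -F\nsetkey -c <<EOF\n'
    spd_policies "$1" "$2" "$3" "$4"
    printf 'EOF\n'
}

# mirror_check END_A_POLICIES END_B_POLICIES
# Every "out" policy at one end must reappear, identical apart from the
# direction, as an "in" policy at the other end. A typo in either a net or
# a tunnel endpoint means one side's inbound policy never matches what the
# other side sends.
mirror_check() {
    a_out=$(printf '%s\n' "$1" | grep -- '-P out' | sed 's/-P out/-P in/' | sort)
    b_in=$(printf '%s\n' "$2" | grep -- '-P in' | sort)
    b_out=$(printf '%s\n' "$2" | grep -- '-P out' | sed 's/-P out/-P in/' | sort)
    a_in=$(printf '%s\n' "$1" | grep -- '-P in' | sort)
    [ "$a_out" = "$b_in" ] && [ "$b_out" = "$a_in" ]
}

# Demo: render the Ottawa end, then confirm Ottawa and Toronto mirror.
# The Toronto end is the same call with each argument pair swapped.
render_end 172.16.1.1 192.168.1.1 10.1.2.0/24 10.1.1.0/24 10.1.2.1 10.1.1.1
ottawa=$(spd_policies 172.16.1.1 192.168.1.1 10.1.2.0/24 10.1.1.0/24)
toronto=$(spd_policies 192.168.1.1 172.16.1.1 10.1.1.0/24 10.1.2.0/24)
mirror_check "$ottawa" "$toronto" && echo "# Ottawa/Toronto SPDs mirror correctly"
```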