From owner-freebsd-security Thu Oct 26 20:44:09 2000
Date: Thu, 26 Oct 2000 23:43:59 -0400
From: Matthew Hagerty
To: Mike Tancsa, Matthew Hagerty, freebsd-security@FreeBSD.ORG
Subject: Re: IPsec requires FreeBSD-4.??
Message-Id: <5.0.0.25.2.20001026234133.02b0bc30@pop.voyager.net>
In-Reply-To: <4.2.2.20001025194015.04b93008@mail.sentex.net>
References: <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>

Thanks for the info, however I am still not having any luck. Should the configuration you give below work if NAT is taking place on this machine as well? Also, are there any pointers as to how I can troubleshoot this problem, check where the communication stops, etc?

Thanks,
Matthew

At 07:44 PM 10/25/00 -0400, Mike Tancsa wrote:
>At 06:33 PM 10/25/2000 -0400, Matthew Hagerty wrote:
>>Greetings,
>>
>>I am trying desperately to get a simple network-to-network VPN working
>>with FreeBSD. I am having no luck and would like to know what version of
>>4.x I need? I am currently using 4.0 release on both sides. Is that
>>going to work or do I need to upgrade to 4.1.1 or something?
>
>It certainly is easier with 4.1.1 as you can use the racoon port. Here is
>a quick sample config that will work with racoon out of the box
>
>This assumed that 172.16.1.1 and 192.168.1.1 are your public NON RFC 1918
>space that is publicly routed
>
>#!/bin/sh
>#Ottawa config
>ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
>gifconfig gif0 172.16.1.1 192.168.1.1
>ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
>setkey -FP
>setkey -F
>setkey -c <<EOF
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
>esp/tunnel/172.16.1.1-192.168.1.1/require;
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
>esp/tunnel/192.168.1.1-172.16.1.1/require;
>EOF
>
>#!/bin/sh
>#Toronto config
>ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
>gifconfig gif0 192.168.1.1 172.16.1.1
>ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
>setkey -FP
>setkey -F
>setkey -c <<EOF
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
>esp/tunnel/192.168.1.1-172.16.1.1/require;
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
>esp/tunnel/172.16.1.1-192.168.1.1/require;
>EOF
>
>And Presto! We have a secure VPN that is tunneled!
>
>Toronto# ping 10.1.2.1
>PING 10.1.2.1 (10.1.2.1): 56 data bytes
>64 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=1.743 ms
>64 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=1.746 ms
>64 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=1.739 ms
>64 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=1.610 ms
>^C
>--- 10.1.2.1 ping statistics ---
>5 packets transmitted, 4 packets received, 20% packet loss
>round-trip min/avg/max/stddev = 1.610/1.710/1.746/0.058 ms
>Toronto# traceroute 10.1.2.1
>traceroute to 10.1.2.1 (10.1.2.1), 30 hops max, 40 byte packets
> 1  10.1.2.1 (10.1.2.1)  1.363 ms  1.222 ms  1.183 ms
>Toronto# telnet 10.1.2.1
>Trying 10.1.2.1...
>Connected to 10.1.2.1.
>Escape character is '^]'.
>
>>Also, while I'm here, this is the whole procedure I'm using (that does
>>not seem to be working.) Is there something wrong with this?
>>
>>In the kernel I added these and recompiled:
>>
>>options IPSEC
>>options IPSEC_ESP
>
>Looks good to me.
>
>--------------------------------------------------------------------
>Mike Tancsa, tel +1 519 651 3400
>Network Administration, mike@sentex.net
>Sentex Communications www.sentex.net
>Cambridge, Ontario Canada www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
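The two site scripts in Mike's mail are exact mirrors of each other, and a common reason a tunnel like this stays silent is that one side's SPD entries do not match the other's. The following added example (not code from the thread or from FreeBSD) generates both ends from one description and checks that every outbound policy on one site appears as the same flow inbound on the other; the Site class and helper names are this example's own, the addresses are the ones the thread uses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str      # label used in the script comment
    public: str    # routable outer address, the ESP tunnel endpoint
    inner: str     # inner address put on gif0 and aliased on lo0
    network: str   # private network behind the site, CIDR


def tunnel_script(local, remote):
    """Render the gif/setkey script for `local`, in the thread's layout."""
    lines = [
        "#!/bin/sh",
        f"#{local.name} config",
        f"ifconfig lo0 {local.inner} netmask 255.255.255.0 alias",
        f"gifconfig gif0 {local.public} {remote.public}",
        f"ifconfig gif0 inet {local.inner} {remote.inner} netmask 255.255.255.0",
        "setkey -FP",
        "setkey -F",
        "setkey -c <<EOF",
        f"spdadd {local.network} {remote.network} any -P out ipsec",
        f"esp/tunnel/{local.public}-{remote.public}/require;",
        f"spdadd {remote.network} {local.network} any -P in ipsec",
        f"esp/tunnel/{remote.public}-{local.public}/require;",
        "EOF",
    ]
    return "\n".join(lines) + "\n"


def spd_policies(script):
    """Parse the spdadd block into (src, dst, direction, tunnel) tuples."""
    body = script.split("setkey -c <<EOF\n", 1)[1].split("\nEOF", 1)[0]
    policies = set()
    for stmt in body.replace("\n", " ").split(";"):
        words = stmt.split()
        if not words:
            continue
        # spdadd SRC DST any -P DIR ipsec esp/tunnel/A-B/require
        _, src, dst, _, _, direction, _, proto = words
        policies.add((src, dst, direction, proto.split("/")[2]))
    return policies


def policies_mirror(script_a, script_b):
    """True when each flow is 'out' on one end and 'in' on the other."""
    flipped = {(s, d, "in" if dirn == "out" else "out", t)
               for s, d, dirn, t in spd_policies(script_a)}
    return flipped == spd_policies(script_b)


# Constructed from the thread: Ottawa and Toronto as Mike described them.
ottawa = Site("Ottawa", "172.16.1.1", "10.1.2.1", "10.1.2.0/24")
toronto = Site("Toronto", "192.168.1.1", "10.1.1.1", "10.1.1.0/24")
```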