From owner-freebsd-security  Thu Apr 20  7:16:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97])
	by hub.freebsd.org (Postfix) with ESMTP id 43ACD37B810
	for <freebsd-security@freebsd.org>; Thu, 20 Apr 2000 07:16:41 -0700 (PDT)
	(envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1])
	by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id XAA11597;
	Thu, 20 Apr 2000 23:16:18 +0900 (JST)
To: Muhammad Najib <najib@kdu.edu.my>
Cc: freebsd-security@freebsd.org
In-reply-to: najib's message of Thu, 20 Apr 2000 22:10:56 +0800.
      <200004201410.WAA25907@falcon.kdu.edu.my>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD  90 5F B4 60 79 54 16 E2
Subject: Re: VPN using IPSec
From: itojun@iijlab.net
Date: Thu, 20 Apr 2000 23:16:18 +0900
Message-ID: <11595.956240178@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>I've just install the latest -RELEASE of FreeBSD and cvsup to -STABLE. 
>I've read through the documentation and found it kinda confusing, yet 
>I've tried to do what's in the doc and failed. This is my intention:
>- setting up VPN connection between two organization located at 
>different geographical area
>- at the same time allow Internet connectivity throughout the world 
>using NAT
>
>I've been understood by the doc that I need to use the 'tunnel mode' 
>instead to achieve this. I followed the documentation in the handbook 
>(http://www.freebsd.org/handbook/ipsec.html) but failed. Here's the 
>conf files:

	NAT - IPsec interaction will be very tricky, so I will not talk about
	that.

	The current KAME (origin of FreeBSD IPsec) implementation has some
	issue with AH tunnel.  In short, the receiving node will not
	consider packet tunnelled by AH tunnel as authentic (AH authenticates
	the outer packet, not the inner) and drop the packet if you set
	"require" policy for inbound. 
	This will be corrected in future KAME releases.
	If you use ESP tunnel instead, your configuration should work fine.

itojun


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message