From owner-freebsd-security Thu Apr 20 7:16:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 43ACD37B810 for ; Thu, 20 Apr 2000 07:16:41 -0700 (PDT) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id XAA11597; Thu, 20 Apr 2000 23:16:18 +0900 (JST)
To: Muhammad Najib
Cc: freebsd-security@freebsd.org
In-reply-to: najib's message of Thu, 20 Apr 2000 22:10:56 +0800. <200004201410.WAA25907@falcon.kdu.edu.my>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: VPN using IPSec
From: itojun@iijlab.net
Date: Thu, 20 Apr 2000 23:16:18 +0900
Message-ID: <11595.956240178@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>I've just installed the latest -RELEASE of FreeBSD and cvsup'd to -STABLE.
>I've read through the documentation and found it kinda confusing, yet
>I've tried to do what's in the doc and failed. This is my intention:
>- setting up a VPN connection between two organizations located in
>different geographical areas
>- at the same time allow Internet connectivity throughout the world
>using NAT
>
>I've understood from the doc that I need to use 'tunnel mode'
>to achieve this. I followed the documentation in the handbook
>(http://www.freebsd.org/handbook/ipsec.html) but failed. Here's the
>conf files:

NAT - IPsec interaction will be very tricky, so I will not talk about that.

The current KAME (origin of FreeBSD IPsec) implementation has an issue with AH tunnels. In short, the receiving node will not consider a packet tunnelled by an AH tunnel as authentic (AH authenticates the outer packet, not the inner) and will drop the packet if you set a "require" policy for inbound.

This will be corrected in future KAME releases. If you use an ESP tunnel instead, your configuration should work fine.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
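As an added illustration of the advice above (not part of the original mail or the handbook), here is a KAME `setkey` policy set for one gateway that uses an ESP tunnel with a "require" level in both directions, with the AH-tunnel form that the reply says a "require" inbound policy would drop shown commented out. The addresses are assumed: 192.0.2.1 is this gateway, 198.51.100.1 the peer, and 10.0.1.0/24 and 10.0.2.0/24 the two organizations' internal networks.

```conf
# Constructed example for gateway A (192.0.2.1); gateway B mirrors it with
# the address pairs swapped. Load with: setkey -f <this file>
flush;
spdflush;

# Outbound: traffic from our LAN to the remote LAN must go through an ESP
# tunnel whose outer header is 192.0.2.1 -> 198.51.100.1.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
       esp/tunnel/192.0.2.1-198.51.100.1/require;

# Inbound: traffic from the remote LAN is accepted only if it arrived inside
# the matching ESP tunnel. Unprotected packets matching this selector are dropped.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
       esp/tunnel/198.51.100.1-192.0.2.1/require;

# The AH-tunnel equivalent. On the KAME code of that time the inbound policy
# below would drop the decapsulated inner packet, because AH covers only the
# outer packet and the inner packet is not marked as authenticated.
# spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
#        ah/tunnel/192.0.2.1-198.51.100.1/require;
# spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
#        ah/tunnel/198.51.100.1-192.0.2.1/require;
```

The policy only states what protection is required; the ESP security associations themselves come from racoon (IKE) or from manual `add` entries, which are not shown here.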