Date: Thu, 20 Apr 2000 23:16:18 +0900
From: itojun@iijlab.net
To: Muhammad Najib <najib@kdu.edu.my>
Cc: freebsd-security@freebsd.org
Subject: Re: VPN using IPSec
Message-ID: <11595.956240178@coconut.itojun.org>
In-Reply-To: najib's message of Thu, 20 Apr 2000 22:10:56 +0800. <200004201410.WAA25907@falcon.kdu.edu.my>
>I've just installed the latest -RELEASE of FreeBSD and cvsup'd to -STABLE.
>I've read through the documentation and found it kinda confusing, yet
>I've tried to do what's in the doc and failed. This is my intention:
>- setting up a VPN connection between two organizations located at
>different geographical areas
>- at the same time allow Internet connectivity throughout the world
>using NAT
>
>I've understood from the doc that I need to use the 'tunnel mode'
>instead to achieve this. I followed the documentation in the handbook
>(http://www.freebsd.org/handbook/ipsec.html) but failed. Here are the
>conf files:

NAT - IPsec interaction will be very tricky, so I will not talk about that.

The current KAME (origin of FreeBSD IPsec) implementation has an issue with AH tunnel. In short, the receiving node will not consider packets tunnelled by AH tunnel as authentic (AH authenticates the outer packet, not the inner) and drops the packet if you set "require" policy for inbound. This will be corrected in future KAME releases.

If you use ESP tunnel instead, your configuration should work fine.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
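The reply above describes a specific trap: an inbound KAME setkey policy of the form `ah/tunnel/.../require` causes the receiving gateway to drop the tunnelled packets, while the same policy written with `esp/tunnel` works. The following POSIX sh snippet is an added example, not code from the thread, the FreeBSD handbook or the KAME project. It scans a setkey SPD fragment for exactly that pattern and rewrites AH tunnel policies to ESP tunnel policies. The policy text and the gateway addresses (192.0.2.1, 198.51.100.1) are constructed placeholders; the `spdadd` syntax itself is the standard setkey(8) syntax.

```sh
#!/bin/sh
# Added example: detect inbound "ah/tunnel/.../require" SPD entries, which the
# reply says the KAME implementation of the time drops, and convert them to ESP.
# The configuration below is constructed for illustration; addresses are placeholders.

# Constructed sample in the questioner's style: AH tunnel mode in both directions.
AH_CONF='spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec ah/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec ah/tunnel/198.51.100.1-192.0.2.1/require;'

# The same tunnel expressed with ESP, as the reply recommends.
ESP_CONF='spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;'

# count_ah_in_require CONFIG_TEXT
#   Prints the number of inbound (-P in) policies that require an AH tunnel.
#   A non-zero count means the receiving gateway will reject the tunnelled
#   traffic on the affected KAME release. grep exits 1 on zero matches, so
#   "|| true" keeps the function usable under "set -e".
count_ah_in_require() {
    printf '%s\n' "$1" \
        | grep -c -E -- '-P[[:space:]]+in[[:space:]]+ipsec[[:space:]]+ah/tunnel/[^/]+/require' \
        || true
}

# ah_to_esp CONFIG_TEXT
#   Prints the configuration with every AH tunnel policy rewritten as an ESP
#   tunnel policy; the endpoints, direction and level are left unchanged.
ah_to_esp() {
    printf '%s\n' "$1" | sed 's#[[:space:]]ah/tunnel/# esp/tunnel/#g'
}

# Stand-alone run: report on the AH sample, then show the rewritten version,
# which could be saved to a file and loaded with "setkey -f <file>".
if [ "$(count_ah_in_require "$AH_CONF")" -gt 0 ]; then
    echo "found inbound AH tunnel policy with level 'require'; rewriting to ESP:"
    ah_to_esp "$AH_CONF"
fi
```

Run the script on its own to see the rewritten policy, or source it and call `count_ah_in_require "$(cat /etc/ipsec.conf)"` to check a real SPD file; a result of 0 means no inbound policy depends on the AH tunnel behaviour the reply warns about.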