From owner-freebsd-questions Tue Dec 10 9:24:36 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0523537B401 for ; Tue, 10 Dec 2002 09:24:35 -0800 (PST)
Received: from fep1.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F14043EB2 for ; Tue, 10 Dec 2002 09:24:34 -0800 (PST) (envelope-from dlavigne6@cogeco.ca)
Received: from d226-42-146.home.cgocable.net (d226-42-146.home.cgocable.net [24.226.42.146]) by fep1.cogeco.net (Postfix) with ESMTP id E08B8A1FC; Tue, 10 Dec 2002 12:24:12 -0500 (EST)
Date: Tue, 10 Dec 2002 12:25:49 -0500 (EST)
From: Dru
X-X-Sender: dlavigne6@dhcp-17-14.kico2.on.cogeco.ca
To: Jeff Walters
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPsec on a NAT gateway
In-Reply-To: <825B5EDE-0C5B-11D7-A833-00039342A52C@yahoo.com>
Message-ID: <20021210122319.T41610-100000@dhcp-17-14.kico2.on.cogeco.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 10 Dec 2002, Jeff Walters wrote:

> At home I have a FreeBSD gateway working nicely for NAT and firewall.
> One of the machines behind this firewall is an OS X iBook running
> through a WEP-enabled Airport base station in bridged mode (i.e. it
> only bridges the wireless and the ethernet). WEP has known problems,
> and I'd like to secure the link between the iBook and the FreeBSD
> firewall against snooping or malicious neighbors, etc.
>
> I think that IPsec is the closest thing to an answer, however after
> much digging through setkey man pages, the FreeBSD handbook, and other
> HOWTO web pages nothing clearly describes this configuration. This is
> not really IPsec transport mode, because it's only secure between host
> and gateway, not host and host, and it's not tunnel mode because I'm not
> joining two LANs. Has anyone done this?

The configuration you describe is still considered tunnel mode, even
though it looks part transport / part tunnel mode. Tunnel mode occurs
whenever a gateway encrypts on behalf of a network. Typical tunnels have
gateways at both ends; however, it is possible to have a gateway at one
end and a single machine at the other.

HTH,

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
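As an added illustration of the host-to-gateway tunnel mode Dru describes (this is not part of the original thread or of anyone's posted configuration), the setkey(8) policy below protects every packet the iBook sends or receives, with the tunnel terminating on the gateway's LAN interface before NAT happens. The addresses are assumptions: the iBook is 192.168.1.10 and the FreeBSD gateway's inside interface is 192.168.1.1. The SPIs and keys are placeholders of the correct length for rijndael-cbc (128 bit) and hmac-sha1 (160 bit) and must be replaced with fresh random values (for example from `openssl rand -hex 16` and `openssl rand -hex 20`). This file is loaded on the gateway with `setkey -f`; the iBook needs the mirror image (the same SAs, with the `in`/`out` directions swapped).

```conf
# /etc/ipsec.conf on the FreeBSD gateway (example, not the poster's config)
# Assumed addresses: iBook 192.168.1.10, gateway LAN side 192.168.1.1
flush;
spdflush;

# Manually keyed tunnel-mode SAs, one per direction.
# PLACEHOLDER keys: replace before use and keep them out of world-readable files.
add 192.168.1.10 192.168.1.1 esp 0x1000 -m tunnel \
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff \
    -A hmac-sha1    0x0123456789abcdef0123456789abcdef01234567;
add 192.168.1.1 192.168.1.10 esp 0x1001 -m tunnel \
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100 \
    -A hmac-sha1    0x76543210fedcba9876543210fedcba9876543210;

# Policy: anything from the iBook must arrive inside an ESP tunnel
# whose outer header runs iBook -> gateway; "require" means plaintext
# from 192.168.1.10 is dropped rather than accepted.
spdadd 192.168.1.10/32 0.0.0.0/0 any -P in \
    ipsec esp/tunnel/192.168.1.10-192.168.1.1/require;

# Anything routed back to the iBook (including NAT'd replies) is
# encapsulated gateway -> iBook before it hits the bridged wireless segment.
spdadd 0.0.0.0/0 192.168.1.10/32 any -P out \
    ipsec esp/tunnel/192.168.1.1-192.168.1.10/require;
```

Checks a practitioner would want: `setkey -D` should list both SAs and `setkey -DP` both policies; a `tcpdump -ni <lan_if>` on the wired side of the base station should then show only ESP between the two addresses, never TCP or UDP from 192.168.1.10. Two caveats the thread does not mention: the policy selects on the iBook's address, so it needs a static address rather than a DHCP lease that can change, and manually keyed SAs never expire or rekey, so for anything beyond a proof of concept use racoon (IKE) to negotiate the SAs and keep only the `spdadd` lines.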