From owner-freebsd-doc@FreeBSD.ORG Tue Mar 8 23:51:10 2005
Message-ID: <422E3A0F.30209@dclabs.com.au>
Date: Wed, 09 Mar 2005 10:49:35 +1100
From: "Kahlil (Kal) Hodgson" <kal@dclabs.com.au>
To: doc@FreeBSD.org
Reply-To: support@dclabs.com.au
Subject: Notes on http://www.linuxinfor.com/english/FreeBSD/ipsec.html

Hi Guys,

After much mucking around I've just managed to set up an IPSEC VPN between a BSD gateway and a Debian Linux gateway (running a 2.6 kernel) and using racoon.

I'm coming from the Linux side of this and the guys at the BSD end were kind enough to give me access to their router so I could figure out why it was not working as expected. I've never been on a BSD box before so your FreeBSD documentation was *very* helpful -- thanks guys:-)

The racoon configuration was pretty straightforward, but I had a lot of trouble with routing and tunneling, which led to a lot of racoon tail chasing:-) In the end I could not get the gif tunnel on the BSD box to be demangled by either a gre or sit tunnel on the Linux box (probably a long shot anyway).

I did find that (after dropping tunnels and routes) the following policy worked:

At one end I had

    spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
    spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;

in combination with the strange route

    route add 192.168.2.0/24 A.B.C.D

and the other end

    spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
    spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;

in combination with

    route add 192.168.1.0/24 W.X.Y.Z

This was more in line with the documentation at http://www.ipsec-howto.org/x282.html (except that they don't mention the routes:-)

With this approach we only encapsulate the non-routable packet once with the ESP wrapper, but our security policy does have to look at all packets rather than just encapsulated ones.

Any thoughts on the security/efficiency implications of this?

Kind Regards,

Kal

-- 
Kahlil (Kal) Hodgson
DCLABS Pty Ltd
Advanced Linux Servers and Technology
http://www.dclabs.com.au
Phone: +61 3 9807 8600
Fax: +61 3 9807 9300

All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer.
-- IBM maintenance manual, 1925
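Added example (not from Kal's mail, the FreeBSD Handbook, or the ipsec-howto page): the two gateways' SPD entries above are the same two flows written from opposite sides, so the only thing that changes between the ends is the -P in / -P out direction. The mistake that is hardest to spot by eye is a policy whose tunnel endpoints or subnets are reversed on one end, which silently leaves that flow unprotected or dropped. The script below generates the spdadd lines for both ends from the subnets and endpoint addresses, parses them back, and checks that every policy on one gateway has its direction-flipped twin on the other; it also prints the "strange" route the mail used (remote subnet via the gateway's own tunnel endpoint). The addresses are constructed RFC 5737 documentation addresses standing in for A.B.C.D and W.X.Y.Z; the syntax handled is only the esp/tunnel/.../require form the mail uses, with IPv4 endpoints.

```python
# Added example: generate and cross-check mirrored setkey(8) SPD policies
# for the two gateways of an ESP tunnel. Not the mail's or FreeBSD's code;
# addresses are constructed (RFC 5737) stand-ins for A.B.C.D / W.X.Y.Z.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str        # inner (cleartext) source subnet
    dst: str        # inner destination subnet
    direction: str  # "in" or "out", as seen from the gateway holding it
    tun_src: str    # outer tunnel source (ESP packet source)
    tun_dst: str    # outer tunnel destination


def gateway_policies(local_net, remote_net, local_gw, remote_gw):
    """The two spdadd entries one gateway needs: encapsulate traffic leaving
    local_net for remote_net, and require ESP on traffic arriving the other way."""
    return [
        Policy(local_net, remote_net, "out", local_gw, remote_gw),
        Policy(remote_net, local_net, "in", remote_gw, local_gw),
    ]


def to_setkey(p):
    """Render a Policy in the setkey syntax used in the mail."""
    return (f"spdadd {p.src} {p.dst} any -P {p.direction} ipsec "
            f"esp/tunnel/{p.tun_src}-{p.tun_dst}/require;")


def parse_setkey(line):
    """Parse one 'spdadd SRC DST any -P DIR ipsec esp/tunnel/A-B/require;' line
    (IPv4 endpoints only; IPv6 endpoints contain ':' and would need a different split)."""
    t = line.strip().rstrip(";").split()
    if len(t) != 8 or t[0] != "spdadd" or t[4] != "-P" or t[6] != "ipsec":
        raise ValueError(f"unsupported spdadd line: {line!r}")
    proto, mode, endpoints, level = t[7].split("/")
    if proto != "esp" or mode != "tunnel" or level != "require":
        raise ValueError(f"expected esp/tunnel/.../require, got {t[7]!r}")
    tun_src, tun_dst = endpoints.split("-")
    return Policy(t[1], t[2], t[5], tun_src, tun_dst)


def peer_view(p):
    """The entry the other gateway must hold for the same flow: identical
    subnets and tunnel endpoints, only the direction flips."""
    return Policy(p.src, p.dst, "in" if p.direction == "out" else "out",
                  p.tun_src, p.tun_dst)


def check_mirrored(side_a_lines, side_b_lines):
    """Return a list of problems; empty means every policy on A has its
    direction-flipped twin on B and vice versa."""
    a = {parse_setkey(ln) for ln in side_a_lines if ln.strip()}
    b = {parse_setkey(ln) for ln in side_b_lines if ln.strip()}
    problems = []
    for p in sorted(a, key=to_setkey):
        if peer_view(p) not in b:
            problems.append(f"no mirror on B for: {to_setkey(p)}")
    for p in sorted(b, key=to_setkey):
        if peer_view(p) not in a:
            problems.append(f"no mirror on A for: {to_setkey(p)}")
    return problems


def routes_as_in_mail(policies):
    """The route the mail added next to each 'out' policy: the remote subnet
    via the gateway's own tunnel-endpoint address (the mail calls it strange)."""
    return [f"route add {p.dst} {p.tun_src}" for p in policies if p.direction == "out"]


if __name__ == "__main__":
    # Constructed endpoints: 192.0.2.1 plays A.B.C.D, 198.51.100.1 plays W.X.Y.Z.
    end1 = gateway_policies("192.168.1.0/24", "192.168.2.0/24", "192.0.2.1", "198.51.100.1")
    end2 = gateway_policies("192.168.2.0/24", "192.168.1.0/24", "198.51.100.1", "192.0.2.1")
    for name, pols in (("end 1", end1), ("end 2", end2)):
        print(f"# {name}")
        for p in pols:
            print(to_setkey(p))
        for r in routes_as_in_mail(pols):
            print(r)
    print("problems:", check_mirrored([to_setkey(p) for p in end1],
                                      [to_setkey(p) for p in end2]))
```

Run it with both ends' real setkey files in place of the generated lines to confirm the two SPDs describe the same two flows before chasing racoon; a non-empty problem list points at the exact line whose subnets, endpoints or direction do not match the peer.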