From owner-freebsd-questions@FreeBSD.ORG Tue Oct 28 15:21:55 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EDA7B16A4CE for ; Tue, 28 Oct 2003 15:21:55 -0800 (PST)
Received: from fed1mtao01.cox.net (fed1mtao01.cox.net [68.6.19.244]) by mx1.FreeBSD.org (Postfix) with ESMTP id BCEBD43F93 for ; Tue, 28 Oct 2003 15:21:54 -0800 (PST) (envelope-from brently@bjwcs.com)
Received: from SAMBA ([68.98.26.35]) by fed1mtao01.cox.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP id <20031028232154.XGJZ2935.fed1mtao01.cox.net@SAMBA>; Tue, 28 Oct 2003 18:21:54 -0500
From: "Brent Wiese"
To: "'Micheal Patterson'" ,
Date: Tue, 28 Oct 2003 16:25:48 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcOZzkvE83eLChPmRa+Wj1zcFImYKgD2do0gAABVmVA=
Message-Id: <20031028232154.XGJZ2935.fed1mtao01.cox.net@SAMBA>
Subject: RE: IPSEC tunnel issue..
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 28 Oct 2003 23:21:56 -0000

> Here's my situation.
>
> I've got 2 networks at different facilities that are using public routable
> IPs. Each end has a fbsd box in bridge mode as their firewall between the
> lan and the cisco routers at each end. I've been tasked to establish a
> secure tunnel between these two networks and I'm having some trouble. I've
> searched google for ipsec information on this but everything that I have
> found depicts a private lan behind the public IPs of the tunnel endpoints.
> Has anyone been able to establish this type of tunnel successfully? If so,
> can you please direct me to some information on this?

So if I understand correctly, you're running the FreeBSD firewall in "transparent" mode? Hosts behind the firewall use public addresses on the same subnet as the firewall's public address?

I think you may need to switch to NAT mode so you're running a non-net-routable (private) LAN. You can always stack more public IPs on the firewall and port forward.

Or, if you run a routing daemon and have all your hosts point to it as the default gateway, build the tunnel and route anything that isn't through the tunnel at your real gateway.

Or, build the tunnel and add routes to all the hosts specifying the FreeBSD box as the gateway for the remote network. This can be a pain to admin long term, but if, for instance, you run a Windows domain, you can run a "route add" batch file when users log into the network.

Brent
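An added example of the third option Brent describes, the per-host "route add" batch file; it is not part of the original thread or of any FreeBSD project code. The remote subnet (192.0.2.0/24) and the FreeBSD box's LAN address (198.51.100.10) are placeholder values from the RFC 5737 documentation ranges and are assumptions to be replaced with the real ones.

```batch
@echo off
rem Added example (not from the thread): a Windows batch script that points a
rem host at the FreeBSD IPsec gateway for the remote network, instead of at
rem the Cisco default gateway. Addresses below are placeholders (assumptions).
set REMOTE_NET=192.0.2.0
set REMOTE_MASK=255.255.255.0
set IPSEC_GW=198.51.100.10

rem If a route for the remote network already exists (for example from an
rem earlier run with a different gateway address), remove it first so two
rem entries are not left competing for the same destination.
route print %REMOTE_NET% | findstr /C:"%REMOTE_NET%" >nul
if %ERRORLEVEL% EQU 0 route delete %REMOTE_NET%

rem -p makes the route persistent across reboots, so the script only has to
rem correct the route when the gateway changes rather than rebuild it at
rem every logon.
route -p add %REMOTE_NET% mask %REMOTE_MASK% %IPSEC_GW%
if %ERRORLEVEL% NEQ 0 (
    echo Failed to add route to %REMOTE_NET% via %IPSEC_GW% 1>&2
    exit /b 1
)

rem Show the routing table entry now in effect for the remote network.
route print %REMOTE_NET%
```

Two practical points. Changing the routing table needs administrative rights on the host, so in a domain this is better run as a computer startup script (which runs as SYSTEM) than as a user logon script. And the route only steers traffic for the remote prefix to the FreeBSD box; the IPsec policy on that box that actually carries the traffic through the tunnel is a separate step the thread does not cover.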