Date: Wed, 25 Oct 2000 19:44:58 -0400
From: Mike Tancsa <mike@sentex.net>
To: Matthew Hagerty <matthew@venux.net>, freebsd-security@FreeBSD.ORG
Subject: Re: IPsec requires FreeBSD-4.??
Message-ID: <4.2.2.20001025194015.04b93008@mail.sentex.net>
In-Reply-To: <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>
At 06:33 PM 10/25/2000 -0400, Matthew Hagerty wrote:
>Greetings,
>
>I am trying desperately to get a simple network-to-network VPN working
>with FreeBSD. I am having no luck and would like to know what version of
>4.x I need? I am currently using 4.0 release on both sides. Is that
>going to work or do I need to upgrade to 4.1.1 or something?

It certainly is easier with 4.1.1 as you can use the racoon port. Here is a
quick sample config that will work with racoon out of the box. This assumes
that 172.16.1.1 and 192.168.1.1 are your public, NON RFC 1918 space that is
publicly routed.

#!/bin/sh
#Ottawa config
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
gifconfig gif0 172.16.1.1 192.168.1.1
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/172.16.1.1-192.168.1.1/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec esp/tunnel/192.168.1.1-172.16.1.1/require;
EOF

#!/bin/sh
#Toronto config
ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
gifconfig gif0 192.168.1.1 172.16.1.1
ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/192.168.1.1-172.16.1.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/172.16.1.1-192.168.1.1/require;
EOF

And Presto! We have a secure VPN that is tunneled!

Toronto# ping 10.1.2.1
PING 10.1.2.1 (10.1.2.1): 56 data bytes
64 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=1.743 ms
64 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=1.746 ms
64 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=1.739 ms
64 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=1.610 ms
^C
--- 10.1.2.1 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max/stddev = 1.610/1.710/1.746/0.058 ms

Toronto# traceroute 10.1.2.1
traceroute to 10.1.2.1 (10.1.2.1), 30 hops max, 40 byte packets
 1  10.1.2.1 (10.1.2.1)  1.363 ms  1.222 ms  1.183 ms

Toronto# telnet 10.1.2.1
Trying 10.1.2.1...
Connected to 10.1.2.1.
Escape character is '^]'.

>Also, while I'm here, this is the whole procedure I'm using (that does not
>seem to be working.) Is there something wrong with this?
>
>In the kernel I added these and recompiled:
>
>options IPSEC
>options IPSEC_ESP

Looks good to me.

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
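A small consistency check for the two setkey(8) policy sets above, added here as an example and not part of Mike's mail. The point it encodes: the receiving gateway's "-P in" line keeps the same src/dst and tunnel-endpoint order as the sender's "-P out" line, only the direction word differs, so a pair of configs is correct exactly when each side's "out" lines reappear verbatim on the other side as "in" lines. The sample policy files are the two heredoc bodies from the mail plus one constructed broken variant.

```shell
#!/bin/sh
# Added example, not from Mike Tancsa's mail: verify that two gateways'
# setkey(8) SPD policy sets describe the same tunnel. The peer's "-P in"
# line keeps the SAME src/dst and tunnel src-dst order as our "-P out" line;
# swapping the addresses on the "in" side is a common copy error that leaves
# the tunnel silently dropping traffic.

# For every "-P out" policy in FILE, print the "-P in" policy the peer
# gateway must carry (identical line, only the direction flipped).
peer_in_policies() {
    sed -n 's/ -P out / -P in /p' "$1"
}

# Return 0 when every "out" policy on A has its "in" counterpart on B and
# vice versa; otherwise print the missing lines and return 1.
spd_mirror_check() {
    rc=0
    peer_in_policies "$1" | while read -r want; do
        grep -qF -- "$want" "$2" || { echo "missing on $2: $want"; exit 1; }
    done || rc=1
    peer_in_policies "$2" | while read -r want; do
        grep -qF -- "$want" "$1" || { echo "missing on $1: $want"; exit 1; }
    done || rc=1
    return $rc
}

# Constructed sample inputs: the Ottawa and Toronto policy sets from the
# mail, plus a deliberately broken Toronto set whose "in" line has its
# networks swapped (a typical hand-copy mistake).
OTTAWA_SPD=$(mktemp); TORONTO_SPD=$(mktemp); BAD_SPD=$(mktemp)
cat >"$OTTAWA_SPD" <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/172.16.1.1-192.168.1.1/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec esp/tunnel/192.168.1.1-172.16.1.1/require;
EOF
cat >"$TORONTO_SPD" <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/192.168.1.1-172.16.1.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/172.16.1.1-192.168.1.1/require;
EOF
cat >"$BAD_SPD" <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/192.168.1.1-172.16.1.1/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec esp/tunnel/172.16.1.1-192.168.1.1/require;
EOF

spd_mirror_check "$OTTAWA_SPD" "$TORONTO_SPD" && echo "Ottawa/Toronto policies mirror correctly"
spd_mirror_check "$OTTAWA_SPD" "$BAD_SPD" || echo "broken Toronto set detected"
```

Run the same check against the files you actually feed to `setkey -c` on each end before suspecting the kernel options or racoon.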