Date: Sun, 19 Nov 2000 22:39:54 -0500
From: Mike Tancsa <mike@sentex.net>
To: Tom Samplonius <tom@sdf.com>
Cc: Evren Yurtesen <eyurtese@turkuamk.fi>, freebsd-isp@FreeBSD.ORG
Subject: Re: any VPN daemon?
Message-ID: <4.2.2.20001119221736.0173de98@marble.sentex.net>
In-Reply-To: <Pine.BSF.4.05.10011191827430.1138-100000@misery.sdf.com>
References: <ss2h1t4iestndng88etmrnf19less0339j@4ax.com>
At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
> Well building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
> well documented. For instance, there is nothing on how IPSec and ipfw
> interact. Which subsystem gets the packet first? ipfw or IPSec?
> Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
> do.

I believe the person said he was using a simple LAN to LAN. I have had good results setting up a few tunnels in the past month or so. What specifically were you trying to find with respect to ipfw?

ipfw add 20 deny log 50 from any to any

stops all ipsec data in the tunnel I have set up between the office and at home on my DSL connection. There is not much you need to do to set up the tunnel using dynamic key exchange. Here is a quick setup example. For DSL to work, or where there is a lot of latency (relative to ethernet), you need to make one small change to the racoon.conf.

Here is a quick sample config for two machines:

PPPoE machine's _public_ address on tun0         : 169.1.134.1
PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1
Office Server's _public_ address on fxp0         : 172.168.93.4
Office Server's _private_ address aliased on lo0 : 10.1.1.1

*Note, if your machine has 2 interfaces, you can of course use the RFC1918 space on it instead. This example assumes you just have the one NIC to play with.
#!/bin/sh
# PPPoE config
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias            # private address, aliased on loopback
gifconfig gif0 169.1.134.1 172.168.93.4                      # outer (public) tunnel endpoints
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0   # inner (private) tunnel endpoints
setkey -FP                                                   # flush the security policy database
setkey -F                                                    # flush the security association database
setkey -c <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/169.1.134.1-172.168.93.4/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec esp/tunnel/172.168.93.4-169.1.134.1/require;
EOF

#!/bin/sh
# server at office config
ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias            # private address, aliased on loopback
gifconfig gif0 172.168.93.4 169.1.134.1                      # outer (public) tunnel endpoints
ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0   # inner (private) tunnel endpoints
setkey -FP                                                   # flush the security policy database
setkey -F                                                    # flush the security association database
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/169.1.134.1-172.168.93.4/require;
EOF

The changes I made to the default racoon.conf were simply to increase the lifetime values on both ends of the connection. e.g.

@@ -101,8 +101,8 @@
 sainfo anonymous
 {
 	pfs_group 1;
-	lifetime time 30 sec;
-	lifetime byte 5000 KB;
+	lifetime time 3600 sec;
+	lifetime byte 25000 KB;
 	encryption_algorithm 3des ;
 	authentication_algorithm hmac_sha1;
 	compression_algorithm deflate ;

---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
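Review bot: the hunk only raises the phase-2 lifetimes inside sainfo anonymous, and since that block matches every peer, the same two `+` lines have to be applied in the office server's racoon.conf too, as the text says, or the two ends will not agree on when to rekey; it would also help to say whether the remote block's phase-1 lifetime needed the same increase on the DSL link, since the hunk does not touch it.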
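Added example (my own helper, not from Mike's post or from FreeBSD): a POSIX sh function `tunnel_config` that derives one end's gif/setkey setup from the four addresses in the post, and a check `spd_mirror_ok` that one end's -P out policy is exactly the other end's -P in policy, which is the property the two hand-written scripts above have to satisfy. Both names are hypothetical; it assumes /24 private networks and the lo0/gif0 names used in the post.

```shell
#!/bin/sh
# Hypothetical helper, not from the original post or from FreeBSD.
# Prints one end's gif/setkey setup from four addresses, so both ends of the
# tunnel come from the same parameters instead of two hand-mirrored scripts.
# Assumes /24 private networks and the lo0/gif0 names used in the post.
# Usage: tunnel_config LOCAL_PUB REMOTE_PUB LOCAL_PRIV REMOTE_PRIV
tunnel_config() {
    lpub=$1 rpub=$2 lpriv=$3 rpriv=$4
    # turn 10.1.2.1 into 10.1.2.0/24 (assumption: /24 on both sides)
    lnet=$(printf '%s\n' "$lpriv" | sed 's/\.[0-9]*$/.0\/24/')
    rnet=$(printf '%s\n' "$rpriv" | sed 's/\.[0-9]*$/.0\/24/')
    cat <<EOF
ifconfig lo0 $lpriv netmask 255.255.255.0 alias
gifconfig gif0 $lpub $rpub
ifconfig gif0 inet $lpriv $rpriv netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <<SPD
spdadd $lnet $rnet any -P out ipsec esp/tunnel/$lpub-$rpub/require;
spdadd $rnet $lnet any -P in ipsec esp/tunnel/$rpub-$lpub/require;
SPD
EOF
}

# The -P out policy of one end must be the -P in policy of the other, with only
# the direction word changed; otherwise one side requires ESP that the other
# never builds.  Takes the two generated configs and prints yes or no.
spd_mirror_ok() {
    a_out=$(printf '%s\n' "$1" | grep -e '-P out' | sed 's/-P out/-P in/')
    b_in=$(printf '%s\n' "$2" | grep -e '-P in')
    if [ -n "$a_out" ] && [ "$a_out" = "$b_in" ]; then echo yes; else echo no; fi
}

# Stand-alone demo with the post's addresses: print the home (PPPoE) end and
# confirm that it mirrors the office end.  Run as: sh tunnel.sh demo
if [ "${1:-}" = "demo" ]; then
    home=$(tunnel_config 169.1.134.1 172.168.93.4 10.1.2.1 10.1.1.1)
    office=$(tunnel_config 172.168.93.4 169.1.134.1 10.1.1.1 10.1.2.1)
    printf '%s\n' "$home"
    echo "mirror: $(spd_mirror_ok "$home" "$office")"
fi
```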