Date:      Mon, 20 Nov 2000 08:51:34 -0800 (PST)
From:      Tom Samplonius <tom@sdf.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        Evren Yurtesen <eyurtese@turkuamk.fi>, freebsd-isp@FreeBSD.ORG
Subject:   Re: any VPN daemon?
Message-ID:  <Pine.BSF.4.05.10011200849560.1138-100000@misery.sdf.com>
In-Reply-To: <4.2.2.20001119221736.0173de98@marble.sentex.net>

On Sun, 19 Nov 2000, Mike Tancsa wrote:

> At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
> >   Well building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
> >well documented.  For instance, there is nothing on how IPSec and ipfw
> >interact.  Which subsystem gets the packet first?  ipfw or IPSec?
> >Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
> >do.
> 
> I believe the person said he was using a simple LAN to LAN. I have had good 
> results setting up a few tunnels in the past month or so. What specifically 
> were you trying to find with respect to ipfw ?

  What evaluates a packet first?  ipfw rules or setkey rules?

...
> #!/bin/sh
> #PPPoE config
> ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
> gifconfig gif0 169.1.134.1 172.168.93.4
> ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
> setkey -FP
> setkey -F
> setkey -c <<EOF
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
> esp/tunnel/169.1.134.1-172.168.93.4/require;
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
> esp/tunnel/172.168.93.4-169.1.134.1/require;
> EOF


  Why are you using gif0?  I understand that gif0 is not recommended for
IPv4 over IPv4 tunnels.  Also, since you are using ipsec tunnels set up via
setkey, I don't think gif0.

Tom
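The quoted script installs the SPD for one gateway only. KAME policies are
directional, so the peer gateway needs the mirror image: its "in" policy
must name the same tunnel endpoints, in the same order, as this side's "out"
policy, and vice versa. A transposed address or swapped direction on one
side silently leaves traffic unprotected or dropped. The script below is an
added example, not part of the original post or of the FreeBSD sources: it
generates both sides' setkey input from one set of parameters (the addresses
are the ones in the quoted script) and checks that the two policies mirror
each other. The function names gen_spd, tunnel_spec and policies_mirror are
this example's own.

```shell
#!/bin/sh
# Added example: generate the KAME setkey(8) SPD for both ends of a
# LAN-to-LAN ESP tunnel from one parameter set, then verify the two sides
# mirror each other. Addresses below are the ones from the quoted script;
# the function names are this example's own, not FreeBSD tooling.

# gen_spd SIDE LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints setkey -c input for the gateway whose outer address is LOCAL_GW.
# spdflush/flush are the in-file equivalents of "setkey -FP" / "setkey -F".
gen_spd() {
    side=$1; lnet=$2; rnet=$3; lgw=$4; rgw=$5
    cat <<EOF
# $side gateway ($lgw): clear old policies and SAs, then install the SPD
spdflush;
flush;
spdadd $lnet $rnet any -P out ipsec esp/tunnel/$lgw-$rgw/require;
spdadd $rnet $lnet any -P in ipsec esp/tunnel/$rgw-$lgw/require;
EOF
}

# tunnel_spec DIRECTION  (reads a policy on stdin)
# Prints the esp/tunnel/... token of the "-P DIRECTION" policy line, minus
# the trailing semicolon, so the two sides can be compared textually.
tunnel_spec() {
    awk -v dir="$1" '
        $0 ~ "-P " dir " " {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^esp\/tunnel\//) { sub(/;$/, "", $i); print $i }
        }'
}

# policies_mirror CONFIG_A CONFIG_B
# Succeeds only if A's out-tunnel equals B's in-tunnel and A's in-tunnel
# equals B's out-tunnel, i.e. the peer really is the mirror image.
policies_mirror() {
    a_out=$(printf '%s\n' "$1" | tunnel_spec out)
    a_in=$(printf '%s\n' "$1" | tunnel_spec in)
    b_out=$(printf '%s\n' "$2" | tunnel_spec out)
    b_in=$(printf '%s\n' "$2" | tunnel_spec in)
    [ -n "$a_out" ] && [ "$a_out" = "$b_in" ] && [ "$a_in" = "$b_out" ]
}

# Stand-alone usage: print both sides' configs and report whether they match.
# Feed either one to "setkey -c" on the corresponding gateway.
A_CFG=$(gen_spd A 10.1.2.0/24 10.1.1.0/24 169.1.134.1 172.168.93.4)
B_CFG=$(gen_spd B 10.1.1.0/24 10.1.2.0/24 172.168.93.4 169.1.134.1)
printf '%s\n\n%s\n\n' "$A_CFG" "$B_CFG"
if policies_mirror "$A_CFG" "$B_CFG"; then
    echo "OK: peer policies mirror each other"
else
    echo "MISMATCH: tunnel endpoints or directions differ between sides" >&2
fi
```

Run it on one machine to produce the two files, or just to confirm that the
parameters you intend to type on each gateway agree before touching either
box. The mirror check is purely textual; it does not replace inspecting the
live SPD with "setkey -DP" on both ends after loading.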