From: "Brent Wiese" <brently@bjwcs.com>
To: "'Oleg Semyonov'", freebsd-questions@freebsd.org
Date: Mon, 23 Jun 2003 18:26:34 -0700
Subject: RE: IPSec+VPN+ipfw questions
In-Reply-To: <002201c33986$ae283f60$190410ac@tavrida.local>
Message-ID: <006301c339ef$bae48010$0a0114ac@home.bjwcs.com>

A few things come quickly to mind...

First, you need "gateway_enable=YES" in your rc.conf... I think. I know you need it for MPD (pptp tunneling).

Second, you cannot have physical routes to the remote side "private" network.

> 1) Is it possible to use ipfw rules to count different kinds
> of traffic from legitimate computers, divert it to natd and
> block all other packets across the LAN? There are ESP
> protocol packets which I can filter, but it seems they are
> not processed after decryption by ipfw rules. So, no
> counters, no divert, etc.

You should use ipfw to, at the very least, only allow legit tunnel traffic to pass to/from the "public" and "private" NICs.

> 2) What is the best solution for IKE daemon? I've tried
> racoon (it works but there are some strange situations with
> Windows 2000 machines which are mentioned somewhere), and
> isakmpd (it has not very obvious syntax for their policy and
> conf files - how to create a minimal working configuration
> for a number of peer machines which use different preshared
> keys for IKE exchange)?

Racoon works fine if set up correctly. Most of the FAQs are wrong, especially when they discuss setting up gif() and then racoon. You don't need gif(). I seem to remember something about using MD5 as the hash, but it's been a while... Maybe it was that my router only supported MD5 for its vpn-passthru stuff...

> 3) In fact, it is not required for me to use VPN solutions.
> All I need is to authenticate each legitimate machine (or
> user - that is better). IP+MAC addresses may be forged. I can
> use socks proxy, but there is no standard secured
> authentication which is supported by a number of different
> internet tools. And I don't wish to have a complicated setup
> of each client machine. So, VPN seems to be the best solution
> as their policies for W2K clients may be specified via Active
> Directory.

IPSEC is probably the best way. Since the other side is Windows, you may consider using MPD and use PPTP instead of IPSEC. It's a little easier to deal with on the Windows side since setup is all GUI wizards.

Cheers,
Brent
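A concrete configuration along the lines of Brent's advice: racoon with one pre-shared key per peer, a tunnel-mode SPD loaded with setkey(8) and no gif interface, and ipfw limiting the public NIC to IKE and ESP while the counting happens on the private NIC. This is an added example, not part of the original thread and not Brent's or Oleg's actual setup. The interface names fxp0/fxp1, the addresses 203.0.113.1 and 198.51.100.1, the subnets, and the identifiers and keys in psk.txt are assumed placeholders; the `ipsec` keyword in the ipfw rule is ipfw2 (FreeBSD 5) and does not exist on 4.x.

```conf
# --- /etc/rc.conf (additions) ---
gateway_enable="YES"              # forward between the private and public NICs
ipsec_enable="YES"                # load the SPD from ipsec_file at boot
ipsec_file="/etc/ipsec.conf"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"   # rc.firewall feeds this file to ipfw(8)

# --- /etc/ipsec.conf (setkey(8) SPD, tunnel mode, no gif) ---
# Assumed addresses: this gateway 203.0.113.1 on fxp0, LAN 10.0.0.0/24 on fxp1;
# remote gateway 198.51.100.1 fronting 192.168.1.0/24. No route to
# 192.168.1.0/24 is needed: the policy below catches it on the default route.
flush;
spdflush;
spdadd 10.0.0.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.1.0/24 10.0.0.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;

# --- /usr/local/etc/racoon/racoon.conf ---
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;

listen {
    isakmp 203.0.113.1 [500];
}

# One "remote anonymous" block serves every peer; which key is used is
# decided per peer by the identifier lookup in psk.txt.
remote anonymous {
    exchange_mode main;
    my_identifier address;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des, aes;
    authentication_algorithm hmac_sha1, hmac_md5;   # hmac_md5 for peers that only offer MD5
    compression_algorithm deflate;
}

# --- /usr/local/etc/racoon/psk.txt (chmod 0600, owner root) ---
# one "identifier  key" line per peer; with my_identifier address the
# identifier is the peer's IKE source address. Keys here are placeholders.
198.51.100.1    example-psk-for-site-b
192.0.2.77      example-psk-for-w2k-host

# --- /etc/ipfw.rules ---
add 10  allow ip from any to any via lo0

# Public NIC fxp0: only IKE and ESP with the known peer, nothing else in the clear.
add 100 allow udp from 198.51.100.1 500 to 203.0.113.1 500 in via fxp0
add 110 allow udp from 203.0.113.1 500 to 198.51.100.1 500 out via fxp0
add 120 allow esp from 198.51.100.1 to 203.0.113.1 in via fxp0
add 130 allow esp from 203.0.113.1 to 198.51.100.1 out via fxp0
# Tunnel-mode inner packets are re-injected after decryption and show up
# inbound on fxp0 again. "ipsec" (ipfw2 only) matches only packets that came
# out of an SA; without it this rule would also admit spoofed cleartext.
add 140 allow ip from 192.168.1.0/24 to 10.0.0.0/24 in via fxp0 ipsec
add 190 deny log ip from any to any via fxp0

# Private NIC fxp1: cleartext side, count and pass only the tunnelled subnets.
add 200 count ip from 10.0.0.0/24 to 192.168.1.0/24 in via fxp1
add 210 count ip from 192.168.1.0/24 to 10.0.0.0/24 out via fxp1
add 220 allow ip from 10.0.0.0/24 to 192.168.1.0/24 in via fxp1
add 230 allow ip from 192.168.1.0/24 to 10.0.0.0/24 out via fxp1
add 65000 deny log ip from any to any
```

Load it with `setkey -f /etc/ipsec.conf`, start racoon, then `ipfw -f flush; ipfw /etc/ipfw.rules`, and watch `setkey -D` and `ipfw -a list` while the first packet for 192.168.1.0/24 triggers phase 1. racoon reads psk.txt at start, so keys added for a new peer need a restart or a HUP; keep the file root-only, since anyone who can read it can impersonate every peer listed.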