From: Lamont Granquist
To: FreeBSD Security List
Date: Mon, 12 Nov 2001 16:57:39 -0800 (PST)
Subject: Bump-in-the-Road IPsec?
In-Reply-To: <3BF00B66.11A3F4AF@algroup.co.uk>
Message-ID: <20011112164936.F538-100000@coredump.scriptkiddie.org>

I'm trying to implement a transparent IPsec gateway and am wondering if I can make it work under FreeBSD? What I want is a transparent bridge which will encrypt communications between a set of machines on two different subnets with real IP numbers. Something like:

                     other servers
                          |
    Server1 -- SG1 --+-- Router - - - INET - - - Router --- SG2 --- Server2

Server1 should have a real IP address, SG1 should have at least one real IP address on one of its interfaces for administration. Server1 should be able to talk to the other servers on its subnet with SG1 acting like a transparent bridge. Server1 should also be able to talk to machines on the internet through the router, unencrypted. However, for talking to Server2 (also with a real IP address) the traffic should go between SG1 and SG2 encrypted.

I've tried doing this with OpenBSD and have run into a problem in that I can set up the transparent bridge, but from SG1 I cannot connect to Server1 (the routing tables and the bridging tables don't seem to communicate with each other).
Can I make something like this work under FreeBSD and what kind of magic do I need to do?
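The policy the post describes (encrypt only Server1 to Server2, pass everything else in the clear) can be written as a setkey(8) file on SG1. This is an added example, not part of the original message or of any reply to it. All addresses are constructed from the RFC 5737 documentation ranges (Server1 203.0.113.10, SG1 203.0.113.2, Server2 198.51.100.20, SG2 198.51.100.2), the SPIs and keys are dummy values chosen for illustration, and the example assumes SG1 forwards the Server1 to Server2 packets at the IP layer rather than purely at layer 2, since frames that bridge(4) switches without entering the IP stack are not matched against the SPD.

```conf
# SG1 IPsec policy in setkey(8) syntax (added example, constructed addresses)
#   Server1 = 203.0.113.10   SG1 = 203.0.113.2   (subnet 203.0.113.0/24)
#   Server2 = 198.51.100.20  SG2 = 198.51.100.2  (subnet 198.51.100.0/24)
flush;
spdflush;

# Manual tunnel-mode SAs between the two gateways, one per direction.
# Keys below are dummy hex placeholders (3des-cbc needs 24 bytes,
# hmac-sha1 20 bytes); generate real ones or let an IKE daemon install them.
add 203.0.113.2 198.51.100.2 esp 0x10001 -m tunnel
    -E 3des-cbc  0x000102030405060708090a0b0c0d0e0f1011121314151617
    -A hmac-sha1 0x202122232425262728292a2b2c2d2e2f30313233;
add 198.51.100.2 203.0.113.2 esp 0x10002 -m tunnel
    -E 3des-cbc  0x404142434445464748494a4b4c4d4e4f5051525354555657
    -A hmac-sha1 0x606162636465666768696a6b6c6d6e6f70717273;

# Policy: only Server1 <-> Server2 is required to go through the ESP tunnel
# between SG1 and SG2. No policy covers any other flow, so Server1's traffic
# to its own subnet and to the Internet is passed through unencrypted.
spdadd 203.0.113.10/32 198.51.100.20/32 any -P out ipsec
    esp/tunnel/203.0.113.2-198.51.100.2/require;
spdadd 198.51.100.20/32 203.0.113.10/32 any -P in ipsec
    esp/tunnel/198.51.100.2-203.0.113.2/require;
```

SG2 gets the mirror image (swap the in and out entries and the SA directions). Load it with `setkey -f` and check what was installed with `setkey -D` (SAs) and `setkey -DP` (policies). The /32 selectors and the `require` level are what keep this from becoming an open tunnel: a packet between the two servers that arrives on SG1's outside interface unprotected is dropped rather than accepted, while flows that match no policy are untouched, which is the selective behaviour the post asks for.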