From owner-freebsd-net@FreeBSD.ORG Sun Dec 17 12:17:49 2006
From: "Aaron Burke" <aburke@nullplusone.net>
To: "Sam Wun", "Freebsd-Net@Freebsd. Org"
Date: Sun, 17 Dec 2006 04:17:48 -0800
Subject: RE: Adding a new VPN connection
List-Id: Networking and TCP/IP with FreeBSD

SNIP

> In a FreeBSD router (5.4-stable), there are currently 50 IPSEC VPN
> connections running with 50 remote sites, now I need to add one more (new)
> vpn to it without resetting the existing VPN connection.
> Therefore I have created a script (new-vpn.sh):
>
> #!/bin/sh
>
> # Tunnel to kgportsmith
> /sbin/ifconfig gif108 destroy
> /sbin/ifconfig gif108 create
> /sbin/ifconfig gif108 tunnel 10.152.34.74 10.154.3.74
> /sbin/ifconfig gif108 inet 10.1.1.1 10.1.1.33 netmask 255.255.255.0
> /sbin/route delete 10.1.33.1/24
> /sbin/route delete 172.17.33.0/24
> /sbin/route add 10.1.33.1/24 10.1.1.33
> /sbin/route add 172.17.33.0/24 10.1.1.33

I love the gif interface, you may want to possibly increase the default TTL on
each gif connection. The default MTU is 1280. My gif tunnels have an MTU of
1472. 1474 requires fragmentation.

> setkey -c << EOF
>
> # Setup policies with kgportsmith
> spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
> spdadd 10.154.3.74 10.152.34.74 any -P in ipsec esp/tunnel/10.154.3.74-10.152.34.74/require ;
> add 10.152.34.74 10.154.3.74 esp 2797 -m tunnel -E blowfish-cbc
> 0x11205611340CCEA4C816670A4A8DD2A67403F46A08169850DC0B8E2989C3C2094CEF174297ECCF39644B6C4E28D5A3BD4C0861DD7094E398
> -A hmac-sha1 0x2C49F538BAF74917311382F7EE42CC43FBDBDA4B ;
> add 10.154.3.74 10.152.34.74 esp 4074 -m tunnel -E blowfish-cbc
> 0x82A7C78A8C1F8B0DF8EE75F4BEEA5A26D987C6237D43ED98EF3E2A18D2B7F2C94674E1E4B1FAFE645CCB2C18603646E20EB925B06AEC4F6B
> -A hmac-sha1 0xCE1D85113D11D43C061E499CFFECCD81D50A3530 ;
>
> EOF
>
> ### END OF SCRIPT ###

I don't see any reference to "spdflush;" or "flush;", therefore you should be fine.

> Will this script (especially the command setkey -c) erase (reset) the
> existing VPN connection and security keys? If it does, I will lose the
> connection with all other sites.

I don't see any flush commands, therefore the existing keys should be fine.

SNIP

--
Aaron
aburke@nullplusone.net
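The check Aaron does by eye above (no "flush;" or "spdflush;" in the setkey input) can be scripted so it runs before anything reaches the kernel. The script below is an added example for this thread, not code from the original mail, from Sam Wun's router or from FreeBSD; it assumes the statement grammar documented in FreeBSD's setkey(8) and uses constructed RFC 5737 addresses and dummy keys rather than the key material posted in the thread. Besides the flush check it verifies that every hmac-sha1 key is exactly 160 bits, that every blowfish-cbc key is 40..448 bits in whole bytes, that no SPI is reused within the file, and that every manually keyed SA is referenced by some spdadd tunnel policy (an SA that no policy points at is never used, so gif traffic would not be protected by it).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight a setkey(8) input file before
# piping it to "setkey -c", so that adding one tunnel cannot disturb the SAs and
# policies already loaded for the other sites.  Assumes the statement syntax
# documented in FreeBSD's setkey(8); the sample below uses constructed
# addresses and dummy keys, not the ones posted in the thread.
#
# Checks performed:
#   1. no "flush;" / "spdflush;" statement (either would wipe every existing SA / policy)
#   2. every hmac-sha1 key is exactly 160 bits of hex
#   3. every blowfish-cbc key is 40..448 bits of hex, a whole number of bytes
#   4. no SPI is used twice within the file
#   5. every "add" SA (src dst) is referenced by an spdadd esp/tunnel/src-dst/ policy
setkey_preflight() {
    # Strip comments, join continuation lines, then split on ';' so awk sees
    # one complete statement per record (setkey itself ignores newlines).
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';' '\n' | awk '
    function hexbits(k) {
        sub(/^0x/, "", k)
        if (k !~ /^[0-9A-Fa-f]+$/) return -1    # not hex (e.g. a key wrapped onto two lines)
        return length(k) * 4
    }
    BEGIN { bad = 0 }
    NF == 0 { next }
    $1 == "flush" || $1 == "spdflush" {
        print "FAIL: \"" $1 ";\" would wipe all existing " ($1 == "flush" ? "SAs" : "SPD entries")
        bad = 1
    }
    $1 == "spdadd" {
        for (i = 1; i <= NF; i++)
            if (match($i, "^esp/tunnel/[^/]+/")) {
                ep = substr($i, 12, RLENGTH - 12)      # "src-dst" between the slashes
                sub(/-/, " ", ep)
                policy[ep] = 1
            }
    }
    $1 == "add" {
        spi = $5; pair = $2 " " $3                     # add src dst esp SPI ...
        if (spi in seen) { print "FAIL: SPI " spi " used twice in this file"; bad = 1 }
        seen[spi] = 1; sa[pair] = spi
        for (i = 1; i < NF; i++) {
            if ($i == "-E" && $(i+1) == "blowfish-cbc") {
                b = hexbits($(i+2))
                if (b < 40 || b > 448 || b % 8 != 0) {
                    print "FAIL: SPI " spi ": blowfish-cbc key is " b " bits, need 40..448 in whole bytes"; bad = 1
                }
            }
            if ($i == "-A" && $(i+1) == "hmac-sha1") {
                b = hexbits($(i+2))
                if (b != 160) { print "FAIL: SPI " spi ": hmac-sha1 key is " b " bits, need exactly 160"; bad = 1 }
            }
        }
    }
    END {
        for (p in sa)
            if (!(p in policy)) {
                print "FAIL: SA " p " (SPI " sa[p] ") has no spdadd tunnel policy; nothing would use it"
                bad = 1
            }
        if (!bad) print "OK: no flush, keys well-formed, every SA covered by a policy"
        exit bad
    }'
}

# Constructed sample in the same shape as the thread's script (dummy keys, RFC 5737 addresses).
constructed_sample() {
    cat <<'EOF'
# policies for the new site
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require ;
spdadd 198.51.100.1 192.0.2.1 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.1/require ;
add 192.0.2.1 198.51.100.1 esp 2001 -m tunnel
    -E blowfish-cbc 0x0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20
    -A hmac-sha1 0x000102030405060708090a0b0c0d0e0f10111213 ;
add 198.51.100.1 192.0.2.1 esp 2002 -m tunnel
    -E blowfish-cbc 0x202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f
    -A hmac-sha1 0x101112131415161718191a1b1c1d1e1f20212223 ;
EOF
}

# Stand-alone use: sh preflight.sh new-vpn.conf && setkey -c < new-vpn.conf
if [ $# -gt 0 ]; then
    setkey_preflight "$1"
fi
```

Save the body of the heredoc (everything between "setkey -c << EOF" and "EOF") to a file and run the preflight on it; only on exit 0 feed the file to setkey -c. A key that a mail client has wrapped onto a second line shows up here as a key-length failure before anything is sent to the kernel. To confirm the other sites were untouched, dump the kernel's SAD with setkey -D and the SPD with setkey -DP before and after and compare the two listings.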