Date:      Sun, 17 Dec 2006 04:17:48 -0800
From:      "Aaron Burke" <aburke@nullplusone.net>
To:        "Sam Wun" <smw2010@gmail.com>, "Freebsd-Net@Freebsd. Org" <freebsd-net@freebsd.org>
Subject:   RE: Adding a new VPN connection
Message-ID:  <PGENKKAMCLFNBHPINBGAIELCDDAA.aburke@nullplusone.net>
In-Reply-To: <ff64092b0612111527k21c73729gb618767ba119a522@mail.gmail.com>

SNIP
> In a FreeBSD router (5.4-stable), there are currently 50 IPSEC VPN
> connections running with 50 remote sites, now I need to add one more (new)
> vpn to it without resetting the existing VPN connection. Therefore I have
> created a script (new-vpn.sh):
>
> #!/bin/sh
>
> # Tunnel to kgportsmith
> /sbin/ifconfig gif108 destroy
> /sbin/ifconfig gif108 create
> /sbin/ifconfig gif108 tunnel 10.152.34.74 10.154.3.74
> /sbin/ifconfig gif108 inet 10.1.1.1 10.1.1.33 netmask 255.255.255.0
> /sbin/route delete 10.1.33.1/24
> /sbin/route delete 172.17.33.0/24
> /sbin/route add 10.1.33.1/24 10.1.1.33
> /sbin/route add 172.17.33.0/24 10.1.1.33
I love the gif interface. You may want to possibly increase the default
TTL on each gif connection. The default MTU is 1280. My gif tunnels
have an MTU of 1472; 1474 requires fragmentation.

>
> setkey -c << EOF
>
> # Setup policies with kgportsmith
> spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
> spdadd 10.154.3.74 10.152.34.74 any -P in  ipsec esp/tunnel/10.154.3.74-10.152.34.74/require ;
> add 10.152.34.74 10.154.3.74 esp 2797 -m tunnel
>     -E blowfish-cbc 0x11205611340CCEA4C816670A4A8DD2A67403F46A08169850DC0B8E2989C3C2094CEF174297ECCF39644B6C4E28D5A3BD4C0861DD7094E398
>     -A hmac-sha1 0x2C49F538BAF74917311382F7EE42CC43FBDBDA4B ;
> add 10.154.3.74 10.152.34.74 esp 4074 -m tunnel
>     -E blowfish-cbc 0x82A7C78A8C1F8B0DF8EE75F4BEEA5A26D987C6237D43ED98EF3E2A18D2B7F2C94674E1E4B1FAFE645CCB2C18603646E20EB925B06AEC4F6B
>     -A hmac-sha1 0xCE1D85113D11D43C061E499CFFECCD81D50A3530 ;
>
> EOF
>
> ### END OF SCRIPT ###
I don't see any reference to "spdflush;" or "flush;", therefore you should
be fine.

> Will this script (especially the command setkey -c) erase (reset) the
> existing VPN connection and security keys)? If it does, I will lose the
> connectino with all other sites.
I don't see any flush commands, therefore the existing keys should be fine.

SNIP

-- Aaron
aburke@nullplusone.net
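The point Aaron makes above (a setkey(8) script only disturbs the other 50 tunnels if it contains a "flush;" or "spdflush;" statement) can be checked mechanically before the script is fed to the kernel. The following is an added example, not code from the thread or from FreeBSD: a small pre-flight lint that reads a setkey script on stdin, rejects any flush/spdflush statement outside comments, and also checks that every "add" SA carries key material of a length the named algorithm accepts (blowfish-cbc 40..448 bits, hmac-sha1 exactly 160 bits, per the algorithm table in setkey(8)). The sample script at the bottom is constructed for the demo; it has the same shape as the one in the thread but with a truncated Blowfish key.

```shell
#!/bin/sh
# setkey_lint: read a setkey(8) script on stdin, print one line per problem,
# return 0 if the script is purely incremental and its SA keys are sane,
# 1 otherwise.  Added example; assumes POSIX sed/tr/awk only.
#
# Usage before touching the kernel:
#     setkey_lint < new-vpn.setkey && setkey -c < new-vpn.setkey
setkey_lint() {
    # 1) drop '#' comments per line, 2) join the file into one line so that
    #    statements spanning several lines become one record, 3) split on ';'.
    sed 's/#.*//' | tr '\n' ' ' | awk '
        BEGIN { RS = ";"; bad = 0 }
        {
            gsub(/^[ \t]+|[ \t]+$/, "")          # trim; also re-splits fields
            if ($0 == "") next
            cmd = $1
            if (cmd == "flush" || cmd == "spdflush") {
                what = (cmd == "flush") ? "SA" : "SP"
                print "destructive: " cmd " would drop every existing " what " on the host"
                bad = 1
                next
            }
            if (cmd != "add") next               # spdadd/delete/... are incremental
            # add <src> <dst> <proto> <spi> [-m mode] -E <ealg> <key> [-A <aalg> <key>]
            spi = $5
            for (i = 1; i <= NF; i++) {
                if ($i != "-E" && $i != "-A") continue
                alg = $(i + 1); key = $(i + 2)
                if (alg == "null") continue      # "-E null" carries no key
                if (key !~ /^0x[0-9A-Fa-f]+$/) {
                    print "spi " spi ": key for " alg " is not a hex string"
                    bad = 1; continue
                }
                bits = (length(key) - 2) * 4     # strip "0x", 4 bits per hex digit
                if (alg == "blowfish-cbc" && (bits < 40 || bits > 448)) {
                    print "spi " spi ": blowfish-cbc key is " bits " bits, want 40..448"
                    bad = 1
                } else if (alg == "hmac-sha1" && bits != 160) {
                    print "spi " spi ": hmac-sha1 key is " bits " bits, want 160"
                    bad = 1
                }
            }
        }
        END { exit bad }
    '
}

# Constructed sample with the same shape as the script in the thread
# (Blowfish key truncated to 256 bits; still within the accepted range).
sample_script() {
    cat <<'EOF'
# Setup policies with kgportsmith
spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
spdadd 10.154.3.74 10.152.34.74 any -P in  ipsec esp/tunnel/10.154.3.74-10.152.34.74/require ;
add 10.152.34.74 10.154.3.74 esp 2797 -m tunnel
    -E blowfish-cbc 0x11205611340CCEA4C816670A4A8DD2A67403F46A08169850DC0B8E2989C3C209
    -A hmac-sha1 0x2C49F538BAF74917311382F7EE42CC43FBDBDA4B ;
EOF
}

# Demo: the incremental script passes, a script with a flush does not.
sample_script | setkey_lint && echo "sample: incremental, safe to apply with setkey -c"
printf 'flush;\n' | setkey_lint || echo "flush script: refused"
```

Because the check runs on the script text rather than on the live SADB, it can be wired into whatever wrapper invokes setkey -c, and the existing tunnels are never put at risk by a typo such as a stray "flush;" left over from an /etc/ipsec.conf-style boot script.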




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?PGENKKAMCLFNBHPINBGAIELCDDAA.aburke>