From: Julian Elischer <julian@elischer.org>
To: "BRA-SAO-Verzolla,David"
Cc: net@freebsd.org
Date: Wed, 28 May 2003 14:05:06 -0700 (PDT)
Subject: Re: Linkproof or Fatpipe with FreeBSD?
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 28 May 2003, BRA-SAO-Verzolla,David wrote:

> Hi, Does anybody know if there is possible to make a clone of these
> hardwares with a FreeBSD box? (set of scripts + ipfw + ... )?
>
> http://www.westlakecom.com/linkproof.htm
> http://www.fatpipeinc.com
>

Yes, I have done similar.

Basically: set up two machines, one at each end of the VPN. Order two links to the internet, from two different national ISPs. Say, for example, that we use Sprint and AT&T; then packets going from the Sprint connection at one site will stay totally within the Sprint network while traversing to the Sprint connection at the other site.
Similarly the AT&T packets will stay within AT&T the whole path.

Then I set up ipsec so that there is a security association between each pair of matching interfaces. I run racoon, set up to keep the connections running on different keys. I only allow UDP packets to the far end to be encrypted; all else is discarded.

Now I set the firewall (ipfw) to block ALL packets in and out of the interfaces except for IPSEC (ESP) packets (and udp-500, IKE) that are going to or coming from the other end. All other packets are rejected.

I then run mpd (from ports) running in multilink mode and I set its link type to be via UDP sockets. The UDP sockets are 'connected' to fixed ports at the far end. Mpd creates an 'ng0' interface. I assign a 10.x.x.x address to each ng interface and set up the routes in the mpd setup so that the route to each site is via the ng0 interface.

Mpd will automatically fail over to using only one of the links if the other goes down, and it will start using it again when it comes back. If I wanted to use mpd's encryption, then I would have double encryption.

                  /-[udp-socket]---[IPSEC]--[ISP1]---
[local-net]<-->[mpd]
                  \-[udp-socket]---[IPSEC]--[ISP2]---

I started to write a netgraph node to do the job of mpd but I never got good enough behaviour out of it. It would be possible but I ran out of time. Mpd does the job ok and it does things like set up the routes.

Julian
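As an added illustration of the firewall and policy step described in the reply above (this is not Julian's configuration and not part of the original thread), the script below generates, for one ISP-facing interface, the ipfw rule set that admits only ESP and IKE (UDP 500) between the two tunnel endpoints and rejects everything else, plus the setkey SPD entries that require transport-mode ESP for the UDP traffic carrying the mpd multilink sockets. Interface names (fxp0, fxp1), rule numbers and all addresses are constructed placeholders; the functions print rule text rather than applying it, so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the original post): per-link ipfw rules and setkey
# policy for a two-ISP IPsec + mpd multilink setup.  All interface names,
# rule numbers and IP addresses below are constructed placeholders.

# ipfw_rules BASE IFACE LOCAL_IP REMOTE_IP
# Prints five rules, numbered from BASE, in the form ipfw(8) reads from a file.
ipfw_rules() {
    base=$1 iface=$2 local_ip=$3 remote_ip=$4
    # ESP in both directions, but only between the two tunnel endpoints.
    printf 'add %d allow esp from %s to %s out via %s\n' \
        "$base" "$local_ip" "$remote_ip" "$iface"
    printf 'add %d allow esp from %s to %s in via %s\n' \
        "$((base + 1))" "$remote_ip" "$local_ip" "$iface"
    # IKE for racoon on UDP 500, again restricted to the two endpoints.
    printf 'add %d allow udp from %s 500 to %s 500 out via %s\n' \
        "$((base + 2))" "$local_ip" "$remote_ip" "$iface"
    printf 'add %d allow udp from %s 500 to %s 500 in via %s\n' \
        "$((base + 3))" "$remote_ip" "$local_ip" "$iface"
    # Everything else on this interface is rejected; logged so that a
    # misrouted packet shows up instead of silently vanishing.
    printf 'add %d deny log ip from any to any via %s\n' \
        "$((base + 4))" "$iface"
}

# ipsec_policy LOCAL_IP REMOTE_IP
# Prints setkey(8) SPD entries that require transport-mode ESP for UDP
# between the endpoints, which is what carries the mpd UDP sockets.
# racoon negotiates the actual SAs on demand.
ipsec_policy() {
    local_ip=$1 remote_ip=$2
    printf 'spdadd %s %s udp -P out ipsec esp/transport//require;\n' \
        "$local_ip" "$remote_ip"
    printf 'spdadd %s %s udp -P in ipsec esp/transport//require;\n' \
        "$remote_ip" "$local_ip"
}

# Constructed sample: link 1 on fxp0 (both ends inside the same ISP),
# link 2 on fxp1 (both ends inside the second ISP).
echo '# ipfw rules, link 1'
ipfw_rules 1000 fxp0 203.0.113.10 203.0.113.200
echo '# ipfw rules, link 2'
ipfw_rules 2000 fxp1 198.51.100.10 198.51.100.200
echo '# setkey policy'
ipsec_policy 203.0.113.10 203.0.113.200
ipsec_policy 198.51.100.10 198.51.100.200
```

To load the output on a FreeBSD box, redirect each block to a file and feed it to the respective tool (`ipfw -q /path/to/rules` and `setkey -f /path/to/policy`). The deny rule is placed last within each numbered block so that the allow rules for ESP and IKE are matched first; because every rule carries `via <iface>`, traffic on the inside interface and on the ng0 interface is untouched by these rules.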