Date: Thu, 31 Oct 2002 17:30:26 +0100
From: "Michal F. Hanula" <frankie@kyblik.pieskovisko.sk>
To: freebsd-questions@freebsd.org
Subject: Re: IPSEC tunnel
Message-ID: <20021031163026.GN76961@kyblik.pieskovisko.sk>
(sorry, lost the exact subject...)

On Thu, Oct 31, 2002 at 11:03:22AM -0500, Jim Durham wrote:
> On Thursday 31 October 2002 10:37 am, Wayne Pascoe wrote:
> I have this running. I made a couple .sh files, which I placed in
> /usr/local/etc/rc.d . Here is what they look like. They should answer
> your questions, hopefully.. xxx.xxx.xxx.xxx is the IP of the host
> that is running this file, yyy.yyy.yyy.yyy is the host at the other end.
> The other end's file is the same, reversing the outside and inside IP's. You
> will also need to do some routing perhaps, because the source ip of
> the machines on the other LAN will show up as 10. addresses.
> You don't need gif support compiled in, the module will load.
>
> Hope this helps,
> Jim
>
>
> #!/bin/sh
> ifconfig gif0 create
> # These commands need to be run on node A
> # Set up the tunnel device. This presumes you have gif(4) support
> # gif0 connects xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
> gifconfig gif0 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
> # The 'internal' side of the tunnel connects 10.10.10.1 to 10.20.20.1
> ifconfig gif0 inet 10.10.10.1 10.20.20.1 netmask 255.255.255.0
> # The next 2 lines delete all existing entries from the SPD and SAD
> setkey -FP
> setkey -F
> # Add the policy
> setkey -c << EOF
> spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
> esp/transport/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
> spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec
> esp/transport/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
> EOF

It would probably be nicer if you used

gif_interfaces="gif0"
gifconfig_gif0="xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"
ifconfig_gif0="inet 10.10.10.1/32 10.20.20.1"
ipsec_enable="YES"

in /etc/rc.conf and

spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
esp/transport/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec
esp/transport/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;

in /etc/ipsec.conf. (I know, this is undocumented. Search for ipsec_enable
in /etc/rc.network.)

Your solution can lead to problems if something needs IPSEC before scripts
from /usr/local/etc/rc.d are run (eg. NFS over IPSEC, as in my case)

m&f
-- 
What do you care what other people think?
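Added example, not code from the thread or from FreeBSD: a small checker that parses the spdadd entries from both hosts' /etc/ipsec.conf and reports every policy whose mirror image (same selectors and SA endpoints, opposite direction) is missing on the peer, which is exactly the slip that "reversing the outside and inside IPs" by hand invites. The addresses are constructed from the RFC 5737 documentation ranges in place of xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy.

```python
import re
from collections import namedtuple

# spdadd <src> <dst> <upper> -P <in|out> ipsec <proto>/<mode>/<sa_src>-<sa_dst>/<level>;
SPDADD = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<direction>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>transport|tunnel)/"
    r"(?P<sa_src>[^-\s]+)-(?P<sa_dst>[^/\s]+)/(?P<level>\w+)\s*;")

# One parsed spdadd entry; a tuple so entries compare and hash by value.
Policy = namedtuple("Policy", "src dst upper direction proto mode sa_src sa_dst level")


def parse_spd(text):
    """Policies in an /etc/ipsec.conf or 'setkey -c' body; an entry may span lines."""
    return [Policy(**m.groupdict()) for m in SPDADD.finditer(text)]


def mirror(p):
    """The entry the peer must carry for p to be honoured end to end:
    same selectors and same SA endpoints, opposite direction."""
    return p._replace(direction="in" if p.direction == "out" else "out")


def unmatched(spd_a, spd_b):
    """(policies on A with no mirror on B, policies on B with no mirror on A).
    With /require, a one-sided policy means one host discards the traffic
    instead of passing it, so the tunnel fails silently rather than loudly."""
    a, b = parse_spd(spd_a), parse_spd(spd_b)
    set_a, set_b = set(a), set(b)
    return ([p for p in a if mirror(p) not in set_b],
            [p for p in b if mirror(p) not in set_a])


# Constructed sample: the thread's two-host policy with RFC 5737 addresses in
# place of xxx.xxx.xxx.xxx (node A) and yyy.yyy.yyy.yyy (node B).
NODE_A = """
spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
    esp/transport/192.0.2.1-198.51.100.1/require;
spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec
    esp/transport/198.51.100.1-192.0.2.1/require;
"""
NODE_B = """
spdadd 10.20.20.0/24 10.10.10.0/24 any -P out ipsec
    esp/transport/198.51.100.1-192.0.2.1/require;
spdadd 10.10.10.0/24 10.20.20.0/24 any -P in ipsec
    esp/transport/192.0.2.1-198.51.100.1/require;
"""
# Node B with the inbound SA addresses left un-reversed, an easy slip to miss by eye.
NODE_B_TYPO = NODE_B.replace("in ipsec\n    esp/transport/192.0.2.1-198.51.100.1",
                             "in ipsec\n    esp/transport/198.51.100.1-192.0.2.1")
```

Running unmatched(NODE_A, NODE_B) returns two empty lists; against NODE_B_TYPO it names A's outbound entry and B's mistyped inbound entry as the pair that will not match.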