Date:      Mon, 19 May 2008 06:43:48 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Steve Lake <steve.lake@raiden.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: VPN setup question
Message-ID:  <48311394.8040008@infracaninophile.co.uk>
In-Reply-To: <5.2.0.9.2.20080518175447.00c41508@192.168.0.30>
References:  <5.2.0.9.2.20080518145034.00c412a8@192.168.0.30>	<5.2.0.9.2.20080518145034.00c412a8@192.168.0.30> <5.2.0.9.2.20080518175447.00c41508@192.168.0.30>


Steve Lake wrote:
> At 10:53 PM 5/18/2008 +0200, Mister Olli wrote:
>> first you should consider the following questions:
>> - what kind of VPN do you wanna use? (SSL or IPSec based)
>
>         From what I remember of my security training years ago, IPSec
> was always better.  So I'd likely go with that.
>
>> - what kind of authentication? (user or certificate based)
>
>         Definitely user, unless you think certificate is better.
>
>> - what kind of traffic do you wanna protect?
>
>         Everything if possible.  Basically I'm trying to create a
> protected Internet connection by using the VPN to allow me to connect to
> my vpn server at my home office over an insecure public connection.  I
> would then use that vpn connection to securely surf the web
> from anywhere in the US or the world.
>
>> - do you wanna transport data between two hosts, from host-to-network or
>> network-to-network?
>
>         I'm not sure which would be best.  Can you suggest one based on
> the previous answer?  Thanks.

If you're going to do this with IPSec it should be fairly simple to
set up the connection.  Given that you control both ends of the IPSec
tunnel, you can just use a shared secret.  You need to set up some
security policy definitions using setkey(1) -- the man page is full of
acronyms and jargon but what setkey does is define what traffic should
be encrypted based on the end point IPs, port numbers and some other
data.  [Note: in order for setkey to work, you need a kernel config with
OPTIONS IPSEC added].  Finally, the third part of setting up an IPSec
connection is to configure a method of key exchange -- this is the only
part not actually built into the system, so you should install ipsec-tools
or equivalent from ports.

On the question of tunnel vs transport mode -- most of the tutorials you
can find on the net are all about setting up /tunnel/ mode -- i.e. to
use a pair of routers as IPSec endpoints to connect two private networks.
In your case, I think you do need tunnel mode, despite it requiring a
degenerate form of network with only one host at each end -- something
that naturally screams transport mode -- since you need the capability
to route traffic from elsewhere via the VPN link.
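An added example, not code from the message or from ipsec-tools: a small Python generator for the mirrored setkey(8) policy pairs in the transport and tunnel modes contrasted above, using constructed placeholder addresses. For the "route everything" case, a 0.0.0.0/0 remote network also catches the key-exchange daemon's own packets to the gateway, which need a separate exemption this generator does not add.

```python
# Added example (not from the message or from ipsec-tools): build the
# mirrored setkey(8) spdadd lines for the two modes the reply contrasts.
# All addresses below are constructed placeholders.
import ipaddress


def _policy(mode, outer_src, outer_dst, level="require"):
    # Transport mode names no endpoints; tunnel mode names the outer pair.
    if mode == "transport":
        return f"esp/transport//{level}"
    return f"esp/tunnel/{outer_src}-{outer_dst}/{level}"


def spd_entries(local_net, remote_net, local_gw, remote_gw, mode):
    """Out/in spdadd lines to load on the *local* end. The 'in' entry is
    the 'out' entry with src/dst and the outer endpoints swapped."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    lnet = ipaddress.ip_network(local_net, strict=False)
    rnet = ipaddress.ip_network(remote_net, strict=False)
    lgw, rgw = ipaddress.ip_address(local_gw), ipaddress.ip_address(remote_gw)
    if mode == "transport" and max(lnet.num_addresses, rnet.num_addresses) > 1:
        raise ValueError("transport mode protects traffic between two hosts only")
    return [
        f"spdadd {lnet} {rnet} any -P out ipsec {_policy(mode, lgw, rgw)};",
        f"spdadd {rnet} {lnet} any -P in ipsec {_policy(mode, rgw, lgw)};",
    ]


def peer_entries(local_net, remote_net, local_gw, remote_gw, mode):
    """Entries for the far end: the same call with both pairs swapped."""
    return spd_entries(remote_net, local_net, remote_gw, local_gw, mode)


def mirrors(local, peer):
    """True when each end's 'out' policy is the other end's 'in' policy.
    A mismatch here is the usual cause of 'no policy found' drops."""
    def flip(line):
        return (line.replace("-P out", "-P in") if "-P out" in line
                else line.replace("-P in", "-P out"))
    return flip(local[0]) == peer[1] and flip(local[1]) == peer[0]


if __name__ == "__main__":
    # Laptop 198.51.100.7 reaching home LAN 192.0.2.0/24 behind gateway
    # 203.0.113.1; the laptop is both the inner host and the outer endpoint.
    args = ("198.51.100.7/32", "192.0.2.0/24", "198.51.100.7", "203.0.113.1", "tunnel")
    laptop, home = spd_entries(*args), peer_entries(*args)
    print("\n".join(laptop + home), "\nends agree:", mirrors(laptop, home))
```

Load each end's two lines with `setkey -f` and confirm with `setkey -DP` that the policies match what the peer expects.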

Two handy references:

Setting up a simple transport mode tunnel between two hosts:

   http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html

Step by step guide to setting up a tunnel.

   http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

It's a bit dated now, as the kernel configuration instructions apply to
pre-6.x systems.  In 7.0+ (which uses what was previously called FAST_IPSEC),
all you need is to add the following:

  device crypto
  device cryptodev

  options IPSEC

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

