From: "Kerin Millar"
To: freebsd-security@freebsd.org
Date: Thu, 24 Jan 2002 19:26:35 -0000
Subject: Re: Can't set up an IPsec tunnel.

Haven't had much experience with IPSEC myself but maybe this document will help:

http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html

Of course it is Linux specific but it seems to cover the masquerading topic adequately, and presumably the parts about setting up the firewall should be easily adaptable to IPFW. Here is an interesting excerpt from the document:

"If you are setting up a masqueraded VPN server, you will also have to obtain and install the following two packages:

To redirect the inbound TCP/UDP traffic (the 1723/tcp PPTP control channel or the 500/udp ISAKMP channel), you need the appropriate ipportfw port-forwarding kernel patch and configuration tool from http://www.ox.compsoc.org.uk/~steve/portforwarding.html. Port forwarding has been incorporated into the 2.2.x kernel. See man ipmasqadm for configuration details. If ipmasqadm is not included with your distribution it can be obtained at http://juanjox.kernelnotes.org/.

To redirect the initial inbound tunnel traffic (GRE for PPTP and ESP for IPsec), you need the ipfwd generic-IP redirector from http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.

You do not need port forwarding or ipfwd if you are masquerading only clients."

Regards,

Kerin Millar
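The IPFW adaptation the post speculates about, as an added example that is not part of the original message or of the HOWTO it quotes: the two forwarding steps the excerpt describes for an IPsec server (500/udp ISAKMP plus ESP) expressed with ipfw's in-kernel NAT (the `nat ... config`, `redirect_port` and `redirect_proto` keywords of ipfw(8)) rather than the natd(8) of the era. The external interface fxp0, the internal IPsec endpoint 192.168.1.10 and the rule numbers are assumed values; IPFW defaults to echoing the commands so the rule set can be reviewed before it is loaded with IPFW="ipfw -q".

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the HOWTO.
# Assumptions: external interface fxp0, masqueraded IPsec endpoint 192.168.1.10,
# in-kernel ipfw nat available. IPFW defaults to a dry run that only prints the
# commands; set IPFW="ipfw -q" to load them for real.
IPFW="${IPFW:-echo ipfw -q}"

# Emit the rules that let IKE (500/udp) and ESP (IP protocol 50) reach the
# IPsec endpoint behind this NAT gateway, the ipfw counterpart of the HOWTO's
# ipmasqadm (port forwarding) plus ipfwd (ESP redirection) steps.
# $1 = external interface, $2 = internal IPsec endpoint address
ipsec_passthrough_rules() {
    ext_if="$1"; vpn_host="$2"
    # NAT instance on the external interface: besides masquerading outbound
    # traffic, redirect inbound ISAKMP and ESP to the internal endpoint.
    $IPFW nat 1 config if "$ext_if" reset \
        redirect_port udp "$vpn_host":500 500 \
        redirect_proto esp "$vpn_host"
    # Translate everything crossing the external interface (both directions).
    $IPFW add 100 nat 1 ip from any to any via "$ext_if"
    # After translation the destination is the endpoint; admit only these two flows.
    $IPFW add 200 allow udp from any to "$vpn_host" 500 in via "$ext_if"
    $IPFW add 210 allow esp from any to "$vpn_host" in via "$ext_if"
    # Outbound IKE/ESP from the endpoint (source already rewritten by rule 100).
    $IPFW add 220 allow udp from any 500 to any out via "$ext_if"
    $IPFW add 230 allow esp from any to any out via "$ext_if"
    # The rest of the policy (LAN egress, stateful return traffic, final deny)
    # is assumed to follow in the usual rc.firewall style.
}

ipsec_passthrough_rules fxp0 192.168.1.10
```

Nothing else inbound on the external interface is opened by these rules, so an endpoint that also needs NAT-T (4500/udp) or a PPTP setup would need its own redirect entries.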