Date:      Fri, 21 Sep 2001 09:47:03 +0100
From:      Brian Somers <brian@freebsd-services.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        net@FreeBSD.ORG, brian@freebsd-services.com
Subject:   Re: IPSEC question.. 
Message-ID:  <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>
In-Reply-To: Message from Julian Elischer <julian@elischer.org>  of "Thu, 20 Sep 2001 23:33:35 PDT." <3BAADF3F.D48189AD@elischer.org> 

> The sample docs and the daemon-news
> article get me part way started to making an encrypted
> tunnel using IPsec4 between two networks.
> However they are really quite confusing...
> 
> Is there a SIMPLE description of what all the parts do?
> 
> I have a gif tunnel going, but it's not clear to me how I make this tunnel 
> start encrypting the damned data.
> 
> I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing 
> plain encapsulated packets...no encryption..

Once you've got the gif tunnel working, say with top addresses 
10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8, 
create an /etc/ipsec.conf that says:

  spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
  spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;

This is your setkey input.  The ``ip4'' bit tells ipsec to only touch 
IP-in-IP traffic, so comms going from an internal LAN to an external 
gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be 
NAT'd).  Only the gif-encapsulated traffic is encrypted.

Then add this to /etc/rc.conf:

  ipsec_enable=YES
  ipsec_file=/etc/ipsec.conf

Once this is done, arrange to have racoon running on each end and 
everything should work.  Using a shared secret in 
/usr/local/etc/racoon/psk.txt is the easiest:

1.2.3.4 akeythatnobodyisgoingtocrack

and running racoon -F helps initially.

> -- 
> +------------------------------------+       ______ _  __
> |   __--_|\  Julian Elischer         |       \     U \/ / hard at work in 
> |  /       \ julian@elischer.org     +------>x   USA    \ a very strange
> | (   OZ    )                                \___   ___ | country !
> +- X_.---._/    presently in San Francisco       \_/   \\
>           v

Good luck !
-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
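As an added example (not code from Brian's message or from FreeBSD's setkey/racoon), here is a small Python checker for the two-line spdadd policy style shown above: it parses each gateway's ipsec.conf, confirms that every outbound policy on one side has its mirror inbound policy on the other, and flags any policy whose level is not `require` (with `use`, the kernel passes cleartext when no SA exists, which matches the "tcpdump shows plain packets" symptom). The sample configs and the hypothetical `GW_A`/`GW_B` names are constructed for the example.

```python
import re
from dataclasses import dataclass

# spdadd <src> <dst> <upper-proto> -P <in|out> ipsec <esp|ah>/<mode>/<endpoints>/<level>;
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(transport|tunnel)/([^/]*)/(default|use|require|unique)\s*;$"
)

@dataclass(frozen=True)
class Policy:
    src: str; dst: str; proto: str; direction: str
    ipproto: str; mode: str; endpoints: str; level: str

def parse_spd(text):
    """Parse setkey spdadd lines into Policy records; reject anything else."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised policy line: {line!r}")
        policies.append(Policy(*m.groups()))   # group order matches the fields
    return policies

def _mirror_problems(sender, receiver, sname, rname):
    """Check sender's policies for weak levels and for unmirrored out rules."""
    inbound = {(p.src, p.dst, p.proto, p.ipproto, p.mode)
               for p in receiver if p.direction == "in"}
    problems = []
    for p in sender:
        if p.level != "require":   # 'use'/'default' let cleartext through
            problems.append(f"{sname}: {p.src}->{p.dst} {p.direction} "
                            f"level is {p.level}, not require")
        if p.direction == "out" and \
                (p.src, p.dst, p.proto, p.ipproto, p.mode) not in inbound:
            problems.append(f"{rname}: no inbound policy mirroring "
                            f"{sname} out {p.src}->{p.dst}")
    return problems

def check_pair(local, peer):
    """Return a list of problems; empty means the two SPDs agree."""
    return (_mirror_problems(local, peer, "local", "peer")
            + _mirror_problems(peer, local, "peer", "local"))

# Constructed sample: the gateway at 5.6.7.8 (as in the message) and its mirror.
GW_B = """spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;"""
GW_A = """spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P out ipsec esp/transport//require;
spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P in ipsec esp/transport//require;"""
```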