Date: Fri, 13 Apr 2001 19:53:29 -0700
From: steve@Watt.COM (Steve Watt)
To: Gunther Schadow <gunther@aurora.regenstrief.org>
Cc: questions@FreeBSD.ORG
Subject: Re: IPsec painful setup...
Message-ID: <200104140253.f3E2rU107619@wattres.Watt.COM>
In-Reply-To: Gunther Schadow <gunther@aurora.regenstrief.org> "Re: IPsec painful setup..." (Apr 14, 2:09)

On Apr 14, 2:09, Gunther Schadow wrote:
} Steve Watt wrote:
} > I have tried both transport and tunnel mode; it seemed clear to me that
} > transport wouldn't work, but I had to try it anyhow. I'd dearly love to
} > use the FreeBSD box directly as the NAT box, but it's a DSL installation
} > where the DSL line comes into a port on the router. Unless there are
} > PCI DSL cards that are likely to work in such a scenario, I think I get
} > to wrestle with this.
}
} You have too many free variables in your equation :-) I would start
} with two FreeBSD boxes on each end of the line and try to set up a
} statically keyed IPsec tunnel. I don't trust racoon just yet, it
} didn't work for me reliably so far. And of course I don't trust the
} "other IPsec capable" router. Go step by step. If NAT is a problem
} in the DSL box, turn NAT off and use it straight through as a bridge,
} if that's possible...

Actually, I've already got a setup working, with racoon, gif, and the
non FreeBSD IPsec implementation, and it's fine roughly 80% of the time.
The rest of the time, rebooting the non FreeBSD box (it's a Netscreen
router) makes things work again.

Unfortunately, I am trying to duplicate the configuration onto the
above-mentioned ugly setup, so the only variable I'm adding is a NAT
thingy in the way.

} > You said "old gif tunnel method"; that implies that there's some new
} > method? Where can I find info on that? I'm currently using gif tunnels,
} > racoon for isakmp, and ipsec in tunnel mode.
}
} See my recent bug report on freebsd-net. On how to set this up. You can
} use the first half of the bug report as a cookbook recipe. if you
} don't try the second half, you'll be fine :-).

Thanks! I'll take a peek at that.

--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...