Date:      Fri, 21 Sep 2001 13:58:17 -0700 (PDT)
From:      Julian Elischer <julian@elischer.org>
To:        Brian Somers <brian@freebsd-services.com>
Cc:        net@FreeBSD.ORG
Subject:   Re: IPSEC question.. 
Message-ID:  <Pine.BSF.4.21.0109211334120.37053-100000@InterJet.elischer.org>
In-Reply-To: <200109210847.f8L8l3R32993@hak.lan.Awfulhak.org>



On Fri, 21 Sep 2001, Brian Somers wrote:

> > The sample docs and the daemon-news
> > article get me part way started to making an encrypted
> > tunnel using IPsec4 between two networks.
> > However they are really quite confusing...
> > 
> > Is there a SIMPLE description of what all the parts do?
> > 
> > I have a gif tunnel going, but it's not clear to me how I make this tunnel 
> > start encrypting the damned data.
> > 
> > I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing 
> > plain encapsulated packets...no encryption..
> 
> Once you've got the gif tunnel working, say with top addresses 
> 10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8, 
> create an /etc/ipsec.conf that says:


which are the 'top' addresses? outer or inner?
i.e. 

   (A)gif0:-------(B)ed0-----<net>--------ed0(C)--------gif0(D)

> 
>   spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
>   spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> 

ip4?
I need to run this on 4.1.1 machines.

> This is your setkey input.  The ``ip4'' bit tells ipsec to only touch 
> IP-in-IP traffic, so comms going from an internal LAN to an external 
> gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be 
> NAT'd).  Only the gif-encapsulated traffic is encrypted.
> 
> Then add this to /etc/rc.conf:
> 
>   ipsec_enable=YES
>   ipsec_file=/etc/ipsec.conf
> 
> Once this is done, arrange to have racoon running on each end and 
> everything should work.  Using a shared secret in /usr/local/etc/
> racoon/psk.txt is the easiest:
> 
> 1.2.3.4 akeythatnobodyisgoingtocrack
> 
> and running racoon -F helps initially.
> 
> > -- 
> > +------------------------------------+       ______ _  __
> > |   __--_|\  Julian Elischer         |       \     U \/ / hard at work in 
> > |  /       \ julian@elischer.org     +------>x   USA    \ a very strange
> > | (   OZ    )                                \___   ___ | country !
> > +- X_.---._/    presently in San Francisco       \_/   \\
> >           v
> 
> Good luck !
> -- 
> Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
>       http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
> Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
> 

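The setkey lines Brian quotes are written from the point of view of one gateway: the `-P in` policy has the local outer address as destination and the `-P out` policy has it as source, so each end of the tunnel needs its own file. The script below is an added example, not code from this thread or from FreeBSD; it assumes, as Brian's reply states, that the selectors are the outer gateway addresses (1.2.3.4 and 5.6.7.8) and that both ends use `esp/transport//require`. `gen_spd` prints the two policy lines for a given host, and `check_spd` (a hypothetical helper) reads an `ipsec.conf` back and checks the three properties that matter here: the `ip4` selector so only the gif-encapsulated traffic is touched, the direction relative to the local address, and the `require` level, since a `use` level lets traffic leave in cleartext when no SA exists, which is exactly what plain encapsulated packets in tcpdump would look like.

```shell
#!/bin/sh
# Added example (not from the thread): build per-host setkey SPD policies
# for a gif tunnel and sanity-check an ipsec.conf before loading it.
# Assumptions: selectors are the outer gateway addresses, both ends agree
# on esp/transport//require, and the file is loaded via setkey -f.

# gen_spd LOCAL REMOTE: print the two spdadd lines for the gateway whose
# outer address is LOCAL. -P in / -P out are relative to the host that
# loads the file, so loading one file on both ends inverts the policies
# on the second host.
gen_spd() {
    printf 'spdadd %s/32 %s/32 ip4 -P in ipsec esp/transport//require;\n' "$2" "$1"
    printf 'spdadd %s/32 %s/32 ip4 -P out ipsec esp/transport//require;\n' "$1" "$2"
}

# check_spd FILE LOCAL: return 0 when every spdadd line in FILE
#   - uses the ip4 protocol selector (only IP-in-IP traffic is affected),
#   - points the right way for LOCAL (in: dst is LOCAL, out: src is LOCAL),
#   - ends in the "require" level, so packets are dropped rather than sent
#     in the clear when no SA has been negotiated yet,
# and at least one in and one out policy are present.
check_spd() {
    file=$1 local_ip=$2 ins=0 outs=0
    while IFS= read -r line; do
        case $line in spdadd*) ;; *) continue ;; esac
        # word-split the line: spdadd SRC DST PROTO -P DIR ipsec POLICY;
        set -- $line
        src=$2 dst=$3 proto=$4 dir=$6 policy=${8%;}
        if [ "$proto" != ip4 ]; then
            echo "selector is not ip4 (would touch plain LAN traffic): $line" >&2
            return 1
        fi
        if [ "$policy" != esp/transport//require ]; then
            echo "policy level is not require (cleartext fallback possible): $line" >&2
            return 1
        fi
        case $dir in
            in)
                if [ "$dst" != "$local_ip/32" ]; then
                    echo "in policy dst is not the local gateway: $line" >&2
                    return 1
                fi
                ins=$((ins + 1)) ;;
            out)
                if [ "$src" != "$local_ip/32" ]; then
                    echo "out policy src is not the local gateway: $line" >&2
                    return 1
                fi
                outs=$((outs + 1)) ;;
            *)
                echo "unknown direction: $line" >&2
                return 1 ;;
        esac
    done < "$file"
    [ "$ins" -gt 0 ] && [ "$outs" -gt 0 ]
}

# Demo: the file for the 5.6.7.8 end reproduces the two lines from the
# thread; the 1.2.3.4 end gets the mirrored pair.
gen_spd 5.6.7.8 1.2.3.4
gen_spd 1.2.3.4 5.6.7.8
```

Run `gen_spd LOCAL REMOTE > /etc/ipsec.conf` on each gateway with its own outer address first, then `check_spd /etc/ipsec.conf LOCAL` before enabling `ipsec_enable` in `rc.conf`; the check catches a file copied unchanged from the other end, which would pass setkey's syntax check but never encrypt anything.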