From: Brian Somers
To: mi@aldan.algebra.com
Cc: brian@Awfulhak.org, brian@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/ppp ccp.c ccp.h command.c deflate.c fsm.c fsm.h ip.c mppe.c ppp.8 pred.c
Date: Mon, 18 Jun 2001 17:45:26 +0100
Message-Id: <200106181645.f5IGjQh07318@hak.lan.Awfulhak.org>
In-Reply-To: Message from mi@aldan.algebra.com of "Mon, 18 Jun 2001 12:23:18 EDT." <200106181623.f5IGNJ097372@misha.privatelabs.com>

> On 18 Jun, Brian Somers wrote:
> >> On 18 Jun, Brian Somers wrote:
> >> >   brian       2001/06/18 08:00:24 PDT
> >> >
> >> >   Modified files:
> >> >     usr.sbin/ppp         ccp.c ccp.h command.c deflate.c fsm.c
> >> >                          fsm.h ip.c mppe.c ppp.8 pred.c
> >> >   Log:
> >> >   Add support for stateful MPPE (microsoft encryption) providing
> >> >   encryption compatibility with Windows 2000.  Stateful encryption
> >> >   uses less CPU but is bad on lossy transports.
>                                       ^^^^^^^^^^^^^^^^
> >>
> >> So, I suppose, I'll now be able to avoid using SSH and use PPP
> >> with encryption over a device like host:port/tcp directly, without
> >> the
> >>      set login "!ssh tunnel@host"
> >>
> >> Great! Thanks,
> >
> > Aye.
> >
> > IMHO PPPoUDP with encryption is the best option for VPNs where one
>
> But, does not UDP qualify as one of those "lossy transports"?

That depends on what the IP layer under it is sitting on top of :)

> > side has a dynamic IP.  For static gateway IPs with private (rfc1918)
> > addresses, IPSEC and gif are better.  With real IPs, IPSEC on its own
> > is best.
>
> I looked for a tutorial on IPSEC/GIF somewhere, but could not find it :(

I had that problem too.  The best way to get started is to get the gif
stuff working first without encryption.  That can all be done via
rc.conf and is reasonably straightforward.  When that works, create
/etc/ipsec.conf:

  spdadd r.r.r.r/32 l.l.l.l/32 ip4 -P in ipsec esp/tunnel/r.r.r.r-l.l.l.l/require;
  spdadd l.l.l.l/32 r.r.r.r/32 ip4 -P out ipsec esp/tunnel/l.l.l.l-r.r.r.r/require;

replacing l.l.l.l with the local IP and r.r.r.r with the remote one, and
add this to rc.conf:

  ipsec_enable=YES
  ipsec_file=/etc/ipsec.conf

You also need to install the racoon port.  This is fairly
straightforward too - for a shared secret setup between the two
gateways, psk.txt contains the secret and racoon.conf is pretty much the
same as the stock version.

> -mi

I really should write a vpn man page...

--
Brian

Don't _EVER_ lose your sense of humour !
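The recipe Brian sketches (gif tunnel first, then an SPD pair that forces the encapsulated traffic through ESP, then racoon for keying) is easy to get subtly wrong when the two addresses are substituted by hand: the inbound policy has to be the exact mirror of the outbound one, and the remote gateway needs the same pair with the roles reversed. The script below is an added example, not code from the mail or from FreeBSD; it generates both policy lines and the matching rc.conf fragment from the two gateway addresses after validating them. The `gifconfig_gif0` syntax is the FreeBSD 4.x form of the era (later releases configure the tunnel endpoints through `ifconfig_gif0="tunnel ..."`), and all addresses in the usage section are constructed sample values. Two points worth keeping in mind that the mail leaves implicit: the policy's protocol field `ip4` matches only IP-in-IP, i.e. the gif encapsulation, so it protects exactly the tunnel and nothing else between the two hosts, and `require` means an unprotected ip4 packet between the gateways is dropped rather than passed in the clear; and racoon expects psk.txt to be readable by root only.

```shell
#!/bin/sh
# Added example (not from the mail above): emit the SPD pair and rc.conf
# lines for a gif tunnel whose encapsulated traffic must be ESP-protected.
# Addresses in the usage section at the bottom are constructed sample values.

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _n=0
    _oifs="$IFS"; IFS=.
    for _o in $1; do
        _n=$((_n + 1))
        if [ "${#_o}" -gt 3 ] || [ "$_o" -gt 255 ]; then
            IFS="$_oifs"; return 1
        fi
    done
    IFS="$_oifs"
    [ "$_n" -eq 4 ]
}

# spd_policies LOCAL REMOTE: print the two setkey(8) policies from the mail.
# Protocol "ip4" matches only IP-in-IP, i.e. the gif encapsulation, so the
# policy covers exactly the tunnel traffic; "require" means an ip4 packet
# between the two gateways that has no SA is dropped, not forwarded in clear.
# Both lines are derived from the same two arguments so the inbound policy is
# guaranteed to mirror the outbound one; the remote gateway runs the same
# generator with the arguments reversed.
spd_policies() {
    _l="$1"; _r="$2"
    valid_ipv4 "$_l" && valid_ipv4 "$_r" && [ "$_l" != "$_r" ] || return 1
    printf 'spdadd %s/32 %s/32 ip4 -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$_r" "$_l" "$_r" "$_l"
    printf 'spdadd %s/32 %s/32 ip4 -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$_l" "$_r" "$_l" "$_r"
}

# rc_conf_lines LOCAL REMOTE INNER_LOCAL INNER_REMOTE: rc.conf fragment for
# the gif interface (FreeBSD 4.x gifconfig_* syntax, an assumption about the
# reader's release) plus the two ipsec_* knobs named in the mail.
rc_conf_lines() {
    _l="$1"; _r="$2"; _il="$3"; _ir="$4"
    for _a in "$_l" "$_r" "$_il" "$_ir"; do
        valid_ipv4 "$_a" || return 1
    done
    printf 'gif_interfaces="gif0"\n'
    printf 'gifconfig_gif0="%s %s"\n' "$_l" "$_r"
    printf 'ifconfig_gif0="inet %s %s netmask 255.255.255.252"\n' "$_il" "$_ir"
    printf 'ipsec_enable="YES"\n'
    printf 'ipsec_file="/etc/ipsec.conf"\n'
}

# Usage with constructed addresses: local gateway 192.0.2.1, remote gateway
# 198.51.100.1, tunnel inner addresses 172.16.0.1 and 172.16.0.2.
spd_policies 192.0.2.1 198.51.100.1
echo
rc_conf_lines 192.0.2.1 198.51.100.1 172.16.0.1 172.16.0.2
```

Run it once per gateway with the arguments swapped on the remote side; the first block of output goes into /etc/ipsec.conf and the second into /etc/rc.conf. Bring the gif interface up without the ipsec_* lines first, confirm the tunnel passes traffic, and only then load the policies, so a failure after that point is known to be keying rather than routing.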