Date: Mon, 18 Jun 2001 17:45:26 +0100 From: Brian Somers <brian@Awfulhak.org> To: mi@aldan.algebra.com Cc: brian@Awfulhak.org, brian@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, brian@Awfulhak.org Subject: Re: cvs commit: src/usr.sbin/ppp ccp.c ccp.h command.c deflate.c fsm.c fsm.h ip.c mppe.c ppp.8 pred.c Message-ID: <200106181645.f5IGjQh07318@hak.lan.Awfulhak.org> In-Reply-To: Message from mi@aldan.algebra.com of "Mon, 18 Jun 2001 12:23:18 EDT." <200106181623.f5IGNJ097372@misha.privatelabs.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> On 18 Jun, Brian Somers wrote:
> >> On 18 Jun, Brian Somers wrote:
> >> > brian 2001/06/18 08:00:24 PDT
> >> >
> >> > Modified files:
> >> > usr.sbin/ppp ccp.c ccp.h command.c deflate.c fsm.c
> >> > fsm.h ip.c mppe.c ppp.8 pred.c
> >> > Log:
> >> > Add support for stateful MPPE (microsoft encryption) providing
> >> > encryption compatibility with Windows 2000. Stateful encryption
> >> > uses less CPU but is bad on lossy transports.
> ^^^^^^^^^^^^^^^^
> >>
> >> So, I suppose, I'll now be able to avoid using SSH and use PPP
> >> with encryption over a device like host:port/tcp directly, without
> >> the
> >> set login "!ssh tunnel@host"
> >>
> >> Great! Thanks,
> >
> > Aye.
> >
> > IMHO PPPoUDP with encryption is the best option for VPNs where one
>
> But, does not UDP qualify as one of those "lossy transports"?
That depends on what the IP layer under it is sitting on top of :)
> > side has a dynamic IP. For static gateway IPs with private (rfc1918)
> > addresses, IPSEC and gif are better. With real IPs, IPSEC on its own
> > is best.
>
> I looked for a tutorial on IPSEC/GIF somewhere, but could not find it :(
I had that problem too.
The best way to get started is to get the gif stuff working first
without encryption. That can all be done via rc.conf and is
reasonably straight forward.
When that works, create /etc/ipsec.conf:
spdadd r.r.r.r/32 l.l.l.l/32 ip4 -P in ipsec esp/tunnel/r.r.r.r-l.l.l.l/require;
spdadd l.l.l.l/32 r.r.r.r/32 ip4 -P out ipsec esp/tunnel/l.l.l.l-r.r.r.r/require;
replacing l.l.l.l with the local IP and r.r.r.r with the remote one
and add this to rc.conf:
ipsec_enable=YES
ipsec_file=/etc/ipsec.conf
You also need to install the racoon port. This is fairly straight
forward too - for a shared secret setup between the two gateways,
psk.txt contains the secret and racoon.conf is pretty much the same
as the stock version.
> -mi
I really should write a vpn man page...
--
Brian <brian@Awfulhak.org> <brian@[uk.]FreeBSD.org>
<http://www.Awfulhak.org>; <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106181645.f5IGjQh07318>