Date:      Mon, 20 Nov 2000 13:11:12 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Tom Samplonius <tom@sdf.com>
Cc:        Evren Yurtesen <eyurtese@turkuamk.fi>, freebsd-isp@FreeBSD.ORG
Subject:   Re: any VPN daemon?
Message-ID:  <5.0.1.4.0.20001120130314.00af46c0@marble.sentex.ca>
In-Reply-To: <Pine.BSF.4.05.10011200849560.1138-100000@misery.sdf.com>
References:  <4.2.2.20001119221736.0173de98@marble.sentex.net>

At 08:51 AM 11/20/00 -0800, Tom Samplonius wrote:

>On Sun, 19 Nov 2000, Mike Tancsa wrote:
>
> > At 06:29 PM 11/19/2000 -0800, Tom Samplonius wrote:
> > >   Well building IPSec tunnels on FreeBSD 4.x is rather arcane and not very
> > >well documented.  For instance, there is nothing on how IPSec and ipfw
> > >interact.  Which subsystem gets the packet first?  ipfw or IPSec?
> > >Building a system with ipfw, natd and IPSec tunnels isn't an easy thing to
> > >do.
> >
> > I believe the person said he was using a simple LAN to LAN. I have had good
> > results setting up a few tunnels in the past month or so. What specifically
> > were you trying to find with respect to ipfw ?
>
>   What evaluates a packet first?  ipfw rules or setkey rules?


It would _appear_ ipfw does first, as I can stop a working ipsec connection 
with ipfw first, at least when I use the gif tunneling interface. I don't 
have a tunnel setup currently in transport mode only, but it would be easy 
enough to test.

>...
> > #!/bin/sh
> > #PPPoE config
> > ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
> > gifconfig gif0 169.1.134.1 172.168.93.4
> > ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
> > setkey -FP
> > setkey -F
> > setkey -c <<EOF
> > spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
> > esp/tunnel/169.1.134.1-172.168.93.4/require;
> > spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
> > esp/tunnel/172.168.93.4-169.1.134.1/require;
> > EOF
>
>
>   Why are you using gif0?  I understand that gif0 is not recommended for
>IPv4 over IPv4 tunnels.  Also, since you are using ipsec tunnels setup via
>setkey, I don't think gif0.


From my understanding the danger with using gif was routing loops.  I 
found it easier to do this way.  I agree the documentation is fairly sparse 
for IPSec, but once you get it running, it does work, and there is 
interoperability amongst different vendors' implementations.  Also, there 
are more and more books, articles and general resources dealing with IPSec, 
whereas the only other VPN solution that is close to a broad install base 
I guess is MS PPTP which has its own issues.  What are you using for VPNs?

         ---Mike
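The script quoted above hard-codes one tunnel, and the error-prone part is keeping the "in" policy an exact mirror of the "out" policy (both the subnets and the tunnel endpoints swap). The following is an added example, not part of Mike's message or of FreeBSD itself: a POSIX shell script that generates the two setkey SPD statements from four parameters, plus the ipfw allow rules a ruleset needs if, as observed above, ipfw sees the packet before IPsec (the outer ESP exchange between the gateways and the decapsulated traffic on gif0). The addresses are the constructed sample values from the quoted script; nothing is applied to the running system, the output is meant to be reviewed and then fed to "setkey -c" and "ipfw" respectively.

```shell
#!/bin/sh
# Added example (not from the original message): emit setkey SPD policies and
# matching ipfw rules for a LAN-to-LAN ESP tunnel over gif0. Addresses used
# below are constructed sample values, not real hosts.

# gen_spd LOCAL_GW REMOTE_GW LOCAL_LAN REMOTE_LAN
# Prints the two spdadd statements. The "in" policy is the mirror image of
# the "out" policy: subnets and tunnel endpoints are both reversed.
gen_spd() {
    lgw=$1; rgw=$2; llan=$3; rlan=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$llan" "$rlan" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rlan" "$llan" "$rgw" "$lgw"
}

# gen_ipfw LOCAL_GW REMOTE_GW LOCAL_LAN REMOTE_LAN
# Prints ipfw rules (without "ipfw" prefix, one per line) that must sit ahead
# of any deny rule when ipfw evaluates the packet before IPsec does:
#   - ESP (protocol 50) between the two gateways in both directions
#   - the inner LAN-to-LAN traffic crossing the gif0 tunnel interface
gen_ipfw() {
    lgw=$1; rgw=$2; llan=$3; rlan=$4
    printf 'add allow esp from %s to %s\n' "$lgw" "$rgw"
    printf 'add allow esp from %s to %s\n' "$rgw" "$lgw"
    printf 'add allow ip from %s to %s via gif0\n' "$llan" "$rlan"
    printf 'add allow ip from %s to %s via gif0\n' "$rlan" "$llan"
}

# Sample run with the addresses from the quoted script (constructed values).
echo "# setkey -c <<EOF ... EOF"
gen_spd 169.1.134.1 172.168.93.4 10.1.2.0/24 10.1.1.0/24
echo "# ipfw rules (prepend 'ipfw', keep them before any deny)"
gen_ipfw 169.1.134.1 172.168.93.4 10.1.2.0/24 10.1.1.0/24
```

Run it on the remote gateway with the gateway and LAN arguments swapped and the two outputs should be exact mirrors of each other; if they are not, the SPD entries will not match and the tunnel silently drops traffic in one direction.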
