From owner-freebsd-hackers Fri Jan 11 11:55:10 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from avocet.prod.itd.earthlink.net (avocet.mail.pas.earthlink.net [207.217.120.50]) by hub.freebsd.org (Postfix) with ESMTP id D3FC937B404 for ; Fri, 11 Jan 2002 11:55:05 -0800 (PST)
Received: from pool0189.cvx21-bradley.dialup.earthlink.net ([209.179.192.189] helo=mindspring.com) by avocet.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16P7lR-0007dN-00; Fri, 11 Jan 2002 11:54:58 -0800
Message-ID: <3C3F430F.B031DD6@mindspring.com>
Date: Fri, 11 Jan 2002 11:54:55 -0800
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Wilko Bulte
Cc: robert.thoelen@ieee.org, freebsd-hackers@FreeBSD.ORG
Subject: Re: IPsec tunnel between FreeBSD and OpenBSD
References: <20020111182049.37178.qmail@web21203.mail.yahoo.com> <3C3F3EE0.A80F5713@mindspring.com> <20020111204544.A30419@freebie.xs4all.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

Wilko Bulte wrote:
> > Start with:
> >
> > "A Quick Guide to Configuring IPsec on OpenBSD v2.9"
> > Robert Sigillito, Carol Thompson
> > http://www.daemonnews.org/200111/ipsec.html
> >
> > Once you have the OpenBSD side configured, the FreeBSD
> > should be fairly straightforward (just make changes
> > until it works 8-)), since most of the code is OpenBSD
> > derived.
>
> But FreeBSD uses racoon (OK, it is a port) iso isakmpd or
> am I missing something?

No, FreeBSD is gratuitously different because of where it got its
ISA/KMP code vs. OpenBSD.
In general, you should only need to manage keys if you are exchanging
them on one server or the other, not both, so my suggestion would be to
keep the keys in the ISA/KMP server on the OpenBSD box (for which we
have example configuration documentation), and not on the FreeBSD box.

Otherwise, the "just make changes until it works" approach is a
possible tack to take, or you could beat documentation out of the
Racoon people, if you can read Japanese.

You might also want to talk to Evan Oldford, who did a FreeBSD<->FreeBSD
configuration at Whistle/IBM (he works for a PacketDesign spinoff now;
sorry, you will have to search out his email). I can tell you that his
advice will probably be to statically configure certificates on both
ends, instead of relying on Racoon (don't know if he ever got it working
between Windows and FreeBSD with the "preview" version of the IPSec
stuff from Microsoft that I found for him, and which they removed from
download very shortly thereafter).

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message