Date: Fri, 31 Jan 2003 01:15:25 -0800 (PST)
From: Mike Hoskins <mike@adept.org>
To: freebsd-net@freebsd.org
Subject: freebsd/kame - linux s/wan
Message-ID: <20030131010305.W38150-100000@fubar.adept.org>
I've got a client wanting to establish an IPSEC tunnel / VPN between two offices. One end is running FreeBSD/IPSEC (KAME), the other end Linux FreeS/WAN. The problem I'm having is that most interoperability docs I've found on the 'Net are dated back to 2000 or so - has anything changed? This is my first time playing with this.

I wish they'd just use FreeBSD on both ends, then the handbook entry (which is clear and understandable at first read) would be all I'd need. I guess that's not what they pay me for.

They only want/need to do shared secrets - do I still need to use racoon? At present I believe so, because according to gif(4) there are interoperability issues that would keep the usual bsd-bsd configuration from working in this case.

I was primarily hoping for some sort of verification that information like the following is still accurate, so I don't waste time copying configs that no longer work. Itojun should certainly be an authoritative source, but it is dated 2000:

http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/09/msg00511.html

To anyone that has this working now, did you follow similar advice or find a solution yourself? I'm curious to see examples, including any tweaks you've had to make over time. I'm sure there's more than one way to skin this <insert least favorite animal here>.

At this point both the FreeBSD and Linux boxes sit in a DMZ without NAT. The client has expressed a desire to move both of these boxes behind the local firewalls (PIX) "once everything else is working". From my PPTP experience NAT makes my skin crawl, but does IPSEC have similar issues? Would the tunnel be affected by an intermediate NAT device? This would be true 1-to-1/static NAT (static commands on the PIX) and not something like port address translation.

Oh, and I did try to get them to just connect FreeS/WAN to the remote PIX as an IPSEC peer. That would work, but the PIX does not have a 3DES license, so I would like to use an alternative with better encryption. (I saw the FreeS/WAN DES patch, but that seems somewhat backwards.)

Thanks for any insight,
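[Editor's note: the following is an added example of the pre-shared-key, tunnel-mode configuration the post is asking about. It is not from the original message, from Itojun's 2000 mail, or from either project's own documentation; it reflects the syntax of KAME racoon/setkey and FreeS/WAN 1.x/2.x as the editor knows it. All addresses (203.0.113.1 / 192.168.1.0/24 for the FreeBSD side, 203.0.113.2 / 192.168.2.0/24 for the Linux side), the file paths and the secret are assumptions for illustration. The choices that matter for interoperability with FreeS/WAN are: main mode, DH group 2 (modp1024; FreeS/WAN rejects group 1), PFS on, and ESP with 3DES/HMAC-SHA1.]

```conf
# ---- FreeBSD / KAME side ---------------------------------------------
# /usr/local/etc/racoon/racoon.conf   (assumed path; racoon is required
# for IKE with a pre-shared key, the gif(4) manual SA setup is not used)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote 203.0.113.2 {                      # the FreeS/WAN peer (assumed)
        exchange_mode main;               # FreeS/WAN uses main mode
        my_identifier address;            # ID = our public address
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;               # modp1024, FreeS/WAN minimum
        }
}

sainfo anonymous {
        pfs_group 2;                      # FreeS/WAN defaults to pfs=yes
        lifetime time 8 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /usr/local/etc/racoon/psk.txt  (assumed path; must be mode 0600 or
# racoon refuses to read it). Format: <peer address> <secret>
# 203.0.113.2   ExampleSharedSecretChangeMe

# /etc/ipsec.conf for setkey(8), loaded with: setkey -f /etc/ipsec.conf
# The SPD entries tell the kernel which traffic needs the tunnel; racoon
# then negotiates the SAs on demand.
# flush;
# spdflush;
# spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
# spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;

# ---- Linux / FreeS/WAN side ------------------------------------------
# /etc/ipsec.conf
# config setup
#         interfaces=%defaultroute
#         klipsdebug=none
#         plutodebug=none
#
# conn bsd-office
#         left=%defaultroute            # our 203.0.113.2, picks nexthop too
#         leftsubnet=192.168.2.0/24
#         right=203.0.113.1             # the FreeBSD/racoon peer (assumed)
#         rightsubnet=192.168.1.0/24
#         authby=secret                 # pre-shared key
#         pfs=yes                       # matches pfs_group 2 above
#         auto=start
#
# /etc/ipsec.secrets  (mode 0600)
# 203.0.113.2 203.0.113.1 : PSK "ExampleSharedSecretChangeMe"
```

Usage: on FreeBSD load the SPD with setkey -f and start racoon (racoon -F -d in the foreground while debugging shows the phase 1/phase 2 negotiation); on Linux run ipsec auto --up bsd-office. Ping from one LAN to the other, and confirm with setkey -D on FreeBSD and ipsec eroute on Linux that ESP SAs exist in both directions. Caveat on the NAT question in the post: AH cannot survive any translation because it authenticates the outer IP header, while ESP in tunnel mode generally can pass a static one-to-one NAT; but the IKE identity racoon sends with my_identifier address is its own, possibly private, address, so the FreeS/WAN side would then need rightid= set to that address. This example assumes no NAT between the peers, as in the current DMZ setup.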