From: "Mire, John" <jmire@lsuhsc.edu>
To: Danny Howard, Joshua Weaver
Cc: freebsd-net@freebsd.org, 'free bsd'
Date: Tue, 11 Oct 2005 16:22:13 -0500
Subject: RE: GRE tunnels anyone?
List-Id: User questions (freebsd-questions@freebsd.org)

In the past, with RELEASE-4.X we had multiple tunnels coming in to our 7206VXR. I can't put my hands on the IOS config at the moment, but here's the startup script used on the two remote boxes.
#!/bin/sh
#################################################################
#
# /usr/local/etc/rc.d/tunnel.sh - configure gif tunnels and ipsec
# $Id: tunnel.sh,v 1.3 2002/05/13 14:21:30 jmire Exp $
#
# Usage: tunnel.sh [yes]
#   "yes" brings the gif tunnel up but skips the IPsec policy
#   (plaintext tunnel, for testing); anything else configures IPsec.
#
#################################################################

# Default to configuring IPsec. (The original only set this for 0 or 1
# arguments; with more it was unset and IPsec was silently skipped.)
disable_config_ipsec="NO"
if [ $# -eq 1 ]; then
    case "$1" in
        [Yy][Ee][Ss]) disable_config_ipsec="YES" ;;
        *)            disable_config_ipsec="NO"  ;;
    esac
fi

# Function definitions

f_ipsecinit1() {
    /usr/sbin/setkey -FP    # flush the SPD (policy) entries
    /usr/sbin/setkey -F     # flush the SAD (key) entries
} # end f_ipsecinit1

f_gifconfig1() {
    ifconfig $GIF destroy                                   # make sure gif doesn't exist with old config
    ifconfig $GIF create                                    # create gif interface
    gifconfig $GIF $BSD1_PUB $BSD2_PUB                      # setup the tunnel endpoints (4.x tool; later releases use "ifconfig $GIF tunnel $BSD1_PUB $BSD2_PUB")
    ifconfig $GIF inet $BSD1_IP $BSD2_IP netmask $NETMASK   # setup the network connects inside tunnel
    route add $BSD2_NET $BSD2_IP                            # setup the route
} # end f_gifconfig1

# Policy on the outer (public) endpoints: everything between the two public
# addresses, including the gif IP-in-IP packets, must go through ESP tunnel mode.
f_confipsec1() {
    /usr/sbin/setkey -c << EOF
spdadd $BSD1_PUB $BSD2_PUB any -P out ipsec esp/tunnel/${BSD1_PUB}-${BSD2_PUB}/require;
spdadd $BSD2_PUB $BSD1_PUB any -P in ipsec esp/tunnel/${BSD2_PUB}-${BSD1_PUB}/require;
EOF
} # end f_confipsec1

# Alternative policy on the inner networks, keyed on the gif addresses.
# Defined but not called below.
f_confipsec3() {
    /usr/sbin/setkey -c << EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec esp/tunnel/${BSD1_IP}-${BSD2_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec esp/tunnel/${BSD2_IP}-${BSD1_IP}/require;
EOF
} # end f_confipsec3

# Function names use "_" rather than "-": a hyphen is not a valid
# function name in every /bin/sh.
f_config_remote1() {
    ##############################################################
    # gif0: flags=8051 mtu 1280
    #       tunnel inet 24.242.107.143 --> 206.176.175.6
    #       inet 192.168.1.1 --> 192.168.4.1 netmask 0xffffff00
    #
    # set local variables
    # gif0, 24.242.107.143, 205.166.221.1, 192.168.1.1, 192.168.4.1
    local GIF="gif0"
    local BSD2_IP="192.168.4.1"
    local BSD2_NET="192.168.4.0/24"
    local BSD2_PUB="206.176.175.6"
    local BSD1_IP="192.168.1.1"
    local BSD1_NET="192.168.1.0/24"
    local BSD1_PUB="24.242.107.143"
    local NETMASK="255.255.255.0"

    f_gifconfig1 > /dev/null    # set gif0 config
    ifconfig $GIF               # check config
    case ${disable_config_ipsec} in
        [Nn][Oo])
            f_confipsec1        # set policy
            setkey -DP          # dump the SPD to verify it
            ;;
        *) ;;
    esac
} # end f_config_remote1

f_config_remote2() {
    #############################################################
    # gif0: flags=8051 mtu 1280
    #       tunnel inet 207.254.204.147 --> 206.176.175.6
    #       inet 192.168.0.5 --> 192.168.0.6 netmask 0xfffffffc
    #
    # gif0, 207.254.204.147, 205.166.221.1, 192.168.0.5, 192.168.0.6
    local GIF="gif0"
    local BSD2_IP="192.168.0.6"
    local BSD2_NET="192.168.4.0/24"
    local BSD2_PUB="206.176.175.6"
    local BSD1_IP="192.168.0.5"
    local BSD1_NET="192.168.3.0/24"
    local BSD1_PUB="207.254.204.147"
    local NETMASK="255.255.255.252"

    f_gifconfig1 > /dev/null    # set gif0 config
    ifconfig $GIF               # check config
    case ${disable_config_ipsec} in
        [Nn][Oo])
            f_confipsec1        # set policy
            setkey -DP          # dump the SPD to verify it
            ;;
        *) ;;
    esac
} # end f_config_remote2

# main
#############################################################
HOSTNAME=`/bin/hostname -s`

# kill racoon if running
killall racoon

f_ipsecinit1    # initialize: flush SPD and SAD

case $HOSTNAME in
    Remote1)
        echo $HOSTNAME
        f_config_remote1
        ;;
    Remote2)
        echo $HOSTNAME
        f_config_remote2
        ;;
esac

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Danny Howard
Sent: Tuesday, October 11, 2005 3:20 PM
To: Joshua Weaver
Cc: freebsd-net@freebsd.org; 'free bsd'
Subject: Re: GRE tunnels anyone?

On Tue, Oct 11, 2005 at 01:06:58PM -0500, Joshua Weaver wrote:
> The company I work for uses a lot of multicast tunnels, usually with a
> QOS/GRE implementation with quite pricey hardware. I googled around a bit;
> it looks like basic VPN is supported for FreeBSD. I guess my questions are:
>
> 1.) Does FreeBSD play well with VPN-capable routers (like a 3Com 5012)?
>
> 2.) Would getting acceptable latency tunneling multicast mean hardware
> that's just as expensive as a router costing thousands?

Joshua,

We run a tunnel using gif interfaces, managed by racoon.
The performance is less than super, but I think that's a constraint of our network resources.

My answer would be: "Why not grab a spare box and try it out?" If the day's diversion may lead you to saving thousands, then please spend a little more effort and write a brief article on a blog or a journal somewhere to help the next person who comes along asking your question. :)

The handbook has a great chapter on how to set up a tunnel from scratch, though it sounds like you don't need a lot of hand-holding.

I would LIKE to think that if we spent a bit of cash on proper VPN hardware, tunnel maintenance would be easier and performance might be better. Well, that's an aside.

Good Luck,
-danny
--
http://dannyman.toldme.com/

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
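As an added example (not code from any message in this thread), here is a small POSIX sh script that builds the setkey policy text tunnel.sh feeds to "setkey -c", using the Remote1 addresses from John's script, and validates every address first so a typo in a site variable fails before anything reaches setkey. It shows both policy shapes the script defines: f_confipsec1, which tunnel.sh actually calls, keys ESP on the public endpoints so the gif IP-in-IP packets themselves are encapsulated; f_confipsec3, which the script defines but never calls, selects on the inner networks and keys on the gif addresses. The function names and the apply/dry-run switch are this example's own.

```shell
#!/bin/sh
# Added example, not from any message in this thread: build the setkey SPD
# text that tunnel.sh pipes into "setkey -c", with input validation and
# without touching the kernel. Assumed: IPv4 only; function and variable
# names here are this example's own, not tunnel.sh's.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with each octet in 0..255.
# Runs in a subshell so changing IFS and -f does not leak to the caller.
is_ipv4() (
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -f                     # no globbing while we split on "."
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# is_cidr PREFIX: succeed if PREFIX is ADDR/LEN with a valid ADDR and LEN in 0..32.
is_cidr() {
    case $1 in
        */*) ;;
        *)   return 1 ;;
    esac
    _addr=${1%/*}
    _plen=${1#*/}
    is_ipv4 "$_addr" || return 1
    case $_plen in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_plen" -le 32 ] || return 1
    return 0
}

# spd_policy SEL_LOCAL SEL_REMOTE EP_LOCAL EP_REMOTE
# Print the mirrored out/in pair of "require" policies: traffic matching the
# selectors must be carried in ESP tunnel mode between EP_LOCAL and EP_REMOTE.
# Selectors may be hosts or CIDR prefixes; endpoints must be hosts.
spd_policy() {
    for sel in "$1" "$2"; do
        is_ipv4 "$sel" || is_cidr "$sel" || { echo "bad selector: $sel" >&2; return 1; }
    done
    for ep in "$3" "$4"; do
        is_ipv4 "$ep" || { echo "bad endpoint: $ep" >&2; return 1; }
    done
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n'  "$2" "$1" "$4" "$3"
}

# The two shapes tunnel.sh defines, filled in with the Remote1 values from
# the script above (constructed sample; your sites use other addresses).
# outer (what f_confipsec1 applies): protect everything between the public
# endpoints, so the gif IP-in-IP packets themselves ride inside ESP.
spd_remote1_outer() {
    spd_policy 24.242.107.143 206.176.175.6 24.242.107.143 206.176.175.6
}
# inner (what the unused f_confipsec3 would apply): select on the private
# networks and key the ESP tunnel on the gif addresses.
spd_remote1_inner() {
    spd_policy 192.168.1.0/24 192.168.4.0/24 192.168.1.1 192.168.4.1
}

# Dry run by default; "apply" loads the outer policy exactly as tunnel.sh
# does and then dumps the SPD so the result can be checked.
if [ "$1" = apply ]; then
    spd_remote1_outer | /usr/sbin/setkey -c && /usr/sbin/setkey -DP
else
    spd_remote1_outer
    spd_remote1_inner
fi
```

Run it with no argument to print the policies; run it with "apply" as root to load them and dump the resulting SPD with setkey -DP, as the f_config functions in the script do. The two lines printed for a pair must mirror each other (selector source and destination swapped, tunnel endpoints swapped) between the out and in policy; that symmetry is the first thing to check in the setkey -DP output when a tunnel passes traffic in one direction only.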