> The sample docs and the daemon-news
> article get me part way started to making an encrypted
> tunnel using IPsec4 between two networks.
> However, they are really quite confusing...
>
> Is there a SIMPLE description of what all the parts do?
>
> I have a gif tunnel going, but it's not clear to me how I make this tunnel
> start encrypting the damned data.
>
> I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing
> plain encapsulated packets...no encryption..

Once you've got the gif tunnel working, say with top addresses
10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8,
create an /etc/ipsec.conf that says:

spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;

This is your setkey input. The ``ip4'' bit tells ipsec to only touch
IP-in-IP traffic, so comms going from an internal LAN to an external
gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
NAT'd). Only the gif-encapsulated traffic is encrypted.

Then add this to /etc/rc.conf:

ipsec_enable=YES
ipsec_file=/etc/ipsec.conf

Once this is done, arrange to have racoon running on each end and
everything should work. Using a shared secret in
/usr/local/etc/racoon/psk.txt is the easiest:

1.2.3.4 akeythatnobodyisgoingtocrack

and running racoon -F helps initially.
> --
> +------------------------------------+ ______ _ __
> | __--_|\ Julian Elischer | \ U \/ / hard at work in
> | / \ [EMAIL PROTECTED] +------>x USA \ a very strange
> | ( OZ ) \___ ___ | country !
> +- X_.---._/ presently in San Francisco \_/ \\
> v
Good luck !
--
Brian <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
http://www.freebsd-services.com/ <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour ! <brian@[uk.]OpenBSD.org>
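As an added example (not part of Brian's reply, and not FreeBSD's or racoon's own code), here is a small POSIX shell script that produces the two spdadd lines from one gateway's point of view and checks an existing ipsec.conf for the most common slip, a reversed -P in / -P out direction: setkey accepts such a policy without complaint, but it never matches the packets it was written for, so the gif traffic stays in the clear. It uses the addresses from the mail (1.2.3.4 and 5.6.7.8) and reads the mail's ipsec.conf as written for the 5.6.7.8 end (its in policy has 5.6.7.8 as destination, and the psk.txt line names 1.2.3.4 as the peer). The function names gen_spd and check_spd, and the temporary files, are the example's own.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the setkey SPD policy
# for one IPsec gateway and checks a policy file for reversed directions.
# Selector ("ip4", i.e. IP-in-IP only) and "esp/transport//require" are
# taken from the mail; gen_spd/check_spd are this example's own names.

# gen_spd LOCAL REMOTE
#   Print the two spdadd lines from LOCAL's point of view:
#   inbound traffic is REMOTE -> LOCAL, outbound is LOCAL -> REMOTE.
gen_spd() {
    local_ip=$1
    remote_ip=$2
    printf 'spdadd %s/32 %s/32 ip4 -P in ipsec esp/transport//require;\n' \
        "$remote_ip" "$local_ip"
    printf 'spdadd %s/32 %s/32 ip4 -P out ipsec esp/transport//require;\n' \
        "$local_ip" "$remote_ip"
}

# check_spd LOCAL FILE
#   Return 0 if every spdadd line in FILE has a direction consistent with
#   LOCAL (in: destination == LOCAL, out: source == LOCAL), 1 otherwise.
#   Offending lines are reported on stderr; other lines are ignored.
check_spd() {
    local_ip=$1
    file=$2
    status=0
    while read -r kw src dst proto dashp dir rest; do
        [ "$kw" = "spdadd" ] || continue
        src=${src%/*}       # strip the /32 prefix length
        dst=${dst%/*}
        case $dir in
            in)
                [ "$dst" = "$local_ip" ] || {
                    echo "bad in policy: $src -> $dst (dst is not $local_ip)" >&2
                    status=1
                }
                ;;
            out)
                [ "$src" = "$local_ip" ] || {
                    echo "bad out policy: $src -> $dst (src is not $local_ip)" >&2
                    status=1
                }
                ;;
            *)
                echo "unknown direction '$dir' in: $kw $src $dst $proto $dashp $dir $rest" >&2
                status=1
                ;;
        esac
    done < "$file"
    return $status
}

# Demonstration with constructed files: the policy for the 5.6.7.8 end
# (what the mail shows) passes; the same policy generated for the 1.2.3.4
# end, mistakenly installed on 5.6.7.8, is rejected.
demo_dir=$(mktemp -d)
gen_spd 5.6.7.8 1.2.3.4 > "$demo_dir/ipsec.conf"
cat "$demo_dir/ipsec.conf"
check_spd 5.6.7.8 "$demo_dir/ipsec.conf" && echo "ipsec.conf: directions OK"
gen_spd 1.2.3.4 5.6.7.8 > "$demo_dir/reversed.conf"
check_spd 5.6.7.8 "$demo_dir/reversed.conf" || echo "reversed.conf: rejected"
rm -rf "$demo_dir"
```

Run gen_spd 5.6.7.8 1.2.3.4 on the 5.6.7.8 gateway and gen_spd 1.2.3.4 5.6.7.8 on the other, write each output to that host's /etc/ipsec.conf, and after loading it compare setkey -DP with what the script emitted. With matching policies on both ends and racoon holding the same psk.txt secret, tcpdump on the outside interface should show ESP between the two gateway addresses instead of the bare IP-in-IP packets Julian was seeing.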