On Fri, 21 Sep 2001, Brian Somers wrote:
> > The sample docs and the daemon-news
> > article get me part way started to making an encrypted
> > tunnel using IPsec4 between two networks.
> > However they are really quite confusing...
> >
> > Is there a SIMPLE description of what all the parts do?
> >
> > I have a gif tunnel going, but it's not clear to me how I make this tunnel
> > start encrypting the damned data.
> >
> > I've fiddled with several commands (e.g. setkey) but tcpdump keeps showing
> > plain encapsulated packets...no encryption..
>
> Once you've got the gif tunnel working, say with top addresses
> 10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8,
> create an /etc/ipsec.conf that says:
Which are the 'top' addresses? Outer or inner?
i.e.
(A)gif0:-------(B)ed0-----<net>--------ed0(C)--------gif0(D)
>
> spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
>
ip4?
I need to run this on 4.1.1 machines.
> This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> IP-in-IP traffic, so comms going from an internal LAN to an external
> gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> NAT'd). Only the gif-encapsulated traffic is encrypted.
>
> Then add this to /etc/rc.conf:
>
> ipsec_enable=YES
> ipsec_file=/etc/ipsec.conf
>
> Once this is done, arrange to have racoon running on each end and
> everything should work. Using a shared secret in /usr/local/etc/
> racoon/psk.txt is the easiest:
>
> 1.2.3.4 akeythatnobodyisgoingtocrack
>
> and running racoon -F helps initially.
>
> > --
> > +------------------------------------+ ______ _ __
> > | __--_|\ Julian Elischer | \ U \/ / hard at work in
> > | / \ [EMAIL PROTECTED] +------>x USA \ a very strange
> > | ( OZ ) \___ ___ | country !
> > +- X_.---._/ presently in San Francisco \_/ \\
> > v
>
> Good luck !
> --
> Brian <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> http://www.freebsd-services.com/ <brian@[uk.]FreeBSD.org>
> Don't _EVER_ lose your sense of humour ! <brian@[uk.]OpenBSD.org>
>
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
>
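As an added example (not code from either message), a small sh script that writes the two spdadd lines Brian describes for whichever end it runs on, and checks an existing file for the swapped-direction mistake; it goes slightly beyond the thread by handling either end from one script. It assumes, as Brian's "external gateway address" remark implies, that 1.2.3.4 and 5.6.7.8 are the outer addresses, and that each end passes its own outer address first.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes 1.2.3.4 and 5.6.7.8 are the
# outer (gateway) addresses the spdadd lines refer to, and that each end
# runs this with its OWN outer address as the first argument.

# gen_ipsec_conf LOCAL_GW REMOTE_GW
# Print the two SPD entries for this end: "in" matches traffic from the
# remote gateway to us, "out" matches traffic from us to the remote gateway.
# Only IP-in-IP (ip4) traffic, i.e. the gif encapsulation, is covered.
gen_ipsec_conf() {
    local_gw=$1
    remote_gw=$2
    case "$local_gw$remote_gw" in
        *[!0-9.]*) echo "gen_ipsec_conf: bare IPv4 addresses only" >&2; return 1 ;;
    esac
    printf 'spdadd %s/32 %s/32 ip4 -P in ipsec esp/transport//require;\n' \
        "$remote_gw" "$local_gw"
    printf 'spdadd %s/32 %s/32 ip4 -P out ipsec esp/transport//require;\n' \
        "$local_gw" "$remote_gw"
}

# check_ipsec_conf LOCAL_GW FILE
# Fail if FILE was copied unchanged from the far end: an "in" policy whose
# source is our own address, or an "out" policy whose destination is our own
# address, never matches real traffic, so the gif packets leave in the clear
# (the "plain encapsulated packets" symptom) although the file looks right.
check_ipsec_conf() {
    local_gw=$1
    conf=$2
    bad=0
    while read -r kw src dst upper pflag dir rest; do
        [ "$kw" = "spdadd" ] || continue
        case $dir in
            in)  case $src in "$local_gw"/*)
                     echo "$conf: inbound policy has local $local_gw as source" >&2; bad=1 ;;
                 esac ;;
            out) case $dst in "$local_gw"/*)
                     echo "$conf: outbound policy has local $local_gw as destination" >&2; bad=1 ;;
                 esac ;;
        esac
    done < "$conf"
    return $bad
}

# On the 1.2.3.4 end:
#   gen_ipsec_conf 1.2.3.4 5.6.7.8 > /etc/ipsec.conf
#   check_ipsec_conf 1.2.3.4 /etc/ipsec.conf && setkey -f /etc/ipsec.conf
# Afterwards "setkey -DP" should list both policies, and tcpdump on the outer
# interface should show ESP instead of plain IP-in-IP once racoon has set up
# the SAs.
```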