(sorry, lost the exact subject...)

On Thu, Oct 31, 2002 at 11:03:22AM -0500, Jim Durham wrote:
> On Thursday 31 October 2002 10:37 am, Wayne Pascoe wrote:
> I have this running. I made a couple .sh files, which I placed in
> /usr/local/etc/rc.d . Here is what they look like. They should answer
> your questions, hopefully..   xxx.xxx.xxx.xxx is the IP of the host
> that is running this file, yyy.yyy.yyy.yyy is the host at the other end.
> The other end's file is the same, reversing the outside and inside IPs. You
> will also need to do some routing perhaps, because the source ip of
> the machines on the other LAN will show up as 10. addresses.
> You don't need gif support compiled in, the module will load.
>
> Hope this helps,
> Jim
>
>
> #!/bin/sh
> ifconfig gif0 create
> # These commands need to be run on node A
> # Set up the tunnel device. This presumes you have gif(4) support
> # gif0 connects xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
> gifconfig gif0 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
> # The 'internal' side of the tunnel connects 10.10.10.1 to 10.20.20.1
> ifconfig gif0 inet 10.10.10.1 10.20.20.1 netmask 255.255.255.0
> # The next 2 lines delete all existing entries from the SPD and SAD
> setkey -FP
> setkey -F
> # Add the policy
> setkey -c << EOF
> spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
> esp/transport/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
> spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec
> esp/transport/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
> EOF
>
It would probably be nicer if you used

        gif_interfaces="gif0"
        gifconfig_gif0="xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"
        ifconfig_gif0="inet 10.10.10.1/32 10.20.20.1"
        ipsec_enable="YES"

in /etc/rc.conf and

        spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
                esp/transport/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
        spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec
                esp/transport/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;

in /etc/ipsec.conf.

(I know, this is undocumented. Search for ipsec_enable in
/etc/rc.network.)
Your solution can lead to problems if something needs IPSEC before
scripts from /usr/local/etc/rc.d are run (e.g. NFS over IPSEC, as in my
case).
                                                m&f

-- 
What do you care what other people think?
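As an added example (not code from this thread, nor FreeBSD's own rc scripts), the following POSIX shell script generates the setkey(8) SPD fragment for one end of the gif/IPsec tunnel from four parameters, prints the /etc/rc.conf variant suggested above, and checks that the two ends' fragments are exact mirrors of each other, which is the property Jim relies on ("the same, reversing the outside and inside IPs"). A policy on one end with no direction-flipped twin on the other is the usual reason such a tunnel silently drops traffic under `require`, so the check is worth running on both generated files before copying them into place. The function names and the 192.0.2.x / 198.51.100.x addresses are my own placeholders.

```shell
#!/bin/sh
# Added example (not part of the original thread): build the setkey(8) SPD
# fragment for one end of the gif/IPsec transport-mode tunnel and verify
# that node A's "out" policy is node B's "in" policy with identical
# selectors and SA endpoints. Addresses are documentation-range placeholders.

# spd_policy LOCAL_OUTER REMOTE_OUTER LOCAL_NET REMOTE_NET
# Prints the two spdadd lines for the host whose outer address is LOCAL_OUTER.
spd_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/transport/%s-%s/require;\n' \
        "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport/%s-%s/require;\n' \
        "$4" "$3" "$2" "$1"
}

# rc_conf_fragment LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER
# Prints the /etc/rc.conf lines equivalent to the hand-written rc.d script,
# so the tunnel comes up from /etc/rc.network before local rc.d scripts.
rc_conf_fragment() {
    printf 'gif_interfaces="gif0"\n'
    printf 'gifconfig_gif0="%s %s"\n' "$1" "$2"
    printf 'ifconfig_gif0="inet %s/32 %s"\n' "$3" "$4"
    printf 'ipsec_enable="YES"\n'
}

# policies_mirror A_TEXT B_TEXT
# Returns 0 when every policy in A_TEXT has its direction-flipped twin in
# B_TEXT and vice versa; line order is ignored. The __IN__ token is a
# temporary marker so that out->in and in->out do not cancel each other.
policies_mirror() {
    flipped=$(printf '%s\n' "$1" \
        | sed -e 's/ -P out / -P __IN__ /' \
              -e 's/ -P in / -P out /' \
              -e 's/ -P __IN__ / -P in /' \
        | sort)
    other=$(printf '%s\n' "$2" | sort)
    [ "$flipped" = "$other" ]
}

# Stand-alone run: build both ends' fragments and report whether they agree.
a=$(spd_policy 192.0.2.1 198.51.100.1 10.10.10.0/24 10.20.20.0/24)
b=$(spd_policy 198.51.100.1 192.0.2.1 10.20.20.0/24 10.10.10.0/24)
if policies_mirror "$a" "$b"; then
    echo "node A and node B policies mirror each other"
else
    echo "policy mismatch between node A and node B" >&2
fi
```

Run it once per pair of hosts; feed the two `spd_policy` outputs to `policies_mirror` before writing either into /etc/ipsec.conf, and note that a netmask typo on one side (for example /25 instead of /24) is enough to make the check fail, which is exactly the kind of mismatch that is hard to spot from a single host.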
