On 2/19/2003 8:39 PM, George Hartzell wrote:
> I'd like to set up an IPsec connection between my laptop running FreeBSD 4.7-REL-p3 and a Linksys BEFVP41 router w/ built in IPsec capability.
>
> I've found a number of sites w/ information on setting up ipsec between a pair of FreeBSD machines, including:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> http://www.freebsddiary.org/ipsec-tunnel.php
> http://www.daemonnews.org/200101/ipsec-howto.html
> http://www.bsdtoday.com/2002/April/Features671.html
>
> But none that talk about getting FreeBSD's IPsec talking to anything non-FreeBSD. All of the methods are based on setting up a gif tunnel and passing the packets over that.

Not really. There are a number of different ways to set this up, and only one (valid) one uses gif tunnels:

1. Use IPsec transport mode. The handbook (1st link) explains how to set this up.

2. Use IPsec tunnel mode. Again, the handbook describes the setup, so does the bsdtoday article.

(Note that these two do not use IPIP gif tunnels!)

3. Use an IPIP gif tunnel and IPsec transport mode, as described in draft-touch-ipsec-vpn, and the daemonnews article. This is an alternative to IPsec tunnel mode that has advantages when running dynamic routing - you don't seem to, so you should stick to vanilla IPsec, esp. since you only control one end.

You do NOT want to follow the freebsddiary article, which sets up parallel IPIP gif tunnels and IPsec tunnel mode SAs. It abuses the duplicate tunnels for routing, and can result in subtle interactions that can make your traffic go silently unencrypted. (I've contacted the author a long time ago, but he doesn't seem to believe in fixing "diary" entries.)

> I've tried a number of variations on the recommended recipes, and at best I can watch the isakmp packet going from the laptop towards the router and see an icmp packet back from the router that suggests the gif tunnel isn't what it wants to see (sadly, I didn't save the exact message, but can recreate it if it's important enough).

Without a lot more information about your configuration, we can only guess at the issues.

> So, the quick question is, has anyone set up a FreeBSD laptop as a "road warrior" to an IPsec router? I'd appreciate any pointers.

All three approaches above can be made to work, as explained by the tutorials you cite. The question is, which one is supported by your Linksys box?

Lars
--
Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
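Added example (not part of the thread above): the setkey(8) security policy entries for approaches 1 and 2, without any gif interface. The addresses are placeholders; the SAs themselves are assumed to be negotiated by IKE (racoon), which is what the isakmp traffic in the original post would be doing.

```conf
# /etc/ipsec.conf (constructed placeholders: LAPTOP = laptop's public address,
# ROUTER = BEFVP41's public address, 192.168.1.0/24 = LAN behind the router)
flush;
spdflush;

# Approach 1: transport mode. Protects traffic between the two endpoints only;
# the inner and outer addresses are the same, no tunnel interface involved.
spdadd LAPTOP ROUTER any -P out ipsec esp/transport//require;
spdadd ROUTER LAPTOP any -P in  ipsec esp/transport//require;

# Approach 2: tunnel mode. Protects laptop <-> router LAN traffic; the
# "tunnel/LAPTOP-ROUTER" part names the outer addresses, so IPsec itself does
# the encapsulation and no parallel gif route can steer packets around it.
spdadd LAPTOP 192.168.1.0/24 any -P out ipsec esp/tunnel/LAPTOP-ROUTER/require;
spdadd 192.168.1.0/24 LAPTOP any -P in  ipsec esp/tunnel/ROUTER-LAPTOP/require;
```

Use one approach or the other, not both; the "require" level makes the kernel refuse to send matching packets in the clear when no SA exists, which is the check against the silent-plaintext failure mode described in the reply.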