Re: FreeBSD 4.7-REL-p3 and an IPsec connection to Linksys BEFVP41

2003-02-20 Thread George Hartzell
David Cramblett writes:
 > 
 > Just a quick note, what Linksys box do you have?  Are you sure it 
 > supports IPsec? I have seen many that support IPsec pass through, but I 
 > have not seen any that support IPsec.

Yes, it actually supports IPsec itself, with encryption hardware and
everything.  It's a BEFVP41.

g.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Re: FreeBSD 4.7-REL-p3 and an IPsec connection to Linksys BEFVP41

2003-02-20 Thread David Cramblett

Just a quick note, what Linksys box do you have?  Are you sure it 
supports IPsec? I have seen many that support IPsec pass through, but I 
have not seen any that support IPsec.


George Hartzell wrote:
> Thanks for the response!  I'll dig a bit more and either report
> success or come back with more data.
>
> Lars Eggert writes:
>  > [...]
>  > All three approaches above can be made to work, as explained by the
>  > tutorials you cite. The question is, which one is supported by your
>  > Linksys box?
>
> *That* is the 64-million dollar question.  I'll keep at it.
>
> g.





Re: FreeBSD 4.7-REL-p3 and an IPsec connection to Linksys BEFVP41

2003-02-20 Thread George Hartzell

Thanks for the response!  I'll dig a bit more and either report
success or come back with more data.

Lars Eggert writes:
 > [...]
 > All three approaches above can be made to work, as explained by the 
 > tutorials you cite. The question is, which one is supported by your 
 > Linksys box?

*That* is the 64-million dollar question.  I'll keep at it.

g.





Re: FreeBSD 4.7-REL-p3 and an IPsec connection to Linksys BEFVP41

2003-02-19 Thread Lars Eggert
On 2/19/2003 8:39 PM, George Hartzell wrote:

> I'd like to set up an IPsec connection between my laptop running
> FreeBSD 4.7-REL-p3 and a Linksys BEFVP41 router w/ built in IPsec
> capability.
>
> I've found a number of sites w/ information on setting up ipsec
> between a pair of FreeBSD machines, including:
>
>   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>   http://www.freebsddiary.org/ipsec-tunnel.php
>   http://www.daemonnews.org/200101/ipsec-howto.html
>   http://www.bsdtoday.com/2002/April/Features671.html
>
> But none that talk about getting FreeBSD's IPsec talking to anything
> non-FreeBSD.
>
> All of the methods are based on setting up a gif tunnel and passing
> the packets over that.


Not really. There are a number of different ways to set this up, and 
only one (valid) one uses gif tunnels:

1. Use IPsec transport mode. The handbook (1st link) explains how to set 
this up.

2. Use IPsec tunnel mode. Again, the handbook describes the setup, so 
does the bsdtoday article.

(Note that these two do not use IPIP gif tunnels!)

3. Use an IPIP gif tunnel and IPsec transport mode, as described in 
draft-touch-ipsec-vpn, and the daemonnews article. This is an 
alternative to IPsec tunnel mode that has advantages when running 
dynamic routing - you don't seem to, so you should stick to vanilla 
IPsec, esp. since you only control one end.

You do NOT want to follow the freebsddiary article, which sets up 
parallel IPIP gif tunnels and IPsec tunnel mode SAs. It abuses the 
duplicate tunnels for routing, and can result in subtle interactions 
that can make your traffic go silently unencrypted. (I've contacted the 
author a long time ago, but he doesn't seem to believe in fixing "diary" 
entries.)

> I've tried a number of variations on the
> recommended recipes, and at best I can watch the isakmp packet going
> from the laptop towards the router and see an icmp packet back
> from the router that suggests the gif tunnel isn't what it wants
> to see (sadly, I didn't save the exact message, but can recreate it if
> it's important enough).


Without a lot more information about your configuration, we can only 
guess at the issues.

> So, the quick question is, has anyone set up a FreeBSD laptop as a
> "road warrior" to an IPsec router?  I'd appreciate any pointers.


All three approaches above can be made to work, as explained by the 
tutorials you cite. The question is, which one is supported by your 
Linksys box?

Lars
--
Lars Eggert <[EMAIL PROTECTED]>   USC Information Sciences Institute
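
The three setups listed in the message above, sketched as a setkey(8) policy file. This is an added example, not part of the original thread or any of the cited tutorials; every address is a constructed placeholder, and key exchange (for example racoon) and the gif0 interface for option 3 are assumed to be configured separately.

```conf
# Constructed example, loaded with: setkey -f <this file>
# Placeholder addresses (assumptions, not from the thread):
#   192.0.2.10      laptop ("road warrior")
#   198.51.100.1    public address of the IPsec router
#   10.0.0.0/24     LAN behind the router
# Enable exactly ONE of the three option blocks.

flush;      # remove existing SAs
spdflush;   # remove existing policies

# Level "require": matching packets are dropped until an SA exists.
# Level "use" would let them leave in the clear when no SA is present,
# so it is avoided in every policy below.

# Option 1: IPsec transport mode.
# Protects only traffic between the two endpoints themselves.
spdadd 192.0.2.10 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.10 any -P in  ipsec esp/transport//require;

# Option 2: IPsec tunnel mode, no gif interface involved.
# Selectors are the inner addresses; the tunnel endpoints follow "tunnel/".
spdadd 192.0.2.10/32 10.0.0.0/24 any -P out ipsec
        esp/tunnel/192.0.2.10-198.51.100.1/require;
spdadd 10.0.0.0/24 192.0.2.10/32 any -P in ipsec
        esp/tunnel/198.51.100.1-192.0.2.10/require;

# Option 3: IPIP gif tunnel plus IPsec transport mode.
# gif0 does the encapsulation and routing; the policy matches only the
# resulting IP-in-IP packets (protocol 4, "ipencap" in /etc/protocols).
spdadd 192.0.2.10 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.10 ipencap -P in  ipsec esp/transport//require;

# Check after loading: "setkey -DP" lists the installed policies, and a
# capture on the outside interface should show only ISAKMP (udp/500) and
# ESP (IP protocol 50) between the two public addresses.
```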

