On 2/19/2003 8:39 PM, George Hartzell wrote:
> I'd like to set up an IPsec connection between my laptop running
> FreeBSD 4.7-REL-p3 and a Linksys BEFVP41 router w/ built in IPsec
> capability.
> I've found a number of sites w/ information on setting up ipsec
> between a pair of FreeBSD machines, including:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> http://www.freebsddiary.org/ipsec-tunnel.php
> http://www.daemonnews.org/200101/ipsec-howto.html
> http://www.bsdtoday.com/2002/April/Features671.html
> But none that talk about getting FreeBSD's IPsec talking to anything
> non-FreeBSD.
> All of the methods are based on setting up a gif tunnel and passing
> the packets over that.
Not really. There are a number of different ways to set this up, and
only one (valid) one uses gif tunnels:
1. Use IPsec transport mode. The handbook (1st link) explains how to set
this up.
2. Use IPsec tunnel mode. Again, the handbook describes the setup, so
does the bsdtoday article.
(Note that these two do not use IPIP gif tunnels!)
3. Use an IPIP gif tunnel and IPsec transport mode, as described in
draft-touch-ipsec-vpn, and the daemonnews article. This is an
alternative to IPsec tunnel mode that has advantages when running
dynamic routing - you don't seem to, so you should stick to vanilla
IPsec, esp. since you only control one end.
You do NOT want to follow the freebsddiary article, which sets up
parallel IPIP gif tunnels and IPsec tunnel mode SAs. It abuses the
duplicate tunnels for routing, and can result in subtle interactions
that can make your traffic go silently unencrypted. (I contacted the
author a long time ago, but he doesn't seem to believe in fixing "diary"
entries.)
> I've tried a number of variations on the
> recommended recipes, and at best I can watch the isakmp packet going
> from the laptop towards the router and see an icmp packet back
> from the router that suggests the gif tunnel isn't what it wants
> to see (sadly, I didn't save the exact message, but can recreate it if
> it's important enough).
Without a lot more information about your configuration, we can only
guess at the issues.
> So, the quick question is, has anyone set up a FreeBSD laptop as a
> "road warrior" to an IPsec router? I'd appreciate any pointers.
All three approaches above can be made to work, as explained by the
tutorials you cite. The question is, which one is supported by your
Linksys box?
Lars
--
Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
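[Added example, not part of Lars's reply or of the handbook: a minimal
setkey(8) policy file showing the difference between option 1 (transport
mode, laptop talks to the router itself) and option 2 (tunnel mode, laptop
reaches the LAN behind the router). The addresses are assumed placeholders:
192.0.2.10 for the laptop, 198.51.100.1 for the router's outside address,
192.168.1.0/24 for the router's LAN. Only one of the two pairs of spdadd
lines would be used at a time, whichever mode the Linksys box supports; the
SAs themselves are assumed to be negotiated by a racoon IKE daemon from
ports rather than set manually. Load with "setkey -f /etc/ipsec.conf".]

```conf
# /etc/ipsec.conf (example; all addresses are assumed placeholders)
flush;
spdflush;

# Option 1: IPsec transport mode, laptop <-> router directly.
# No gif interface is involved; ESP is applied to the packets as-is.
spdadd 192.0.2.10 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.10 any -P in  ipsec esp/transport//require;

# Option 2: IPsec tunnel mode, laptop <-> LAN behind the router.
# The outer header runs laptop <-> router; the inner packet is laptop <-> LAN.
# Again no gif interface: the tunnel endpoints live in the policy itself.
spdadd 192.0.2.10 192.168.1.0/24 any -P out ipsec esp/tunnel/192.0.2.10-198.51.100.1/require;
spdadd 192.168.1.0/24 192.0.2.10 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.10/require;
```

Two checks worth doing with either variant: "setkey -DP" prints the
installed policy so you can see which mode the kernel actually has, and
"tcpdump -i <outside if> esp" on the laptop should show every packet to the
router (or its LAN) leaving as ESP; cleartext IP showing up there, or a gif
interface carrying the traffic instead, is the "silently unencrypted"
symptom described above. "require" (rather than "use") is what makes the
kernel drop the packet instead of sending it in the clear when no SA exists.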