Tunneling issues

Mike Tancsa mike at sentex.net
Wed Jul 9 18:26:46 UTC 2008


At 02:04 PM 7/9/2008, Mike Tancsa wrote:

>Also, don't confuse using GIF and IPSEC.  To create some IPSEC 
>tunnels, you don't need gif or gre interfaces. The policies will do 
>that for you.

Here is a simple example that just uses IPSEC tunnels with a static 
key.  You don't need any gif/gre stuff. Don't use this in production; 
use IPSEC-TOOLS from the ports to do dynamic keying.


To test the tunnel, assuming the inside interfaces of the FreeBSD boxes are .1:
ping -S 192.168.1.1 192.168.5.1




#!/bin/sh
# server1
MEOUTSIDE=1.1.1.1
MEINSIDE=192.168.1.0/24
REMOTEOUTSIDE=2.2.2.2
REMOTEINSIDE=192.168.5.0/24
# 3des-cbc wants a 192-bit key: in this quoted form that is exactly 24 characters
IPSECKEY=ZA6PkrlNH6BN11SG1rCa8dxa

# One static SA per direction (same SPI and key on both boxes), then the
# policies that force all traffic between the two inside networks into
# the ESP tunnel between the outside addresses.
setkey -c <<EOF
	add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
	add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
	spdadd $MEINSIDE $REMOTEINSIDE any -P out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
	spdadd $REMOTEINSIDE $MEINSIDE any -P in ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
EOF



#!/bin/sh
# server2 (the mirror image of server1: ME and REMOTE swapped, same SPI and key)
MEOUTSIDE=2.2.2.2
MEINSIDE=192.168.5.0/24
REMOTEOUTSIDE=1.1.1.1
REMOTEINSIDE=192.168.1.0/24
IPSECKEY=ZA6PkrlNH6BN11SG1rCa8dxa

setkey -c <<EOF
	add $MEOUTSIDE $REMOTEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
	add $REMOTEOUTSIDE $MEOUTSIDE esp 1049 -m any -E 3des-cbc "$IPSECKEY";
	spdadd $MEINSIDE $REMOTEINSIDE any -P out ipsec esp/tunnel/$MEOUTSIDE-$REMOTEOUTSIDE/require;
	spdadd $REMOTEINSIDE $MEINSIDE any -P in ipsec esp/tunnel/$REMOTEOUTSIDE-$MEOUTSIDE/require;
EOF

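As an added example (editor's code, not part of Mike's post and not a FreeBSD or ipsec-tools script): a small shell script that derives the setkey(8) input for both gateways from one set of parameters, validates key lengths before emitting anything, and lets you confirm that the two ends' SA lines agree. Everything in it beyond the addresses and networks taken from the post is an assumption of the example: the function names, AES-256-CBC with HMAC-SHA256 in place of the post's 3DES-only SAs (the post's `add` lines carry no `-A`, so they encrypt without integrity protection, acceptable for a bench test but not for real traffic), a distinct SPI per direction, and the fixed dummy keys, which exist only so the output is reproducible. It is still static keying; the post's advice to use racoon from ipsec-tools for real deployments stands.

```shell
#!/bin/sh
# Added example (not from the post): build the setkey(8) scripts for BOTH
# gateways of a manually keyed ESP tunnel from one set of parameters, so the
# two ends cannot disagree on SPIs, keys or policies.  Choices that differ
# from the post's scripts, all assumptions of this example: AES-256 instead
# of 3DES, an HMAC-SHA256 integrity algorithm (-A) on each SA, one SPI per
# direction, and keys given in setkey's 0x hex form.

# Hex digits setkey expects for the key sizes this script uses.
key_hex_len() {
    case "$1" in
        aes-cbc)     echo 64 ;;   # 256-bit AES key (assumption: always 256)
        3des-cbc)    echo 48 ;;   # 192-bit 3DES key, as in the post
        hmac-sha256) echo 64 ;;   # 256-bit HMAC key
        hmac-sha1)   echo 40 ;;   # 160-bit HMAC key
        *)           return 1 ;;
    esac
}

# check_key ALGO KEY: prints "ok" for a 0x-prefixed hex key of the right
# length for ALGO, "bad" (and a non-zero status) for anything else,
# including a quoted ASCII key like the one in the post.
check_key() {
    want=$(key_hex_len "$1") || { echo bad; return 1; }
    case "$2" in 0x*) hex=${2#0x} ;; *) echo bad; return 1 ;; esac
    case "$hex" in *[!0-9a-fA-F]*|"") echo bad; return 1 ;; esac
    [ "${#hex}" -eq "$want" ] && echo ok || { echo bad; return 1; }
}

# new_key ALGO: a fresh random key of the right size in 0x hex form.
# Needs openssl(1); only used when you generate real keys, never below.
new_key() {
    n=$(key_hex_len "$1") || return 1
    printf '0x%s\n' "$(openssl rand -hex $((n / 2)))"
}

# gen_setkey a|b: print the setkey -c script for gateway a or b.  Both sides
# are derived from the same A_*/B_*, SPI_* and *KEY_* variables, so the SAs
# loaded on the two boxes are guaranteed to be the same pair.
gen_setkey() {
    case "$1" in
        a) me_out=$A_OUT; me_in=$A_IN; rem_out=$B_OUT; rem_in=$B_IN
           spi_out=$SPI_AB; ekey_out=$EKEY_AB; akey_out=$AKEY_AB
           spi_in=$SPI_BA;  ekey_in=$EKEY_BA;  akey_in=$AKEY_BA ;;
        b) me_out=$B_OUT; me_in=$B_IN; rem_out=$A_OUT; rem_in=$A_IN
           spi_out=$SPI_BA; ekey_out=$EKEY_BA; akey_out=$AKEY_BA
           spi_in=$SPI_AB;  ekey_in=$EKEY_AB;  akey_in=$AKEY_AB ;;
        *) echo "usage: gen_setkey a|b" >&2; return 1 ;;
    esac
    # Refuse to emit a script with a wrong-length or non-hex key.
    for k in "aes-cbc $ekey_out" "aes-cbc $ekey_in" \
             "hmac-sha256 $akey_out" "hmac-sha256 $akey_in"; do
        check_key $k >/dev/null || { echo "bad key for $k" >&2; return 1; }
    done
    # flush/spdflush clear stale SAs and policies; drop them if the box
    # carries other tunnels you do not want to disturb.
    cat <<EOF
setkey -c <<SETKEY
flush;
spdflush;
add $me_out $rem_out esp $spi_out -m tunnel -E aes-cbc $ekey_out -A hmac-sha256 $akey_out;
add $rem_out $me_out esp $spi_in -m tunnel -E aes-cbc $ekey_in -A hmac-sha256 $akey_in;
spdadd $me_in $rem_in any -P out ipsec esp/tunnel/$me_out-$rem_out/require;
spdadd $rem_in $me_in any -P in ipsec esp/tunnel/$rem_out-$me_out/require;
SETKEY
EOF
}

# Constructed sample parameters: addresses as in the post, fixed dummy keys
# so the output is reproducible.  Replace the keys with new_key output.
A_OUT=1.1.1.1; A_IN=192.168.1.0/24
B_OUT=2.2.2.2; B_IN=192.168.5.0/24
SPI_AB=4097; SPI_BA=4098
EKEY_AB=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EKEY_BA=0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
AKEY_AB=0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
AKEY_BA=0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100

case "${1:-}" in
    a|b) gen_setkey "$1" ;;
    "")  echo "usage: $0 a|b   (prints the setkey script for gateway a or b)" >&2 ;;
esac
```

Run it as `sh tunnel.sh a` on the first gateway and `sh tunnel.sh b` on the second, after putting the same generated keys into both copies. Before loading, `gen_setkey a | grep '^add' | sort` and the same for `b` should be identical: each side's inbound SA is the other side's outbound SA, so any difference means the two boxes would never decrypt each other's traffic.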

