VPN setup question

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon May 19 05:44:03 UTC 2008


Steve Lake wrote:
> At 10:53 PM 5/18/2008 +0200, Mister Olli wrote:
>> first you should consider the following questions:
>> - what kind of VPN do you wanna use? (SSL or IPSec based)
> 
>         From what I remember of my security training years ago, IPSec 
> was always better.  So I'd likely go with that.
> 
>> - what kind of authentication? (user or certificate based)
> 
>         Definitely user, unless you think certificate is better.
> 
>> - what kind of traffic do you wanna protect?
> 
>         Everything if possible.  Basically I'm trying to create a 
> protected Internet connection by using the VPN to allow me to connect to 
> my vpn server at my home office over an insecure public connection.  I 
> would then use that vpn connection to securely surf the web 
> from anywhere in the US or the world.
> 
>> - do you wanna transport data between two host, from host-to-network or
>> network-to-network?
> 
>         I'm not sure which would be best.  Can you suggest one based on 
> the previous answer?  Thanks.

If you're going to do this with IPSec it should be fairly simple to
set up the connection.  Given that you control both ends of the IPSec
tunnel, you can just use a shared secret.  You need to set up some 
security policy definitions using setkey(1) -- the man page is full of
acronyms and jargon but what setkey does is define what traffic should
be encrypted based on the end point IPs, port numbers and some other
data.  [Note: in order for setkey to work, you need a kernel config with
options IPSEC added].  Finally, the third part of setting up an IPSec
connection is to configure a method of key exchange -- this is the only
part not actually built into the system, so you should install ipsec-tools
or equivalent from ports.

On the question of tunnel vs transport mode -- most of the tutorials you
can find on the net are about setting up /tunnel/ mode -- i.e. to
use a pair of routers as IPSec endpoints to connect two private networks.
In your case, I think you do need tunnel mode, despite it requiring a
degenerate form of network with only one host at each end -- something
that naturally screams transport mode -- since you need the capability
to route traffic from elsewhere via the VPN link.

Two handy references:

Setting up a simple transport mode tunnel between two hosts:

   http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html

Step by step guide to setting up a tunnel.

   http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

It's a bit dated now, as the kernel configuration instructions apply to
pre-6.x systems.  In 7.0+ (which uses what was previously called FAST_IPSEC),
all you need is to add the following:

  device crypto
  device cryptodev

  options IPSEC

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
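
A worked configuration for the setup described in the message above (setkey
SPD entries in tunnel mode, a shared secret, and racoon from ipsec-tools for
key exchange), added here as an editorial example; it is not part of the
original message and has not been supplied by its author. The addresses are
assumptions for illustration only: 198.51.100.1 for the home gateway's public
address, 203.0.113.77 for the laptop's current public address, and 10.8.0.2
as an inner address assigned to the laptop for the tunnel. The gateway is
assumed to forward and NAT 10.8.0.2 to its own public address (the pf or ipfw
rules for that are not shown), and the file paths are those of a FreeBSD 7
system with ipsec-tools installed from ports.

```conf
# ----- Laptop: /etc/ipsec.conf, loaded with `setkey -f /etc/ipsec.conf` -----
# Assumed example addresses: laptop public 203.0.113.77, laptop inner 10.8.0.2
# (e.g. an alias on lo0), home gateway public 198.51.100.1.
flush;          # clears the SAD: live SAs are dropped, acceptable during setup
spdflush;       # clears the SPD before the policies below are reloaded
# Everything sourced from the inner address goes into the ESP tunnel to the
# gateway.  "require" makes the kernel drop such packets instead of sending
# them in clear when no matching SA exists.  IKE (UDP 500) is sourced from
# 203.0.113.77, so it does not match these policies and needs no bypass rule.
spdadd 10.8.0.2/32 0.0.0.0/0 any -P out ipsec esp/tunnel/203.0.113.77-198.51.100.1/require;
spdadd 0.0.0.0/0 10.8.0.2/32 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.77/require;

# ----- Gateway: /etc/ipsec.conf (mirror image of the laptop's policies) -----
flush;
spdflush;
spdadd 0.0.0.0/0 10.8.0.2/32 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.77/require;
spdadd 10.8.0.2/32 0.0.0.0/0 any -P in  ipsec esp/tunnel/203.0.113.77-198.51.100.1/require;
# The gateway must also forward (net.inet.ip.forwarding=1) and NAT 10.8.0.2 to
# its public address; otherwise replies from the Internet are routed straight
# to the laptop's ISP and never come back through the tunnel.  That pf/ipfw
# configuration is outside this example.

# ----- Both ends: /etc/rc.conf additions -----
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="YES"             # rc.d script installed by security/ipsec-tools

# ----- Laptop: /usr/local/etc/racoon/racoon.conf (swap the addresses on the gateway) -----
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;                     # raise to "debug" only while troubleshooting

listen {
        isakmp 203.0.113.77 [500];
}

remote 198.51.100.1 [500] {
        exchange_mode    main;  # not aggressive: aggressive mode with a PSK
                                # hands an offline-crackable hash to a sniffer
        my_identifier    address 203.0.113.77;
        peers_identifier address 198.51.100.1;
        lifetime         time 8 hour;
        proposal_check   obey;
        proposal {
                encryption_algorithm    aes 256;
                hash_algorithm          sha1;
                authentication_method   pre_shared_key;
                dh_group                modp2048;
        }
}

# Phase 2 (the ESP SA) for exactly the traffic the SPD entries above select.
sainfo address 10.8.0.2/32 any address 0.0.0.0/0 any {
        pfs_group                modp2048;
        lifetime                 time 1 hour;
        encryption_algorithm     aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
}

# ----- Laptop: /usr/local/etc/racoon/psk.txt, mode 0600 (racoon refuses a world-readable file) -----
# One line per peer, keyed by the peer identifier; on the gateway the first
# column is 203.0.113.77.  Use a long random secret (e.g. `openssl rand -base64 32`),
# not a dictionary word: with a PSK the secret's entropy is the whole game.
198.51.100.1    <long-random-shared-secret>
```

Load the policies with `setkey -f /etc/ipsec.conf` on both ends, start racoon,
and check with `setkey -D` that a pair of ESP SAs appears once the laptop sends
traffic from 10.8.0.2. Because the laptop's public address is hard-coded in both
the SPD and racoon.conf, it has to be edited whenever the laptop moves to a new
network; racoon's `anonymous` remote block with `generate_policy on` is the
usual way round that for roaming clients, but it is not shown here.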
