Notes on http://www.linuxinfor.com/english/FreeBSD/ipsec.html
Kahlil (Kal) Hodgson
kal at dclabs.com.au
Tue Mar 8 23:51:11 UTC 2005
Hi Guys,
After much mucking around I've just managed to set up an IPSEC VPN
between a BSD gateway and a Debian Linux gateway (running a 2.6 kernel)
and using racoon.
I'm coming from the Linux side of this and the guys at the BSD end
were kind enough to give me access to their router so I could figure out
why it was not working as expected. I've never been on a BSD box before
so your FreeBSD documentation was *very* helpful -- thanks guys:-)
The racoon configuration was pretty straightforward, but I had a lot of
trouble with routing and tunneling, which led to a lot of racoon tail
chasing:-) In the end I could not get the gif tunnel on the BSD box to
be demangled by either a gre or sit tunnel on the linux box (probably a
long shot anyway). I did find that (after dropping tunnels and routes)
the following policy worked:
At one end I had
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/W.X.Y.Z-A.B.C.D/require;
in combination with the strange route
route add 192.168.2.0/24 A.B.C.D
and the other end
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
    esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/W.X.Y.Z-A.B.C.D/require;
in combination with
route add 192.168.1.0/24 W.X.Y.Z
This was more in line with the documentation at
http://www.ipsec-howto.org/x282.html (except that they don't mention the
routes:-) With this approach we only encapsulate the non-routable packet
once with the ESP wrapper, but our security policy does have to look at
all packets rather than just encapsulated ones.
Any thoughts on the security/efficiency implications of this?
Kind Regards,
Kal
--
Kahlil (Kal) Hodgson
DCLABS Pty Ltd
Advanced Linux Servers and Technology
http://www.dclabs.com.au
Phone: +61 3 9807 8600
Fax: +61 3 9807 9300
All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer.
-- IBM maintenance manual, 1925
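Added example (not part of Kal's post, and not FreeBSD or racoon code): a small Python checker for the kind of setkey(8) policy pair shown above. It parses the spdadd lines from both gateways and verifies the properties a tunnel-mode SPD needs before trusting it: every policy has its reverse-direction twin on the same host, every "out" policy here is the identical "in" policy on the peer (same selectors and tunnel endpoints, same protocol and level), and every policy uses level "require", the only level that drops matching traffic instead of sending it in the clear when no SA exists. The two configurations are constructed from the post, with the placeholder gateway addresses A.B.C.D and W.X.Y.Z replaced by the RFC 5737 documentation addresses 203.0.113.1 and 198.51.100.1.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two policy sets from the post, with the
# gateways A.B.C.D / W.X.Y.Z stood in for by 203.0.113.1 / 198.51.100.1.
END_A = """
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

END_B = """
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

# One spdadd statement in tunnel mode; the policy may continue on the next
# line, so whitespace (including newlines) is allowed between the fields.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/(\S+?)-(\S+?)/(\w+)\s*;",
    re.S,
)


@dataclass(frozen=True)
class Policy:
    src: str        # traffic selector, source network
    dst: str        # traffic selector, destination network
    upper: str      # upper-layer protocol selector ("any")
    direction: str  # "in" or "out"
    proto: str      # "esp" or "ah"
    tun_src: str    # outer (gateway) source address
    tun_dst: str    # outer (gateway) destination address
    level: str      # "require", "use" or "default"


def parse_spd(text):
    """Parse all tunnel-mode spdadd statements in a setkey config."""
    return [Policy(*m.groups()) for m in SPDADD_RE.finditer(text)]


def mirror(p):
    """The policy the same host needs for the reverse direction of p."""
    return Policy(p.dst, p.src, p.upper,
                  "in" if p.direction == "out" else "out",
                  p.proto, p.tun_dst, p.tun_src, p.level)


def local_gaps(policies):
    """Policies whose reverse-direction twin is missing on this host."""
    have = set(policies)
    return [p for p in policies if mirror(p) not in have]


def peer_mismatches(local, remote):
    """'out' policies here that the peer does not carry as the identical
    'in' policy (same selectors, tunnel endpoints, protocol and level)."""
    remote_set = set(remote)
    problems = []
    for p in local:
        if p.direction != "out":
            continue
        expected = Policy(p.src, p.dst, p.upper, "in",
                          p.proto, p.tun_src, p.tun_dst, p.level)
        if expected not in remote_set:
            problems.append(p)
    return problems


def weak_levels(policies):
    """Policies not using 'require'. With 'use', matching traffic is sent
    unprotected whenever no SA is available; 'require' drops it instead."""
    return [p for p in policies if p.level != "require"]


if __name__ == "__main__":
    a, b = parse_spd(END_A), parse_spd(END_B)
    for name, mine, theirs in (("A", a, b), ("B", b, a)):
        print(f"end {name}: {len(mine)} policies, "
              f"{len(local_gaps(mine))} local gaps, "
              f"{len(peer_mismatches(mine, theirs))} peer mismatches, "
              f"{len(weak_levels(mine))} non-require policies")
```

Run it against the real `setkey -DP` output of both gateways (or the files fed to `setkey -f`) once the tunnel is up; an empty result from all three checks is the expected state, and any "use"-level policy it reports is a path on which matching traffic can leave in cleartext.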