IPSec+VPN+ipfw questions

Oleg Semyonov os at front.ru
Mon Jun 23 05:56:49 PDT 2003


I wish to use IPSec to provide secure channels between some LAN machines
(Windows 2000) and a FreeBSD gateway which acts as a NAT router to the
Internet upstream provider. Each channel works in IPSec transport mode (no
tunnel, host-to-host only). FreeBSD runs racoon to provide IKE services for
IPSec. FreeBSD 4.8, ipfw2.

The questions are:

1) Is it possible to use ipfw rules to count different kinds of traffic from
legitimate computers, divert it to natd and block all other packets across
the LAN? There are ESP protocol packets which I can filter, but it seems
they are not processed after decryption by ipfw rules. So, no counters, no
divert, etc.

2) What is the best solution for an IKE daemon? I've tried racoon (it works but
there are some strange situations with Windows 2000 machines which are
mentioned somewhere), and isakmpd (it has a not very obvious syntax for its
policy and conf files - how to create a minimal working configuration for a
number of peer machines which use different preshared keys for IKE?).

3) In fact, it is not required for me to use VPN solutions. All I need is to
authenticate each legitimate machine (or user - that is better). IP+MAC
addresses may be forged. I can use a socks proxy, but there is no standard
secured authentication which is supported by a number of different internet
tools. And I don't wish to have a complicated setup of each client machine.
So, VPN seems to be the best solution as their policies for W2K clients may
be specified via Active Directory.
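As an added illustration for question 2 (not part of the original post, and not the poster's configuration), a minimal racoon setup in which every LAN peer authenticates with its own pre-shared key, plus the setkey policy that requires ESP transport mode for those peers. Addresses, file paths and key values are assumed; the peers are Windows 2000 hosts in IKE main mode, where the identity is the peer IP address.

```conf
# /usr/local/etc/racoon/racoon.conf (assumed path; example, not the poster's config)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;

# One "remote anonymous" block serves every peer; racoon picks the key
# per peer from psk.txt by the initiator's IP address (main mode).
remote anonymous {
        exchange_mode main;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) parameters; Windows 2000 offers 3DES/SHA1 by default.
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /usr/local/etc/racoon/psk.txt (mode 0600): "<peer identity> <key>", one per line.
# Identities are the peer IP addresses; the keys below are constructed placeholders.
192.168.1.10    REPLACE-WITH-KEY-FOR-HOST-10
192.168.1.11    REPLACE-WITH-KEY-FOR-HOST-11

# /etc/ipsec.conf, loaded with "setkey -f": require ESP transport mode between
# the gateway (192.168.1.1) and each peer. With "require", cleartext packets
# claiming a peer's source address are dropped by the kernel IPsec policy,
# which is what defeats the forged IP+MAC case from question 3.
spdadd 192.168.1.10 192.168.1.1 any -P in  ipsec esp/transport//require;
spdadd 192.168.1.1 192.168.1.10 any -P out ipsec esp/transport//require;
spdadd 192.168.1.11 192.168.1.1 any -P in  ipsec esp/transport//require;
spdadd 192.168.1.1 192.168.1.11 any -P out ipsec esp/transport//require;
```

Each file section above is a separate file on disk; they are shown together only for reading.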
