IPSec+VPN+ipfw questions

Brent Wiese brently at bjwcs.com
Mon Jun 23 18:27:10 PDT 2003

A few things come quickly to mind... 

First, you need "gateway_enable=YES" in your rc.conf... I think. I know you
need it for MPD (pptp tunneling).

Second, you cannot have physical routes to the remote side "private"

> 1) Is it possible to use ipfw rules to count different kinds 
> of traffic from legitimate computers, divert it to natd and 
> block all other packets across the LAN? There are ESP 
> protocol packets which I can filter, but it seems they are 
> not processed after decryption by ipfw rules. So, no
> counters, no divert, etc.

You should use ipfw to, at the very least, only allow legit tunnel traffic
to pass to/from the "public" and "private" NICs.

> 2) What is the best solution for IKE daemon? I've tried 
> racoon (it works but there are some strange situations with 
> Windows 2000 machines which are mentioned somewhere), and 
> isakmpd (it has not very obvious syntax for their policy and 
> conf files - how to create a minimal working configuration 
> for a number of peer machines which use different preshared 
> keys for IKE exchange)?

Racoon works fine if set up correctly. Most of the FAQs are wrong,
especially when they discuss setting up gif() and then racoon. You don't need
gif(). I seem to remember something about using MD5 as the hash, but it's
been a while... Maybe it was that my router only supported MD5 for its
vpn-passthru stuff...

> 3) In fact, it is not required for me to use VPN solutions. 
> All I need is to authenticate each legitimate machine (or 
> user - that is better). IP+MAC addresses may be forged. I can 
> use socks proxy, but there is no standard secured 
> authentication which is supported by number of different 
> internet tools. And I don't wish to have a complicated setup 
> of each client machine. So, VPN seems to be the best solution 
> as their policies for W2K clients may be specified via Active 
> Directory.

IPSEC is probably the best way. Since the other side is Windows, you may
consider using MPD and use PPTP instead of IPSEC. It's a little easier to
deal with on the Windows side since setup is all gui-wizards.
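
As an added illustration of the ipfw point above (this is not code from Brent's post, from the original question, or from FreeBSD itself): a sh script that emits the ipfw rules restricting the "private" NIC to IKE and ESP from the legitimate LAN machines, counting that tunnel traffic per host and diverting to natd on the "public" NIC, plus the matching setkey SPD entries that tunnel each client to the gateway without a gif interface. The interface names (fxp0/fxp1), the addresses, and the use of ESP tunnel mode from each client to the gateway are assumptions made for the example. It prints the commands instead of applying them, so it can be reviewed on any box before being fed to sh and setkey on the gateway.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD: generate an
# ipfw ruleset and matching setkey SPD entries for a FreeBSD gateway whose
# "private" NIC should carry only IKE (UDP 500) and ESP from known LAN hosts.
# Interface names, addresses and the client-to-gateway tunnel mode are
# assumptions for illustration; the script prints commands, it does not
# apply them (ipfw and setkey only exist on the gateway).

LAN_IF="fxp1"                    # "private" NIC toward the W2K clients (assumed)
WAN_IF="fxp0"                    # "public" NIC toward the Internet (assumed)
GW_LAN_IP="10.0.1.1"             # gateway address on the LAN (assumed)
LAN_CLIENTS="10.0.1.5 10.0.1.6"  # hosts allowed to build a tunnel (assumed)

# ipfw rules, lowest number first. Review, then: gen_ipfw_rules | sh
gen_ipfw_rules() {
    n=100
    echo "ipfw -f flush"
    echo "ipfw add $n allow ip from any to any via lo0"; n=$((n + 10))
    for c in $LAN_CLIENTS; do
        # IKE between the client and racoon on the gateway, both directions.
        echo "ipfw add $n allow udp from $c 500 to $GW_LAN_IP 500 via $LAN_IF"; n=$((n + 10))
        echo "ipfw add $n allow udp from $GW_LAN_IP 500 to $c 500 via $LAN_IF"; n=$((n + 10))
        # ESP: a count rule per host and direction (ciphertext bytes), then allow.
        echo "ipfw add $n count esp from $c to $GW_LAN_IP via $LAN_IF"; n=$((n + 10))
        echo "ipfw add $n allow esp from $c to $GW_LAN_IP via $LAN_IF"; n=$((n + 10))
        echo "ipfw add $n count esp from $GW_LAN_IP to $c via $LAN_IF"; n=$((n + 10))
        echo "ipfw add $n allow esp from $GW_LAN_IP to $c via $LAN_IF"; n=$((n + 10))
    done
    # Everything else on the LAN side (cleartext, unknown hosts, forged
    # addresses that have no valid SA) is dropped and logged.
    echo "ipfw add $n deny log ip from any to any via $LAN_IF"; n=$((n + 10))
    # Public side: the decrypted traffic is forwarded out here and NATed.
    echo "ipfw add $n divert natd ip from any to any via $WAN_IF"; n=$((n + 10))
    echo "ipfw add $n allow ip from any to any via $WAN_IF"; n=$((n + 10))
    echo "ipfw add $n deny log ip from any to any"
}

# SPD for the gateway: one ESP tunnel per client, no gif interface needed.
# Review, then: gen_spd_entries | setkey -c   (or save as /etc/ipsec.conf)
gen_spd_entries() {
    echo "flush;"
    echo "spdflush;"
    for c in $LAN_CLIENTS; do
        # Inbound: anything from the client must arrive inside an ESP tunnel
        # from the client to the gateway; outbound is the mirror image.
        echo "spdadd $c/32 0.0.0.0/0 any -P in ipsec esp/tunnel/$c-$GW_LAN_IP/require;"
        echo "spdadd 0.0.0.0/0 $c/32 any -P out ipsec esp/tunnel/$GW_LAN_IP-$c/require;"
    done
}

# Print both sets so they can be inspected before being applied.
gen_ipfw_rules
echo
gen_spd_entries
```

The deny rule on the LAN NIC leans on what the original question reports: decrypted packets are not run through ipfw a second time, so nothing from the LAN besides IKE and ESP needs an allow rule. On a system that does hand decrypted packets back to the filter, that deny would also drop the cleartext and an allow keyed on the decrypted traffic would be needed. The count rules match ESP, so they account ciphertext bytes (ESP overhead included) rather than the cleartext counters the question asked for; and the rules still need gateway_enable="YES" (plus firewall_enable and natd_enable) in rc.conf on the gateway, as the reply notes.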


More information about the freebsd-questions mailing list