Subject: Re: IPsec, NAT, and Firewalling
To: None <ww@AREA22.STYX.ORG>
From: Dave Burgess <burgess@neonramp.com>
List: current-users
Date: 01/22/2001 22:40:17
William Waites wrote:
>
> Once, Dave Burgess did write:
> > I just finished a huge message to the IPsec FAQ folks, describing in
> > gory detail what I'm trying to do with a VPN here. It sounds very
> > simple, but I've been at it for a month and I can't get it squared away.
> >
> > I have the IPsec SAD and SPD set up correctly (as near as I can tell).
> >
> > Here is the general setup (read this down, the original was WAY too
> > wide):
> >
> > About 50 computers 192.168.0.x/24
> >
> > Firewall 192.168.0.1
> > + NetBSD 1.5 204.248.21.50
> >
> > The Internet 204.248.22.129
> >
> > Firewall 204.248.21.62
> > + NetBSD 1.5 192.168.1.1
> >
> > About 2 computers 192.168.1.x/24
> >
> > Simple right? You'd think so.
>
> How have you configured the tunnel between the firewalls? IPSec in
> tunnel mode is different from using gif interfaces, although
> personally I prefer your approach.
>
> You need some address space on the gif tunnel, though; i.e.:
>
> On firewall #1:
>
> ifconfig gif0 create
> ifconfig gif0 tunnel 204.248.21.50 204.248.21.62
> ifconfig gif0 172.16.0.1 netmask 255.255.255.252
> route add -net 192.168.1.0 -netmask 255.255.255.0 172.16.0.2
>
> On firewall #2:
> ifconfig gif0 create
> ifconfig gif0 tunnel 204.248.21.62 204.248.21.50
> ifconfig gif0 172.16.0.2 netmask 255.255.255.252
> route add -net 192.168.0.0 -netmask 255.255.255.0 172.16.0.1
>
> and then set up IPSec to encrypt in transport mode (as opposed to
> tunnel mode) between 204.248.21.50 and 204.248.21.62 and vice
> versa.
>
> Using gif tunnels like this is nice, especially with more
> complicated setups since you can run routing protocols over
> them.
I just tried your suggestion. It didn't help.
I'll pick it up tomorrow when I can access the servers again. It
disappeared after I tried setting the transport SPD.
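As an added example, not code from this thread or from either poster: a POSIX sh script that emits, for either firewall, the commands William outlines (gif tunnel on a 172.16.0.0/30 link, a route to the far LAN over it) together with the setkey(8) SPD entries that require transport-mode ESP between the two public addresses, and ipf rules passing ESP and IKE between the endpoints. The addresses are the thread's; the function name, the ipf rules, and the choice to key the policy on IP protocol 4 (the IPIP packets the gif interface produces) rather than on "any" are my assumptions. Keying on protocol 4 means the tunnel is always encrypted while IKE (UDP 500) and plain management traffic between the firewalls are not caught by the same policy, which avoids a policy that demands ESP before the SA exists. SAD entries (manual keys or racoon) are outside the script.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the per-firewall setup for
# a gif tunnel protected by transport-mode ESP between the public endpoints.
# Run as: gen_site_config 1 | sh   (on firewall #1), or review the output first.

# Site parameters, taken from the thread's diagram.
FW1_PUB=204.248.21.50; FW1_GIF=172.16.0.1; FW1_NET=192.168.0.0
FW2_PUB=204.248.21.62; FW2_GIF=172.16.0.2; FW2_NET=192.168.1.0
LAN_MASK=255.255.255.0
GIF_MASK=255.255.255.252   # the /30 carrying the two gif endpoints

# gen_site_config <1|2>: print the commands for firewall #1 or #2.
gen_site_config() {
    side=$1
    case "$side" in
        1) me=$FW1_PUB; peer=$FW2_PUB; my_gif=$FW1_GIF; peer_gif=$FW2_GIF
           my_net=$FW1_NET; remote_net=$FW2_NET ;;
        2) me=$FW2_PUB; peer=$FW1_PUB; my_gif=$FW2_GIF; peer_gif=$FW1_GIF
           my_net=$FW2_NET; remote_net=$FW1_NET ;;
        *) echo "usage: gen_site_config 1|2" >&2; return 1 ;;
    esac
    cat <<EOF
# --- firewall #$side ($me): gif tunnel to $peer ---
ifconfig gif0 create
ifconfig gif0 tunnel $me $peer
ifconfig gif0 $my_gif netmask $GIF_MASK
route add -net $remote_net -netmask $LAN_MASK $peer_gif

# --- IPsec policy: transport-mode ESP around the IPIP (proto 4) packets ---
# Keyed on the two public endpoints, not on the LANs; the private
# addresses only ever appear inside the gif encapsulation.
setkey -c <<SPD
spdflush;
spdadd $me $peer 4 -P out ipsec esp/transport//require;
spdadd $peer $me 4 -P in ipsec esp/transport//require;
SPD

# --- ipf rules (assumed layout): let ESP and IKE reach the endpoints, and
# let the decapsulated LAN traffic pass on the gif interface ---
# pass in quick proto esp from $peer to $me
# pass out quick proto esp from $me to $peer
# pass in quick proto udp from $peer port = 500 to $me port = 500
# pass out quick proto udp from $me port = 500 to $peer port = 500
# pass in quick on gif0 from $remote_net/24 to $my_net/24
# pass out quick on gif0 from $my_net/24 to $remote_net/24
EOF
}

# When invoked directly with a side number, print that side's configuration.
if [ -n "${1:-}" ]; then
    gen_site_config "$1"
fi
```

Both sides are produced from one parameter set so the two tunnel endpoints, the /30 addresses and the cross routes cannot drift apart, which is the mistake the typo in the quoted ifconfig line would have caused. The ipf rules are printed commented out because they belong in ipf.conf rather than a shell session; if the firewall also does NAT, the private-to-private traffic should be excluded from the NAT map rules so it reaches gif0 with its original source address.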