Cisco <-> FreeBSD / Kame / Racoon IPsec Interoperability
From: ahb@ahb.net
Date: 08/30/02
- Next message: pgreen: "Re: 1024 bit key considered insecure (sshd)"
- Previous message: Adam Haken: "(no subject)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: ahb@ahb.net To: freebsd-security@freebsd.org Date: Fri, 30 Aug 2002 23:50:09 +0200
Hi!
Perhaps a bit off topic on this list, but perhaps one of you
guys has an answer to the following question.
I have two sites.
One is running a cisco router and a second that has a FreeBSD
box with a DSL dialup line.
Behind both boxes is a LAN that I would like to connect
together with an ipsec tunnel.
The cisco router is not under my control and perhaps everything
would be fine if the cisco router would not assign the
unencrypted end of the tunnel from a pool of a class "C"
network.
So I have basically the following configuration:
10.1/16 Private LAN "A"
|
FreeBSD box
|
Some dynamic IP from the dialup provider
|
Internet
|
1.2.3.4 Fixed IP on the public end of the cisco
|
cisco
|
10.2.1/24 dynamically assigned IP
|
Some other firewall stuff here and the LAN behind it
The configuration is normally used as a dialin pool for home
office PCs, but there are some guys that do have a working
dialup LAN in their home office rather than a single PC.
So setting up the public side of the gif interface is a piece
of cake.
The dynamic IP is assigned during the setup of the IPsec
connection.
What I could not find out until now is how to set up the
private part of the gif interface. Usually one would have to
use:
ifconfig <src-priv> <dest-priv> netmask <netmask>
But since the dest-priv address is assigned during the tunnel
setup I could not figure out how to configure the private
destination address.
Also it would be a question how the setkey parameters for the
spdadd have to be, as I would need this destination address
there as well.
So if someone has this kind of setup in use, could you please
send me the scripts? Or if someone has an idea where to start
searching, this would be nice as well. I have been searching
the internet for nearly two days now, but I could not find an
answer for this.
I forgot to mention that the FreeBSD box is running 4.2. If
this is too old, it would not hurt to upgrade it to some newer
version.
Thanks in advance
Achim
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
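As an added example (not part of Achim's mail or any reply), a POSIX sh hook that takes the public dialup address and the address handed out during tunnel setup as its two arguments and prints the gif(4) and setkey(8) commands the question asks about, refusing any address outside the 10.2.1/24 pool before anything is emitted. The hook itself, 10.1.0.1 as the FreeBSD box's own LAN address, 192.0.2.10 as a sample dialup address and the esp/require policy are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: print (do not execute) the commands that bring up the private
# side of gif0 and install the SPD entries once the peer-assigned address is
# known. Assumption: racoon hands that address to this hook as an argument.

LOCAL_LAN="10.1.0.0/16"      # private LAN "A" behind the FreeBSD box
REMOTE_POOL="10.2.1.0/24"    # pool the cisco assigns tunnel addresses from
CISCO_PUB="1.2.3.4"          # fixed public address of the cisco
LOCAL_PRIV="10.1.0.1"        # FreeBSD box's own address on LAN "A" (assumption)

# in_pool ADDR: succeed only if ADDR is a host address inside 10.2.1.0/24
in_pool() {
    case "$1" in
        10.2.1.*) ;;                      # correct /24 prefix
        *) return 1 ;;
    esac
    last=${1##*.}
    case "$last" in
        ''|*[!0-9]*) return 1 ;;          # last octet must be numeric
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]   # exclude network/broadcast
}

# tunnel_config LOCAL_PUB REMOTE_PRIV: emit the gif and setkey commands.
tunnel_config() {
    local_pub=$1
    remote_priv=$2
    if ! in_pool "$remote_priv"; then
        echo "refusing address outside $REMOTE_POOL: $remote_priv" >&2
        return 1
    fi
    cat <<EOF
ifconfig gif0 tunnel $local_pub $CISCO_PUB
ifconfig gif0 $LOCAL_PRIV $remote_priv netmask 255.255.255.255
setkey -c <<'SPD'
spdadd $LOCAL_LAN $REMOTE_POOL any -P out ipsec esp/tunnel/$local_pub-$CISCO_PUB/require;
spdadd $REMOTE_POOL $LOCAL_LAN any -P in ipsec esp/tunnel/$CISCO_PUB-$local_pub/require;
SPD
EOF
}

# Stand-alone use: sh hook.sh <dialup-public-ip> <assigned-private-ip>
if [ $# -eq 2 ]; then
    tunnel_config "$1" "$2"
fi
```

Review the printed commands before piping them into sh; the generated setkey policy only requires ESP, so any AH or transport-mode requirement on the cisco side has to be mirrored by hand.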