Filtering on IPSEC
David DeSimone
fox at verio.net
Thu Jan 12 02:38:07 UTC 2012
Alex Dupre <ale at FreeBSD.org> wrote:
>
> I've set up my first IPSEC VPN between FreeBSD 8.2 and CheckPoint
> VPN-1. I've used a gif interface for the tunnel, setkey for security
> policies and racoon for ikev1.
I've peered with Checkpoint VPNs using FreeBSD but I never needed to
use gif interfaces to make it happen. FreeBSD's tunnel-mode IPSEC seems
to interoperate quite well with Checkpoint's implementation.
You should be able to match tunneled traffic using SPDs like so:
spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;
With the matching 'sainfo' sections in racoon's config:
sainfo address 10.27.37.0/24 any address 172.30.101.0/24 any
{
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
sainfo address 172.30.101.0/24 any address 10.27.37.0/24 any
{
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
> All is working fine, but I get a strange behavior: outgoing packets go
> via enc0, while incoming packets arrive in gif0.
Admittedly, I had set all this up back in the FreeBSD 6.x days,
before the 'enc0' interface was invented, so I can't speak to how the
traffic flow works exactly, but it still seems to me that using gif is
needlessly complicating your setup, so you may want to simplify it.
--
David DeSimone == Network Admin == fox at verio.net
"I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it." -- Clarence Darrow
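The two spdadd lines and two sainfo stanzas above only work as a pair: the "out" policy must be the exact mirror of the "in" policy (selector networks swapped, tunnel endpoints swapped), and each selector pair needs its own sainfo in racoon. A one-sided configuration yields the one-way traffic symptoms people usually chase through gif/enc0 instead. The following script is an added example, not code from the original post or from the FreeBSD/racoon projects: it parses setkey.conf-style spdadd lines and racoon sainfo headers, and reports policies with no mirror-image partner or no matching sainfo. The networks and gateway addresses are the ones quoted in the post; the audit logic, the regexes and the deliberately broken samples are constructed here.

```python
"""Consistency audit for setkey SPD policies and racoon sainfo stanzas.

Added example, not from the original post. Addresses are the ones the
post quotes; the audit logic and the broken samples are constructed.
"""
import re
from dataclasses import dataclass

# spdadd SRC DST UPPER -P in|out ipsec esp/tunnel/OUTER_SRC-OUTER_DST/LEVEL;
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+"
    r"(?P<dir>in|out)\s+ipsec\s+esp/tunnel/"
    r"(?P<osrc>[^-\s]+)-(?P<odst>[^/\s]+)/(?P<level>\w+)\s*;"
)
# sainfo address LOCAL_NET ANY address REMOTE_NET ANY {
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(?P<local>\S+)\s+\S+\s+address\s+(?P<remote>\S+)\s+\S+"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str
    direction: str
    outer_src: str
    outer_dst: str
    level: str

    def mirror(self) -> "Policy":
        """The policy the opposite direction must carry: selectors and
        tunnel endpoints swapped, everything else identical."""
        return Policy(self.dst, self.src, self.upper,
                      "out" if self.direction == "in" else "in",
                      self.outer_dst, self.outer_src, self.level)


def parse_spd(text: str) -> list[Policy]:
    """Extract tunnel-mode ESP policies from setkey.conf-style text."""
    return [Policy(m["src"], m["dst"], m["upper"], m["dir"],
                   m["osrc"], m["odst"], m["level"])
            for m in SPD_RE.finditer(text)]


def parse_sainfo(text: str) -> set[tuple[str, str]]:
    """Return the (local_net, remote_net) selector pairs racoon knows about."""
    return {(m["local"], m["remote"]) for m in SAINFO_RE.finditer(text)}


def audit(spd_text: str, racoon_text: str) -> list[str]:
    """List every policy lacking a mirror partner or a matching sainfo."""
    policies = parse_spd(spd_text)
    present = set(policies)
    selectors = parse_sainfo(racoon_text)
    problems = []
    for p in policies:
        if p.mirror() not in present:
            problems.append(f"no mirror for {p.direction} policy {p.src} -> {p.dst}")
        if (p.src, p.dst) not in selectors:
            problems.append(f"no sainfo for {p.src} -> {p.dst}")
    return problems


# Constructed samples: the pair from the post, then one-sided variants.
SPD_OK = """
spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;
"""
SPD_ONEWAY = """
spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
"""
RACOON_OK = """
sainfo address 10.27.37.0/24 any address 172.30.101.0/24 any
{
        encryption_algorithm aes;
}
sainfo address 172.30.101.0/24 any address 10.27.37.0/24 any
{
        encryption_algorithm aes;
}
"""
RACOON_HALF = """
sainfo address 10.27.37.0/24 any address 172.30.101.0/24 any
{
        encryption_algorithm aes;
}
"""

if __name__ == "__main__":
    for label, spd, rc in (("ok", SPD_OK, RACOON_OK),
                           ("one-way spd", SPD_ONEWAY, RACOON_OK),
                           ("half sainfo", SPD_OK, RACOON_HALF)):
        print(label, audit(spd, rc) or "consistent")
```

Run it against your own setkey.conf and racoon.conf contents (read the files into the two strings); an empty result means every tunnel policy has its partner and racoon can negotiate phase 2 for both selector pairs.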