Filtering on IPSEC
VANHULLEBUS Yvan
vanhu at FreeBSD.org
Thu Jan 12 10:15:14 UTC 2012
Hi.
On Wed, Jan 11, 2012 at 08:14:24PM -0600, David DeSimone wrote:
> Alex Dupre <ale at FreeBSD.org> wrote:
> >
> > I've set up my first IPSEC VPN between FreeBSD 8.2 and CheckPoint
> > VPN-1. I've used a gif interface for the tunnel, setkey for security
> > policies and racoon for ikev1.
>
> I've peered with Checkpoint VPN's using FreeBSD but I never needed to
> use gif interfaces to make it happen. FreeBSD's tunnel-mode IPSEC seems
> to interoperate quite well with Checkpoint's implementation.
>
> You should be able to match tunneled traffic using SPD's like so:
>
> spdadd 10.27.37.0/24 172.30.101.0/24 any -P in ipsec esp/tunnel/192.250.40.23-238.55.55.15/unique;
> spdadd 172.30.101.0/24 10.27.37.0/24 any -P out ipsec esp/tunnel/238.55.55.15-192.250.40.23/unique;
>
> With the matching 'sainfo' sections in racoon's config:
>
> sainfo address 10.27.37.0/24 any address 172.30.101.0/24 any
> {
>         lifetime time 1 hour;
>
>         encryption_algorithm aes;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate;
> }
Just for information, since ipsec-tools 0.7.0, the sainfo for
"incoming SA" is not needed anymore: you just need a sainfo for
"local->peer" traffic.
> sainfo address 172.30.101.0/24 any address 10.27.37.0/24 any
> {
>         lifetime time 1 hour;
>
>         encryption_algorithm aes;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate;
> }
So this one will be enough.
Yvan.
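As an added example (not code from the thread or from ipsec-tools), the script below generates the mirrored setkey(8) SPD pair and the single local->peer racoon(8) sainfo that the exchange above describes, and then checks a policy file for the mistake that most often breaks a tunnel-mode VPN: an "out" policy whose "in" mirror (subnets and tunnel endpoints swapped) is missing. The subnets and gateway addresses are the ones from the quoted message; the function names and the file layout are this example's own, not anything in setkey or racoon. The checker assumes IPv4 endpoints in the `esp/tunnel/A-B/level` form used above.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a setkey(8) policy
# file plus the one racoon(8) sainfo needed with ipsec-tools >= 0.7.0, and
# verifies that every tunnel-mode policy has its mirror.

# gen_spd LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Emits a setkey policy file: flush SAD and SPD, then the "out" policy for
# local->remote traffic and the mirrored "in" policy for remote->local.
# Endpoints are written local-remote for "out" and remote-local for "in",
# exactly as in the quoted spdadd lines.
gen_spd() {
    local_net=$1; remote_net=$2; local_gw=$3; remote_gw=$4
    printf '%s\n' \
        'flush;' \
        'spdflush;' \
        "spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_gw-$remote_gw/unique;" \
        "spdadd $remote_net $local_net any -P in ipsec esp/tunnel/$remote_gw-$local_gw/unique;"
}

# gen_sainfo LOCAL_NET REMOTE_NET
# Emits only the local->peer sainfo; since ipsec-tools 0.7.0 racoon derives
# the reverse selector itself, so no second sainfo is needed.
gen_sainfo() {
    local_net=$1; remote_net=$2
    printf '%s\n' \
        "sainfo address $local_net any address $remote_net any" \
        '{' \
        '        lifetime time 1 hour;' \
        '' \
        '        encryption_algorithm aes;' \
        '        authentication_algorithm hmac_sha1;' \
        '        compression_algorithm deflate;' \
        '}'
}

# check_spd_symmetry FILE
# Reads spdadd lines of the form
#   spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/A-B/LEVEL;
# and exits non-zero, naming each gap, if any policy lacks its mirror
# (SRC/DST swapped, DIR flipped, A/B swapped). Assumes IPv4 endpoints.
check_spd_symmetry() {
    awk '
    /^spdadd/ {
        src = $2; dst = $3; dir = $6
        split($8, t, "/")        # t[3] is "A-B"
        split(t[3], e, "-")      # e[1] = A, e[2] = B
        seen[src " " dst " " dir " " e[1] " " e[2]] = 1
        mirror = (dir == "out") ? "in" : "out"
        want[dst " " src " " mirror " " e[2] " " e[1]] = 1
    }
    END {
        for (k in want)
            if (!(k in seen)) { print "missing mirror policy: " k; bad = 1 }
        exit bad
    }' "$1"
}

# Usage with the addresses from the quoted message (local side 172.30.101.0/24
# behind 238.55.55.15, peer 10.27.37.0/24 behind 192.250.40.23).
gen_spd 172.30.101.0/24 10.27.37.0/24 238.55.55.15 192.250.40.23
gen_sainfo 172.30.101.0/24 10.27.37.0/24
```

Pipe the output of gen_spd into `setkey -c`, or save it and load it with `setkey -f`; check_spd_symmetry can be run over that saved file before loading, and again over `setkey -DP` output, to catch a half-configured tunnel before racoon starts negotiating.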