I am trying to set up a secure VPN connection between a Telstra cable user
and an Optus cable user. I have currently got an ipip tunnel working between
the two places, with static routes. Will look into gated later.
The next step I want to do is encrypt this tunnel. I am presuming that I
would use IPSEC on the tun devices used for the tunnel.
Why would I not do it at the eth devices and make it only between the two
Linux boxes, or should I be doing it here? Do I need to have tunnelling once
I have IPSEC between the two boxes? Or is IPSEC just for the encryption of
IP data and not for actual tunnelling?
I will be using freeswan, with preshared keys.
Thanks
Alex Samad
Depending on the way you configure IPsec, you shouldn't need the tunnelling.
For your scenario I would advise using ESP in Tunnel mode (see below).
Encrypted Tunnel between Gateways
TelstraBox---[GW]==[modem]==Internet==[modem]==[GW]---OptusBox
Effectively what IPsecadm does is set up a static route between the IP
associated to your gateway's external interface (by the cable modem DHCP) and
the Optus guy's gateway external interface (similar method). Once this is
configured the kernel knows to encrypt and encapsulate all traffic using
that route.
IPSec will then encrypt packets originating from an internal machine. They
are then wrapped with a new IP header and destination (SRC:=YourGW and
DST:=OptusGW). The packet is sent across the public domain and received at
the Optus Gateway, which unwraps and decrypts the packet. It is then passed
to the Internal machine on the Optus Guy's network.
The downside here is that the two networks connecting over the IPsec tunnel
MUST be using different network allocations. This simply means one side
runs 192.168.0.0/24 and the other runs 192.168.1.0/24.
Then write a couple of shell scripts (for cron) that test whether the
connection is up, and if not flush and reapply the IPsecadm settings, and
Bob's your uncle. You have a VPN :)
Performance tip - don't run further encrypted applications (like sftp) as the
link will chug on crappy machines :)
MoRpHinE
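To make the tunnel-mode description above concrete, here is an added worked model of what the gateway does to a packet (this is example code written for this thread, not FreeS/WAN or IPsecadm code). It builds an inner IPv4 packet from an internal host, wraps it in a fresh outer header with SRC:=YourGW and DST:=OptusGW, and has the far gateway check and unwrap it. The subnets, the gateway addresses (taken from the RFC 5737 documentation ranges) and the shared key are constructed placeholders. Only the framing and an HMAC integrity tag are modelled; real ESP also encrypts the inner packet, which is deliberately left out here so the structure stays visible.

```python
"""Model of ESP tunnel-mode encapsulation between two gateways (added example).

Constructed values: subnets, gateway addresses and SHARED_KEY are placeholders.
Encryption of the inner packet is omitted; only the wrapping and an integrity
tag (ICV) are shown.
"""
import hashlib
import hmac
import ipaddress
import socket
import struct

PROTO_ICMP = 1
PROTO_ESP = 50
ICV_LEN = 16  # truncated HMAC-SHA256 tag appended after the inner packet

# Constructed topology following the thread's diagram (Telstra side = local)
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # behind TelstraBox GW
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")  # behind OptusBox GW
LOCAL_GW = "203.0.113.10"    # placeholder external address of TelstraBox GW
REMOTE_GW = "198.51.100.20"  # placeholder external address of OptusBox GW
SHARED_KEY = b"constructed-preshared-key"  # placeholder, not a real secret


def ip_checksum(header):
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); raise ValueError on a bad header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:  # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:total_len])


def needs_tunnel(dst_ip, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """Gateway routing decision: only traffic for the far subnet enters the
    tunnel. Overlapping allocations make this ambiguous, which is why the two
    sides must use different ranges."""
    if local_net.overlaps(remote_net):
        raise ValueError("local and remote subnets overlap; routing is ambiguous")
    return ipaddress.ip_address(dst_ip) in remote_net


def overlap_is_rejected(local_cidr, remote_cidr):
    """True if needs_tunnel refuses the pair of subnets as overlapping."""
    try:
        needs_tunnel("10.0.0.1", ipaddress.ip_network(local_cidr),
                     ipaddress.ip_network(remote_cidr))
    except ValueError:
        return True
    return False


def encapsulate(inner_packet, key=SHARED_KEY):
    """Append an ICV over the inner packet, then prepend a new outer header
    SRC:=LOCAL_GW DST:=REMOTE_GW (encryption omitted, see module docstring)."""
    icv = hmac.new(key, inner_packet, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(LOCAL_GW, REMOTE_GW, PROTO_ESP, inner_packet + icv)


def decapsulate(outer_packet, key=SHARED_KEY):
    """What the Optus gateway does: check the outer header is from the tunnel
    peer, verify the ICV, and hand the inner packet on. Raises on tampering."""
    src, dst, proto, body = parse_ipv4(outer_packet)
    if proto != PROTO_ESP or src != LOCAL_GW or dst != REMOTE_GW:
        raise ValueError("outer packet not from the expected tunnel peer")
    inner, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed; dropping packet")
    return inner


def demo():
    """Internal host 192.168.0.10 sends an ICMP packet to 192.168.1.20; it is
    wrapped, delivered, unwrapped, and a tampered copy is rejected."""
    inner = build_ipv4("192.168.0.10", "192.168.1.20", PROTO_ICMP, b"\x08\x00ping-data")
    outer = encapsulate(inner)
    o_src, o_dst, o_proto, _ = parse_ipv4(outer)
    i_src, i_dst, i_proto, payload = parse_ipv4(decapsulate(outer))
    tampered = outer[:40] + bytes([outer[40] ^ 0xFF]) + outer[41:]  # flip a byte of inner payload
    try:
        decapsulate(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"outer": (o_src, o_dst, o_proto), "inner": (i_src, i_dst, i_proto),
            "payload": payload, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The outer header is the only thing the Internet sees; the inner addresses (192.168.0.x and 192.168.1.x) survive untouched inside, which is why no separate ipip tunnel is needed for plain site-to-site traffic. The `needs_tunnel` check is the part that breaks when both sides pick the same private range.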
| Will look into gated later.
To run a routing protocol over the link, you will need some sort of point to
point link. This can be achieved using:
- ipip
- gre
- ppp over ssl
- ppp over ssh
- etc.....
Routing protocols are necessary for resilience (eg - meshed / multiple
paths between sites) and scalability.
That said, gre over ipsec appears to be the accepted standard for
propagating routing protocols - this gives you vendor independence between
sites.
If your policy is that all remote sites must terminate the vpn at a central
site (ie - hub and spoke arrangement), you will also need an ipip/ gre
tunnel between each remote site if you want 2 remote sites to be able to
route between each other through your central site.
You also have the advantage of using the point to point link created by the
ipip / gre / ppp tunnel for troubleshooting - eg, you can traceroute
through your internal address range as if it were a regular wan link.
If you only have a few sites, then running an ip or gre tunnel over ipsec
is probably not necessary - ipsec alone will be ok. That said, going
through the exercise of gre over ipsec (or similar) is probably worthwhile
for a small site so that you have the experience behind you (including
knowing how to troubleshoot the links).
| The next step I want to do is encrypt this tunnel. I am presuming that I
| would use IPSEC on the tun devices used for the tunnel.
|
| Why would I not do it at the eth devices and make it only between the two
| Linux boxes or should I be doing it here. Do I need to have tunnelling once
| I have IPSEC between the two boxes. Or is IPSEC just for the encryption of
| IP data and not for actual tunnelling ?
|
| I will be using freeswan, with preshared keys
Have you considered using rsa or dh authentication? - once again, probably
not necessary, but gaining experience on a small site can be worthwhile.
Enjoy,
Darren Mackay
"Alex Samad" <asa...@NOSPAMbigpond.net.au> wrote in
news:_Z_z8.72412$o66.2...@news-server.bigpond.net.au:
I don't think you need ipip tunnels to run FreeS/WAN, as IPSec is a method of authenticating and encrypting traffic.
Once a Security Association is set up between sites - we have a tunnel.
The FreeS/WAN pages have complete documentation ( http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/index.html )
Cheers,
Rob
/avant