Subject: IPsec Tunneling (VPN) from WIN2K (client) to FreeBSD (Server)

Hello all,

I hope you can understand how desperate I am to figure out what to do.

I need to enable tunnels from my laptop running Windows 2000 Pro to
my FreeBSD 4.6. I have a Cable Modem link to the Internet and for my
firewall and NAT router I use a D-Link 707 Residential Router capable
of allowing VPN using IPsec 'only'.
                                                            ----------
  VPN Server              Gateway                          |          |
-----------            -----------                        |          |
192.168.0.3  --------  192.168.0.1 -----------------------  Internet |
-----------            -----------                        |          |
FreeBSD 4.6          xxx.xxx.xxx.xxx                      |          |
                                                            ----------
-IPsec Enabled         IPsec:                                   |
-Running Racoon        -ESP mode                                |
-Setkey                -In Tunnel Mode (DUH!)                   |
-OpenSSL Certificates  -DES encryption                          |
-psk.txt               -ESP mode with no encapsulation          |
-VPN Server: PoPToP    -no Integrity                            |
                        -Pre-Shared keys                         |
                                                                 |
                                                                 |
                                                                 |
              Client                                             |
           -------------                                         |
           192.168.0.226  ---------------------------------------|
           -------------
          Windows 2000 Pro

          -IPsec enabled
          -Certificate Install

As this diagram shows, I'm running FreeBSD 4.6 with PoPToP, Racoon
for sharing keys and IPsec enabled in the Kernel. The gateway/NAT
router allows IPsec VPN with DES encryption in ESP mode with no
encapsulation, no Integrity, in Tunnel mode and using a pre-shared
key.

I don't know what "no Integrity" means, nor why ESP
cannot "encapsulate".

Please, help me in any way you can. Point me to any webpages you think
will help me.

THIS IS WHAT I HAVE DONE SO FAR:

- PoPToP works. In its bare bones without IPsec policies and racoon's
daemon turned off I can connect 'directly' to the server from within
the LAN.

- Racoon has been installed.

- I have searched the Internet and followed various HOWTOs but none
of them are based on the scheme I'm using. Usually they involve two
FreeBSD machines, a Windows 2000 Server, etc.

- I have read the FreeBSD Handbook Section on IPsec, setkey man pages
and racoon man pages.

- Tried several times to set the security policies in "both" machines
and connect but the results are worse every time.

- A set of certificates has been made and installed. I followed a
guide that made me create OpenSSL certificates and installed them,
but I can't quite figure out when they come into play.


My major problem has been setting up the Security Policies in both
Machines. I think that's the step that's causing me all this trouble.
The most confusing thing to me is why there is no way of editing the
security policies in the Gateway.

Please, excuse my ignorance and I appreciate all the help I can
receive.

MrWebby
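For reference, the shape of the two pieces the poster is struggling with on the FreeBSD side, an added illustration and not configuration from the original message or from the PoPToP/racoon projects: a setkey policy pair (one per direction, ESP in tunnel mode) and a minimal racoon.conf for IKE with a pre-shared key. It assumes the addresses in the diagram, the psk.txt path shown, and that ESP carries HMAC-SHA1 integrity, since racoon's sainfo needs an authentication algorithm.

```conf
# /etc/ipsec.conf, loaded at boot or by hand with: setkey -f /etc/ipsec.conf
# Security Policy Database on the FreeBSD VPN server (192.168.0.3).
# Policies are one-way, so the tunnel needs an "out" and an "in" entry.
# "require" drops matching traffic that is not protected by this ESP tunnel.
spdadd 192.168.0.3/32 192.168.0.226/32 any -P out ipsec esp/tunnel/192.168.0.3-192.168.0.226/require;
spdadd 192.168.0.226/32 192.168.0.3/32 any -P in  ipsec esp/tunnel/192.168.0.226-192.168.0.3/require;

# /usr/local/etc/racoon/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1 (IKE): main mode, pre-shared key, DES because that is all the router allows.
remote anonymous {
        exchange_mode main;
        proposal {
                encryption_algorithm des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA): racoon installs the negotiated keys into the SAD,
# which is what the setkey policies above refer to.
sainfo anonymous {
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /usr/local/etc/racoon/psk.txt (owner root, mode 0600): peer address, whitespace, secret.
# The secret below is a constructed placeholder, not a real key.
# 192.168.0.226   PLACEHOLDER-SHARED-SECRET
```

The Windows 2000 IPsec policy must mirror these values (same tunnel endpoints, DES/SHA1, DH group 2 and the same pre-shared key), and `setkey -D` / `setkey -DP` on FreeBSD shows whether SAs were actually negotiated and which policies are loaded.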