Steve Lake wrote:
> At 10:53 PM 5/18/2008 +0200, Mister Olli wrote:
> > first you should consider the following questions:
> > - what kind of VPN do you wanna use? (SSL or IPSec based)
>
> From what I remember of my security training years ago, IPSec was always better. So I'd likely go with that.
>
> > - what kind of authentication? (user or certificate based)
>
> Definitely user, unless you think certificate is better.
>
> > - what kind of traffic do you wanna protect?
>
> Everything if possible. Basically I'm trying to create a protected Internet connection by using the VPN to allow me to connect to my VPN server at my home office over an insecure public connection. I would then use that VPN connection to securely surf the web from anywhere in the US or the world.
>
> > - do you wanna transport data between two hosts, from host-to-network or network-to-network?
>
> I'm not sure which would be best. Can you suggest one based on the previous answer? Thanks.
If you're going to do this with IPSec it should be fairly simple to set up the connection. Given that you control both ends of the IPSec tunnel, you can just use a shared secret. You need to set up some security policy definitions using setkey(1) -- the man page is full of acronyms and jargon but what setkey does is define what traffic should be encrypted based on the end point IPs, port numbers and some other data. [Note: in order for setkey to work, you need a kernel config with options IPSEC added]. Finally, the third part of setting up an IPSec connection is to configure a method of key exchange -- this is the only part not actually built into the system, so you should install ipsec-tools or equivalent from ports.

On the question of tunnel vs transport mode -- most of the tutorials you can find on the net are all about setting up /tunnel/ mode -- ie. to use a pair of routers as IPSec endpoints to connect two private networks. In your case, I think you do need tunnel mode, despite it requiring a degenerate form of network with only one host at each end -- something that naturally screams transport mode -- since you need the capability to route traffic from elsewhere via the VPN link.

Two handy references:

Setting up a simple transport mode tunnel between two hosts:
http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html

Step by step guide to setting up a tunnel:
http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

It's a bit dated now, as the kernel configuration instructions apply to pre-6.x systems. In 7.0+ (which uses what was previously called FAST_IPSEC), all you need is to add the following:

    device crypto
    device cryptodev
    options IPSEC

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
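[Editor's note: the following is a worked configuration added to illustrate the three pieces Matthew describes (kernel options, setkey policies, and racoon from ipsec-tools for key exchange) for the "roaming laptop tunnels everything through the home gateway" case. It is not part of the original thread. Everything in it is an assumption made for the example: the hostnames, the documentation addresses 203.0.113.25 (laptop) and 198.51.100.1 (gateway), the interface name em0, and the choice of aggressive-mode IKE with a pre-shared key. Check the setkey(8) and racoon.conf(5) man pages on the target release before using any of it.]

```conf
## Kernel config, both hosts (FreeBSD 7.x, as in the reply above)
#   device crypto
#   device cryptodev
#   options IPSEC

## ---- Roaming laptop: /etc/ipsec.conf (loaded at boot via ipsec_enable="YES",
##      or by hand with: setkey -f /etc/ipsec.conf) ----
# Assumed addresses: laptop's current public address 203.0.113.25,
# home gateway 198.51.100.1.  Edit the laptop side whenever its address changes.
flush;
spdflush;
# Tunnel mode, both directions, level "require": nothing leaves or arrives in the clear.
# With no SA present the kernel sends an ACQUIRE to racoon, which negotiates on demand.
spdadd 203.0.113.25/32 0.0.0.0/0 any -P out ipsec esp/tunnel/203.0.113.25-198.51.100.1/require;
spdadd 0.0.0.0/0 203.0.113.25/32 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.25/require;
# No exemption for IKE (UDP/500) is written here because racoon attaches a bypass policy to
# its own IKE socket (assumption about racoon's behaviour; confirm that phase 1 completes).

## ---- Roaming laptop: /usr/local/etc/racoon/racoon.conf ----
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
remote 198.51.100.1 {
        # Main mode with a PSK identifies peers by IP address; the laptop has no fixed
        # address, so it identifies itself by FQDN in aggressive mode.  Caveat: aggressive
        # mode sends the identity in the clear and lets an eavesdropper run an offline
        # dictionary attack on the PSK, so the secret must be long and random.
        exchange_mode aggressive;
        my_identifier fqdn "laptop.example.org";     # assumed; must match the gateway's psk.txt
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

## ---- Roaming laptop: /usr/local/etc/racoon/psk.txt (mode 0600; racoon refuses a world-readable file) ----
# As initiator the PSK is looked up by the peer's address (assumption; see racoon.conf(5)).
# 198.51.100.1   <long random secret, e.g. output of: openssl rand -base64 32>

## ---- Home gateway: /usr/local/etc/racoon/racoon.conf ----
# No static SPD entries on the gateway: generate_policy installs the tunnel policies
# for whatever address the laptop connects from, which is what a roaming host needs.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen { isakmp 198.51.100.1 [500]; }
remote anonymous {
        exchange_mode aggressive;
        passive on;            # responder only; never initiate towards unknown peers
        generate_policy on;    # build SPD entries from the laptop's proposal
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

## ---- Home gateway: /usr/local/etc/racoon/psk.txt (mode 0600) ----
# Keyed by the laptop's FQDN identifier; same secret as on the laptop.
# laptop.example.org   <the same long random secret>

## ---- Home gateway: /etc/rc.conf additions ----
# gateway_enable="YES"      # forward the decapsulated packets on to the Internet
# racoon_enable="YES"
# pf_enable="YES"
## ---- Home gateway: /etc/pf.conf ----
# The decapsulated packets carry the laptop's public address as source; replies to that
# address would otherwise return over the open Internet instead of through the tunnel,
# so the gateway must NAT them to its own address like any other inside host.
# nat on em0 inet from !(em0) to any -> (em0)
```

Checks worth doing once both sides are up: `setkey -DP` on each host shows the SPD (on the gateway, the two tunnel entries should appear only after the laptop's phase 2 completes), `setkey -D` shows the negotiated SAs, and `tcpdump -ni em0 not esp and not udp port 500` on the gateway's outside interface should stay silent for traffic to and from the laptop's address; anything visible there is leaving the tunnel in the clear.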