Re: OpenVPN vs IPSec

Eugene Grosbein writes: Hi > That's way too outdated. No additional patches needed today. Good news FreeBSD has usually really good docs, but those ipsec related have always been somewhat out of standard (gif on tunnel mode in handbook for example). -- Il n'est pas nécessaire de me faire re

Re: OpenVPN vs IPSec

Victor Sudakov writes: Hi, > That is, if you use kernel IPsec. But StrongSwan is completely > userland AFAIK. Nope, StrongSwan provides a userland ipsec stack but clearly states it's not intended to be used on security gateways. Its typical use case is when the kernel stack misses a required al

Re: OpenVPN vs IPSec

Victor Sudakov writes: Hi, > Because it's in the kernel? But many use (and recommend) StrongSwan > which is a userland implementation. Key exchange (ike) is managed by a userland process, but, in FreeBSD, ipsec transform is kernel domain. > IPsec in itself maybe a standard, but IKE does not se

Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated

"John W. O'Brien" writes: Hi John, > I haven't done the mind meld with "reverse" yet. > Could you comment on why you need to operate in a reversed NAT > environment? In this particular case, this is a test lab. The purpose of this kind of setup is the following : - administrator of the remote

Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated

Philipp Schmid writes: Hi Philipp, > FreeBSD 10 seems to have problems with IPSec and filtering/nat. > Maybe your problem is related to: > > http://www.freebsd.org/cgi/query-pr.cgi?pr=185876 I've rebuilt a kernel with the last patch available in the PR. It doesn't work (return nat rule in

Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated

Philipp Schmid writes: Hi Philipp, > FreeBSD 10 seems to have problems with IPSec and filtering/nat. > Maybe your problem is related to: > > http://www.freebsd.org/cgi/query-pr.cgi?pr=185876 I'll try the patch enclosed asap (overwhelmed by paid work these days). Regards Éric -- voila

Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated

"John W. O'Brien" writes: Hi John, > You also need to perform NAT processing on the traffic that returns to > gateway1 from gateway2. > > $cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1 I've been privately told about the return rule (I'm used to pf not ipfw), but no luck. Seems

Re: IPSec, nat on enc device

Eric Masson writes: Hi Bjoern, > Ok, I've never used ipfw so shot in the dark. > > If I had to nat 192.168.85.0/24 to 10.0.0.1 to access 192.168.201.0/24, > I would have to setup the following : > > ipfw add divert natd all from 192.168.85.0/24 to 192.168.201.0/24 i

Re: IPSec, nat on enc device

"Bjoern A. Zeeb" writes: Hi Bjoern, > What I said before and will repeat is that if you want to use NAT and > VPN you want to do inside NAT (addmittingly handling the local machine > is a different story). I have done that years ago with ipfw. Then your > SA works on the NAT IP. I used it to avo

Re: IPSec, nat on enc device

vanhu writes: 'Lut Yvan, > Another way to have this feature is to implement what we call "NAT > before VPN": you can configure your kernel (or do it for specific NAT > rules if you want to do a more flexible implementation) to do NAT > process before doing IPsec stuff. I've used it last week on

Re: IPSec, nat on enc device

Ermal Luçi writes: Hello Ermal, > I think you should send this email to ipsec-tool mailing list! > Basically the daemon should be modified for this and FreeBSD > is not the owner of such code. I know ;) I'll bug them regarding ${suject} as well (some ipsec-tools devs lurk there too) I'm not su

IPSec, nat on enc device

Hello, OpenBSD has support for this kind of setup since last January : http://undeadly.org/cgi?action=article&sid=20090127205841 The commit : http://marc.info/?l=openbsd-cvs&m=123246256228242&w=2 >From what I've understood, pf, depending on version in FreeBSD, could already support natting on enc

ipsec tunnels & conflicting networks

Hello, Has anybody seen this entry on undeadly ? http://undeadly.org/cgi?action=article&sid=20090127205841 Is there some similar feature on FreeBSD (nat on enc0 & support in ike daemon) ? TIA Regards Éric Masson -- >Sais-tu pourquoi les bidasses n'ont pas le droit de marcher au pas >sur le

Re: FreeBSD NAT-T patch integration

Julian Elischer <[EMAIL PROTECTED]> writes: Hi, > where is the patch? It seems that the last patch to -current is available here : http://vanhu.free.fr/FreeBSD/patch-natt-freebsd-HEAD-2008-03-19.diff Maybe Yvan has a more recent patch available (CCed) -- Ce ne sont que des propositions. Je n

Re: ospf over IPSec

"Eric W. Bates" <[EMAIL PROTECTED]> writes: Hi, > Has anyone successfully used OSPF over a tunnel? Just look here : http://rfc-ref.org/RFC-TEXTS/3884/ -- S> Je cherche aussi des adresses de lieux contenant des fossiles dans S> la région parisienne http://www.senat.fr/ -+- DP in

Re: pf rdr statement & ipsec processing interaction

Eric Masson <[EMAIL PROTECTED]> writes: Hello, > So outgoing l2tp packets should be esp transformed, right ? I've been able to reproduce the problem on a -current box (sources from yesterday), should I file a PR ? Regards Éric Masson -- C'est vrai peut t'on renconte

Re: pf rdr statement & ipsec processing interaction

"Bjoern A. Zeeb" <[EMAIL PROTECTED]> writes: > ifconfig enc0 | grep UP > > if not, ifconfig enc0 up Ok, this is better as mpd4 receives l2tp packets, thanks :) [EMAIL PROTECTED]:~> sudo /usr/local/sbin/mpd4 Multi-link PPP daemon for FreeBSD process 1586 started, version 4.2.2 ([EMAIL PROTECTED]

Re: pf rdr statement & ipsec processing interaction

"Bjoern A. Zeeb" <[EMAIL PROTECTED]> writes: Hello Bjoern & all, > this is expected behavior. You want to read about the > IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) kernel option and > enc(4). I've compiled a new kernel with IPSEC_FILTERGIF, tcpdump now can see unencrypted L2TP packets on extern

Re: pf rdr statement & ipsec processing interaction

"Bjoern A. Zeeb" <[EMAIL PROTECTED]> writes: Hi Bjoern, > this is expected behavior. Fine, > You want to read about the IPSEC_FILTERTUNNEL (fka. IPSEC_FILTERGIF) > kernel option and enc(4). Ok, thanks for your help Regards Éric Masson -- DP>à partir de quand n'est-on plus un neuneu? est-c

pf rdr statement & ipsec processing interaction

Hello, I'm trying to setup a FreeBSD 6.2 box as l2tp/ipsec server for MS workstations (FAST_IPSEC + Yvan's NAT-T patch) Thanks to mpd4, the l2tp part works fine, as the box could in fine have only a dynamic ip address, I've made mpd listen on a loopback interface on the box and then redirected in

Re: SSTP support?

Brett Glass <[EMAIL PROTECTED]> writes: Hi, > It seems as if it would be easy to cobble together an SSTP client and > server using code already available on FreeBSD. (It'd require a daemon > for userland PPP and probably an SSL Netgraph node -- which, > surprisingly, doesn't seem to exist already

Re: Applying NAT-T patch

VANHULLEBUS Yvan <[EMAIL PROTECTED]> writes: Hi, > There is always some hope :-) :) > I know that some FreeBSD developpers have expressed some interest in > this patch, I had some discussions with some of them since some months > ago, but actually, I can just wait for a commit or for some > fee

Re: Applying NAT-T patch

VANHULLEBUS Yvan <[EMAIL PROTECTED]> writes: Hi Yvan, > rebuilding/reinstalling world may be very interesting as some system > programs uses some structs which size are changed by the patch. Is there any hope to see NATT support, based on your patches, included in -current before 7.0-RELEASE en

Re: which windows software can communicate with ipsec(racoon)?

"Zhao Tongyi" <[EMAIL PROTECTED]> writes: Hi, > I have tested cisco vpn software,found build the phase ONE successfully,but > phase two can't build up. Probably a setup problem, I've been able to setup l2tp/ipsec tunnels between an XP box and a FreeBSD 6.1-RELEASE box (ipsec-tools racoon-0.6.x)

Re: Where is IPSec NAT-T support?

"Scott Ullrich" <[EMAIL PROTECTED]> writes: Hi, > Maybe it is because I am including FAST_IPSEC? I have attempted to > build and use a NAT-T kernel on atleast 7 attempts now. Last of which > was a couple months ago. Yvan's patch addresses NATT only with KAME stack. He's been talking about wo

Re: FreeBSD as a VPN Client Gateway ...

VANHULLEBUS Yvan <[EMAIL PROTECTED]> writes: Hi, > nat-t support detection is quite bad actually (and not only with > FreeBSD), as it just detects NAT-T support in kernel includes, not in > compiled kernel. Rhahhh, le boulet, le boulet, le boulet... I forgot to install includes... so config f

Re: FreeBSD as a VPN Client Gateway ...

VANHULLEBUS Yvan <[EMAIL PROTECTED]> writes: Hi Yvan, > It should work (I'm compiling it with a modified 6.1-PRERELEASE, but > did not tried for now with just 6.1-PRERELEASE+NAT6T patch). I've forced natt support in the Makefile. > Could you send me the logs ? Asap, I have to make some place o

Re: FreeBSD as a VPN Client Gateway ...

Matthew Grooms <[EMAIL PROTECTED]> writes: Hi, Nice work. > If you are interested in using NAT-T, you should have a look at > Yvans kernel patch which offers everything but transport > pre-fragmentation support ... > > http://ipsec-tools.sf.net/freebsd6-natt.diff I tried to

Re: IPSEC documentation

"Clark Gaylord" <[EMAIL PROTECTED]> writes: > Yeah, what is the story with that anyway? Is anyone working on it? Is > there hope? Iirc, Yvan made a patch (don't remember the target branch, sorry), but it seems that NAT-T might be patent encumbered (*). Anyway, Net & Open included NAT-T in their

Re: IPSEC documentation

Brian Candler <[EMAIL PROTECTED]> writes: Hi, > security/vpnc works fine for me as a client for talking to a Cisco VPN > concentrator. I think that's IPSEC tunnel mode + PSK + XAUTH (which can also > assign an IP address and insert routes into your forwarding table) Ok, you just need a vpn3000 o

Re: IPSEC documentation

Brian Candler <[EMAIL PROTECTED]> writes: Hi, > OK, I'll buy gif + IPSEC transport mode as an option. Seems there's a rfc about this kind of setup : http://rfc.net/rfc3884.html -- Juste un truc, ca te ferait mal au cerveau de lire les messages auxquels tu reponds ? -+-RMD in :

Re: IPSEC documentation

VANHULLEBUS Yvan <[EMAIL PROTECTED]> writes: Hi Yvan, > Did someone tried such a setup ? I plan to do so. Just have to find ios images that support l2tp and ipsec for my 1601R or 2611 and bigger flash modules (I've been given them two weeks ago, hardware upgrade is the easy part, for software,

Re: IPSEC documentation

Brian Candler <[EMAIL PROTECTED]> writes: > OK, I'll buy gif + IPSEC transport mode as an option. [Although in that > case, perhaps what you want is an external IPSEC tunnel mode implementation > which attaches to a 'tun' device. That's yet another category which I hadn't > even considered] Any u

Re: IPSEC documentation

Brian Candler <[EMAIL PROTECTED]> writes: Hi, > The IPSEC documentation at > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is > pretty weird. It suggests that you encapsulate your packets in IP-IP (gif) > encapsulation and THEN encapsulate that again using IPSEC tunnel mode

Re: xl(4) & polling

> "Ruslan" == Ruslan Ermilov <[EMAIL PROTECTED]> writes: Hi Ruslan, Ruslan> Do you want to donate a card? I have only one left, but can order another one and get it shipped to you. Éric Masson -- un mec qui n'a pas d'emoluments de la part d'Aple qui gagne son argent de poche en crayona

xl(4) & polling

Hi, Has anyone wip regarding ${subject} area ? I've found this, but the project seem to have stalled : http://listserver.uk.freebsd.org/pipermail/freebsd-users/2002-April/005666.html Thanks in advance Regards Éric Masson -- Bientôt, Apple ne va plus que fournir les plans sous microfilms coi

Re: NAT-T Implementation

d(8) daemon in ports Crist> supports it, but AFAIK, the kernel does not. Yvan Vanhullebus is working on patchset for both 4.11 & 5.3, work has been done on USAGI racoon to make it support NAT-T. Don't know if IP rights issues have been solved, if not, official NAT-T support from th

Re: pf & clonable devices

> "Max" == Max Laier <[EMAIL PROTECTED]> writes: Hi Max, Max> Just guessing, but I assume you forgot to use round brackets Max> around your NAT and from/to addresses. It should look like the Max> following: Don't think so but maybe, I'm wrong : # macros int_if = "xl0" ext_if = "ppp0" tun

pf & clonable devices

Hi, uname -a : FreeBSD srvbsdnanssv.interne.kisoft-services.com 5.3-STABLE FreeBSD 5.3-STABLE #0: Tue Jan 11 11:44:56 CET 2005 [EMAIL PROTECTED]:/vol0/build/usr/src/sys/K6II i386 kldstat : Id Refs AddressSize Name 1 19 0xc040 2f6a20 kernel 21 0xc06f7000 14f08if_pp

Re: gif4) & AltQ

ax> for if_snd and modifying it according to the rules in altq(9). I'll have a look. Max> Not sure how *exactly* gif(4) works, but I'll put it on my list Max> (just not a high priority, right now). Ok, thanks to you and Brooks for explanations. Regards Eric Masson --

gif4) & AltQ

gards Eric Masson -- «Je suis en train de peaufiner les definitions de locales pour le vietnamien; est-ce que pour l'ordre alphabetique les lettres A(, A^, DD, E^, O^, O+ et U+ sont bien considerées comme des lettres à part ?» Pablo in Guide du linuxien pervers : "Les locales

Re: HEADS UP: pf import

f, pflog, pfsync} Nice to hear, is Altq integration in the plan too ? Eric Masson -- BS> Tavergiste, c'est ma tournée ! Je prendrais une girafe. -+- TT in www.le-gnu.net : Pressée ou frappée -+- ___ [EMAIL PROTECTED] mailing list http://l

Re: DLink DWL-G650

ckport of cardbus support is likely to happen now. Eric Masson -- si c bien le k -+-YT in GNU: mon clavier est kc -+- ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: gre tunnel & ipsec transport mode

ed, Bruce> I'm all ears. All my production machines here are 4.8-RELEASE-p13 or 4.9-RELEASE, I can duplicate the faulty setup on these machines and give you a shell access to them if it can help you to diagnose the problem (not before Friday cause I'm at a customer's office tomo

Re: gre tunnel & ipsec transport mode

ope atm, the archives of this list show a similar case in June 2003 with no answer. >From section 3.4 of the following document, encapsulating gre tunnels in ipsec transport should "just work" http://decoy.khaotic.net/~say/files/FreeBSD-WIN2K-IPSEC-HOWTO.html Thanks for your help. Er

gre tunnel & ipsec transport mode

_input.c, /sys/net/in_gif.c & /sys/net/ip_gre.c to understand the case, as gif tunnels get encapsulated correctly, but no immediate fix came to my mind but I must say I'm no C guru nor kernel hacker :/ Has anyone any idea or fix on this case ? TIA Regards Eric Masson -- je pense pas que c

FreeBSD, ipnat & timeouts while loading page

g about bad nic, so swap is the next thing I'll do but has anyone seen such symptoms . Regards Eric Masson -- où se trouve la boîte aux lettre de Outlook Express ? J'en ai besoin pour configurer mon modem Olitec smart memory, lorsqu'il daignera fonctionner correctement !! -+-

Re: Telecom Italia, ADSL SMART & FreeBSD

they say. External DSL modems in general hide the Barney> RFC1483-ness of the DSL link, and look like a bridge leading to Barney> the ISP's network. Just set your IP addr and add a default Barney> route to the ISP's router's address (usually .1 on whatever net Barney>

Re: Telecom Italia, ADSL SMART & FreeBSD

n the freebsd side. I use this setup in France too. When the DLink is configured in pppoe, mpd complains that it can't take the link up (sorry, I'm not in front of the box, only 1000 kms from it and can't have access to the logs) Thanks Eric Masson -- c'est qui tous

Re: Telecom Italia, ADSL SMART & FreeBSD

>>>>> "Emss" == Eric Masson <[EMAIL PROTECTED]> writes: [Follow-up to myself] Emss> Telecom Italia ships an ADSL SMART solution (fixed ip adress) Emss> which is "Classical IP (RFC1483/1577)" compliant. Dsl modem is DLink DSL300G+ Eric Masson --

Telecom Italia, ADSL SMART & FreeBSD

such a setup working ? Regards Eric Masson -- RECHERCHE DES INGENIEURS DANS Linformatique IMPORTANT !! Envoyez moi vos cV -+- in Guide du Neuneu sur Usenet : Linformatique pour les nuls -+- ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mail

Re: ipsec tunnels & packet length issues

(thanks to M. Sierchio) Hope your draft will be adopted. Thanks a lot Eric Masson -- B > Ah ben bravo ! a quand l'html dans les entetes ? CB> Hein ? tu lis pas l'iso-8859-1 dans le champ approved ?? Elle répond. Comment veux-tu qu'en plus elle ait le temps de lire

Re: ipsec tunnels & packet length issues

oo long" icmp packet returned to originator (nothing in tcpdump on internal interface nor in FW1 logs) Regards Eric Masson -- > Quant à ma mauvaise quote de mail , désolé, c'est Outlook qui coupe tout > seul à 76. (pour ton répertoire de neuneuX, si tu veux) > (comme les lig

Re: ipsec tunnels & packet length issues

send back an icmp packet type 3 code 4 when the packet is too long to be encapsulated. Is this plain dumb or does it present any interest ? Regards Eric Masson -- comment fait on pour craker un logiciel car j'ai le logiciel et le crack, et quand je lance le crack ca m'ouvre une se

ipsec tunnels & packet length issues

Host" to approximately 1450, the tunnel works fine, so it seems that "Tunnel Endpoint" can't process correctly packets with a size of 1500 bytes. If more information regarding this issue is needed, just ask. Is this a known issue ? Except playing with mtu, is there a f

Re: options FAST_IPSEC & tunnels

ggestion to work. In this case, I don't even know if a pix can use transport mode and gre tunnels. I'll dig in the docs asap. Thanks for the detailled explanation. Regards Eric Masson -- CJ> Les censeurs agitent plus de vent que les moulins des Pays Bas. Tiens, je savais pas que

Re: options FAST_IPSEC & tunnels

te_mask echo -n ' tunnel' ;; stop) ifconfig gif0 destroy echo -n ' tunnel' ;; *) echo "Usage: `basename $0` {start|stop}" >&2 exit 64 ;; esac exit 0 Next time, after a reboot (kernel switch) no packets

Re: options FAST_IPSEC & tunnels

with something like: Ok patch against 4.8-RELEASE attached. Sam> Long term, I intend is to associate packets with an enc device so Sam> there's a way to identify these packets when writing firewall Sam> rules. Fine. Thanks a lot Eric Masson -- > Nous recherchons une str

options FAST_IPSEC & tunnels

or FAST_IPSEC (I've dug thru the code, but no luck atm) ? Regards. Eric Masson -- je me suis créé un tas d'amis virtuels. Pourquoi cette sympathie? le flux peut-être magnétique que je dégage, vu que je guéris les brûlures par pression de mes mains sur les plaies et cloques. Et

Re: IPsec / ipfw interaction in 4.7-STABLE: a proposed change

ixing with routing isn't a good idea : http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=fa.llg8ghv.1l0skqv%40ifi.uio.no Eric Masson -- 70% de frjv sont des newbies ? Et une fois qu'ils ne le sont plus que font-ils ? Ils quittent frjv parce que c'est trop à c

Re: IPsec / ipfw interaction in 4.7-STABLE: a proposed change

tch. I'd like to know whether there would be any interest in associating a different interface to each incoming SPD entry or just use only one interface for all incoming SPD entries ? Regards Eric Masson -- «Comme annoncé dans fr.usenet.forums.annonces récemment, le vote pour la d

Re: mpd only let outbound packets flowing

>>>>> "Emss" == Eric Masson <[EMAIL PROTECTED]> writes: Emss> Followup to myself, sorry Once more, Braino on my side, ipnat configuration file hasn't been updated to the new interface, sorry for the noise. Eric Masson PS: mpd works damn fine here,

Re: mpd only let outbound packets flowing

>>>>> "Emss" == Eric Masson <[EMAIL PROTECTED]> writes: Followup to myself, sorry Emss> Any idea, or required information ? > uname -a FreeBSD rtrbsdnantsr.nantes.kisoft-services.com 4.7-STABLE FreeBSD 4.7-STABLE #2: Tue Dec 31 21:42:55 CET 2002 [

mpd only let outbound packets flowing

he link, I only see outbound packets on ng0 (tcpdump) but no responses. I've dug the list archives but haven't found any similar case. Any idea, or required information ? TIA Eric Masson -- On m'a souvent dit que Club-Internet censurait les groupes (des abonnés de Wan

Re: Cjc's Ipfilter/Bridge patch

>>>>> "Crist" == Crist J Clark <[EMAIL PROTECTED]> writes: Crist> No, it's not there. I've just been way to busy with my day-job Crist> to do much FreeBSD work for the last few months. Welcome to the real world :) Crist> But I'll

Re: Cjc's Ipfilter/Bridge patch

And found the following comment in /sys/net/bridge.c #if 0 /* XXX bridge+ipfilter not yet supported in RELENG_4 */ #include/* for ipfilter */ #endif But maybe I'm wrong. Regards Eric Masson -- B > Ah ben bravo ! a quand l'html dans les entetes ? CB> Hein ? tu lis pas l'

Cjc's Ipfilter/Bridge patch

Hello, I'd like to know whether the ipf/bridge patch located at : http://people.freebsd.org/~cjc/ could be merged in the tree (-current then MFC) ? Is there any showstopper ? TIA Eric Masson -- (...) mais le niveau des eaux a été l'oeuvre de grandes vallée dut aux glissements d

Re: FEC : ng_fec & ng_one2many

net), as soon as it's possible for me to get at the office where the box is located (Real Work overhead at the moment). Julian> it needs someone to write a man page.. Never done that before, but I could take a look. Eric Masson -- hier j ai sans le vouloirs j'ai envoyé un v

FEC : ng_fec & ng_one2many

_fec support been dropped ? If not, could it be imported in the main source tree ? If yes, is there any plan to support FEC in ng_one2many ? Thanks in advance Eric Masson -- Je laisse le poste au complet ... Dite moi un peut ou il a répondu ??? Pourquoi remettre un poste sans commentaire ... avait