Displaying 6 results from an estimated 6 matches for "ipencap".
2004 Apr 03
0
IPSec Racoon and Port Forwarding
...____|priv_int 192.168.122.254
|
|
|
------------------
192.168.122.0/24
Here is what I have in ipsec.conf on VPN Gateway (1):
flush;
spdflush;
spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
ifconfig output:
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.121.253 netmask 0xffffff00 broadcast 192.168.121.255...
2003 May 11
1
HEADS UP: ipsec packet filtering change
...net}.24/28
tlp1 192.168.0.1/24
gif0 ${mynet}.24 -> ${mynet}.27
tunnel 192.168.0.1 -> 192.168.0.2
I did this so I could test the tunneling and the firewalling, and then
introduce IPSec after I knew all that was working. Fred's firewall at
this point would pass only ipencap packets over ep0, and I filtered
the untunneled traffic on gif0. That worked just fine; fred's
firewall saw both incoming and outgoing traffic on gif0 and filtered
it.
But then I turned on IPSec AH between 192.168.0.1 and 192.168.0.2, and
changed fred's firewall to pass ah instead of ipen...
2007 Mar 07
1
freebsd vpn server behind nat dsl router
Hello Greg,
I am writing you, because I saw your responses to a couple of messages on
the freebsd-security mailing list related to freebsd vpn and nat.
My situation is rather unique, and I am needing an expert's eyes to
glance at it and confirm whether it is doable or not. I have a simple
diagram that illustrates what I am trying to do, and it is located here
(about 40k):
2007 Mar 16
0
freebsd-security Digest, Vol 201, Issue 2
...roto-4)
>> 14:06:54.595071 IP 190.41.95.135 >
>> client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq
>> 1520, \
>> length 64 (ipip-proto-4)
>
> Firstly have you set your DSL routers up to nat the ipencap protocol
> back to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP
> or UDP payload, so you will probably need a pretty advanced router
> to do
> this). The packets you see here are not protected by IPSEC; they are
> just plain old IPENCAP packets. If they were IPSE...
2004 Jul 26
1
Cisco IOS and racoon
...algorithm deflate;
}
</racoon.conf>
My spdadd
<spdadd>
#! /bin/sh
#spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
#spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
case "$1" in
start)
setkey -F
setkey -FP
setkey -c <<EOF
spdadd 10.0.10.0/24 10.0.3.0/24 ipencap -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.0.3.0/24 10.0.1.0/24 ipencap -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;
EOF
;;
stop)
setkey -F
setkey -FP
;;
*)
echo "Usage: `basename $0` {start|stop}" >&2
;;
esac
exit 0
</spdadd>
My racoon error.log...
2003 Apr 30
6
how to configure a FreeBSD firewall to pass IPSec?
I have a FreeBSD box acting as a firewall and NAT gateway
I would like to set it up to transparently pass IPSec packets -- I have
an IPSec VPN client running on another machine, connecting to a remote network.
Is there a way to do this? I can't find any hints in the man pages.