From: Mike Tancsa (mike_at_sentex.net)
Date: Thu Sep 12 2002 - 13:10:27 CDT


    Again, I saw this question asked in my searches through google and mention
    of it on the vendor website, but I had not seen the answer.

    Question: How do I set up a Netopia 910R router to do an IPsec ESP tunnel to
    a FreeBSD box?

    An Answer:

    I was a little disappointed with the throughput results, but nevertheless
    it does work.

    My setup was as follows:

    workstation --------- 910R ---- ........ ---- FreeBSD IPsec ---- workstation
    172.16.0.1/24   172.16.0.2/24  96.0.0.1   1.1.1.1  10.0.0.1/24   10.0.0.2/24
                    (LAN)          (WAN)      (WAN)    (LAN)

    Note, with this setup, I was only able to get 180Kbps using DES and under
    100Kbps using 3DES as the Netopia maxed out its little CPU. I called
    Netopia support and spoke with a Ben. He tried 2 units back to back and
    got roughly the same numbers, so that does seem to be the limiting factor.

    Anyway, the setup:

    On the Netopia,
    Go to the quick menus
    IKE Phase 1 config
    Add IKE profile
    Call it FreeBSDIKE
    Mode = Main
    Auth method = Shared Secret, key = faqdemo, Enc = DES, Hash = MD5, Group = 2.
    Under Advanced: Negotiation = Normal, SA = Newest, Allow Dangling = Yes,
    Phase 1 SA Lifetime = 28000, Send Initial Contact Message = Yes,
    Include Vendor ID Payload = Yes, Independent Phase 2 Re-keys = Yes,
    Strict Port Policy = No.

    Back up to quick menu
    Add Connection Profile
    Profile name = FreeBSD
    Profile enable = Yes
    Encaps = IPSEC
    Go to Encaps options
    Key management = IKE
    IKE Phase 1 Profile, choose the one you created before (FreeBSDIKE)
    Encaps = ESP
    ESP Transform = DES
    ESP Auth transform = HMAC-MD5-96

    Up one level and down to IP Profile Params.
              Remote Tunnel Endpoint: 1.1.1.1
              Remote Member Format... Subnet
              Remote Member Address: 10.0.0.0
              Remote Member Mask: 255.255.255.0
              Local Member Format... Subnet
              Local Member Address: 172.16.0.0
              Local Member Mask: 255.255.255.0
              Address Translation Enabled: No
              Filter Set... <<None>>
              Remove Filter Set
              NetBIOS Proxy Enabled No

    On the FreeBSD side of things,

             # Flush the SAD and the SPD, then load one tunnel policy per direction.
             # Level "use": encrypt when an SA exists, otherwise the packet goes
             # in the clear; "require" would refuse to pass unprotected traffic.
             setkey -F
             setkey -FP
             setkey -c <<EOF
             spdadd 10.0.0.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/1.1.1.1-96.0.0.1/use;
             spdadd 172.16.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/96.0.0.1-1.1.1.1/use;
             EOF

    And the racoon.conf entry. The phase 1 proposal must match the Netopia IKE
    profile above (main mode, DES, MD5, group 2, lifetime 28000); the pre-shared
    key itself (faqdemo) is read from the file named by path pre_shared_key,
    keyed on the peer address 96.0.0.1.

    # Phase 1 (IKE) settings for the Netopia peer
    remote 96.0.0.1
    {
             exchange_mode main;
             doi ipsec_doi;
             #situation identity_only;
             my_identifier address 1.1.1.1;
             #generate_policy off;
             nonce_size 16;
             lifetime time 28000 sec; # sec,min,hour - matches the Netopia Phase 1 SA Lifetime
             initial_contact on;
             support_mip6 on;
             proposal_check obey; # obey, strict or claim

             proposal {
                     encryption_algorithm des;
                     hash_algorithm md5;
                     authentication_method pre_shared_key ;
                     dh_group 2 ;
             }
    }

    # Phase 2 (IPsec SA) settings; matches ESP DES / HMAC-MD5-96 on the Netopia
    sainfo anonymous
    {
             pfs_group 1;
             lifetime time 60 sec;
             encryption_algorithm des ;
             authentication_algorithm hmac_md5;
             compression_algorithm deflate;
    }

            ---Mike
    --------------------------------------------------------------------
    Mike Tancsa, tel +1 519 651 3400
    Sentex Communications, mike@sentex.net
    Providing Internet since 1994 www.sentex.net
    Cambridge, Ontario Canada www.sentex.net/mike

    To Unsubscribe: send mail to majordomo@FreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message
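The two things that most often go wrong with a setup like the one above are an SPD whose "in" rule is not the exact mirror of the "out" rule, and IKE phase 1 parameters that differ between the router profile and racoon's proposal. The following is an added example, not code from the post or from Netopia/racoon: it renders the setkey policy for the post's topology, parses it back and checks the mirroring, and pulls the phase 1 parameters out of a trimmed copy of the post's racoon "remote" block to compare them against the Netopia profile. The helper names, the NETOPIA_IKE field names and the RACOON_REMOTE snippet are this example's own constructions. It also flags the policy level: the post uses "use", which lets packets between the two LANs travel in the clear whenever no SA is up, while "require" drops them instead.

```python
"""Render and cross-check the FreeBSD side of a Netopia 910R <-> FreeBSD IPsec
tunnel. Added example; helper names and the embedded snippets are our own."""
import re
from dataclasses import dataclass

# Addresses from the post's diagram.
FREEBSD_GW, NETOPIA_GW = "1.1.1.1", "96.0.0.1"
FREEBSD_NET, NETOPIA_NET = "10.0.0.0/24", "172.16.0.0/24"

# The Netopia IKE phase 1 profile as the post configures it (field names are ours).
NETOPIA_IKE = {"mode": "main", "enc": "des", "hash": "md5",
               "group": "2", "lifetime": "28000"}

# Trimmed copy of the post's racoon.conf "remote" block, embedded as sample input.
RACOON_REMOTE = """
remote 96.0.0.1
{
        exchange_mode main;
        lifetime time 28000 sec;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
"""


def render_spd(local_gw, remote_gw, local_net, remote_net, level="require"):
    """setkey SPD text for one tunnel, one rule per direction.

    level "use" (what the post shows) lets packets pass in cleartext when no SA
    exists; "require" drops them instead, which is what a VPN should do."""
    return (f"spdadd {local_net} {remote_net} any -P out ipsec "
            f"esp/tunnel/{local_gw}-{remote_gw}/{level};\n"
            f"spdadd {remote_net} {local_net} any -P in ipsec "
            f"esp/tunnel/{remote_gw}-{local_gw}/{level};\n")


SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;")


@dataclass
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    tun_src: str
    tun_dst: str
    level: str


def parse_spd(text):
    """Parse 'spdadd ... esp/tunnel/...' rules (the only form the post uses)."""
    return [Policy(*m.groups()) for m in SPD_RE.finditer(text)]


def spd_problems(policies):
    """Problems with a tunnel's SPD: the in rule must mirror the out rule
    (selectors and tunnel endpoints swapped) and the level should be require."""
    outs = [p for p in policies if p.direction == "out"]
    ins = [p for p in policies if p.direction == "in"]
    if len(outs) != 1 or len(ins) != 1:
        return [f"expected one out and one in rule, got {len(outs)} out / {len(ins)} in"]
    o, i = outs[0], ins[0]
    problems = []
    if (i.src, i.dst) != (o.dst, o.src):
        problems.append("in rule selectors are not the mirror of the out rule")
    if (i.tun_src, i.tun_dst) != (o.tun_dst, o.tun_src):
        problems.append("in rule tunnel endpoints are not the mirror of the out rule")
    levels = {o.level, i.level}
    if levels != {"require"}:
        problems.append(f"policy level '{'/'.join(sorted(levels))}' allows "
                        "cleartext when no SA exists; use 'require'")
    return problems


def racoon_phase1(conf):
    """Extract phase 1 parameters from a racoon 'remote' block. Simplified:
    assumes a single remote block with a single proposal, as in the post."""
    def grab(pattern):
        m = re.search(pattern, conf)
        return m.group(1) if m else None
    return {"mode": grab(r"exchange_mode\s+(\w+)\s*;"),
            "enc": grab(r"encryption_algorithm\s+(\w+)\s*;"),
            "hash": grab(r"hash_algorithm\s+(\w+)\s*;"),
            "group": grab(r"dh_group\s+(\d+)\s*;"),
            "lifetime": grab(r"lifetime\s+time\s+(\d+)\s+sec\s*;")}


def phase1_mismatches(racoon_conf, netopia_profile):
    """Settings on which racoon and the Netopia profile disagree. A differing
    algorithm or group fails main mode outright; lifetimes are worth matching
    too (racoon's proposal_check decides how strict it is about them)."""
    rc = racoon_phase1(racoon_conf)
    return [f"{k}: racoon {rc.get(k)} vs netopia {v}"
            for k, v in netopia_profile.items() if rc.get(k) != v]


if __name__ == "__main__":
    spd = render_spd(FREEBSD_GW, NETOPIA_GW, FREEBSD_NET, NETOPIA_NET, "use")
    print(spd)
    print("SPD problems:", spd_problems(parse_spd(spd)))
    print("Phase 1 mismatches:", phase1_mismatches(RACOON_REMOTE, NETOPIA_IKE))
```

The algorithms checked here (DES, MD5, DH group 2) are what the 910R offers and what the post negotiates; on any peer that supports it, the same comparison should be done against AES and SHA-2 proposals, since single DES is a 56-bit cipher. The phase 2 side (ESP DES / HMAC-MD5-96 versus the sainfo block) can be compared the same way.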