The FreeBSD Diary
Providing practical examples since 1998

VLAN with pipsecd
7 July 2000
Philip Hallstrom wrote with this article on setting up a virtual LAN. It's also known as a VPN (virtual private
Thank you Philip.
I've had to set up two secure VPNs between FreeBSD boxes now. The first time I didn't document my steps -- figuring I'd remember :) -- which I didn't. I just finished setting up the second one, and as it happened I also noticed several posts to c.u.b.f.m asking about setting up secure VPNs using FreeBSD, so I thought I'd write up what I did. So, here it is.
A VPN (virtual LAN) allows you to treat two physically separate networks as though they were on the same network. At least that's how I understand it. What's cool about this is that it allows my home network and my office network to appear to be one contiguous network allowing me to work from one or the other without a lot of differences.
I'm going to use the following fictitious networks to illustrate my steps. Below we have two separate networks whose gateways (or routers, or firewall/natd boxes, etc.) are gw1 and gw2. Our goal is to make it appear to the machines on either LAN that it is one seamless network. Additionally, we want any data that is transferred between the two networks to be secure (encrypted). We do that by setting up a secure tunnel.

(Note: In my case, gw1 is 3.4 and gw2 is 4.0. I believe there are other ways to do this using an all-4.0 solution, but that doesn't work for me.)
              ___________                                      ___________
             |           |                                    |           |
    10.0.0.1- gw1 -22.214.171.124 <---> 126.96.36.199- gw2 -10.1.0.1
    (LAN)    |           | (Internet)         (Internet) |           |    (LAN)
             |___________|                                    |___________|
                   |                                                |
               10.2.0.1 <------------ encrypted ------------> 10.2.0.2
               (tunnel)                                          (tunnel)
At this point machines on either LAN should be able to connect to machines on the other LAN -- that is, host 10.0.0.2 should be able to ping 10.1.0.2 provided that they are both on.
For some reason the gateways themselves will not be able to talk to each other. When I set up my first VPN they could, but I must have changed something by accident and now they can't. But it's not that big of a deal, because you shouldn't be connecting from/to your gateways very much anyway.

I max out the 512K DSL connection easily transferring between these servers (encryption and all). "Home 1" also runs Apache, Samba, netatalk, mysql, DNS, SMTP, POP, firewall, natd, and dhcp without problems.
In other words, you *don't* need beefy hardware.