Re: Linkproof or Fatpipe with FreeBSD?

From: Julian Elischer (julian_at_elischer.org)
Date: 05/28/03

    Date: Wed, 28 May 2003 14:05:06 -0700 (PDT)
    To: "BRA-SAO-Verzolla,David" <dverzolla@impsat.com.br>

    On Wed, 28 May 2003, BRA-SAO-Verzolla,David wrote:

    > Hi, Does anybody know if there is possible to make a clone of these
    > hardwares with a FreeBSD box? (set of scripts + ipfw + ... )?
    >
    > http://www.westlakecom.com/linkproof.htm
    > http://www.fatpipeinc.com
    >

    Yes, I have done similar:

    Basically:

    Set up two machines, one at each end of the VPN.

    Order two links to the internet, from two different national ISPs. Say,
    for example, that we use Sprint and AT&T; then packets going from the
    Sprint connection at one site will stay totally within the Sprint
    network while traversing to the Sprint connection at the other site.
    Similarly the AT&T packets will stay within AT&T the whole path.

    Then I set up ipsec so that there is a security association between
    each pair of matching interfaces. I run racoon, set up to keep the
    connections running on different keys. I only allow UDP packets
    to the far end to be encrypted; all else is discarded.

    Now I set the firewall (ipfw) to block ALL packets in and out of the
    interfaces except for IPSEC (ESP) packets (and udp-500, IKE)
    that are going to or coming from the other end. All other packets are
    rejected.

    I then run mpd (from ports) running in multilink mode
    and I set its link type to be via UDP sockets. The UDP sockets are
    'connected' to fixed ports at the far end. Mpd creates
    an 'ng0' interface. I assign a 10.x.x.x address to each ng interface
    and set up the routes in the mpd setup so that the route to each site is
    via the ng0 interface....

    Mpd will automatically fail-over to using only one of the links if the
    other goes down, and it will start using it again when it comes back
    again. If I wanted to use mpd's encryption, then I would have double
    encryption..

                        /-[udp-socket]---[IPSEC]--[ISP1]---
    [local-net]<-->[mpd]
                        \-[udp-socket]---[IPSEC]--[ISP2]---

    I started to write a netgraph node to do the job of mpd
    but I never got good enough behaviour out of it..
    it would be possible but I ran out of time.. Mpd does the job ok
    and it does things like set up the routes..

    Julian

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
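The per-link firewall and IPsec policy described in the post, written out as an added example (a constructed shell script, not Julian's configuration): on each WAN interface only ESP and IKE to and from the matching peer address passes, and the IPsec SPD protects only the UDP traffic between the two mpd sockets. Interface names (em0/em1), the documentation-range addresses, rule numbers and UDP port 5000 are assumptions; racoon keying and the mpd setup are not shown.

```shell
#!/bin/sh
# Added example, not Julian's own configuration: emit the per-link ipfw
# rules and setkey SPD entries his description implies. On each WAN
# interface only ESP and IKE (UDP/500) to/from the matching peer passes;
# the SPD protects only the UDP traffic between the two mpd sockets, so
# nothing else can leave the interface unencrypted. Interface names,
# addresses, rule numbers and the UDP port are constructed placeholders.

# gen_ipfw_rules IFACE PEER_WAN_IP BASE_RULENUM -> ipfw rule lines
gen_ipfw_rules() {
    iface=$1 peer=$2 n=$3
    printf 'add %d allow esp from %s to me via %s\n'         "$n"       "$peer" "$iface"
    printf 'add %d allow esp from me to %s via %s\n'         $((n + 1)) "$peer" "$iface"
    printf 'add %d allow udp from %s 500 to me 500 via %s\n' $((n + 2)) "$peer" "$iface"
    printf 'add %d allow udp from me 500 to %s 500 via %s\n' $((n + 3)) "$peer" "$iface"
    # default deny for this interface: anything that is not ESP or IKE
    # between the two peers is dropped and logged
    printf 'add %d deny log ip from any to any via %s\n'     $((n + 4)) "$iface"
}

# gen_spd LOCAL_WAN_IP PEER_WAN_IP UDP_PORT -> setkey SPD lines for one link
gen_spd() {
    local_ip=$1 peer=$2 port=$3
    printf 'spdadd %s[%s] %s[%s] udp -P out ipsec esp/transport//require;\n' \
        "$local_ip" "$port" "$peer" "$port"
    printf 'spdadd %s[%s] %s[%s] udp -P in ipsec esp/transport//require;\n' \
        "$peer" "$port" "$local_ip" "$port"
}

# One site with two ISP links; each link gets its own rule-number block so
# it can be flushed and reloaded independently.
gen_site_ipfw() {
    gen_ipfw_rules em0 203.0.113.210 1000   # ISP1 link, peer's ISP1 address
    gen_ipfw_rules em1 198.51.100.210 2000  # ISP2 link, peer's ISP2 address
}

gen_site_spd() {
    gen_spd 203.0.113.10 203.0.113.210 5000   # mpd UDP link over ISP1
    gen_spd 198.51.100.10 198.51.100.210 5000 # mpd UDP link over ISP2
}

# Load with: gen_site_ipfw > /etc/ipfw.rules && ipfw /etc/ipfw.rules
#            gen_site_spd | setkey -c
gen_site_ipfw
gen_site_spd
```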

