# VPN between two networks



## nerozero (Jan 29, 2018)

Hello everyone,

I'm trying to build my first VPN tunnel between 2 gateways, both running FreeBSD 11.1.

my question, is this manual still consistent? 

Making a tunnel - its easy,but when I try to apply encryption as it shown in handbook - tunnel stops working ... 

according to that manual ipsec.conf on host1(public IP - A.B.C.D) and host 2 (oublic ip W.X.Y.Z)
host1:

```
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
```

host2:

```
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
```

both machines has appropriate ip key pair in psk.txt

the problem is that right after I run on both machines :
`# setkey -f ipsec.conf`

tunnel stops working. tcpdump shows nothing. Literally no packets passing thew gif0 nor between A.B.C.D W.X.Y.Z

What  am I doing wrong ? 

Thanks


----------



## nerozero (Jan 29, 2018)

Sorry somehow added second copy of this post (pressed backslash in edit and forward in browser ....), moderator  please remove this post...


----------



## sko (Jan 29, 2018)

Did you look at the URL you posted? This was written for 6.2-RELEASE so the answer to your question should be obvious....

Just use the current version of the Handbook:
https://www.freebsd.org/doc/handbook/ipsec.html


----------



## nerozero (Jan 29, 2018)

Thank you so much I didn't noticed that that was for 6.2 page  ...  ! I will try that tomorrow ..


----------



## ShelLuser (Jan 29, 2018)

Although IPSec support is quite solid my personal preference is not using the system libraries and featureset but instead rely on security/openvpn. This has _many_ advantages. For starters, the obvious one: if a problem is found somewhere then it will be a lot easier to rebuild a port than it is to rebuild your base system. OpenVPN utilizes OpenSSL and that too can be used in two different ways: either using the version in the base system or you can rely on the ports collection, for the same reasons given above.

Another major advantage is that OpenVPN provides better ways to set up VPN's, including (but not limited to) tunneling practices which can even create options to set up a VPN through a NAT connection.

The best part is that OpenVPN is available on basically every platform, which can make this a really versatile tool. Check out the website.


----------



## herrbischoff (Jan 29, 2018)

I second the recommendation for OpenVPN. I manage quite a few machines and networks and I use it everywhere. The cross-platform aspect makes for easy integration between different system.

To give it a go, you may be interested in a TL;DR style rundown I created some time ago of how to get it working on FreeBSD: https://github.com/herrbischoff/cheatsheets/blob/master/openvpn.md

An alternative for connecting several networks could be tinc (https://www.tinc-vpn.org). I had some success with it but setting it up is a little convoluted.


----------



## nerozero (Jan 30, 2018)

Guys ! Thank you so much!

Yesterday I'm already installed OpenVPN and its working! now I'm looking into network<->network tunneling.
My next question - will it be a good idea to reserve some IP range from base(internal) network on the server and give IP's from that range to VPN Clients to avoid NATing?


----------



## sko (Jan 30, 2018)

For multi-node VPNs where a mesh network is more suited I can also recommend tincd(8).
We're using it to connect our main site and branches e.g. for remote applications and telephony. Its very fast and (IMHO) easy to set up, automated deployment is extremely simple due to identical configuration except for ~3-4 values in the main config file. Tunnels can be routed (L3) or switched (L2), so it is easily possible to span VLANs over multiple sites.


----------



## nerozero (Feb 2, 2018)

Finally OpenVPN is configured and I have successfully connected two networks. Thank you guys!
Now my question is - what is the right way to add static routes on both sides after connection is established?


----------



## nerozero (Feb 2, 2018)

never mind, config parameters : up <script> / route-up <script> ... thanks


----------

