Subject: Re: VPN IPSec
To: Christian Palomino <zakhrin@freeshell.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 10/09/2003 21:42:54
>>>>> "Christian" == Christian Palomino <zakhrin@freeshell.org> writes:
    Christian> I'd like to be able to set up some mobile users with NetBSD
    Christian> also. I've got IPSec with racoon IKE working properly, but I
    Christian> can't get the point in how to set up the "virtual" internal IP
    Christian> to be "inside" my company's WAN.  Should I set up routed in my
    Christian> laptop and route myself through the tunnel, setting my
    Christian> "virtual" IP address as an alias in my ifconfig?

  Yes, set up the "virtual" address as an alias on the 'lo0' device.
  Then, configure the route with "setkey":

  In this case, my IP is 192.168.1.24, and remote network is 192.168.1.0/24.
  The gateway is XXXX, and ${myip} is set by dhclient through some scripts.

spdadd 192.168.1.24/32 192.168.1.0/24 any -P out ipsec esp/tunnel/${myip}-XXXX/require;
spdadd 192.168.1.0/24 192.168.1.24/32 any -P in ipsec  esp/tunnel/XXXX-${myip}/require;

  then... and here is the *tricky bit* (you wind the film backwards...)

  route add -net 192.168.1.0 -iface 192.168.1.24 -mtu 1400

  This means that when you talk to 192.168.1.0/24, you'll use 192.168.1.24
  as the source address.

] Train travel features AC outlets with no take-off restrictions|  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
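An added example (not part of Michael's message) that builds the three pieces he describes, the lo0 alias, the spdadd pair and the -iface route, and checks an SPD pair for the mistakes that silently break this setup: inbound and outbound policies that are not mirror images, a route that pins a source the outbound policy does not match, and a tunnel endpoint that lies inside the tunnelled network (so ESP packets would be routed back into the tunnel). The outer addresses 198.51.100.7 (${myip}) and 203.0.113.1 (the XXXX gateway) are constructed stand-ins.

```python
import ipaddress

def spd_pair(virtual_ip, inner_net, my_ip, gateway):
    """Return the (out, in) spdadd lines for a tunnel-mode ESP policy."""
    out_line = (f"spdadd {virtual_ip}/32 {inner_net} any -P out ipsec "
                f"esp/tunnel/{my_ip}-{gateway}/require;")
    in_line = (f"spdadd {inner_net} {virtual_ip}/32 any -P in ipsec "
               f"esp/tunnel/{gateway}-{my_ip}/require;")
    return out_line, in_line

def host_commands(virtual_ip, inner_net, mtu=1400):
    """lo0 alias plus the 'film backwards' -iface route that pins the source."""
    net = ipaddress.ip_network(inner_net)
    return [f"ifconfig lo0 alias {virtual_ip} netmask 255.255.255.255",
            f"route add -net {net.network_address} -iface {virtual_ip} -mtu {mtu}"]

def parse_spd(line):
    """Parse 'spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/A-B/LEVEL;'."""
    t = line.strip().rstrip(";").split()
    proto, mode, ends, level = t[7].split("/")
    a, b = ends.split("-")
    return {"src": t[1], "dst": t[2], "dir": t[5], "mode": mode,
            "tun_src": a, "tun_dst": b}

def check_policy(out_line, in_line, route_iface, inner_net):
    """Return a list of problems; empty when the configuration is consistent."""
    o, i = parse_spd(out_line), parse_spd(in_line)
    net = ipaddress.ip_network(inner_net)
    problems = []
    if (o["dir"], i["dir"]) != ("out", "in"):
        problems.append("policy directions are not out/in")
    if (o["src"], o["dst"]) != (i["dst"], i["src"]):
        problems.append("inner selectors of the in policy do not mirror the out policy")
    if (o["tun_src"], o["tun_dst"]) != (i["tun_dst"], i["tun_src"]):
        problems.append("tunnel endpoints of the in policy do not mirror the out policy")
    if o["src"] != f"{route_iface}/32":
        problems.append("the -iface route picks a source the out policy does not match")
    for name in ("tun_src", "tun_dst"):  # outer addresses must stay outside the inner net
        if ipaddress.ip_address(o[name]) in net:
            problems.append(f"{name} {o[name]} lies inside {inner_net}: "
                            "ESP packets would be routed back into the tunnel")
    return problems

if __name__ == "__main__":
    out_l, in_l = spd_pair("192.168.1.24", "192.168.1.0/24", "198.51.100.7", "203.0.113.1")
    for line in (out_l, in_l, *host_commands("192.168.1.24", "192.168.1.0/24")):
        print(line)
    print(check_policy(out_l, in_l, "192.168.1.24", "192.168.1.0/24"))
```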