Date:      Fri, 12 Apr 2013 12:27:48 +0700
From:      Eugene Grosbein <egrosbein@rdtc.ru>
To:        Karl Denninger <karl@denninger.net>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: IKEv2/IPSEC "Road Warrior" VPN Tunneling?
Message-ID:  <51679B54.2060908@rdtc.ru>
In-Reply-To: <516739C9.4080902@denninger.net>
References:  <516739C9.4080902@denninger.net>

12.04.2013 05:31, Karl Denninger пишет:
> Is there a "cookbook" for setting this up?  There are examples for
> setting up a tunnel between two fixed-address networks (e.g. a remote
> LAN that needs to be "integrated" with a central LAN over IPSec but I
> can't find anything addressing the other situation -- remote user(s)
> where the connecting IPs are not known in advance, such as a person with
> a laptop or smartphone in a random hotel.
> 
> (And is there a better list for this in the freebsd-* paradigm for the
> question?)

Moving to freebsd-net@

You'll need to install the port security/ipsec-tools for IKE protocol support.
This port contains the racoon daemon; here is a sample racoon.conf:

# Sample racoon.conf (security/ipsec-tools) for an IPsec responder that
# accepts peers whose addresses are not known in advance ("road warriors").
# NOTE(review): racoon implements IKEv1 (ISAKMP); the phase1/phase2
# settings below are IKEv1 settings, not IKEv2.

# Pre-shared keys, one "identifier key" pair per line. Keep this file
# owned by root with no group/world read permission; racoon is expected
# to reject a PSK file with looser permissions -- confirm on your version.
path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";
# "debug" is very verbose and records negotiation details; drop to a
# lower level (e.g. "notify") once the tunnel is working.
log     debug;

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;              # retransmissions before giving up
        interval        20 sec;         # delay between retransmissions
        persend         1;              # packets sent per transmission
        phase1          30 sec;         # time limit for a phase 1 negotiation
        phase2          15 sec;         # time limit for a phase 2 negotiation
}

listen  # address [port] that racoon will listen on
{
        # X.X.X.X / Y.Y.Y.Y are placeholders for this gateway's own
        # addresses (UDP 500 = ISAKMP).
        isakmp          X.X.X.X [500];
        isakmp          Y.Y.Y.Y [500];
        # NAT-Traversal listener (UDP 4500). Left disabled here; peers
        # behind NAT (hotel/mobile networks) need it enabled.
#       isakmp_natt     Z.Z.Z.Z [4500];
        # Control socket for racoonctl; root:wheel 0600 keeps it away
        # from unprivileged local users.
        adminsock       "/var/db/racoon/racoon.sock" "root" "wheel" 0600;
}

# "anonymous" matches any peer address, which is what allows peers
# with unknown source IPs to negotiate phase 1 against this template.
remote  anonymous               # just template
{
        # Exchange modes accepted as responder. With pre_shared_key,
        # aggressive mode sends the PSK-derived authentication hash
        # before encryption is established, so a captured exchange allows
        # offline guessing of the PSK: use a long random PSK, or switch
        # to certificate authentication (authentication_method rsasig).
        exchange_mode           aggressive,main,base;
        doi                     ipsec_doi;
        situation               identity_only;
        # Identity this gateway presents; peers' identities are checked
        # against the configured value (verify_identifier on).
        my_identifier           fqdn "mydomain.net";
        verify_identifier       on;
        mode_cfg                off;    # no address/DNS push to clients
        lifetime                time 1 hour;   # phase 1 SA lifetime
        ike_frag                on;     # allow fragmented IKE messages
        passive                 on;     # respond only, never initiate
        # "obey": as responder, accept the initiator's lifetime/PFS values.
        proposal_check          obey;
        # SPD entries are generated from the peer's phase 2 proposal,
        # because the peer's address/selectors cannot be configured ahead
        # of time; "unique" is the generated policy's SA level -- check
        # racoon.conf(5) for its exact effect on your version.
        generate_policy         unique;
        # Optional hooks run when phase 1 comes up / goes down.
#       script "/usr/local/etc/racoon/phase1" phase1_up;
#       script "/usr/local/etc/racoon/phase1" phase1_down;

        # Legacy phase 1 proposal: 3DES, MD5 and DH group 1 (768-bit MODP)
        # are all considered weak today; keep it only for clients that
        # cannot do better, and prefer the proposal below.
        proposal {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           12 hour;
                dh_group                1;
        }
        # Stronger cipher, but still DH group 1; where clients support it,
        # a larger group (e.g. 14, 2048-bit MODP) and a SHA-2 hash are
        # preferable.
        proposal {
                encryption_algorithm    aes 256;
                hash_algorithm          sha1;
                authentication_method   pre_shared_key;
                lifetime time           1 hour;
                dh_group                1;
        }
}

# Phase 2 (IPsec SA) parameters offered to any peer/selector.
sainfo anonymous
{
        pfs_group                       1;      # PFS with DH group 1 (weak, see above)
        lifetime time                   1 hour; # phase 2 SA lifetime
        # Ciphers offered to the peer, in order. Single DES (56-bit key)
        # is broken and should be removed unless a client truly requires it.
        encryption_algorithm            aes,3des,des;
        authentication_algorithm        hmac_sha1,hmac_md5;
        compression_algorithm           deflate;        # IPComp
}


