Date: Tue, 12 Jun 2007 16:29:32 +0200 From: Marc Fonvieille <blackend@freebsd.org> To: Poul-Henning Kamp <phk@phk.freebsd.dk> Cc: gnn@freebsd.org, doc@freebsd.org Subject: Re: HOWTO setup a simple IPSEC tunnel Message-ID: <20070612142932.GA995@gothic.blackend.org> In-Reply-To: <40691.1181640095@critter.freebsd.dk> References: <40691.1181640095@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jun 12, 2007 at 09:21:35AM +0000, Poul-Henning Kamp wrote: > > Feel free to use whereever... > > How to set up an IPSEC tunnel between two FreeBSD machines. > ----------------------------------------------------------- > > Replace these with your own parameters below: > ${MY_IP_ADDRESS} > ${OTHER_IP_ADDRESS} > ${MYHOSTNAME} > ${OTHERHOSTNAME} > > Do the obvious MY<->OTHER flip in the other end of the tunnel. > > Install ports/security/ipsec-tools > > Add kernel options (or kldload): > > device gif > device crypto > options FAST_IPSEC > > If you have a HiFn cryptoboard (ie: Soekris NET14xx) also add: > > device hifn > > In your /etc/rc.conf: > > gif_interfaces="gif0" > > gifconfig_gif0="${MY_IP_ADDRESS} ${OTHER_IP_ADDRESS}" > ifconfig_gif0="192.168.48.22 192.168.48.21 netmask 255.255.255.252" > > ipsec_enable=YES > ipsec_file=/etc/setkey.conf > > racoon_enable=YES > > You can use whatever addresses you want instead of 192.168.48.{21,22}, just > make sure to select them as the middle two in a /30 network. In other > words, the last byte of the IP numbers must be "N * 4 + 1" and "N * 4 + 2". > > If you do not plan on running a routing daemon (routed(8) and such) > you can use any two IP# as long as you remove the "netmask 255..." bit. > > Create /etc/setkey.conf containing: > > spdflush; > spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require; > spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require; > > This means: I want IPSEC on all IP-IP protocol packets. IP-IP is what > gif tunnels use and it has IP protocol 4 (see /etc/protocols). > > Create /etc/racoon_psk.txt containing: > > ${MYHOSTNAME} ${PASSWORD} > ${OTHERHOSTNAME} ${PASSWORD} > > Make sure it has mode r--: > > chmod 400 /etc/racoon_psk.txt > > It's ok to use the same password for both hosts, it's easier that way. > > A good way to find passwords for this kind of stuff is: > strings -16 < /dev/random > > Create /usr/local/etc/racoon/racoon.conf containing: > > path pre_shared_key "/etc/racoon_psk.txt" ; > > remote anonymous > { > exchange_mode aggressive; > my_identifier fqdn ${MYHOSTNAME} > > lifetime time 24 hour ; > proposal { > encryption_algorithm 3des; > hash_algorithm sha1; > authentication_method pre_shared_key ; > dh_group 2 ; > } > } > > sainfo anonymous > { > pfs_group 2; > lifetime time 12 hour ; > encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ; > authentication_algorithm hmac_sha1, hmac_md5 ; > compression_algorithm deflate ; > } > Interesting. One should look how this can be used with http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html (which I suspect to contain wrong/outdated infos). -- Marc
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070612142932.GA995>