From owner-freebsd-doc@FreeBSD.ORG Tue Jun 12 14:29:44 2007
Date: Tue, 12 Jun 2007 16:29:32 +0200
From: Marc Fonvieille
To: Poul-Henning Kamp
Cc: gnn@freebsd.org, doc@freebsd.org
Subject: Re: HOWTO setup a simple IPSEC tunnel
Message-ID: <20070612142932.GA995@gothic.blackend.org>
In-Reply-To: <40691.1181640095@critter.freebsd.dk>
List-Id: Documentation project

On Tue, Jun 12, 2007 at 09:21:35AM +0000, Poul-Henning Kamp wrote:
> 
> Feel free to use wherever...
> 
> How to set up an IPSEC tunnel between two FreeBSD machines.
> -----------------------------------------------------------
> 
> Replace these with your own parameters below:
> ${MY_IP_ADDRESS}
> ${OTHER_IP_ADDRESS}
> ${MYHOSTNAME}
> ${OTHERHOSTNAME}
> 
> Do the obvious MY<->OTHER flip in the other end of the tunnel.
> 
> Install ports/security/ipsec-tools
> 
> Add kernel options (or kldload):
> 
>     device gif
>     device crypto
>     options FAST_IPSEC
> 
> If you have a HiFn cryptoboard (i.e. Soekris NET14xx) also add:
> 
>     device hifn
> 
> In your /etc/rc.conf:
> 
>     gif_interfaces="gif0"
> 
>     gifconfig_gif0="${MY_IP_ADDRESS} ${OTHER_IP_ADDRESS}"
>     ifconfig_gif0="192.168.48.22 192.168.48.21 netmask 255.255.255.252"
> 
>     ipsec_enable=YES
>     ipsec_file=/etc/setkey.conf
> 
>     racoon_enable=YES
> 
> You can use whatever addresses you want instead of 192.168.48.{21,22}, just
> make sure to select them as the middle two in a /30 network. In other
> words, the last byte of the IP numbers must be "N * 4 + 1" and "N * 4 + 2".
> 
> If you do not plan on running a routing daemon (routed(8) and such)
> you can use any two IP# as long as you remove the "netmask 255..." bit.
> 
> Create /etc/setkey.conf containing:
> 
>     spdflush;
>     spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
>     spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
> 
> This means: I want IPSEC on all IP-IP protocol packets. IP-IP is what
> gif tunnels use and it has IP protocol 4 (see /etc/protocols).
> 
> Create /etc/racoon_psk.txt containing:
> 
>     ${MYHOSTNAME} ${PASSWORD}
>     ${OTHERHOSTNAME} ${PASSWORD}
> 
> Make sure it has mode r--:
> 
>     chmod 400 /etc/racoon_psk.txt
> 
> It's ok to use the same password for both hosts, it's easier that way.
> 
> A good way to find passwords for this kind of stuff is:
> 
>     strings -16 < /dev/random
> 
> Create /usr/local/etc/racoon/racoon.conf containing:
> 
>     path pre_shared_key "/etc/racoon_psk.txt" ;
> 
>     remote anonymous
>     {
>         exchange_mode aggressive;
>         my_identifier fqdn "${MYHOSTNAME}";
> 
>         lifetime time 24 hour ;
>         proposal {
>             encryption_algorithm 3des;
>             hash_algorithm sha1;
>             authentication_method pre_shared_key ;
>             dh_group 2 ;
>         }
>     }
> 
>     sainfo anonymous
>     {
>         pfs_group 2;
>         lifetime time 12 hour ;
>         encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
>         authentication_algorithm hmac_sha1, hmac_md5 ;
>         compression_algorithm deflate ;
>     }
> 

Interesting. One should look at how this can be used with
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
(which I suspect contains wrong/outdated info).

-- 
Marc
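A helper script, added here and not part of Poul-Henning's HOWTO or the FreeBSD handbook, that generates the per-end rc.conf and setkey.conf fragments from the HOWTO's parameters with the MY<->OTHER flip applied, and checks the two rules the HOWTO states: the inner addresses must be the middle two of a /30, and the PSK file must be mode r--. All function names and the sample addresses used in it are assumptions.

```shell
#!/bin/sh
# Added helper (not from the HOWTO). Function names are this script's own.

# The inner gif addresses must be the middle two of a /30: same first
# three octets, last octets N*4+1 and N*4+2 (in either order).
check_p2p_pair() {
    a_net=${1%.*}; a_host=${1##*.}
    b_net=${2%.*}; b_host=${2##*.}
    [ "$a_net" = "$b_net" ] || return 1
    lo=$a_host; hi=$b_host
    [ "$lo" -lt "$hi" ] || { lo=$b_host; hi=$a_host; }
    [ $((lo % 4)) -eq 1 ] && [ $((hi - lo)) -eq 1 ]
}

# The pre-shared key file must be readable by its owner only (chmod 400);
# ls -ld output is used so this works on both FreeBSD and Linux.
psk_file_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# rc.conf fragment for one end: my_ip other_ip my_inner other_inner
gen_rc_conf() {
    printf 'gif_interfaces="gif0"\n'
    printf 'gifconfig_gif0="%s %s"\n' "$1" "$2"
    printf 'ifconfig_gif0="%s %s netmask 255.255.255.252"\n' "$3" "$4"
    printf 'ipsec_enable="YES"\nipsec_file="/etc/setkey.conf"\n'
    printf 'racoon_enable="YES"\n'
}

# setkey.conf: require ESP on all IP-IP (protocol 4) traffic, both directions.
gen_setkey_conf() {
    printf 'spdflush;\n'
    printf 'spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;\n'
    printf 'spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;\n'
}

# Emit both ends' rc.conf fragments: my_ip other_ip my_inner other_inner.
# The second end gets the MY<->OTHER flip the HOWTO asks for.
gen_both_ends() {
    check_p2p_pair "$3" "$4" || {
        echo "inner addresses $3 and $4 are not the middle pair of a /30" >&2
        return 1
    }
    echo "# end $1";  gen_rc_conf "$1" "$2" "$3" "$4"
    echo "# end $2";  gen_rc_conf "$2" "$1" "$4" "$3"
}
```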