Date: Fri, 17 Feb 2006 17:26:06 +0100 From: =?ISO-8859-1?Q?K=F6vesd=E1n_G=E1bor?= <gabor.kovesdan@t-hosting.hu> To: Mike Tancsa <mike@sentex.net> Cc: freebsd-questions@freebsd.org Subject: Re: Setting up VPN+IPSec+Racoon Message-ID: <43F5F91E.5020005@t-hosting.hu> In-Reply-To: <r08av1dk6pikmg7ac9po76ho5k98jviol5@4ax.com> References: <43F4B5D2.6020303@t-hosting.hu> <r08av1dk6pikmg7ac9po76ho5k98jviol5@4ax.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Tancsa wrote:
>On Thu, 16 Feb 2006 18:26:42 +0100, in sentex.lists.freebsd.questions
>you wrote:
>
>
>
>>Hello,
>>
>>it is the first time I have to set up such configuration. Could you tell
>>me some guidelines? What should I care about? I see there's a chapter in
>>the Handbook about VPN. It mentions the FAST_IPSEC kernel option in
>>
>>
>>>5.X. Should I use this implemetation or the KAME implementation? What
>>>
>>>
>>are the differencies, and what are the advantages, disadvantages of each?
>>If you know some other good tutorial or howto, please let me know.
>>
>>
>>
>
>
>FAST_IPSEC allows for hardware crypto offloading (see man 4 crypto).
>Even without it, the author claims its faster than KAME. However, its
>important to note FAST_IPSEC cannot work with INET6 in the kernel.
>Also, you want to use it mostly with RELENG_6 if possible. Also, dont
>use racoon, better to use ipsec-tools. Its also in the ports.
>
>
>
I meant that port, the binary called racoon there, too.
>As for tutorials, google around and read through various posts. There
>is lots of good info out there. Perhaps if you describe what you want
>to do, people can make specific suggestions.
>
> ---Mike
>
>
>
Unfortunately, I haven't found a good howto. The situation is the following:
This project will be some kind of SMS service. The serv will connect to
the SMS server and get the received SMSes, but the connection to the SMS
server is only allowed via VPN. Here are two IP addresses, one of them
is the VPN peers address. I have to set up a VPN connection to this host
with 3DES SHA IPsec and a DH pre-shared key. The other IP address is the
SMS servers adress but that is only accessible via VPN.
I've installed ipsec-tools, and tried to configure it, but I can't start
racoon and I get a configuration file parse error. I couldn't found out
which line is wrong. I just got this:
racoon: failed to parse configuration file.
Here is the racoon.conf:
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
path include "@sysconfdir_x@/racoon";
#include "remote.conf";
path pre_shared_key "@sysconfdir_x@/racoon/vodafone.psk";
path certificate "@sysconfdir_x@/cert";
log debug2;
# "padding" defines some padding parameters. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}
# Specify various default timers.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote 80.244.96.229
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier asn1dn;
certificate_type x509 "my.cert.pem" "my.key.pem";
nonce_size 16;
initial_contact on;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo 80.244.96.229
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
I've just modified what I considered necessary.
I haven't found anything useful with google. Please help me fixing this.
Thanks in advance,
Gabor Kovesdan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43F5F91E.5020005>