Date:      Fri, 12 Mar 2004 12:00:16 +0300
From:      "Kostikov V.I." <victor@mcc.elektra.ru>
To:        <freebsd-questions@FreeBSD.org>
Subject:   GRE IPsec for FreeBSD
Message-ID:  <001501c40810$70854e60$60f211ac@vic>

Hello!
Can you help me?
I am setting up IPsec across GRE from a Cisco router to FreeBSD.
My settings for FreeBSD 5.1:
---------------------
rc.conf

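#  IPSec
# /etc/rc.d/ipsec loads ipsec_file with setkey at boot; without IPsec the GRE
# tunnel below carries everything unauthenticated and in the clear.
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
#  Tunnel GRE
# rc.conf is a file of shell variable assignments that the rc scripts source;
# bare "ifconfig ..." commands placed in it run at the moment the file is read,
# not when the network is brought up, and run again on every later sourcing.
# Create and configure the interface through the rc.conf variables instead
# (FreeBSD 5.x: cloned_interfaces plus ifconfig_<if>).  x.x.x.x/y.y.y.y are the
# GRE inner addresses, a.a.a.a/b.b.b.b the outer endpoints that ipsec.conf protects.
cloned_interfaces="gre0"
# "link1" is carried over from the original configuration; check gre(4) on this
# release for what that flag selects before keeping it.  One ifconfig line can
# carry both the addresses and the "tunnel" endpoints.
ifconfig_gre0="x.x.x.x y.y.y.y link1 tunnel a.a.a.a b.b.b.b"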
--------------------
racoon.conf

# Global paths.  psk.txt maps each peer address to its pre-shared key; keep it
# owned by root and mode 0600 -- anyone who can read it can impersonate either
# endpoint of the tunnel.
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# "notify" is quiet.  While the GRE tunnel is not coming up, "log debug" shows
# which proposal or selector the Cisco peer rejects; turn it back down afterwards.
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check; "off" tolerates peers
                                # whose padding bytes do not follow the spec.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
# Security note: with this block empty, IKE (UDP 500) is answered on every
# address of the host, not just the tunnel endpoint.  Binding only a.a.a.a keeps
# the daemon off the other interfaces, and "strict_address" makes racoon fail at
# start-up instead of silently running unbound if that address is missing:
#   isakmp a.a.a.a [500];
#   strict_address;
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        # A phase that hits one of these limits is logged as a timeout, which can
        # hide an underlying proposal mismatch; rule the mismatch out in the log
        # before raising the values.
        phase1 30 sec;
        phase2 15 sec;
}

# "anonymous" matches any peer address, so every host that reaches UDP 500 is
# offered this phase 1 policy.  Naming the Cisco endpoint ("remote b.b.b.b")
# limits it to the one peer this tunnel is for.
remote anonymous
{
        # Aggressive mode with a pre-shared key sends the responder's
        # authentication hash before the exchange is encrypted, so anyone who
        # can initiate or observe an exchange gets material for an offline
        # dictionary attack on the PSK.  Use "main" alone if the Cisco side can
        # be set to main mode.
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 7200 sec; # sec,min,hour
        initial_contact on;
        support_mip6 on;        # Mobile IPv6 support; presumably not needed for a GRE tunnel.
        proposal_check obey;    # obey, strict or claim

        # Phase 1 proposal.  Must match the Cisco "crypto isakmp policy"
        # (encryption, hash, authentication, group) or phase 1 never completes.
        # DES, MD5 and DH group 1 (768-bit MODP) are far below current
        # recommendations; move to 3des (or aes where both sides support it),
        # sha1 and dh_group 2 or higher, changing both ends together.
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

# "anonymous" accepts whatever phase 2 selectors the peer proposes; with the
# transport-mode policy in ipsec.conf, the Cisco crypto ACL decides which
# traffic between the endpoints is protected.
sainfo anonymous
{
        pfs_group 1;            # when racoon initiates this must equal the Cisco
                                # "set pfs" group; group 1 is weak, see the
                                # phase 1 note above.
        lifetime time 7200 sec;
        # Phase 2 transforms; must match the Cisco transform-set.  DES with
        # HMAC-MD5 is weak today; change both sides together.
        encryption_algorithm des ;
        authentication_algorithm hmac_md5;
        # "deflate" makes racoon offer IPComp alongside ESP.  It is not needed for
        # GRE; drop it if the Cisco peer never negotiates compression, so the
        # proposal carries only what the peer can accept.
        compression_algorithm deflate ;
}
-----------------------
ipsec.conf

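# Flush the SA and SP databases so a reload starts from a clean state.
flush;
spdflush;
# Transport-mode ESP between the outer GRE endpoints, one policy per direction.
# "any" matches every protocol between a.a.a.a and b.b.b.b, GRE (47) included; a
# "gre" upperspec would be tighter and mirror the usual Cisco crypto ACL
# ("permit gre host a.a.a.a host b.b.b.b"), but both sides must then agree.
# "require" drops matching traffic for which no SA exists instead of letting it
# out in the clear.  The Cisco transform-set must be "mode transport" for these
# policies to match (IOS defaults to tunnel mode).
spdadd a.a.a.a b.b.b.b any -P out ipsec esp/transport/a.a.a.a-b.b.b.b/require;
spdadd b.b.b.b a.a.a.a any -P in ipsec esp/transport/b.b.b.b-a.a.a.a/require;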
-----------------------

It does not work.

This configuration (racoon.conf and ipsec.conf) works for IPsec across IPIP from Cisco to FreeBSD.



Best regards!
victor@mcc.elektra.ru


