From owner-freebsd-doc@FreeBSD.ORG Tue Jun 12 10:14:35 2007
To: doc@freebsd.org
From: Poul-Henning Kamp
Sender: phk@critter.freebsd.dk
Cc: gnn@freebsd.org
Date: Tue, 12 Jun 2007 09:21:35 +0000
Message-ID: <40691.1181640095@critter.freebsd.dk>
Subject: HOWTO setup a simple IPSEC tunnel
List-Id: Documentation project

Feel free to use wherever...

How to set up an IPSEC tunnel between two FreeBSD machines.
-----------------------------------------------------------

Replace these with your own parameters below:

	${MY_IP_ADDRESS}
	${OTHER_IP_ADDRESS}
	${MYHOSTNAME}
	${OTHERHOSTNAME}

Do the obvious MY<->OTHER flip at the other end of the tunnel.
Install ports/security/ipsec-tools

Add kernel options (or kldload):

	device gif
	device crypto
	options FAST_IPSEC

If you have a HiFn cryptoboard (i.e. Soekris NET14xx) also add:

	device hifn

In your /etc/rc.conf:

	gif_interfaces="gif0"
	gifconfig_gif0="${MY_IP_ADDRESS} ${OTHER_IP_ADDRESS}"
	ifconfig_gif0="192.168.48.22 192.168.48.21 netmask 255.255.255.252"
	ipsec_enable=YES
	ipsec_file=/etc/setkey.conf
	racoon_enable=YES

You can use whatever addresses you want instead of 192.168.48.{21,22},
just make sure to select them as the middle two in a /30 network.  In
other words, the last byte of the IP numbers must be "N * 4 + 1" and
"N * 4 + 2".

If you do not plan on running a routing daemon (routed(8) and such) you
can use any two IP# as long as you remove the "netmask 255..." bit.

Create /etc/setkey.conf containing:

	spdflush;
	spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
	spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;

This means: I want IPSEC on all IP-IP protocol packets.  IP-IP is what
gif tunnels use and it has IP protocol 4 (see /etc/protocols).

Create /etc/racoon_psk.txt containing:

	${MYHOSTNAME} ${PASSWORD}
	${OTHERHOSTNAME} ${PASSWORD}

Make sure it has mode r--:

	chmod 400 /etc/racoon_psk.txt

It's ok to use the same password for both hosts, it's easier that way.
A good way to find passwords for this kind of stuff is:

	strings -16 < /dev/random

Create /usr/local/etc/racoon/racoon.conf containing:

	path pre_shared_key "/etc/racoon_psk.txt" ;

	remote anonymous {
		exchange_mode aggressive;
		my_identifier fqdn "${MYHOSTNAME}" ;
		lifetime time 24 hour ;
		proposal {
			encryption_algorithm 3des;
			hash_algorithm sha1;
			authentication_method pre_shared_key ;
			dh_group 2 ;
		}
	}

	sainfo anonymous {
		pfs_group 2;
		lifetime time 12 hour ;
		encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
		authentication_algorithm hmac_sha1, hmac_md5 ;
		compression_algorithm deflate ;
	}

That should do it...
-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.