HOWTO setup a simple IPSEC tunnel

看板FB_doc作者時間18年前 (2007/06/12 18:15), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串1/4 (看更多)
Feel free to use whereever... How to set up an IPSEC tunnel between two FreeBSD machines. ----------------------------------------------------------- Replace these with your own parameters below: ${MY_IP_ADDRESS} ${OTHER_IP_ADDRESS} ${MYHOSTNAME} ${OTHERHOSTNAME} Do the obvious MY<->OTHER flip in the other end of the tunnel. Install ports/security/ipsec-tools Add kernel options (or kldload): device gif device crypto options FAST_IPSEC If you have a HiFn cryptoboard (ie: Soekris NET14xx) also add: device hifn In your /etc/rc.conf: gif_interfaces="gif0" gifconfig_gif0="${MY_IP_ADDRESS} ${OTHER_IP_ADDRESS}" ifconfig_gif0="192.168.48.22 192.168.48.21 netmask 255.255.255.252" ipsec_enable=YES ipsec_file=/etc/setkey.conf racoon_enable=YES You can use whatever addresses you want instead of 192.168.48.{21,22}, just make sure to select them as the middle two in a /30 network. In other words, the last byte of the IP numbers must be "N * 4 + 1" and "N * 4 + 2". If you do not plan on running a routing daemon (routed(8) and such) you can use any two IP# as long as you remove the "netmask 255..." bit. Create /etc/setkey.conf containing: spdflush; spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require; spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require; This means: I want IPSEC on all IP-IP protocol packets. IP-IP is what gif tunnels use and it has IP protocol 4 (see /etc/protocols). Create /etc/racoon_psk.txt containing: ${MYHOSTNAME} ${PASSWORD} ${OTHERHOSTNAME} ${PASSWORD} Make sure it has mode r--: chmod 400 /etc/racoon_psk.txt It's ok to use the same password for both hosts, it's easier that way. A good way to find passwords for this kind of stuff is: strings -16 < /dev/random Create /usr/local/etc/racoon/racoon.conf containing: path pre_shared_key "/etc/racoon_psk.txt" ; remote anonymous { exchange_mode aggressive; my_identifier fqdn ${MYHOSTNAME} lifetime time 24 hour ; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } sainfo anonymous { pfs_group 2; lifetime time 12 hour ; encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } That should do it... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. _______________________________________________ freebsd-doc@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-doc To unsubscribe, send any mail to "freebsd-doc-unsubscribe@freebsd.org"
更多 phk. 的文章
文章代碼(AID): #16Rd8e00 (FB_doc)
更多 phk. 的文章
文章代碼(AID): #16Rd8e00 (FB_doc)