HOWTO setup a simple IPSEC tunnel
Poul-Henning Kamp
phk at phk.freebsd.dk
Tue Jun 12 10:14:35 UTC 2007
Feel free to use wherever...
How to set up an IPSEC tunnel between two FreeBSD machines.
-----------------------------------------------------------
Replace these with your own parameters below:
${MY_IP_ADDRESS}
${OTHER_IP_ADDRESS}
${MYHOSTNAME}
${OTHERHOSTNAME}
Do the obvious MY<->OTHER flip at the other end of the tunnel.
Install ports/security/ipsec-tools
Add kernel options (or kldload):
device gif
device crypto
options FAST_IPSEC
If you have a HiFn crypto board (e.g. Soekris NET14xx) also add:
device hifn
In your /etc/rc.conf:
gif_interfaces="gif0"
gifconfig_gif0="${MY_IP_ADDRESS} ${OTHER_IP_ADDRESS}"
ifconfig_gif0="192.168.48.22 192.168.48.21 netmask 255.255.255.252"
ipsec_enable=YES
ipsec_file=/etc/setkey.conf
racoon_enable=YES
You can use whatever addresses you want instead of 192.168.48.{21,22}; just
make sure to select them as the middle two addresses of a /30 network. In other
words, the last byte of the two IP numbers must be "N * 4 + 1" and "N * 4 + 2".
If you do not plan on running a routing daemon (routed(8) and such)
you can use any two IP numbers as long as you remove the "netmask 255..." bit.
Create /etc/setkey.conf containing:
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
This means: I want IPSEC on all IP-IP protocol packets. IP-IP is what
gif tunnels use and it has IP protocol 4 (see /etc/protocols).
Create /etc/racoon_psk.txt containing:
${MYHOSTNAME} ${PASSWORD}
${OTHERHOSTNAME} ${PASSWORD}
Make sure it has mode r-------- (0400), readable by its owner only:
chmod 400 /etc/racoon_psk.txt
It's OK to use the same password for both hosts; it's easier that way.
A good way to find passwords for this kind of stuff is:
strings -16 < /dev/random
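As an added example (not part of the original mail), a small POSIX sh helper that checks the "/30 rule" for the gif0 addresses and writes the pre-shared-key file so it is never readable by anyone but its owner, not even between creation and chmod. File paths, hostnames and the secret are whatever you pass in; the values in the self-check are the HOWTO's own example addresses.

```sh
#!/bin/sh
# Added example, not part of PHK's HOWTO.  Helpers for the two steps above:
# p2p_pair_ok checks the "/30 rule" for the gif0 addresses; write_psk_file
# creates the racoon pre-shared-key file without ever leaving it readable
# by anyone but its owner.  File paths and hostnames are whatever you pass in.

# p2p_pair_ok A B: succeed if A and B are the two usable addresses of one
# /30, i.e. the same first three octets and last octets N*4+1 and N*4+2
# (in either order).  Expects dotted-quad input.
p2p_pair_ok() {
    for ip in "$1" "$2"; do
        case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
        case "${ip##*.}" in ''|*[!0-9]*) return 1 ;; esac
        [ "${ip##*.}" -lt 256 ] || return 1
    done
    [ "${1%.*}" = "${2%.*}" ] || return 1      # same first three octets
    lo=${1##*.}; hi=${2##*.}                   # last octets, ordered lo <= hi
    if [ "$lo" -gt "$hi" ]; then t=$lo; lo=$hi; hi=$t; fi
    [ $((hi - lo)) -eq 1 ] && [ $((lo % 4)) -eq 1 ]
}

# write_psk_file FILE MYHOST OTHERHOST SECRET: write the two-line PSK file in
# the layout racoon expects.  It is created under umask 077, so there is no
# window in which it is world-readable, then locked down to mode 0400.
write_psk_file() {
    (umask 077; printf '%s %s\n%s %s\n' "$2" "$4" "$3" "$4" > "$1")
    chmod 400 "$1"
}

# psk_perms_ok FILE: succeed only if FILE is a regular file readable by its
# owner alone, which is exactly what the HOWTO's "chmod 400" produces.
psk_perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Quick self-check with the HOWTO's own example addresses.
p2p_pair_ok 192.168.48.21 192.168.48.22 && echo "192.168.48.21/22 form a valid /30 pair"
```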
Create /usr/local/etc/racoon/racoon.conf containing:
path pre_shared_key "/etc/racoon_psk.txt";
remote anonymous
{
        exchange_mode aggressive;
        my_identifier fqdn "${MYHOSTNAME}";
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des, cast128, blowfish 448, des, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
That should do it...
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.