HOWTO setup a simple IPSEC tunnel

Marc Fonvieille blackend at freebsd.org
Tue Jun 12 14:29:44 UTC 2007


On Tue, Jun 12, 2007 at 09:21:35AM +0000, Poul-Henning Kamp wrote:
> 
> Feel free to use wherever...
> 
> How to set up an IPSEC tunnel between two FreeBSD machines.
> -----------------------------------------------------------
> 
> Replace these with your own parameters below:
> 	${MY_IP_ADDRESS}
> 	${OTHER_IP_ADDRESS}
> 	${MYHOSTNAME}
> 	${OTHERHOSTNAME}
> 
> Do the obvious MY<->OTHER flip in the other end of the tunnel.
> 
> Install ports/security/ipsec-tools
> 
> Add kernel options (or kldload):
> 
> 	device          gif
> 	device          crypto
> 	options         FAST_IPSEC
> 
> If you have a HiFn cryptoboard (i.e. Soekris NET14xx) also add:
> 
> 	device          hifn
> 
> In your /etc/rc.conf:
> 
> 	gif_interfaces="gif0"
> 
> 	gifconfig_gif0="${MY_IP_ADDRESS} ${OTHER_IP_ADDRESS}"
> 	ifconfig_gif0="192.168.48.22 192.168.48.21 netmask 255.255.255.252"
> 
> 	ipsec_enable=YES
> 	ipsec_file=/etc/setkey.conf
> 
> 	racoon_enable=YES
> 
> You can use whatever addresses you want instead of 192.168.48.{21,22}, just
> make sure to select them as the middle two in a /30 network.  In other
> words, the last byte of the IP numbers must be "N * 4 + 1" and "N * 4 + 2".
> 
> If you do not plan on running a routing daemon (routed(8) and such)
> you can use any two IP# as long as you remove the "netmask 255..." bit.
> 
> Create /etc/setkey.conf containing:
> 
> 	spdflush;
> 	spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
> 	spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
> 
> This means: I want IPSEC on all IP-IP protocol packets.  IP-IP is what
> gif tunnels use and it has IP protocol 4 (see /etc/protocols).
> 
> Create /etc/racoon_psk.txt containing:
> 
> 	${MYHOSTNAME}		${PASSWORD}
> 	${OTHERHOSTNAME}	${PASSWORD}
> 
> Make sure it has mode r--:
> 
> 	chmod 400 /etc/racoon_psk.txt
> 
> It's ok to use the same password for both hosts, it's easier that way.
> 
> A good way to find passwords for this kind of stuff is:
> 	strings -16 < /dev/random 
> 
> Create /usr/local/etc/racoon/racoon.conf containing:
> 
> 	path pre_shared_key "/etc/racoon_psk.txt" ;
> 	 
> 	remote anonymous
> 	{
> 		exchange_mode aggressive;
> 		my_identifier fqdn "${MYHOSTNAME}";
> 
> 		lifetime time 24 hour ;
> 		proposal {
> 			encryption_algorithm 3des;
> 			hash_algorithm sha1;
> 			authentication_method pre_shared_key ;
> 			dh_group 2 ;
> 		}
> 	}
> 	 
> 	sainfo anonymous
> 	{
> 		pfs_group 2;
> 		lifetime time 12 hour ;
> 		encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
> 		authentication_algorithm hmac_sha1, hmac_md5 ;
> 		compression_algorithm deflate ;
> 	}
>

Interesting.  One should look how this can be used with
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
(which I suspect to contain wrong/outdated info).

-- 
Marc
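
As an added example (not part of Poul-Henning's HOWTO or Marc's reply), the script below checks the two rules the HOWTO states for the tunnel-endpoint addresses (both in one /30, last octets N*4+1 and N*4+2) and renders the /etc/setkey.conf SPD and the racoon pre-shared-key file with the r-- mode the HOWTO asks for. Hostnames, addresses and the hex-key generator are constructed stand-ins; `gen_psk` is an alternative to the HOWTO's `strings -16 < /dev/random`, not a replacement the post suggests. IPv4 only; the mode check parses `ls -l`, which works on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example: parameter checks and file rendering for the gif + IPsec
# (ESP transport mode on IP-IP, protocol 4) tunnel described in the HOWTO.

# ip2int A.B.C.D -> unsigned 32-bit value in decimal (empty output if malformed)
ip2int() {
    echo "$1" | awk -F. 'NF == 4 { printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# check_p2p_pair LOCAL REMOTE
# 0 when the two addresses are the middle two hosts of one /30 (last octets
# N*4+1 and N*4+2, in either order), which the HOWTO requires when a routing
# daemon will see the gif interface; 1 otherwise.
check_p2p_pair() {
    a=$(ip2int "$1"); b=$(ip2int "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 1
    [ $((a / 4)) -eq $((b / 4)) ] || return 1        # same /30 block
    la=$((a % 4)); lb=$((b % 4))
    { [ "$la" -eq 1 ] && [ "$lb" -eq 2 ]; } || { [ "$la" -eq 2 ] && [ "$lb" -eq 1 ]; }
}

# render_setkey: the SPD from the HOWTO; protocol 4 (IP-IP) is what gif carries,
# so every tunnel packet must be ESP-protected in both directions.
render_setkey() {
    printf '%s\n' 'spdflush;' \
      'spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;' \
      'spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;'
}

# gen_psk: 32 random bytes as 64 hex characters (constructed alternative to
# the HOWTO's `strings -16 < /dev/random`)
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_psk_file FILE MYHOST OTHERHOST PSK
# Two-line racoon_psk.txt (same key for both hosts, as the HOWTO allows),
# created under umask 077 so it is never briefly group/world-readable,
# then set to mode 400 as the HOWTO specifies.
write_psk_file() {
    f=$1
    ( umask 077; printf '%s\t%s\n%s\t%s\n' "$2" "$4" "$3" "$4" > "$f" ) && chmod 400 "$f"
}

# check_psk_file FILE: 0 only if the mode is exactly r-------- (owner read)
check_psk_file() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Usage: sh tunnelcheck.sh 192.168.48.22 192.168.48.21   (constructed values)
if [ "$#" -eq 2 ]; then
    if check_p2p_pair "$1" "$2"; then
        echo "tunnel addresses $1 $2 form a valid /30 pair"
        render_setkey
    else
        echo "tunnel addresses $1 $2 are not the middle two of a /30" >&2
        exit 1
    fi
fi
```

Run it with the two gif addresses to confirm they satisfy the /30 rule before putting them in rc.conf; the psk helpers are meant to be sourced and called with the real hostnames, and `check_psk_file` is the test to add to whatever config-audit you already run on the hosts.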