wiki/howto/IPsec-on-FreeBSD.md

# IPsec on FreeBSD

These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.

## Requirements
* Root access to both endpoints.
* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.
* At least one static IPv4 on at least one endpoint unless you hate yourself.

## Kernel configuration
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
```
  options   IPSEC        #IP security
  device    crypto
```
Reboot into your new kernel.

## Userland configuration

Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
```
path    pre_shared_key  "/usr/local/etc/racoon/psk";
path    certificate     "/usr/local/etc/racoon/certs";
log     info;

listen {
        isakmp          a.b.c.d [500];
        isakmp_natt     a.b.c.d [4500];
}

padding {
        strict_check    on;
}

timer {
        natt_keepalive   5 sec;
        interval         3 sec;
        phase1          45 sec; # give embedded CPUs time to finish RSA operations
        phase2          45 sec;
}

remote b.c.d.e [500] {
        exchange_mode           main;
        proposal_check          strict;
        my_identifier           asn1dn;
        peers_identifier        asn1dn;
        lifetime                time 1 hour;
        certificate_type        x509 "self.crt" "self.key";
        peers_certfile          x509 "peer.crt";
        ca_type                 x509 "ca.crt";
        verify_cert             on;
        send_cert               off; # neither send
        send_cr                 off; # nor request a crt to be send

        proposal {
                encryption_algorithm    aes 256;
                hash_algorithm          sha256;
                authentication_method   rsasig;
                dh_group                modp4096;
        }
}

sainfo (address a.b.c.d gre address b.c.d.e gre) {
        pfs_group                       modp4096;
        lifetime                        time 1 hour;
        encryption_algorithm            aes 256;
        authentication_algorithm        hmac_sha1;
}

```
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:00:40 +01:00			`# IPsec on FreeBSD`

Updated ipsec-on-freebsd (markdown) 2013-02-28 18:14:03 +01:00			`These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.`

Updated ipsec-on-freebsd (markdown) 2013-02-28 18:00:40 +01:00			`## Requirements`
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:18:23 +01:00			`* Root access to both endpoints.`
Updated ipsec-on-freebsd (markdown) 2013-02-28 23:32:29 +01:00			`* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.`
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:14:03 +01:00			`* At least one static IPv4 on at least one endpoint unless you hate yourself.`
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:00:40 +01:00
			`## Kernel configuration`
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:14:03 +01:00			`The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.`
			`If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.`
			```
			`options IPSEC #IP security`
			`device crypto`
			```
			`Reboot into your new kernel.`
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:00:40 +01:00
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:18:23 +01:00			`## Userland configuration`

			`Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.`
			`Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.`
Updated ipsec-on-freebsd (markdown) 2013-02-28 18:27:24 +01:00			```
			`path pre_shared_key "/usr/local/etc/racoon/psk";`
			`path certificate "/usr/local/etc/racoon/certs";`
			`log info;`

			`listen {`
			`isakmp a.b.c.d [500];`
			`isakmp_natt a.b.c.d [4500];`
			`}`

			`padding {`
			`strict_check on;`
			`}`

			`timer {`
			`natt_keepalive 5 sec;`
			`interval 3 sec;`
			`phase1 45 sec; # give embedded CPUs time to finish RSA operations`
			`phase2 45 sec;`
			`}`

			`remote b.c.d.e [500] {`
			`exchange_mode main;`
			`proposal_check strict;`
			`my_identifier asn1dn;`
			`peers_identifier asn1dn;`
			`lifetime time 1 hour;`
			`certificate_type x509 "self.crt" "self.key";`
			`peers_certfile x509 "peer.crt";`
			`ca_type x509 "ca.crt";`
			`verify_cert on;`
			`send_cert off; # neither send`
			`send_cr off; # nor request a crt to be send`

			`proposal {`
			`encryption_algorithm aes 256;`
			`hash_algorithm sha256;`
			`authentication_method rsasig;`
			`dh_group modp4096;`
			`}`
			`}`

Updated ipsec-on-freebsd (markdown) 2013-02-28 18:30:12 +01:00			`sainfo (address a.b.c.d gre address b.c.d.e gre) {`
			`pfs_group modp4096;`
			`lifetime time 1 hour;`
			`encryption_algorithm aes 256;`
			`authentication_algorithm hmac_sha1;`
			`}`

Updated ipsec-on-freebsd (markdown) 2013-02-28 18:27:24 +01:00			```