1
mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-12-18 05:25:53 +01:00
wiki/ipsec-on-freebsd.md

72 lines
2.7 KiB
Markdown
Raw Normal View History

2013-02-28 18:00:40 +01:00
# IPsec on FreeBSD
2013-02-28 18:14:03 +01:00
These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.
2013-02-28 18:00:40 +01:00
## Requirements
2013-02-28 18:18:23 +01:00
* Root access to both endpoints.
2013-02-28 23:32:29 +01:00
* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.
2013-02-28 18:14:03 +01:00
* At least one static IPv4 on at least one endpoint unless you hate yourself.
2013-02-28 18:00:40 +01:00
## Kernel configuration
2013-02-28 18:14:03 +01:00
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
```
options IPSEC #IP security
device crypto
```
Reboot into your new kernel.
2013-02-28 18:00:40 +01:00
2013-02-28 18:18:23 +01:00
## Userland configuration
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
2013-02-28 18:27:24 +01:00
```
path pre_shared_key "/usr/local/etc/racoon/psk";
path certificate "/usr/local/etc/racoon/certs";
log info;
listen {
isakmp a.b.c.d [500];
isakmp_natt a.b.c.d [4500];
}
padding {
strict_check on;
}
timer {
natt_keepalive 5 sec;
interval 3 sec;
phase1 45 sec; # give embedded CPUs time to finish RSA operations
phase2 45 sec;
}
remote b.c.d.e [500] {
exchange_mode main;
proposal_check strict;
my_identifier asn1dn;
peers_identifier asn1dn;
lifetime time 1 hour;
certificate_type x509 "self.crt" "self.key";
peers_certfile x509 "peer.crt";
ca_type x509 "ca.crt";
verify_cert on;
send_cert off; # neither send
send_cr off; # nor request a crt to be send
proposal {
encryption_algorithm aes 256;
hash_algorithm sha256;
authentication_method rsasig;
dh_group modp4096;
}
}
2013-02-28 18:30:12 +01:00
sainfo (address a.b.c.d gre address b.c.d.e gre) {
pfs_group modp4096;
lifetime time 1 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
}
2013-02-28 18:27:24 +01:00
```