# IPsec on FreeBSD These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces. ## Requirements * Root access to both endpoints. * Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for raccon. * At least one static IPv4 on at least one endpoint unless you hate yourself. ## Kernel configuration The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel. If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook. ``` options IPSEC #IP security device crypto ``` Reboot into your new kernel. ## Userland configuration Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port. Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you. ``` path pre_shared_key "/usr/local/etc/racoon/psk"; path certificate "/usr/local/etc/racoon/certs"; log info; listen { isakmp a.b.c.d [500]; isakmp_natt a.b.c.d [4500]; } padding { strict_check on; } timer { natt_keepalive 5 sec; interval 3 sec; phase1 45 sec; # give embedded CPUs time to finish RSA operations phase2 45 sec; } remote b.c.d.e [500] { exchange_mode main; proposal_check strict; my_identifier asn1dn; peers_identifier asn1dn; lifetime time 1 hour; certificate_type x509 "self.crt" "self.key"; peers_certfile x509 "peer.crt"; ca_type x509 "ca.crt"; verify_cert on; send_cert off; # neither send send_cr off; # nor request a crt to be send proposal { encryption_algorithm aes 256; hash_algorithm sha256; authentication_method rsasig; dh_group modp4096; } } ```