mirror of
https://git.dn42.dev/wiki/wiki.git
synced 2024-12-09 22:13:08 +01:00
72 lines
2.7 KiB
Markdown
72 lines
2.7 KiB
Markdown
# IPsec on FreeBSD
|
|
|
|
These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.
|
|
|
|
## Requirements
|
|
* Root access to both endpoints.
|
|
* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.
|
|
* At least one static IPv4 on at least one endpoint unless you hate yourself.
|
|
|
|
## Kernel configuration
|
|
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
|
|
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
|
|
```
|
|
options IPSEC #IP security
|
|
device crypto
|
|
```
|
|
Reboot into your new kernel.
|
|
|
|
## Userland configuration
|
|
|
|
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
|
|
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
|
|
```
|
|
path pre_shared_key "/usr/local/etc/racoon/psk";
|
|
path certificate "/usr/local/etc/racoon/certs";
|
|
log info;
|
|
|
|
listen {
|
|
isakmp a.b.c.d [500];
|
|
isakmp_natt a.b.c.d [4500];
|
|
}
|
|
|
|
padding {
|
|
strict_check on;
|
|
}
|
|
|
|
timer {
|
|
natt_keepalive 5 sec;
|
|
interval 3 sec;
|
|
phase1 45 sec; # give embedded CPUs time to finish RSA operations
|
|
phase2 45 sec;
|
|
}
|
|
|
|
remote b.c.d.e [500] {
|
|
exchange_mode main;
|
|
proposal_check strict;
|
|
my_identifier asn1dn;
|
|
peers_identifier asn1dn;
|
|
lifetime time 1 hour;
|
|
certificate_type x509 "self.crt" "self.key";
|
|
peers_certfile x509 "peer.crt";
|
|
ca_type x509 "ca.crt";
|
|
verify_cert on;
|
|
send_cert off; # neither send
|
|
send_cr off; # nor request a crt to be send
|
|
|
|
proposal {
|
|
encryption_algorithm aes 256;
|
|
hash_algorithm sha256;
|
|
authentication_method rsasig;
|
|
dh_group modp4096;
|
|
}
|
|
}
|
|
|
|
sainfo (address a.b.c.d gre address b.c.d.e gre) {
|
|
pfs_group modp4096;
|
|
lifetime time 1 hour;
|
|
encryption_algorithm aes 256;
|
|
authentication_algorithm hmac_sha1;
|
|
}
|
|
|
|
``` |