From: "Andrew Pantyukhin" <infofarmer@gmail.com>
To: "Dan Mahoney, System Admin"
Cc: questions@freebsd.org
Date: Thu, 18 Jan 2007 11:36:35 +0300
Subject: Re: Transport Mode IPSEC
In-Reply-To: <20070118022306.Q26349@prime.gushi.org>

On 1/18/07, Dan Mahoney, System Admin wrote:
> Hey all,
>
> I see the handbook has a nice howto on tunnel mode ipsec. I just want to
> protect my NFS/NIS traffic between two hosts on a switch (neither NAT'd)
> -- is there a reference as to transport-mode ipsec anywhere, or has anyone
> done it that can outline it? I would imagine it would be drastically
> simpler than tunnel mode, but I'm not sure where it would break off.

It's not that simple. The difficulty is in key exchange, and it stays.
I can show you how to implement it with static keys:

====================================================================
= 192.168.17.1:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
====================================================================
= 192.168.17.69:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P in ipsec ah/transport//require ;
====================================================================

Then add ipsec_enable="YES" to rc.conf(5) on both hosts and run
/etc/rc.d/ipsec start. That should set up an authenticated relationship
between the two hosts. See setkey(8) for encryption and other options.
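As an added illustration (not part of the post above), a small sh script that generates a 512-bit key from the kernel RNG and emits the setkey(8) script for one host of such a static-key AH transport pair; it goes one step beyond the post by using a distinct key and SPI per direction instead of one shared pair. The addresses, SPIs and function names are assumptions.

```shell
#!/bin/sh
# Assumed helper names; not from the original post.
set -eu

# True when KEY is "0x" followed by 128 hex digits, i.e. the 512-bit
# key that hmac-sha2-512 requires in setkey(8).
valid_key() {
    case "$1" in
        0x*) ;;
        *) return 1 ;;
    esac
    hex=${1#0x}
    [ "${#hex}" -eq 128 ] || return 1
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Print a fresh 512-bit hex key. Run once per direction and copy the
# result to both hosts over an already-trusted channel.
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N64 /dev/urandom | tr -d ' \n')"
}

# ipsec_conf LOCAL PEER SPI_OUT SPI_IN KEY_OUT KEY_IN
# Print the setkey(8) script for LOCAL. The peer runs the same call with
# LOCAL/PEER swapped and the OUT/IN pairs swapped, so both sides install
# the same SAs (same SPI and key per direction) with mirrored policies.
ipsec_conf() {
    local_ip=$1 peer_ip=$2 spi_out=$3 spi_in=$4 key_out=$5 key_in=$6
    valid_key "$key_out" && valid_key "$key_in" || {
        echo "ipsec_conf: keys must be 0x + 128 hex digits (512 bits)" >&2
        return 1
    }
    cat <<EOF
flush ;
spdflush ;
add $local_ip $peer_ip ah $spi_out -A hmac-sha2-512 $key_out ;
add $peer_ip $local_ip ah $spi_in -A hmac-sha2-512 $key_in ;
spdadd $local_ip $peer_ip any -P out ipsec ah/transport//require ;
spdadd $peer_ip $local_ip any -P in ipsec ah/transport//require ;
EOF
}
```

AH only authenticates the packets; the NFS/NIS payload still travels in clear, so an ESP SA with -E would be needed for confidentiality.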