Date: Thu, 18 Jan 2007 03:47:24 -0500 (EST)
From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To: Andrew Pantyukhin <infofarmer@FreeBSD.org>
Cc: questions@FreeBSD.org
Subject: Re: Transport Mode IPSEC
Message-ID: <20070118033808.I55095@prime.gushi.org>
In-Reply-To: <cb5206420701180036l4dbc7bax952a674905c94489@mail.gmail.com>
References: <20070118022306.Q26349@prime.gushi.org> <cb5206420701180036l4dbc7bax952a674905c94489@mail.gmail.com>
On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:

> On 1/18/07, Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
>
> It's not that simple. The difficulty is in key exchange,
> and it stays. I can show you how to implement it with
> static keys:

As I read through the article (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)... I get the distinct impression the howto actually is somewhat adaptable -- one just needs to ignore everything it says about tunnels and the GIF device.

I'd still install racoon, still do everything like that -- the change comes in the lines in /etc/ipsec.conf:

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

which would be, I think, modified to your lines below. I'm not sure if you still need the additional policy definition (between the slashes). Perhaps you can clarify for me?

I'm liking doing things with racoon only because it allows you to use those nice non-static keys.
-Dan

> ====================================================================
> = 192.168.17.1:/etc/ipsec.conf
> ====================================================================
> flush ;
> spdflush ;
>
> add 192.168.17.69 192.168.17.1 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> add 192.168.17.1 192.168.17.69 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
> spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
> ====================================================================
> = 192.168.17.69:/etc/ipsec.conf
> ====================================================================
> flush ;
> spdflush ;
>
> add 192.168.17.69 192.168.17.1 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> add 192.168.17.1 192.168.17.69 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
> spdadd 192.168.17.1 192.168.17.69 any -P in ipsec ah/transport//require ;
> ====================================================================
>
> Then add ipsec_enable="YES" to rc.conf(5) on both hosts
> and run /etc/rc.d/ipsec start. That should set up an
> authenticated relationship between the two hosts.
>
> See setkey(8) for encryption and other options.

--
"Don't try to out-weird me. I get stranger things than you free with my breakfast cereal."
-Button seen at I-CON XVII (and subsequently purchased)

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
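An added consistency check for the two static-key ipsec.conf files quoted above (editor's example, not part of the thread and not FreeBSD or racoon code). In setkey(8) policy syntax the slot between the slashes of ah/transport//require holds the tunnel endpoints, which transport mode leaves empty, so the check flags that slot when it is filled in transport mode, confirms the manual SAs (SPI, algorithm, key) are identical on both ends, verifies the key length matches the algorithm, and verifies each host's "in" policy is the peer's "out" policy. The key is a constructed 64-byte placeholder, not the one from the thread.

```python
import shlex

# Key size in bits that setkey(8) requires for each AH authentication algorithm.
KEY_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha2-256": 256, "hmac-sha2-512": 512}

# Constructed sample: the transport-mode AH config from the thread, with a constructed 64-byte key.
KEY = "0123456789abcdef" * 4
HOST_A = f"""flush ; spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567 -A hmac-sha2-512 "{KEY}" ;
add 192.168.17.1 192.168.17.69 ah 4567 -A hmac-sha2-512 "{KEY}" ;
spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;"""
# The peer's file is the same SAs with the policy directions swapped, exactly as in the thread.
HOST_B = HOST_A.replace("-P in", "-P IN").replace("-P out", "-P in").replace("-P IN", "-P out")

def parse(conf):
    """Split setkey(8) input into manual SAs ('add ...') and policies ('spdadd ...')."""
    sas, policies = [], []
    for stmt in conf.split(";"):
        tok = shlex.split(stmt)  # shlex also strips the quotes around the key
        if tok and tok[0] == "add":  # add <src> <dst> <proto> <spi> -A <alg> "<key>"
            i = tok.index("-A")
            sas.append((tok[1], tok[2], tok[3], int(tok[4]), tok[i + 1], tok[i + 2]))
        elif tok and tok[0] == "spdadd":  # spdadd <src> <dst> <upper> -P <dir> ipsec <proto>/<mode>/<endpoints>/<level>
            proto, mode, endpoints, level = tok[tok.index("ipsec") + 1].split("/")
            policies.append((tok[1], tok[2], tok[3], tok[tok.index("-P") + 1], proto, mode, endpoints, level))
    return sas, policies

def key_bits(key):
    """setkey accepts a 0x-prefixed hex key or a double-quoted ASCII string."""
    return (len(key) - 2) * 4 if key.startswith("0x") else len(key.encode()) * 8

def check(conf_a, conf_b):
    """Cross-check two hosts' static-key configs; returns a list of problems (empty = consistent)."""
    sas_a, pol_a = parse(conf_a)
    sas_b, pol_b = parse(conf_b)
    # Manual SAs must be identical on both ends: same SPI, algorithm and key per direction.
    problems = [] if sorted(sas_a) == sorted(sas_b) else ["SA entries differ between the two hosts"]
    for _src, _dst, _proto, spi, alg, key in sas_a + sas_b:
        if key_bits(key) != KEY_BITS.get(alg):
            problems.append(f"SPI {spi}: {alg} needs {KEY_BITS.get(alg)}-bit key, got {key_bits(key)}")
    for src, dst, _upper, _dir, _proto, mode, endpoints, _level in pol_a + pol_b:
        # Transport mode leaves the endpoint slot empty (the '//' in the policy); only tunnel mode fills it.
        if (mode == "transport") == bool(endpoints):
            problems.append(f"{src}->{dst}: {mode} mode with endpoints '{endpoints}'")
    # Every 'in' policy on one host must appear as the 'out' policy for the same flow on the other.
    mirrored = {(s, d, u, "out" if dr == "in" else "in", *rest) for s, d, u, dr, *rest in pol_b}
    for s, d, u, dr, *rest in pol_a:
        if (s, d, u, dr, *rest) not in mirrored:
            problems.append(f"policy {s}->{d} {dr} has no mirror on the other host")
    return problems
```

Running check(HOST_A, HOST_B) on the two files as quoted returns an empty list; a mismatched SPI, a filled endpoint slot in transport mode, or a short key each produce a problem line.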
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070118033808.I55095>