From: "Dan Mahoney, System Admin"
To: Andrew Pantyukhin
Cc: questions@FreeBSD.org
Date: Thu, 18 Jan 2007 03:47:24 -0500 (EST)
Subject: Re: Transport Mode IPSEC
Message-ID: <20070118033808.I55095@prime.gushi.org>
References: <20070118022306.Q26349@prime.gushi.org>
On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:

> On 1/18/07, Dan Mahoney, System Admin wrote:
>
> It's not that simple. The difficulty is in key exchange,
> and it stays. I can show you how to implement it with
> static keys:

As I read through the article
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)...
I get the distinct impression the howto actually is somewhat adaptable --
one just needs to ignore everything it says about tunnels, and the GIF
device.

I'd still install racoon, still do everything like that -- the change
comes in the lines in /etc/ipsec.conf

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

which would be I think modified to your lines below. I'm not sure if you
still need the additional policy definition (between the slashes).
Perhaps you can clarify for me?

I'm liking doing things with racoon only because it allows you to use
those nice non-static keys.
-Dan

> ====================================================================
> = 192.168.17.1:/etc/ipsec.conf
> ====================================================================
> flush ;
> spdflush ;
>
> add 192.168.17.69 192.168.17.1 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> add 192.168.17.1 192.168.17.69 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
> spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
> ====================================================================
> = 192.168.17.69:/etc/ipsec.conf
> ====================================================================
> flush ;
> spdflush ;
>
> add 192.168.17.69 192.168.17.1 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> add 192.168.17.1 192.168.17.69 ah 4567
>     -A hmac-sha2-512
>     "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
> spdadd 192.168.17.1 192.168.17.69 any -P in ipsec ah/transport//require ;
> ====================================================================
>
> Then add ipsec_enable="YES" to rc.conf(5) on both hosts
> and run /etc/rc.d/ipsec start. That should set up an
> authenticated relationship between the two hosts.
>
> See setkey(8) for encryption and other options.

--

"Don't try to out-weird me. I get stranger things than you free with my
breakfast cereal."

-Button seen at I-CON XVII (and subsequently purchased)

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
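Added example, not code from this thread or from the FreeBSD Handbook: a small POSIX sh helper for the transport-mode /etc/ipsec.conf discussed above. It prints the two spdadd lines one host needs (the field between the slashes, which holds the tunnel endpoints in the Handbook's tunnel example, stays empty in transport mode, and when racoon negotiates the SAs these policy lines are all the file needs; the manual `add` entries are only for static keys), checks that a static key has the length setkey(8) requires for the chosen HMAC algorithm, and verifies that the peer's file carries each policy with the same selector and the direction reversed, which is the usual copy-and-paste mistake between two hosts. The function names are hypothetical and the 192.0.2.x addresses in the demo are constructed TEST-NET placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers for a transport-mode
# /etc/ipsec.conf on FreeBSD. Function names are hypothetical; the demo
# addresses are constructed TEST-NET values (RFC 5737).

# Key length in bytes that setkey(8) requires for each authentication algorithm.
key_bytes_for() {
    case "$1" in
        hmac-md5)      echo 16 ;;
        hmac-sha1)     echo 20 ;;
        hmac-sha2-256) echo 32 ;;
        hmac-sha2-384) echo 48 ;;
        hmac-sha2-512) echo 64 ;;
        *)             echo 0 ;;
    esac
}

# check_key ALGO KEY: succeeds only when KEY, given either as the bare ASCII
# string that goes inside the double quotes or as a 0x-prefixed hex string,
# has exactly the length ALGO needs. setkey rejects any other size, so this
# catches a truncated or padded key before 'setkey -f /etc/ipsec.conf' fails
# at boot.
check_key() {
    algo=$1; key=$2
    want=$(key_bytes_for "$algo")
    [ "$want" -gt 0 ] || return 1
    case "$key" in
        0x*)
            hex=${key#0x}
            case "$hex" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
            [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
            got=$(( ${#hex} / 2 ))
            ;;
        *)
            got=${#key}
            ;;
    esac
    [ "$got" -eq "$want" ]
}

# gen_transport_policy LOCAL PEER PROTO: prints the two spdadd lines one host
# needs for transport mode. The field between the slashes, which names the
# tunnel endpoints in tunnel mode, stays empty here.
gen_transport_policy() {
    local_ip=$1; peer_ip=$2; proto=$3
    printf 'spdadd %s/32 %s/32 any -P out ipsec %s/transport//require;\n' \
        "$local_ip" "$peer_ip" "$proto"
    printf 'spdadd %s/32 %s/32 any -P in ipsec %s/transport//require;\n' \
        "$peer_ip" "$local_ip" "$proto"
}

# mirror_ok CONF_A CONF_B: succeeds when every 'out' policy in CONF_A appears
# in CONF_B with the same src/dst selector and protocol but direction 'in'.
# A policy that is not mirrored on the peer leaves one direction unprotected
# or undeliverable.
mirror_ok() {
    conf_a=$1; conf_b=$2; status=0
    while read -r kw src dst upper _pflag _dir _kw2 rest; do
        [ -n "$kw" ] || continue
        expect="spdadd $src $dst $upper -P in ipsec $rest"
        printf '%s\n' "$conf_b" | grep -qxF "$expect" || status=1
    done <<EOF
$(printf '%s\n' "$conf_a" | grep ' -P out ')
EOF
    return "$status"
}

# Demo: 'sh ipsec-transport.sh demo' prints one host's transport-mode policy.
if [ "${1:-}" = "demo" ]; then
    gen_transport_policy 192.0.2.1 192.0.2.2 esp
fi
```

Running the script with the `demo` argument prints the policy pair for host 192.0.2.1; the other host gets the same call with the two addresses swapped, and `mirror_ok` on the two outputs confirms they agree before either file is loaded with setkey.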