From owner-freebsd-net@FreeBSD.ORG Fri Apr 12 05:28:09 2013
Message-ID: <51679B54.2060908@rdtc.ru>
Date: Fri, 12 Apr 2013 12:27:48 +0700
From: Eugene Grosbein
To: Karl Denninger
Cc: freebsd-net
Subject: Re: IKEv2/IPSEC "Road Warrior" VPN Tunneling?
References: <516739C9.4080902@denninger.net>
In-Reply-To: <516739C9.4080902@denninger.net>
List-Id: Networking and TCP/IP with FreeBSD

12.04.2013 05:31, Karl Denninger writes:
> Is there a "cookbook" for setting this up? There are examples for
> setting up a tunnel between two fixed-address networks (e.g. a remote
> LAN that needs to be "integrated" with a central LAN over IPSec) but I
> can't find anything addressing the other situation -- remote user(s)
> where the connecting IPs are not known in advance, such as a person with
> a laptop or smartphone in a random hotel.
>
> (And is there a better list for this in the freebsd-* paradigm for the
> question?)
Moving to freebsd-net@.

You'll need to install the port security/ipsec-tools for IKE protocol support. This port contains the racoon daemon; here is a sample racoon.conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;

padding # options are not to be changed
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer # timing options. change as needed
{
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}

listen # address [port] that racoon will listen on
{
    isakmp X.X.X.X [500];
    isakmp Y.Y.Y.Y [500];
    # isakmp_natt Z.Z.Z.Z [4500];
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0600;
}

remote anonymous # just template: matches any peer whose address is not known in advance
{
    exchange_mode aggressive,main,base;
    doi ipsec_doi;
    situation identity_only;
    my_identifier fqdn "mydomain.net";
    verify_identifier on;
    mode_cfg off;
    lifetime time 1 hour;
    ike_frag on;
    passive on;                 # responder only: never initiate towards the roaming peer
    proposal_check obey;
    generate_policy unique;     # build the SPD entries for each peer at negotiation time
    # script "/usr/local/etc/racoon/phase1" phase1_up;
    # script "/usr/local/etc/racoon/phase1" phase1_down;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        lifetime time 12 hour;
        dh_group 1;
    }
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        lifetime time 1 hour;
        dh_group 1;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 1 hour;
    encryption_algorithm aes,3des,des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
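An added check, not part of Eugene's message or of the ipsec-tools project: a small Python audit that parses the proposal, remote and sainfo blocks of a racoon.conf and flags the settings a reviewer would question (aggressive mode with pre-shared keys, DES/3DES, MD5, DH groups 1 and 2). The weak-setting policy and the embedded config excerpt are this example's own assumptions, taken from the sample above.

```python
import re
# Constructed excerpt of the posted racoon.conf; algorithms and groups as posted.
SAMPLE_CONF = """remote anonymous # just template
{
    exchange_mode aggressive,main,base;
    proposal { encryption_algorithm 3des; hash_algorithm md5; dh_group 1; }
    proposal { encryption_algorithm aes 256; hash_algorithm sha1; dh_group 1; }
}
sainfo anonymous
{
    pfs_group 1;
    encryption_algorithm aes,3des,des;
    authentication_algorithm hmac_sha1,hmac_md5;
}
"""
# Review policy for this audit (an assumption of this example, not racoon's own).
WEAK = {
    "exchange_mode": {"aggressive"},  # with PSKs, aggressive mode exposes the PSK hash
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5"},
    "dh_group": {"1", "2"},
    "pfs_group": {"1", "2"},
}

def blocks(text, name):
    """Yield the body of every `name ... { ... }` block with balanced braces."""
    for m in re.finditer(r"\b%s\b[^{;]*\{" % name, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(conf):
    """Return sorted (block, key, value) triples for weak settings in conf."""
    text = re.sub(r"#[^\n]*", "", conf)  # strip comments so they are never parsed
    findings = set()
    for kind in ("remote", "proposal", "sainfo"):
        for idx, body in enumerate(blocks(text, kind)):
            # Drop nested proposal blocks so a remote block is judged on its own lines.
            own = re.sub(r"\{[^{}]*\}", "", body)
            for stmt in own.split(";"):
                parts = stmt.split()
                if len(parts) > 1 and parts[0] in WEAK:
                    for val in parts[1].split(","):
                        if val in WEAK[parts[0]]:
                            findings.add((f"{kind}[{idx}]", parts[0], val))
    return sorted(findings)
```

Run audit() over the text of /usr/local/etc/racoon/racoon.conf; for the sample above it reports nine findings, including the aggressive exchange mode and every DES/3DES, MD5 and group 1 entry.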