Date: Thu, 18 Jan 2007 11:36:35 +0300
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
Cc: questions@freebsd.org
Subject: Re: Transport Mode IPSEC
Message-ID: <cb5206420701180036l4dbc7bax952a674905c94489@mail.gmail.com>
In-Reply-To: <20070118022306.Q26349@prime.gushi.org>
References: <20070118022306.Q26349@prime.gushi.org>
On 1/18/07, Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
> Hey all,
>
> I see the handbook has a nice howto on tunnel mode ipsec. I just want to
> protect my NFS/NIS traffic between two hosts on a switch (neither NAT'd)
> -- is there a reference as to transport-mode ipsec anywhere, or has anyone
> done it that can outline it? I would imagine it would be drastically
> simpler than tunnel mode, but I'm not sure where it would break off.

It's not that simple. The difficulty is in key exchange, and it stays.
I can show you how to implement it with static keys:

====================================================================
= 192.168.17.1:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
====================================================================
= 192.168.17.69:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567 -A hmac-sha2-512 "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P in ipsec ah/transport//require ;
====================================================================

Then add ipsec_enable="YES" to rc.conf(5) on both hosts and run
/etc/rc.d/ipsec start. That should set up an authenticated relationship
between the two hosts.
See setkey(8) for encryption and other options.
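As an added example (not part of the thread above), a small generator for the paired ipsec.conf files the reply describes: both hosts get the same two AH SAs, each host gets the SPD directions it needs, and the shared key is a fresh random 512-bit value in setkey(8) 0x-hex form rather than a hand-typed ASCII string. The host addresses, the SPI of 4567 and the reserved-SPI check are taken from the reply and setkey(8); the function names are assumptions.

```python
import ipaddress
import os

# setkey(8) reserves SPI values 0-255; hmac-sha2-512 takes a 512-bit key.
SPI_MIN = 256
KEY_BYTES = 64  # 512 bits


def new_ah_key() -> str:
    """Random 512-bit AH key in the 0x-hex form setkey(8) accepts."""
    return "0x" + os.urandom(KEY_BYTES).hex()


def ah_transport_conf(local: str, peer: str, spi: int, key: str) -> str:
    """Render one host's ipsec.conf for AH transport mode with static keys.

    The SAs are identical on both hosts; only the SPD direction differs:
    traffic from the peer is 'in', traffic to the peer is 'out'.
    """
    if spi < SPI_MIN:
        raise ValueError(f"SPI {spi} is reserved; use >= {SPI_MIN}")
    if not (key.startswith("0x") and len(key) == 2 + 2 * KEY_BYTES):
        raise ValueError("hmac-sha2-512 needs a 512-bit key")
    local_ip = ipaddress.ip_address(local)   # validates the address
    peer_ip = ipaddress.ip_address(peer)
    sa = "add {src} {dst} ah {spi} -A hmac-sha2-512 {key} ;"
    sp = "spdadd {src} {dst} any -P {dir} ipsec ah/transport//require ;"
    lines = [
        "flush ;",
        "spdflush ;",
        sa.format(src=peer_ip, dst=local_ip, spi=spi, key=key),
        sa.format(src=local_ip, dst=peer_ip, spi=spi, key=key),
        sp.format(src=peer_ip, dst=local_ip, dir="in"),
        sp.format(src=local_ip, dst=peer_ip, dir="out"),
    ]
    return "\n".join(lines) + "\n"


def pair_confs(host_a: str, host_b: str, spi: int = 4567) -> dict:
    """One key shared by both files (constructed here, never reused)."""
    key = new_ah_key()
    return {host_a: ah_transport_conf(host_a, host_b, spi, key),
            host_b: ah_transport_conf(host_b, host_a, spi, key)}


if __name__ == "__main__":
    for host, text in pair_confs("192.168.17.1", "192.168.17.69").items():
        print(f"= {host}:/etc/ipsec.conf\n{text}")
```

Because the key lives in both files, keep them readable by root only; the key-exchange problem the reply points out is exactly what a static key does not solve.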
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?cb5206420701180036l4dbc7bax952a674905c94489>