"Configuring IPSec" - пошаговое руководство по настройке IPSec тунеля на FreeBSD (с использованем Racoon IKE демона). Ниже, краткий пересказ:
Ядро:
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
pseudo-device gif
Ставим для управления секретными ключами - Racoon IKE:
cd /usr/ports/security/racoon
make install clean
vi /usr/local/etc/racoon/racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
isakmp A.A.A.A [500];
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote B.B.B.B
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
nonce_size 16;
lifetime time 60 min; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 5 ;
}
}
sainfo B.B.B.B
{
pfs_group 5;
lifetime time 24 hour;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
--------------------------
Запускаем Racoon:
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l
Поднимаем маршрутизацию:
/sbin/route add -net 192.168.1.0/24 10.0.0.1
/sbin/route add -net 10.0.0.0/8 192.168.1.1
Правим /etc/rc.conf
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
gif_interfaces="gif0"
ifconfig_gif0="10.0.0.1 netmask 255.0.0.0 192.168.1.1 netmask 255.255.255.0"
gifconfig_gif0="A.A.A.A netmask 255.255.240.0 B.B.B.B netmask 255.255.240.0"
Настраиваем параметры для setkey (man setkey), для управления IPsec SA/SP базой.
vi /etc/ipsec.conf
flush;
spdflush;
#add the policy to the SPD database
spdadd 10.0.0.0/8 192.168.1.0/24 any -P out ipsec
esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 192.168.1.0/24 10.0.0.0/8 any -P in ipsec
esp/tunnel/B.B.B.B-A.A.A.A/require;
|