howto/ipsec-on-freebsd.md
... ...
@@ -0,0 +1,72 @@
1
+# IPsec on FreeBSD
2
+
3
+These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.
4
+
5
+## Requirements
6
+* Root access to both endpoints.
7
+* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.
8
+* At least one static IPv4 on at least one endpoint unless you hate yourself.
9
+
10
+## Kernel configuration
11
+The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
12
+If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
13
+```
14
+ options IPSEC #IP security
15
+ device crypto
16
+```
17
+Reboot into your new kernel.
18
+
19
+## Userland configuration
20
+
21
+Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
22
+Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
23
+```
24
+path pre_shared_key "/usr/local/etc/racoon/psk";
25
+path certificate "/usr/local/etc/racoon/certs";
26
+log info;
27
+
28
+listen {
29
+ isakmp a.b.c.d [500];
30
+ isakmp_natt a.b.c.d [4500];
31
+}
32
+
33
+padding {
34
+ strict_check on;
35
+}
36
+
37
+timer {
38
+ natt_keepalive 5 sec;
39
+ interval 3 sec;
40
+ phase1 45 sec; # give embedded CPUs time to finish RSA operations
41
+ phase2 45 sec;
42
+}
43
+
44
+remote b.c.d.e [500] {
45
+ exchange_mode main;
46
+ proposal_check strict;
47
+ my_identifier asn1dn;
48
+ peers_identifier asn1dn;
49
+ lifetime time 1 hour;
50
+ certificate_type x509 "self.crt" "self.key";
51
+ peers_certfile x509 "peer.crt";
52
+ ca_type x509 "ca.crt";
53
+ verify_cert on;
54
+ send_cert off; # neither send
55
+ send_cr off; # nor request a crt to be send
56
+
57
+ proposal {
58
+ encryption_algorithm aes 256;
59
+ hash_algorithm sha256;
60
+ authentication_method rsasig;
61
+ dh_group modp4096;
62
+ }
63
+}
64
+
65
+sainfo (address a.b.c.d gre address b.c.d.e gre) {
66
+ pfs_group modp4096;
67
+ lifetime time 1 hour;
68
+ encryption_algorithm aes 256;
69
+ authentication_algorithm hmac_sha1;
70
+}
71
+
72
+```
... ...
\ No newline at end of file
ipsec-on-freebsd.md
... ...
@@ -1,72 +0,0 @@
1
-# IPsec on FreeBSD
2
-
3
-These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.
4
-
5
-## Requirements
6
-* Root access to both endpoints.
7
-* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.
8
-* At least one static IPv4 on at least one endpoint unless you hate yourself.
9
-
10
-## Kernel configuration
11
-The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
12
-If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
13
-```
14
- options IPSEC #IP security
15
- device crypto
16
-```
17
-Reboot into your new kernel.
18
-
19
-## Userland configuration
20
-
21
-Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
22
-Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
23
-```
24
-path pre_shared_key "/usr/local/etc/racoon/psk";
25
-path certificate "/usr/local/etc/racoon/certs";
26
-log info;
27
-
28
-listen {
29
- isakmp a.b.c.d [500];
30
- isakmp_natt a.b.c.d [4500];
31
-}
32
-
33
-padding {
34
- strict_check on;
35
-}
36
-
37
-timer {
38
- natt_keepalive 5 sec;
39
- interval 3 sec;
40
- phase1 45 sec; # give embedded CPUs time to finish RSA operations
41
- phase2 45 sec;
42
-}
43
-
44
-remote b.c.d.e [500] {
45
- exchange_mode main;
46
- proposal_check strict;
47
- my_identifier asn1dn;
48
- peers_identifier asn1dn;
49
- lifetime time 1 hour;
50
- certificate_type x509 "self.crt" "self.key";
51
- peers_certfile x509 "peer.crt";
52
- ca_type x509 "ca.crt";
53
- verify_cert on;
54
- send_cert off; # neither send
55
- send_cr off; # nor request a crt to be send
56
-
57
- proposal {
58
- encryption_algorithm aes 256;
59
- hash_algorithm sha256;
60
- authentication_method rsasig;
61
- dh_group modp4096;
62
- }
63
-}
64
-
65
-sainfo (address a.b.c.d gre address b.c.d.e gre) {
66
- pfs_group modp4096;
67
- lifetime time 1 hour;
68
- encryption_algorithm aes 256;
69
- authentication_algorithm hmac_sha1;
70
-}
71
-
72
-```
... ...
\ No newline at end of file