IPsec on FreeBSD

These instructions are for IPsec in transport mode, not IPsec in tunnel mode. IPsec in tunnel mode requires too tight a coupling with the routing table for dynamic routing, because the policies can only be specified based on source/destination address and protocol, not based on interfaces.

Requirements

  • Root access to both endpoints.
  • Static IPv4 addresses for both endpoints, unless you want to write a small shell script as a hook for racoon.
  • At least one static IPv4 address on at least one endpoint, unless you hate yourself.

Kernel configuration

The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add these two lines to your kernel config and (re-)build your own kernel. If you're new to FreeBSD, check Chapters 15.9.1 and 9 of the FreeBSD handbook.

  options   IPSEC        #IP security
  device    crypto

Reboot into your new kernel.

Userland configuration

Install the racoon daemon. It's included in the security/ipsec-tools port. Racoon is a pain in the ass to configure the first time, because its error messages aren't helpful and IPsec itself is complex. Don't let this stop you.

path    pre_shared_key  "/usr/local/etc/racoon/psk";
path    certificate     "/usr/local/etc/racoon/certs";
log     info;

listen {
        isakmp          a.b.c.d [500];
        isakmp_natt     a.b.c.d [4500];
}

padding {
        strict_check    on;
}

timer {
        natt_keepalive   5 sec;
        interval         3 sec;
        phase1          45 sec; # give embedded CPUs time to finish RSA operations
        phase2          45 sec;
}

remote b.c.d.e [500] {
        exchange_mode           main;
        proposal_check          strict;
        my_identifier           asn1dn;
        peers_identifier        asn1dn;
        lifetime                time 1 hour;
        certificate_type        x509 "self.crt" "self.key";
        peers_certfile          x509 "peer.crt";
        ca_type                 x509 "ca.crt";
        verify_cert             on;
        send_cert               off; # neither send a certificate
        send_cr                 off; # nor request one from the peer

        proposal {
                encryption_algorithm    aes 256;
                hash_algorithm          sha256;
                authentication_method   rsasig;
                dh_group                modp4096;
        }
}

sainfo (address a.b.c.d gre address b.c.d.e gre) {
        pfs_group                       modp4096;
        lifetime                        time 1 hour;
        encryption_algorithm            aes 256;
        authentication_algorithm        hmac_sha1;
}
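The sainfo block above only tells racoon which security associations to negotiate; the kernel still needs a matching security policy before GRE traffic between the two endpoints is actually required to go through ESP in transport mode. The following setkey(8) policy file is an added example and not part of the original page. It reuses the page's placeholder addresses a.b.c.d (this host) and b.c.d.e (the peer); the file path /etc/ipsec.conf is an assumption, so point it wherever your rc configuration (ipsec_enable/ipsec_file) loads policies from.

```conf
# /etc/ipsec.conf (path is an assumption) -- load with: setkey -f /etc/ipsec.conf
# Clear stale SAs and policies first so a reload does not leave old entries behind.
flush;
spdflush;

# Outbound GRE from this host to the peer must be ESP-protected in transport mode.
# "require" means the kernel drops unprotected GRE packets instead of sending them
# in the clear while racoon is still negotiating (or has failed to negotiate).
spdadd a.b.c.d b.c.d.e gre -P out ipsec esp/transport//require;

# Inbound GRE from the peer must likewise arrive inside ESP; cleartext GRE is discarded.
spdadd b.c.d.e a.b.c.d gre -P in ipsec esp/transport//require;
```

On the b.c.d.e side the two addresses are swapped in both lines. The policy selector (source, destination, protocol gre) must match the sainfo selector in racoon.conf exactly; if it doesn't, racoon either never gets a kernel acquire for the traffic or rejects the peer's phase 2 proposal. After loading the file, setkey -DP shows the installed policies and setkey -D shows the SAs once racoon has finished negotiating.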