Halaman utama Jelajahi Bantuan
Masuk
mark22k
/
dn42-wiki
cermin dari https://codeberg.org/mark22k/dn42-wiki.git
Liatin 1
Bintangi 0
Fork 0
Berkas Masalah 0 Wiki
Cabang: pages
Ranting Tag
dn42-wiki
/
howto
/
IPsec-on-FreeBSD.html

IPsec-on-FreeBSD.html 11 KB
Permalink Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220 
  1. <!DOCTYPE html>
    2. 

  2. <html lang="en">
    3. 

  3.     <head>
    4. 

  4. <meta charset="UTF-8">
    5. 

  5. 

  6. 

  7. 

  8. <title>IPsec on FreeBSD | dn42 wiki</title>
    9. 

  9. 

  10. <meta name="viewport" content="width=device-width, initial-scale=1.0">
    11. 

  11. <meta name="robots" content="index, follow">
    12. 

  12. <meta name="keywords" content="dn42,wiki,routing,bgp">
    13. 

  13. 

  14. <link rel="canonical" href="https://dn42.obl.ong/howto/IPsec-on-FreeBSD.html">
    15. 

  15. <link rel="icon" type="image/x-icon" href="/favicon.ico">
    16. 

  16. <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico">
    17. 

  17. 

  18. <link rel="author" type="text/html" href="/docs/people">
    19. 

  19. 

  20. <link rel="stylesheet" href="/css/normalize.css">
    21. 

  21. <link rel="stylesheet" href="/css/simple.min.css">
    22. 

  22. <link rel="stylesheet" href="/css/style.css">
    23. 

  23. <link rel="stylesheet" href="/css/menu.css">
    24. 

  24. 

  25. 

  26. </head>
    27. 

  27.     
    28. 

  28.     <body>
    29. 

  29. 

  30.         <header>
    31. 

  31. 

  32. 

  33. <b>dn42 wiki / IPsec on FreeBSD</b>
    34. 

  34. 

  35. <div id="dn42_header">
    36. 

  36.     
    37. 

  37.     <p><a href="/"><img src="/dn42.png" alt="dn42" /></a></p>
    38. 

  38. 

  39. </div>
    40. 

  40. </header>
    41. 

  41. 

  42.         <main>
    43. 

  43.             <h1 id="ipsec-on-freebsd">IPsec on FreeBSD</h1>
    44. 

  44. 

  45. <p>These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.</p>
    46. 

  46. 

  47. <h2 id="requirements">Requirements</h2>
    48. 

  48. <ul>
    49. 

  49.   <li>Root access to both endpoints.</li>
    50. 

  50.   <li>Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.</li>
    51. 

  51.   <li>At least one static IPv4 on at least one endpoint unless you hate yourself.</li>
    52. 

  52. </ul>
    53. 

  53. 

  54. <h2 id="kernel-configuration">Kernel configuration</h2>
    55. 

  55. <p>The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
    56. 

  56. If you’re new to FreeBSD check Chapters <a href="http://www.freebsd.org/doc/handbook/ipsec.html">15.9.1</a> and <a href="http://www.freebsd.org/doc/handbook/kernelconfig.html">9</a> of the FreeBSD handbook.</p>
    57. 

  57. <div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">options</span>   <span class="n">IPSEC</span>        <span class="c">#IP security
    58. 

  58. </span><span class="n">device</span>    <span class="n">crypto</span>
    59. 

  59. </code></pre></div></div>
    60. 

  60. <p>Reboot into your new kernel.</p>
    61. 

  61. 

  62. <h2 id="userland-configuration">Userland configuration</h2>
    63. 

  63. 

  64. <p>Install the racoon daemon. It’s included in the <a href="http://www.freshports.org/security/ipsec-tools/">security/ipsec-tools</a> port.
    65. 

  65. Racoon is pain in the ass to configure the first time because it’s error messages aren’t helping and the complexity of IPsec. Don’t let this stop you.</p>
    66. 

  66. <div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">path</span>    <span class="n">pre_shared_key</span>  <span class="s2">"/usr/local/etc/racoon/psk"</span>;
    67. 

  67. <span class="n">path</span>    <span class="n">certificate</span>     <span class="s2">"/usr/local/etc/racoon/certs"</span>;
    68. 

  68. <span class="n">log</span>     <span class="n">info</span>;
    69. 

  69. 

  70. <span class="n">listen</span> {
    71. 

  71.         <span class="n">isakmp</span>          <span class="n">a</span>.<span class="n">b</span>.<span class="n">c</span>.<span class="n">d</span> [<span class="m">500</span>];
    72. 

  72.         <span class="n">isakmp_natt</span>     <span class="n">a</span>.<span class="n">b</span>.<span class="n">c</span>.<span class="n">d</span> [<span class="m">4500</span>];
    73. 

  73. }
    74. 

  74. 

  75. <span class="n">padding</span> {
    76. 

  76.         <span class="n">strict_check</span>    <span class="n">on</span>;
    77. 

  77. }
    78. 

  78. 

  79. <span class="n">timer</span> {
    80. 

  80.         <span class="n">natt_keepalive</span>   <span class="m">5</span> <span class="n">sec</span>;
    81. 

  81.         <span class="n">interval</span>         <span class="m">3</span> <span class="n">sec</span>;
    82. 

  82.         <span class="n">phase1</span>          <span class="m">45</span> <span class="n">sec</span>; <span class="c"># give embedded CPUs time to finish RSA operations
    83. 

  83. </span>        <span class="n">phase2</span>          <span class="m">45</span> <span class="n">sec</span>;
    84. 

  84. }
    85. 

  85. 

  86. <span class="n">remote</span> <span class="n">b</span>.<span class="n">c</span>.<span class="n">d</span>.<span class="n">e</span> [<span class="m">500</span>] {
    87. 

  87.         <span class="n">exchange_mode</span>           <span class="n">main</span>;
    88. 

  88.         <span class="n">proposal_check</span>          <span class="n">strict</span>;
    89. 

  89.         <span class="n">my_identifier</span>           <span class="n">asn1dn</span>;
    90. 

  90.         <span class="n">peers_identifier</span>        <span class="n">asn1dn</span>;
    91. 

  91.         <span class="n">lifetime</span>                <span class="n">time</span> <span class="m">1</span> <span class="n">hour</span>;
    92. 

  92.         <span class="n">certificate_type</span>        <span class="n">x509</span> <span class="s2">"self.crt"</span> <span class="s2">"self.key"</span>;
    93. 

  93.         <span class="n">peers_certfile</span>          <span class="n">x509</span> <span class="s2">"peer.crt"</span>;
    94. 

  94.         <span class="n">ca_type</span>                 <span class="n">x509</span> <span class="s2">"ca.crt"</span>;
    95. 

  95.         <span class="n">verify_cert</span>             <span class="n">on</span>;
    96. 

  96.         <span class="n">send_cert</span>               <span class="n">off</span>; <span class="c"># neither send
    97. 

  97. </span>        <span class="n">send_cr</span>                 <span class="n">off</span>; <span class="c"># nor request a crt to be send
    98. 

  98. </span>
    99. 

  99.         <span class="n">proposal</span> {
    100. 

  100.                 <span class="n">encryption_algorithm</span>    <span class="n">aes</span> <span class="m">256</span>;
    101. 

  101.                 <span class="n">hash_algorithm</span>          <span class="n">sha256</span>;
    102. 

  102.                 <span class="n">authentication_method</span>   <span class="n">rsasig</span>;
    103. 

  103.                 <span class="n">dh_group</span>                <span class="n">modp4096</span>;
    104. 

  104.         }
    105. 

  105. }
    106. 

  106. 

  107. <span class="n">sainfo</span> (<span class="n">address</span> <span class="n">a</span>.<span class="n">b</span>.<span class="n">c</span>.<span class="n">d</span> <span class="n">gre</span> <span class="n">address</span> <span class="n">b</span>.<span class="n">c</span>.<span class="n">d</span>.<span class="n">e</span> <span class="n">gre</span>) {
    108. 

  108.         <span class="n">pfs_group</span>                       <span class="n">modp4096</span>;
    109. 

  109.         <span class="n">lifetime</span>                        <span class="n">time</span> <span class="m">1</span> <span class="n">hour</span>;
    110. 

  110.         <span class="n">encryption_algorithm</span>            <span class="n">aes</span> <span class="m">256</span>;
    111. 

  111.         <span class="n">authentication_algorithm</span>        <span class="n">hmac_sha1</span>;
    112. 

  112. }
    113. 

  113. 

  114. </code></pre></div></div>
    115. 

  115. 

  116. 

  117. 

  118.             <div id="menu-container" class="menu-container">
    119. 

  119.                 <hr>
    120. 

  120.                 <div id="menu" class="menu">
    121. 

  121.                     
    122. 

  122.                     <ul>
    123. 

  123.   <li><a href="/Home">Home</a>
    124. 

  124.     <ul>
    125. 

  125.       <li><a href="/howto/Getting-Started">Getting Started</a></li>
    126. 

  126.       <li><a href="/howto/Registry-Authentication">Registry Authentication</a></li>
    127. 

  127.       <li><a href="/howto/Address-Space">Address Space</a></li>
    128. 

  128.       <li><a href="/howto/BGP-communities">BGP communities</a></li>
    129. 

  129.       <li><a href="/FAQ">FAQ</a></li>
    130. 

  130.     </ul>
    131. 

  131.   </li>
    132. 

  132.   <li>How-To
    133. 

  133.     <ul>
    134. 

  134.       <li><a href="/howto/wireguard">Wireguard</a></li>
    135. 

  135.       <li><a href="/howto/openvpn">Openvpn</a></li>
    136. 

  136.       <li><a href="/howto/IPsec-with-PublicKeys">IPsec With Public Keys</a></li>
    137. 

  137.       <li><a href="/howto/tinc">Tinc</a></li>
    138. 

  138.       <li><a href="/howto/GRE-on-FreeBSD">GRE on FreeBSD</a></li>
    139. 

  139.       <li><a href="/howto/GRE-on-OpenBSD">GRE on OpenBSD</a></li>
    140. 

  140.       <li><a href="/howto/IPv6-Multicast">IPv6 Multicast (PIM-SM)</a></li>
    141. 

  141.       <li><a href="/howto/multicast">SSM Multicast</a></li>
    142. 

  142.       <li><a href="/howto/mpls">MPLS</a></li>
    143. 

  143.       <li><a href="/howto/Bird2">Bird2</a></li>
    144. 

  144.       <li><a href="/howto/frr">FRRouting</a></li>
    145. 

  145.       <li><a href="/howto/OpenBGPD">OpenBGPD</a></li>
    146. 

  146.       <li><a href="/howto/mikrotik">Mikrotik RouterOS</a></li>
    147. 

  147.       <li><a href="/howto/EdgeOS-Config">EdgeRouter</a></li>
    148. 

  148.       <li><a href="/howto/Static-routes-on-Windows">Static routes on Windows</a></li>
    149. 

  149.       <li><a href="/howto/networksettings">Universal Network Requirements</a></li>
    150. 

  150.       <li><a href="/howto/vyos1.4.x">VyOS</a></li>
    151. 

  151.       <li><a href="/howto/nixos">NixOS</a></li>
    152. 

  152.     </ul>
    153. 

  153.   </li>
    154. 

  154.   <li>Services
    155. 

  155.     <ul>
    156. 

  156.       <li><a href="/services/IRC">IRC</a></li>
    157. 

  157.       <li><a href="/services/Whois">Whois registry</a></li>
    158. 

  158.       <li><a href="/services/DNS">DNS</a></li>
    159. 

  159.       <li><a href="/services/IX-Collection">IX Collection</a></li>
    160. 

  160.       <li><a href="/services/Clearnet-Domains">Public DNS</a></li>
    161. 

  161.       <li><a href="/services/Looking-Glasses">Looking Glasses</a></li>
    162. 

  162.       <li><a href="/services/Automatic-Peering">Automatic Peering</a></li>
    163. 

  163.       <li><a href="/services/Repository-Mirrors">Repository Mirrors</a></li>
    164. 

  164.       <li><a href="/services/Distributed-Wiki">Distributed Wiki</a></li>
    165. 

  165.       <li><a href="/services/Certificate-Authority">Certificate Authority</a></li>
    166. 

  166.       <li><a href="/services/Route-Collector">Route Collector</a></li>
    167. 

  167.     </ul>
    168. 

  168.   </li>
    169. 

  169.   <li>Internal
    170. 

  170.     <ul>
    171. 

  171.       <li><a href="/internal/Internal-Services">Internal services</a></li>
    172. 

  172.       <li><a href="/internal/Interconnections">Interconnections</a></li>
    173. 

  173.       <li><a href="/internal/APIs">APIs</a></li>
    174. 

  174.       <li><a href="/internal/ShowAndTell">Show and Tell</a></li>
    175. 

  175.       <li><a href="/internal/Historical-Services">Historical services</a></li>
    176. 

  176.     </ul>
    177. 

  177.   </li>
    178. 

  178.   <li>Historical
    179. 

  179.     <ul>
    180. 

  180.       <li><a href="/historical/Bird">Bird 1</a></li>
    181. 

  181.       <li><a href="/historical/Quagga">Quagga</a></li>
    182. 

  182.     </ul>
    183. 

  183.   </li>
    184. 

  184.   <li>External Tools
    185. 

  185.     <ul>
    186. 

  186.       <li><a href="https://paste.dn42.us">Paste Board</a></li>
    187. 

  187.       <li><a href="https://git.dn42.dev">Git Repositories</a></li>
    188. 

  188.     </ul>
    189. 

  189.   </li>
    190. 

  190. </ul>
    191. 

  191. 

  192. <hr />
    193. 

  193. 

  194. 

  195.                 </div>
    196. 

  196.             </div>
    197. 

  197.         </main>
    198. 

  198.         
    199. 

  199.         <footer><div class="center">
    200. 

  200.     <div id="dn42_footer">
    201. 

  201.         
    202. 

  202.         <table>
    203. 

  203.   <tbody>
    204. 

  204.     <tr>
    205. 

  205.       <td>Hosted by: <a href="mailto:dn42@burble.com">BURBLE-MNT</a>, <a href="mailto:nurtic-vibe@grmml.net">GRMML-MNT</a>, <a href="mailto:xuu@dn42.us">XUU-MNT</a>, <a href="mailto:janeric@ortgies.it">JAN-MNT</a>, <a href="mailto:lare@lare.cc">LARE-MNT</a>, <a href="mailto:danny@saru.moe">SARU-MNT</a>, <a href="mailto:androw95220@gmail.com">ANDROW-MNT</a>, <a href="mailto:dn42@mk16.de">MARK22K-MNT</a></td>
    206. 

  206.       <td>Accessible via: <a href="https://wiki.dn42">dn42</a>, <a href="https://dn42.dev/">dn42.dev</a>, <a href="https://dn42.eu/">dn42.eu</a>, <a href="https://wiki.dn42.us/">wiki.dn42.us</a>, <a href="https://dn42.de/">dn42.de</a> (IPv6-only), <a href="https://dn42.cc/">dn42.cc</a> (wiki-ng), <a href="https://dn42.wiki/">dn42.wiki</a>, <a href="https://dn42.pp.ua/">dn42.pp.ua</a>, <a href="https://dn42.obl.ong/">dn42.obl.ong</a></td>
    207. 

  207.     </tr>
    208. 

  208.   </tbody>
    209. 

  209. </table>
    210. 

  210. 

  211.     </div>
    212. 

  212. </div>
    213. 

  213. </footer>
    214. 

  214. 

  215.         
    216. 

  216. 

  217.     </body>
    218. 

  218. 

  219. </html>
    220. 

  220.