Reference: http://taosecurity.blogspot.com/2005/01/ipsec-tunnels-with-freebsd-although.html
- Rebuild the kernel with
options FAST_IPSEC
device crypto
and reboot. (FAST_IPSEC is the option name on FreeBSD 5.x and 6.x; from FreeBSD 7.0 on the same stack is enabled with options IPSEC.)
- Install security/ipsec-tools.
- Configure /usr/local/etc/racoon/racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    isakmp (MY_IP) [500];
}

timer
{
    # These values can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per send.

    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote [500]
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    my_identifier user_fqdn "sakane@kame.net";
    peers_identifier user_fqdn "sakane@kame.net";
    #certificate_type x509 "mycert" "mypriv";

    nonce_size 16;
    lifetime time 1 min;    # sec,min,hour
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
- Set up /usr/local/share/psk.txt. Note that racoon reads the file named by path pre_shared_key in racoon.conf, which above is /usr/local/etc/racoon/psk.txt, so the two paths must refer to the same file. The file holds one "identifier key" pair per line and should be readable by root only (chmod 600):
- Configure /etc/ipsec.conf. The IP addresses in the spdadd lines did not survive in this copy of the post; in each spdadd line the protected source and destination ranges go before any, and the two tunnel endpoint addresses go as src-dst between esp/tunnel/ and /require:
flush;
spdflush;
spdadd any -P out ipsec esp/tunnel/-/require;
spdadd any -P in ipsec esp/tunnel/-/require;
spdadd / any -P out ipsec esp/tunnel/-/require;
spdadd / any -P in ipsec esp/tunnel/-/require;
- Start racoon and load the policies: /usr/local/etc/rc.d/racoon.sh start; /etc/rc.d/ipsec start. Note that /etc/rc.d/ipsec only acts when ipsec_enable="YES" is set in /etc/rc.conf (it then loads the file named by ipsec_file, /etc/ipsec.conf by default); otherwise use /etc/rc.d/ipsec forcestart or run setkey -f /etc/ipsec.conf directly.
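The steps above leave the three files only half specified, so here is a worked version of the whole procedure as an added example; it is not code from the original post or from ipsec-tools. The gen_ipsec_conf, gen_psk_txt, gen_racoon_conf and check_psk_file functions are hypothetical helpers, and every address, subnet and secret is constructed for illustration. Two things differ from the post's racoon.conf on purpose: phase 1 uses main mode (aggressive mode sends the PSK-derived hash in the clear, where it can be captured and brute-forced offline), and a sainfo block is included, because racoon cannot negotiate the phase 2 IPsec SA without one.

```shell
#!/bin/sh
# Added example, not from the original post: build the three files the post
# configures from a handful of variables, then sanity-check the key file.
# Every address, subnet and secret below is constructed for illustration.

LOCAL_IP=203.0.113.1        # constructed: this gateway's address (MY_IP)
PEER_IP=198.51.100.1        # constructed: the remote gateway's address
LOCAL_NET=192.168.1.0/24    # constructed: subnet behind this gateway
PEER_NET=192.168.2.0/24     # constructed: subnet behind the peer
PSK_FILE=/usr/local/etc/racoon/psk.txt

# /etc/ipsec.conf for setkey(8): each spdadd line names the protected
# traffic (src_range dst_range) and the tunnel endpoints (src-dst) after
# esp/tunnel/.  The in policy is the mirror image of the out policy.
gen_ipsec_conf() {
    l_ip=$1 p_ip=$2 l_net=$3 p_net=$4
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$l_net" "$p_net" "$l_ip" "$p_ip"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$p_net" "$l_net" "$p_ip" "$l_ip"
}

# psk.txt: one "identifier key" pair per line; racoon looks the key up by
# the peer's identifier, which here is its address.
gen_psk_txt() {
    printf '%s %s\n' "$1" "$2"
}

# racoon.conf: phase 1 in main mode with address identifiers, plus the
# sainfo block racoon needs for phase 2 (the post's config has none).
gen_racoon_conf() {
    l_ip=$1 p_ip=$2 psk=$3
    cat <<EOF
path pre_shared_key "$psk";

listen {
    isakmp $l_ip [500];
}

remote $p_ip [500] {
    # main mode: identity and PSK-derived hash travel encrypted;
    # aggressive mode sends the hash in the clear
    exchange_mode main;
    my_identifier address $l_ip;
    peers_identifier address $p_ip;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# The key file must exist and be readable by its owner only (mode 0600);
# the first ten columns of ls -l are the type and permission bits.
check_psk_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -l "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Stand-alone run: print the generated files instead of installing them.
echo "== /etc/ipsec.conf"
gen_ipsec_conf "$LOCAL_IP" "$PEER_IP" "$LOCAL_NET" "$PEER_NET"
echo "== $PSK_FILE"
gen_psk_txt "$PEER_IP" "constructed-secret-change-me"
echo "== /usr/local/etc/racoon/racoon.conf"
gen_racoon_conf "$LOCAL_IP" "$PEER_IP" "$PSK_FILE"
```

To use it for real, redirect each generator into the file it is named after on both gateways, swapping LOCAL and PEER on the remote side so the two spdadd sets and the two remote blocks mirror each other, then chmod 600 the key file before starting racoon.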
P.S. racoon's sample configuration files are in /usr/local/share/examples/ipsec-tools.