{"version":"1.0","provider_name":"Jui-Nan Lin's Blog","provider_url":"https:\/\/jnlin.org","author_name":"jnlin","author_url":"https:\/\/jnlin.org\/author\/jnlin\/","title":"IPSec Configuration Notes","html":"Reference\r\n\r\n<a href=\"http:\/\/taosecurity.blogspot.com\/2005\/01\/ipsec-tunnels-with-freebsd-although.html\">http:\/\/taosecurity.blogspot.com\/2005\/01\/ipsec-tunnels-with-freebsd-although.html<\/a>.\r\n<ol>\r\n\t<li>Modify the kernel configuration, adding\r\n<blockquote><code>options FAST_IPSEC\r\ndevice crypto\r\n<\/code><\/blockquote>\r\nand reboot.<\/li>\r\n\t<li>Install <code>security\/ipsec-tools<\/code>.<\/li>\r\n\t<li>Configure <code>\/usr\/local\/etc\/racoon\/racoon.conf<\/code>:\r\n<blockquote><code>path pre_shared_key \"\/usr\/local\/etc\/racoon\/psk.txt\";\r\npadding\r\n{\r\nmaximum_length 20;      # maximum padding length.\r\nrandomize off;          # enable randomize length.\r\nstrict_check off;       # enable strict check.\r\nexclusive_tail off;     # extract last one octet.\r\n}\r\n\r\nlisten\r\n{\r\nisakmp (MY_IP) [500];\r\n}\r\ntimer\r\n{\r\n# These values can be changed per remote node.\r\ncounter 5;              # maximum trying count to send.\r\ninterval 20 sec;        # maximum interval to resend.\r\npersend 1;              # the number of packets per send.\r\n\r\n# maximum time to wait for completing each phase.\r\nphase1 30 sec;\r\nphase2 15 sec;\r\n}\r\nremote [500]\r\n{\r\n#exchange_mode main,aggressive;\r\nexchange_mode aggressive,main;\r\ndoi ipsec_doi;\r\nsituation identity_only;\r\n\r\nmy_identifier user_fqdn \"sakane@kame.net\";\r\npeers_identifier user_fqdn \"sakane@kame.net\";\r\n#certificate_type x509 \"mycert\" \"mypriv\";\r\n\r\nnonce_size 16;\r\nlifetime time 1 min;    # sec,min,hour\r\n\r\nproposal\r\n{\r\nencryption_algorithm 3des;\r\nhash_algorithm sha1;\r\nauthentication_method pre_shared_key;\r\ndh_group 2;\r\n}\r\n}<\/code><\/blockquote><\/li>\r\n\t<li>Configure <code>\/usr\/local\/share\/psk.txt<\/code>:<\/li>\r\n\t<li>Configure <code>\/etc\/ipsec.conf<\/code>:\r\n<blockquote><code>flush;\r\nspdflush;\r\nspdadd   any -P out ipsec\r\nesp\/tunnel\/-\/require;\r\nspdadd   any -P in ipsec\r\nesp\/tunnel\/-\/require;\r\n\r\nspdadd  \/ any -P out ipsec\r\nesp\/tunnel\/-\/require;\r\n\r\nspdadd \/  any -P in ipsec\r\nesp\/tunnel\/-\/require;<\/code><\/blockquote><\/li>\r\n\t<li><code>\/usr\/local\/etc\/rc.d\/racoon.sh start; \/etc\/rc.d\/ipsec start;<\/code><\/li>\r\n<\/ol>\r\nP.S.\r\nracoon's example configuration files are in <code>\/usr\/local\/share\/examples\/ipsec-tools<\/code>.","type":"rich"}