IPSec 設定筆記

1.0Jui-Nan Lin's Bloghttps://jnlin.orgjnlinhttps://jnlin.org/author/jnlin/IPSec 設定筆記參考 <a href="http://taosecurity.blogspot.com/2005/01/ipsec-tunnels-with-freebsd-although.html">http://taosecurity.blogspot.com/2005/01/ipsec-tunnels-with-freebsd-although.html</a>。 <ol> <li>修改 Kernel，加上 <blockquote><code>options FAST_IPSEC device crypto </code></blockquote> 並且重開機。</li> <li>安裝 <code>security/ipsec-tools</code>。</li> <li>設定 <code>/usr/local/etc/racoon/racoon.conf</code>: <blockquote><code>path pre_shared_key "/usr/local/etc/racoon/psk.txt"; padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. }</code> listen { isakmp (MY_IP) [500]; } timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per send. # maximum time to wait for completing each phase. phase1 30 sec; phase2 15 sec; } remote [500] { #exchange_mode main,aggressive; exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; my_identifier user_fqdn "sakane@kame.net"; peers_identifier user_fqdn "sakane@kame.net"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; lifetime time 1 min; # sec,min,hour proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } } </blockquote> </li> <li>設定 <code>/usr/local/share/psk.txt: </code></li> <li>設定 /etc/ipsec.conf: flush; spdflush;spdadd any -P out ipsec esp/tunnel/-/require; spdadd any -P in ipsec esp/tunnel/-/require; spdadd / any -P out ipsec esp/tunnel/-/require; spdadd / any -P in ipsec esp/tunnel/-/require; </li> <li>/usr/local/etc/rc.d/racoon.sh start; /etc/rc.d/ipsec start;</li> </ol> P.S. racoon 的範例設定檔在 <code>/usr/local/share/examples/ipsec-tools</code> 裡面。rich