IPsec BSD to BSD (FreeBSD; host u03 = 195.191.50.68, host v7 = 116.203.229.50)

V1: ipsec(4) tunnel interface (ipsec0) — inner addresses 10.8.1.x/32, outer addresses are the two public endpoints; each host's line must be the exact mirror of the other's.

u03 (195.191.50.68)

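# u03 (195.191.50.68): ipsec(4) tunnel interface towards v7 (116.203.229.50).
# "+=" appends to cloned_interfaces; "=" would silently replace any interfaces
# already listed there (lo1, bridge0, ...).
sysrc cloned_interfaces+=ipsec0
# inner: 10.8.1.2/32 local, 10.8.1.1 peer; outer: local public address, then peer public address.
sysrc ifconfig_ipsec0="inet 10.8.1.2/32 10.8.1.1 tunnel 195.191.50.68 116.203.229.50"
service netif restart ipsec0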

v7 (116.203.229.50)

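# v7 (116.203.229.50): ipsec(4) tunnel interface towards u03 (195.191.50.68).
# "+=" appends to cloned_interfaces; "=" would silently replace any interfaces
# already listed there (lo1, bridge0, ...).
sysrc cloned_interfaces+=ipsec0
# inner: 10.8.1.1/32 local, 10.8.1.2 peer; outer: local public address, then peer public address.
sysrc ifconfig_ipsec0="inet 10.8.1.1/32 10.8.1.2 tunnel 116.203.229.50 195.191.50.68"
service netif restart ipsec0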

V2: gre(4) tunnel interface (gre0). GRE itself offers no confidentiality or integrity; the GRE packets between the two endpoints are protected by the transport-mode ESP policy in the "IPsec security policy" section below.

v7 (116.203.229.50)

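# v7 (116.203.229.50): gre(4) tunnel interface towards u03 (195.191.50.68).
# "+=" appends to cloned_interfaces instead of replacing the existing list.
sysrc cloned_interfaces+="gre0"
# inner: 10.8.1.1 local, 10.8.1.2 peer (/32 point-to-point); outer: local public, then peer public.
sysrc ifconfig_gre0="inet 10.8.1.1 10.8.1.2 netmask 255.255.255.255 tunnel 116.203.229.50 195.191.50.68"
service netif restart gre0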

u03 (195.191.50.68)

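# u03 (195.191.50.68): gre(4) tunnel interface towards v7 (116.203.229.50).
# "+=" appends to cloned_interfaces instead of replacing the existing list.
sysrc cloned_interfaces+="gre0"
# inner: 10.8.1.2 local, 10.8.1.1 peer (/32 point-to-point); outer: local public, then peer public.
sysrc ifconfig_gre0="inet 10.8.1.2 10.8.1.1 netmask 255.255.255.255 tunnel 195.191.50.68 116.203.229.50"
service netif restart gre0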

IPsec security policy (setkey(8) SPD, used by the V2 GRE variant): only protocol GRE between the two public endpoints must be carried in transport-mode ESP. Other traffic between the hosts — including the IKE exchange itself — is not covered by these policies.

u03 (195.191.50.68)

ipsec.conf (the file loaded by the ipsec rc script; /etc/ipsec.conf unless ipsec_file is set in rc.conf)
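# u03 (195.191.50.68) -- SPD for the V2 GRE tunnel; v7 installs the mirror image.
# Only GRE between the two endpoints is covered; IKE (which protects itself) and any
# other traffic between the hosts is left untouched by these policies.
flush;        # drop existing SAs; racoon renegotiates them on demand
spdflush;     # drop existing policies before re-adding the two below
# "require": GRE is dropped until a matching ESP SA exists (fail closed), never sent in clear.
spdadd 195.191.50.68/32 116.203.229.50/32 gre -P out ipsec esp/transport//require;
spdadd 116.203.229.50/32 195.191.50.68/32 gre -P in ipsec esp/transport//require;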

v7 (116.203.229.50)

ipsec.conf (the file loaded by the ipsec rc script; /etc/ipsec.conf unless ipsec_file is set in rc.conf)
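# v7 (116.203.229.50) -- SPD for the V2 GRE tunnel; u03 installs the mirror image.
# Only GRE between the two endpoints is covered; IKE (which protects itself) and any
# other traffic between the hosts is left untouched by these policies.
flush;        # drop existing SAs; racoon renegotiates them on demand
spdflush;     # drop existing policies before re-adding the two below
# "require": GRE is dropped until a matching ESP SA exists (fail closed), never sent in clear.
spdadd 116.203.229.50/32 195.191.50.68/32 gre -P out ipsec esp/transport//require;
spdadd 195.191.50.68/32 116.203.229.50/32 gre -P in ipsec esp/transport//require;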

ISAKMP (IKEv1) key management with racoon (security/ipsec-tools). A single racoon.conf is shown; it is presumably installed unchanged on both hosts, with each host's psk.txt naming the other's public address.

racoon.conf (typically /usr/local/etc/racoon/racoon.conf, next to the psk.txt it references)
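# racoon (IKEv1) configuration -- install the identical file on both peers, since every
# algorithm and DH group below has to match on both sides.
# psk.txt holds one "<peer address> <secret>" line per peer (see racoon.conf(5)); keep it
# and this file root-owned, mode 0600.
path pre_shared_key  "/usr/local/etc/racoon/psk.txt";
log info;
 
padding {
  maximum_length 20;
  randomize off;
  strict_check off;
  exclusive_tail off;
}
 
# "remote anonymous" accepts a phase-1 negotiation from any source address that has a
# matching secret in psk.txt.  With exactly one fixed peer, "remote 116.203.229.50" on u03
# (resp. "remote 195.191.50.68" on v7) restricts IKE to that endpoint.
remote anonymous {
    exchange_mode main;         # keep main mode: aggressive mode with PSK exposes the PSK hash to offline guessing
    lifetime time 24 hour;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;  # was sha1
        authentication_method pre_shared_key;
        dh_group 14;            # was 1 (768-bit MODP, far below current minimums); 14 = 2048-bit MODP
    }
}
 
sainfo anonymous {
    pfs_group 14;                          # was 1; must equal the peer's pfs_group
    lifetime time 24 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;  # was hmac_sha1 (the sample setkey -D dump below was taken with the sha1 settings)
    compression_algorithm deflate;         # only negotiated if an ipcomp policy is installed; none is, in the SPD above
}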
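# The PSK file must not be readable by group/others; racoon looks secrets up in it by peer address.
chmod 0600 /usr/local/etc/racoon/psk.txt
# Load the SPD first: the "require" policies make the kernel ask racoon for SAs on demand.
service ipsec enable
service ipsec restart

service racoon enable
service racoon restart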

Sample SAD/SPD (taken on v7). Note that `setkey -D` prints the live ESP encryption (E:) and authentication (A:) keys of each SA; anyone holding them can decrypt or forge traffic for that SA until it expires. Redact them before sharing a dump, and flush/renegotiate the SAs if a dump has been exposed.

# setkey -DP
195.191.50.68[any] 116.203.229.50[any] gre
	in ipsec
	esp/transport//require
	spid=8 seq=1 pid=2689 scope=global 
	refcnt=1
116.203.229.50[any] 195.191.50.68[any] gre
	out ipsec
	esp/transport//require
	spid=7 seq=0 pid=2689 scope=global 
	refcnt=1

# setkey -D
116.203.229.50 195.191.50.68
	esp mode=transport spi=98773994(0x05e32bea) reqid=0(0x00000000)
	E: rijndael-cbc  67ac893a ed2c972b c8eee0ee 62e2fdfa f9fea310 0f46ef3c ca22e590 61a7f62b
	A: hmac-sha1  9fd270da f17d633f db1563af c816089b 689e093a
	seq=0x0002d777 replay=4 flags=0x00000000 state=mature 
	created: Sep 17 11:54:38 2019	current: Sep 17 12:07:03 2019
	diff: 745(s)	hard: 86400(s)	soft: 69120(s)
	last: Sep 17 11:54:39 2019	hard: 0(s)	soft: 0(s)
	current: 22620296(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 186231	hard: 0	soft: 0
	sadb_seq=1 pid=2664 refcnt=1
195.191.50.68 116.203.229.50
	esp mode=transport spi=156634846(0x09560ede) reqid=0(0x00000000)
	E: rijndael-cbc  62ef5b88 c489e96b a9d05840 292f6c6a b7e17fab 920d7831 4a90261f bd7b9570
	A: hmac-sha1  21c4a9b2 6602af39 3d8064c5 fbda6765 07997ab2
	seq=0x000582e6 replay=4 flags=0x00000000 state=mature 
	created: Sep 17 11:54:38 2019	current: Sep 17 12:07:03 2019
	diff: 745(s)	hard: 86400(s)	soft: 69120(s)
	last: Sep 17 11:54:39 2019	hard: 0(s)	soft: 0(s)
	current: 540582370(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 361190	hard: 0	soft: 0
	sadb_seq=0 pid=2664 refcnt=1
