On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:
> On 1/18/07, Dan Mahoney, System Admin <[EMAIL PROTECTED]> wrote:
> It's not that simple. The difficulty is in key exchange,
> and it stays. I can show you how to implement it with
> static keys:
As I read through the article
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)... I
get the distinct impression the howto actually is somewhat adaptable -- one
just needs to ignore everything it says about tunnels, and the GIF device.

I'd still install racoon, still do everything like that -- the change
comes in the lines in /etc/ipsec.conf

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

which would be, I think, modified to your lines below. I'm not sure if you
still need the additional policy definition (between the slashes).
Perhaps you can clarify for me?

I'm liking doing things with racoon only because it allows you to use
those nice non-static keys.
-Dan
> ====================================================================
> = 192.168.17.1:/etc/ipsec.conf
> ====================================================================
> flush ;
> spdflush ;
> add 192.168.17.69 192.168.17.1 ah 4567
> -A hmac-sha2-512
> "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> add 192.168.17.1 192.168.17.69 ah 4567
> -A hmac-sha2-512
> "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
> spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
> ====================================================================
> = 192.168.17.69:/etc/ipsec.conf
> ====================================================================
> flush ;
> spdflush ;
> add 192.168.17.69 192.168.17.1 ah 4567
> -A hmac-sha2-512
> "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> add 192.168.17.1 192.168.17.69 ah 4567
> -A hmac-sha2-512
> "Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
> spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
> spdadd 192.168.17.1 192.168.17.69 any -P in ipsec ah/transport//require ;
> ====================================================================
>
> Then add ipsec_enable="YES" to rc.conf(5) on both hosts
> and run /etc/rc.d/ipsec start. That should set up an
> authenticated relationship between the two hosts.
> See setkey(8) for encryption and other options.
--
"Don't try to out-wierd me. I get stranger things than you free with my
breakfast cereal."
-Button seen at I-CON XVII (and subsequently purchased)
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
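A consistency check for the two-host setkey layout quoted in this thread, added here as an example and not code from either poster: it parses both hosts' `add`/`spdadd` statements and flags a key whose length does not match the HMAC algorithm, an SA the peer lacks or defines differently, and a policy whose in/out direction is not mirrored on the other side. The sample configs and the 64-byte placeholder key are constructed; the required key sizes are assumed from the algorithm table in setkey(8).

```python
import shlex

# Key sizes in bytes that setkey(8) requires for each AH authentication
# algorithm (assumed from the setkey manual page's algorithm table).
KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha2-256": 32,
             "hmac-sha2-384": 48, "hmac-sha2-512": 64}

def parse_setkey(text):
    """Parse 'add' SAs and 'spdadd' policies from setkey syntax; statements
    end with ';' and may span lines, as in the thread's ipsec.conf."""
    sas, policies = {}, {}
    for stmt in text.split(";"):
        toks = shlex.split(stmt)            # keeps the double-quoted key whole
        if toks and toks[0] == "add" and toks[3] == "ah":
            i = toks.index("-A")             # "-A <algo> <key>"
            sas[(toks[1], toks[2], int(toks[4]))] = (toks[i + 1], toks[i + 2])
        elif toks and toks[0] == "spdadd":
            policies[(toks[1], toks[2])] = toks[toks.index("-P") + 1]
    return sas, policies

def key_length(key):
    # setkey reads "..." as raw ASCII bytes and 0x... as hex digits
    return (len(key) - 2) // 2 if key.startswith("0x") else len(key)

def check_pair(conf_a, conf_b):
    """Check conf_a against conf_b: undersized keys, SAs the peer lacks or
    defines differently, and policies whose in/out direction is not mirrored."""
    problems = []
    sas_a, pol_a = parse_setkey(conf_a)
    sas_b, pol_b = parse_setkey(conf_b)
    for sa, (algo, key) in sas_a.items():
        want = KEY_BYTES.get(algo)
        if want and key_length(key) != want:
            problems.append(f"{sa}: {algo} needs a {want}-byte key, got {key_length(key)}")
        if sas_b.get(sa) != (algo, key):
            problems.append(f"{sa}: SA missing or different on the other host")
    for flow, direction in pol_a.items():
        if pol_b.get(flow) != {"in": "out", "out": "in"}.get(direction):
            problems.append(f"{flow}: policy is '{direction}' here, must be reversed there")
    return problems
# Constructed sample: the thread's two-host AH transport layout with a placeholder key
KEY = '"' + "k" * 64 + '"'
HOST_A = f"""flush ; spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567 -A hmac-sha2-512 {KEY} ;
add 192.168.17.1 192.168.17.69 ah 4567 -A hmac-sha2-512 {KEY} ;
spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;"""
# The peer keeps the same SAs but must carry the mirrored policy directions
HOST_B = HOST_A.replace("-P in ", "-P x ").replace("-P out ", "-P in ").replace("-P x ", "-P out ")
```

Running `check_pair(HOST_A, HOST_B)` on the mirrored pair returns an empty list, while feeding the same file to both hosts reports the two policies that point the same way.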
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"