Hello Christopher,
On 11/06/2007 "Christopher Vance" <[EMAIL PROTECTED]> wrote:
I have several machines running OpenBSD 4.1, and am really impressed
by how easy it is to get IPSEC working between them these days. Thanks
people, it's great.
Unfortunately one other machine I'd dearly like to include is a MacOSX
10.4.9 machine, running racoon.
Yes I have googled, yes I have spent several days on this, and yes, I
do want to strangle the Mac.
Before I struggle too much longer trying to configure racoon to do the
right thing, or give in to using a package not in the OpenBSD base
system, is there someone out there actually running IPSEC with MacOSX
on one end and OpenBSD on the other, using racoon to do it? I'd
really appreciate it if you could share working config.
I am doing IPsec between OpenBSD 4.1 and MacOS X 10.4.9 using ISAKMP
and a pre-shared key. I couldn't get racoon to use blowfish
encryption despite the racoon documentation implying it was supported
so I'm using AES but besides that everything works.
I'm assuming you're adept with IPsec configuration on OpenBSD so for
brevity I'll just include the MacOS X configuration. For further info
see the MacOS X manual pages for racoon(8), racoon.conf(5) and setkey
(8) which surprisingly are quite good (though not up to the standard
of OpenBSD documentation, of course!) Apple adapted their IPsec
implementation from FreeBSD so documentation from/regarding that
project is worth a look as well.
% cat /etc/ipsec.conf
##
# ipsec.conf
##
# For use as argument to -f switch by setkey(8)
##
# NOTE:
# Hard-coded assumptions are as follows:
# - IPsec tunnel entry point is 192.168.1.2
# - IPsec tunnel end point is 192.168.1.1
# Consider using something similar to the script described at
# http://forums.macosxhints.com/showthread.php?t=51774 to more
# flexibly deal with dynamic host configuration.
##
# adapted from http://ezine.daemonnews.org/200401/wifi-ipsec.html
##
flush ;
spdflush ;
#
##
# Uncomment the below lines to permit DHCP outside of the tunnel
##
spdadd 0.0.0.0/32[68] 255.255.255.255/32[67] udp -P out none ;
spdadd 192.168.1.1[67] 192.168.1.0/24[68] udp -P in none ;
#
##
# Uncomment the below lines to permit SSH outside of the tunnel
##
#spdadd 192.168.1.2 192.168.1.1[22] tcp -P out none;
#spdadd 192.168.1.1[22] 192.168.1.2 tcp -P in none;
#
##
# Uncomment the below lines if this host is a gateway (router)
##
#spdadd 0.0.0.0/0 192.168.1.1 any -P out ipsec esp/tunnel/
192.168.1.2-192.168.1.1/unique ;
#spdadd 192.168.1.1 0.0.0.0/0 any -P in ipsec esp/tunnel/
192.168.1.1-192.168.1.2/unique ;
#
##
# Uncomment the below lines if this host is a node (end-point)
##
spdadd 192.168.1.2 192.168.1.1 any -P out ipsec esp/transport//unique ;
spdadd 192.168.1.1 192.168.1.2 any -P in ipsec esp/transport//unique ;
spdadd 192.168.1.2 0.0.0.0/0 any -P out ipsec esp/tunnel/
192.168.1.2-192.168.1.1/unique ;
spdadd 0.0.0.0/0 192.168.1.2 any -P in ipsec esp/tunnel/
192.168.1.1-192.168.1.2/unique ;
#
##
# end ipsec.conf
##
% cat /etc/racoon/racoon.conf
# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to
confusing.
path include "/etc/racoon" ;
# Allow third parties the ability to specify remote and sainfo entries
# by including all files matching /etc/racoon/remote/*.conf
include "/etc/racoon/remote/*.conf" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/cert" ;
# "log" specifies logging level. It is followed by either "notify",
"debug"
# or "debug2".
#log debug;
# "padding" defines some parameter of padding. You should not touch
these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
isakmp 192.168.1.2 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 10; # maximum trying count to send.
interval 3 sec; # interval to resend (retransmit)
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}
#
# anonymous entry is defined in /etc/racoon/remote/anonymous.conf
#
##
# end racoon.conf
##
% cat /etc/racoon/remote/anonymous.conf
remote anonymous
{
exchange_mode main,aggressive;
#exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
#my_identifier address;
#my_identifier user_fqdn "[EMAIL PROTECTED]";
#peers_identifier user_fqdn "[EMAIL PROTECTED]";
#certificate_type x509 "mycert" "mypriv";
nonce_size 16;
# lifetime time 1 min; # sec,min,hour
lifetime time 24 hour; # from man 5 racoon.conf
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
# encryption_algorithm 3des;
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
# lifetime time 30 sec;
lifetime time 12 hour ; # from man 5 racoon.conf
encryption_algorithm aes, 3des ;
# encryption_algorithm blowfish, aes, 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
##
# end anonymous.conf
##
