Description
In this post I’ll show you how to install, configure and test IPSec on FreeBSD.
All tests were made on two machines running FreeBSD version 10.1-RC3 with the following specifications:
CPU: 4 cores.
Memory: 5 GB.
Scenario
In order to have IPSec support in the kernel, we need to recompile it with the following options. First back up the stock configuration:
# cd /usr/src/sys/amd64/conf
# cp GENERIC GENERIC_BKP
Edit the GENERIC kernel configuration and add the following lines at the end of the file:
### IPSEC, PF, CARP, AESNI section

## 1. IPSEC
options IPSEC
device crypto
options IPSEC_DEBUG

## 2. ALTQ - this is optional; not needed for our purpose, but good to have
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ

## 3. Enable pf, pflog devices - this is the FreeBSD firewall
device pf
device pflog
device pfsync

## 4. CARP - this is for HA; optional, but good to have
device carp

## 5. AESNI, if present - hardware acceleration of IPSec using Intel AES-NI
device aesni
Now it’s time to build the new kernel.
# cd /usr/src
# make buildkernel KERNCONF=GENERIC
# make installkernel KERNCONF=GENERIC
Reboot the machine in order to load the new kernel. If something goes wrong, you can still boot the old kernel: choose the kernel to boot from at the FreeBSD boot loader, which is reached from the system boot menu by selecting the "Escape to a loader prompt" option. At the prompt, type boot kernel.old, or the name of any other kernel that is known to boot properly.
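Once the machine is back up, a check worth running before going further, as an added example that is not part of the original post: it reads the running kernel's embedded configuration (assuming GENERIC's INCLUDE_CONFIG_FILE option, which exposes it as sysctl kern.conftxt) and reports which of the lines above are missing, then confirms the IPsec sysctl tree exists. The function names and the two sample configuration texts are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: check that the running kernel carries the
# lines added above. Function names and sample texts are my own. Assumes GENERIC's
# INCLUDE_CONFIG_FILE option, which makes `sysctl -n kern.conftxt` print the kernel's config.
REQUIRED="options IPSEC|device crypto|device pf|device pflog"   # needed by this post
OPTIONAL="device carp|device aesni|options ALTQ"               # nice to have

# has_config_line CONFIG_TEXT "keyword value": true if an uncommented line sets it.
# Tolerates tabs/spaces and trailing comments; "options IPSEC" does not match IPSEC_DEBUG.
has_config_line() {
    kw=${2%% *}; val=${2#* }
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${kw}[[:space:]]+${val}([[:space:]]|\$)"
}

# check_kernel_config CONFIG_TEXT: prints "MISSING: ..." per absent required line
# (optional ones go to stderr); returns 1 if anything required is missing.
check_kernel_config() {
    missing=0; old_ifs=$IFS; IFS='|'
    for entry in $REQUIRED; do
        has_config_line "$1" "$entry" || { echo "MISSING: $entry"; missing=1; }
    done
    for entry in $OPTIONAL; do
        has_config_line "$1" "$entry" || echo "optional, not built in: $entry" >&2
    done
    IFS=$old_ifs
    return $missing
}
# Constructed kern.conftxt samples: complete, and with IPSEC commented out and pflog forgotten.
SAMPLE_COMPLETE="ident GENERIC
options IPSEC   # IP security
device  crypto
options IPSEC_DEBUG
device  pf
device  pflog
device  aesni"
SAMPLE_INCOMPLETE="#options IPSEC
device  crypto
device  pf
device  pfsync
device  carp"

# On the rebuilt box: check the embedded config, then confirm the net.inet.ipsec
# sysctl tree exists (it is only there when IPSEC is compiled in).
verify_running_kernel() {
    check_kernel_config "$(sysctl -n kern.conftxt)" || return 1
    sysctl net.inet.ipsec >/dev/null 2>&1 || { echo "MISSING: net.inet.ipsec sysctls"; return 1; }
    echo "IPsec present in kernel $(uname -i), built: $(uname -v)"
}
if [ "$(uname -s)" = FreeBSD ]; then verify_running_kernel; fi
```

Run it on the rebuilt machine; a commented-out or forgotten line shows up here as MISSING instead of as a silent failure when the first tunnel is brought up.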
Now we have IPSec support in the kernel, and it's time to move on.