IPSec on FreeBSD – Part 3

Configuration file  /usr/local/etc/racoon/racoon.conf  (the daemon and its directory are spelled "racoon", with one c, matching the path used inside the file)

On FreeBSD1

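path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# "log" specifies logging level.  It is followed by either "notify", "debug" or "debug2".
# Leave it commented out (default level) in production: debug output writes
# negotiation details, including peer identities, to the log.
#log debug;
padding
{
    maximum_length 20;   # maximum padding length.
    randomize off;       # enable randomize length.
    strict_check off;    # enable strict check.
    exclusive_tail off;  # extract last one octet.
}
listen
{
    # Bind the IKE socket to the tunnel endpoint only, not to every interface.
    isakmp 10.27.62.169 [500];
}
timer
{
    # These values can be changed per remote node.
    counter 5;           # maximum trying count to send.
    interval 20 sec;     # maximum interval to resend.
    persend 1;           # the number of packets per send.
    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}
remote 10.27.62.18 [500]
{
    # Main mode only.  Aggressive mode with a pre-shared key sends the
    # PSK-derived hash before anything is encrypted, so a passive listener can
    # capture it and brute-force the PSK offline.  Both endpoints have fixed
    # addresses, so main mode works here and aggressive mode is not needed.
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 10.27.62.169;
    peers_identifier address 10.27.62.18;
    # Check the identity the peer presents against peers_identifier
    # (racoon does not verify it unless told to).
    verify_identifier on;
    nonce_size 16;
    initial_contact on;
    # obey: as responder, accept the initiator's phase-2 lifetime, key length
    # and PFS group.  This keeps a not-yet-updated peer working; once both
    # sides run this file, change it to "strict" so an initiator cannot
    # negotiate weaker values than the ones configured here.
    proposal_check obey; # obey, strict, or claim
    # Preferred phase-1 proposal, listed first: SHA-256 and 2048-bit MODP
    # (group 14).  Key length is given as a separate argument, as racoon.conf(5)
    # documents it.
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group 14;
    }
    # Fallback matching the original settings so a peer that has not been
    # updated still connects.  1024-bit group 2 and SHA-1 are weak by current
    # standards: delete this proposal once both peers accept the one above.
    # (3des is weaker still; do not re-enable it.)
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo (address 10.1.1.0/24 any address 10.2.1.0/24 any)
{
    # 2048-bit group for phase-2 PFS.  With proposal_check obey above, a peer
    # still configured for group 2 is accepted until it is updated as well.
    pfs_group 14;
    lifetime time 3600 sec;
    encryption_algorithm aes 128;
    # Algorithms are proposed in order: hmac_sha256 when the peer supports it,
    # hmac_sha1 kept only for a peer that has not been updated yet.
    authentication_algorithm hmac_sha256, hmac_sha1;
    compression_algorithm deflate;
}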

On FreeBSD2

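path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# "log" specifies logging level.  It is followed by either "notify", "debug" or "debug2".
# Leave it commented out (default level) in production: debug output writes
# negotiation details, including peer identities, to the log.
#log debug;
padding
{
    maximum_length 20;   # maximum padding length.
    randomize off;       # enable randomize length.
    strict_check off;    # enable strict check.
    exclusive_tail off;  # extract last one octet.
}
listen
{
    # Bind the IKE socket to the tunnel endpoint only, not to every interface.
    isakmp 10.27.62.18 [500];
}
timer
{
    # These values can be changed per remote node.
    counter 5;           # maximum trying count to send.
    interval 20 sec;     # maximum interval to resend.
    persend 1;           # the number of packets per send.
    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}
remote 10.27.62.169 [500]
{
    # Main mode only.  Aggressive mode with a pre-shared key sends the
    # PSK-derived hash before anything is encrypted, so a passive listener can
    # capture it and brute-force the PSK offline.  Both endpoints have fixed
    # addresses, so main mode works here and aggressive mode is not needed.
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 10.27.62.18;
    peers_identifier address 10.27.62.169;
    # Check the identity the peer presents against peers_identifier
    # (racoon does not verify it unless told to).
    verify_identifier on;
    nonce_size 16;
    initial_contact on;
    # obey: as responder, accept the initiator's phase-2 lifetime, key length
    # and PFS group.  This keeps a not-yet-updated peer working; once both
    # sides run this file, change it to "strict" so an initiator cannot
    # negotiate weaker values than the ones configured here.
    proposal_check obey; # obey, strict, or claim
    # Preferred phase-1 proposal, listed first: SHA-256 and 2048-bit MODP
    # (group 14).  Key length is given as a separate argument, as racoon.conf(5)
    # documents it.
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group 14;
    }
    # Fallback matching the original settings so a peer that has not been
    # updated still connects.  1024-bit group 2 and SHA-1 are weak by current
    # standards: delete this proposal once both peers accept the one above.
    # (3des is weaker still; do not re-enable it.)
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo (address 10.2.1.0/24 any address 10.1.1.0/24 any)
{
    # 2048-bit group for phase-2 PFS.  With proposal_check obey above, a peer
    # still configured for group 2 is accepted until it is updated as well.
    pfs_group 14;
    lifetime time 3600 sec;
    encryption_algorithm aes 128;
    # Algorithms are proposed in order: hmac_sha256 when the peer supports it,
    # hmac_sha1 kept only for a peer that has not been updated yet.
    authentication_algorithm hmac_sha256, hmac_sha1;
    compression_algorithm deflate;
}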

Configuration file  /usr/local/etc/racoon/psk.txt

Restrict the key file to root before starting the daemon (racoon will not use a key file that other users can read): `# chmod 600 /usr/local/etc/racoon/psk.txt`

On FreeBSD1

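# One entry per peer: <peer address> <key>.  Replace the placeholder with a
# long random secret (e.g. the output of "openssl rand -base64 32") and use
# the same value on both peers; a guessable PSK is all that stands between
# an on-path attacker and the tunnel.  Keep this file mode 0600, owner root.
10.27.62.18 this_is_the_psk_put_your_own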

On FreeBSD2

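# One entry per peer: <peer address> <key>.  Replace the placeholder with a
# long random secret (e.g. the output of "openssl rand -base64 32") and use
# the same value on both peers; a guessable PSK is all that stands between
# an on-path attacker and the tunnel.  Keep this file mode 0600, owner root.
10.27.62.169 this_is_the_psk_put_your_own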

Configuration file  /usr/local/etc/racoon/setkey.conf

 On FreeBSD1

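# flush drops every existing SA (live tunnels are torn down); spdflush drops
# every policy before the new ones are loaded.
flush;
spdflush;
# Policy level "require": packets matching the policy are dropped unless an
# ESP SA exists.  The original "use" level silently sends them in the clear
# whenever racoon is not running or the negotiation has failed.
spdadd 10.1.1.0/24 10.2.1.0/24 any -P out ipsec esp/tunnel/10.27.62.169-10.27.62.18/require;
spdadd 10.2.1.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/10.27.62.18-10.27.62.169/require;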

On FreeBSD2

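# flush drops every existing SA (live tunnels are torn down); spdflush drops
# every policy before the new ones are loaded.
flush;
spdflush;
# Policy level "require": packets matching the policy are dropped unless an
# ESP SA exists.  The original "use" level silently sends them in the clear
# whenever racoon is not running or the negotiation has failed.
spdadd 10.2.1.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/10.27.62.18-10.27.62.169/require;
spdadd 10.1.1.0/24 10.2.1.0/24 any -P in ipsec esp/tunnel/10.27.62.169-10.27.62.18/require;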

Reboot

Reboot both machines and confirm that IPsec comes up on its own: `setkey -DP` should list the policies from setkey.conf, and after sending traffic between the two networks `setkey -D` should show the negotiated ESP SAs. If nothing is negotiated, check the racoon messages in /var/log/messages.

 


 

Author: techwritter