Configuring a VPN with IPSec on FreeBSD

04.01.2003 15:25

"Configuring IPSec" is a step-by-step guide to setting up an IPSec tunnel on FreeBSD (using the Racoon IKE daemon).

Below is a short summary of the procedure for the A.A.A.A side of the tunnel (the B.B.B.B side is configured as its mirror image):

Kernel options:

  options IPSEC
  options IPSEC_ESP
  options IPSEC_DEBUG
  pseudo-device gif

Install Racoon IKE to manage the secret keys:

  cd /usr/ports/security/racoon
  make install clean
  vi /usr/local/etc/racoon/racoon.conf

racoon.conf:

  path include "/usr/local/etc/racoon" ;
  path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

  # "log" specifies logging level. It is followed by either "notify", "debug"
  # or "debug2".
  #log debug;

  # "padding" defines some parameter of padding. You should not touch these.
  padding {
          maximum_length 20;      # maximum padding length.
          randomize off;          # enable randomize length.
          strict_check off;       # enable strict check.
          exclusive_tail off;     # extract last one octet.
  }

  # if no listen directive is specified, racoon will listen to all
  # available interface addresses.
  listen {
          isakmp A.A.A.A [500];
  }

  # Specification of default various timer.
  timer {
          # These value can be changed per remote node.
          counter 5;              # maximum trying count to send.
          interval 20 sec;        # maximum interval to resend.
          persend 1;              # the number of packets per a send.

          # timer for waiting to complete each phase.
          phase1 30 sec;
          phase2 15 sec;
  }

  remote B.B.B.B {
          #exchange_mode main,aggressive;
          exchange_mode aggressive,main;
          doi ipsec_doi;
          situation identity_only;

          nonce_size 16;
          lifetime time 60 min;   # sec,min,hour
          initial_contact on;
          support_mip6 on;
          proposal_check obey;    # obey, strict or claim

          proposal {
                  encryption_algorithm blowfish;
                  hash_algorithm sha1;
                  authentication_method pre_shared_key ;
                  dh_group 5 ;
          }
  }

  sainfo B.B.B.B {
          pfs_group 5;
          lifetime time 24 hour;
          encryption_algorithm blowfish ;
          authentication_algorithm hmac_sha1;
          compression_algorithm deflate ;
  }

Caveat on exchange_mode: with pre_shared_key authentication, aggressive mode sends the identity and a hash derived from the PSK in the clear, so a passive observer can run an offline dictionary attack on the key. Prefer main mode (the commented-out line) unless a peer with a dynamic address forces aggressive mode, and use a long random PSK in either case. The psk.txt file must not be group- or world-readable.

--------------------------

Start Racoon (the -l option of racoon(8) takes a log file path as its argument):

  /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l

Set up routing to the remote network through the tunnel:

  /sbin/route add -net 192.168.1.0/24 10.0.0.1
  /sbin/route add -net 10.0.0.0/8 192.168.1.1

Edit /etc/rc.conf:

  ipsec_enable="YES"
  ipsec_file="/etc/ipsec.conf"
  gif_interfaces="gif0"
  ifconfig_gif0="10.0.0.1 netmask 255.0.0.0 192.168.1.1 netmask 255.255.255.0"
  gifconfig_gif0="A.A.A.A netmask 255.255.240.0 B.B.B.B netmask 255.255.240.0"

Configure the policies for setkey (man setkey), which manages the IPsec SA/SP database. Both directions are marked "require", so traffic between the two private networks is dropped rather than sent in the clear if the tunnel is not up:

  vi /etc/ipsec.conf

  flush;
  spdflush;
  # add the policy to the SPD database
  spdadd 10.0.0.0/8 192.168.1.0/24 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
  spdadd 192.168.1.0/24 10.0.0.0/8 any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

After racoon has negotiated the tunnel, "setkey -D" shows the resulting SAs and "setkey -DP" the installed policies.
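The guide only shows the A.A.A.A side; the B.B.B.B side needs the same SPD entries with the addresses and the in/out directions swapped, and an identical psk.txt. The following sh script is an added example (not part of the guide or of racoon) that derives both endpoints' ipsec.conf and psk.txt from one set of parameters so the two policy files cannot drift apart. The function names, the output directory layout and the use of a 64-hex-character random string as the literal pre-shared key are this example's own choices; the addresses and networks are the placeholders from the text.

```shell
#!/bin/sh
# Added example (not from the original guide): emit the per-endpoint
# setkey(8) policy file and racoon psk.txt for a two-gateway ESP tunnel.
# The peer's files come from the same function with the arguments swapped,
# so the two SPDs are mirror images by construction.

# ipsec_policies LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET
# Prints the SPD for the gateway whose outer address is LOCAL_GW.
ipsec_policies() {
    printf 'flush;\nspdflush;\n'
    # our LAN -> peer LAN must leave inside an ESP tunnel to the peer
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$3" "$4" "$1" "$2"
    # peer LAN -> our LAN must arrive inside an ESP tunnel from the peer
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$4" "$3" "$2" "$1"
}

# new_psk: 32 random bytes rendered as 64 lowercase hex characters.
# The string itself is the key; both sides must carry exactly the same line.
new_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# psk_entry PEER_ID KEY: one psk.txt line (identifier, tab, key)
psk_entry() {
    printf '%s\t%s\n' "$1" "$2"
}

# write_endpoint DIR LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET KEY
# Writes DIR/ipsec.conf and DIR/psk.txt. The key file is created with
# umask 077 so it is never world-readable, not even transiently.
write_endpoint() {
    dir=$1
    mkdir -p "$dir"
    ipsec_policies "$2" "$3" "$4" "$5" > "$dir/ipsec.conf"
    (umask 077; psk_entry "$3" "$6" > "$dir/psk.txt")
    chmod 600 "$dir/psk.txt"
}

# demo OUTDIR: both ends of the A.A.A.A <-> B.B.B.B tunnel from the guide,
# sharing a single freshly generated key.
demo() {
    key=$(new_psk)
    write_endpoint "$1/A" A.A.A.A B.B.B.B 10.0.0.0/8 192.168.1.0/24 "$key"
    write_endpoint "$1/B" B.B.B.B A.A.A.A 192.168.1.0/24 10.0.0.0/8 "$key"
}
```

Run "demo /tmp/vpn" and copy /tmp/vpn/A to the A.A.A.A gateway (ipsec.conf to /etc, psk.txt to /usr/local/etc/racoon) and /tmp/vpn/B to the other side over an already trusted channel; racoon will not load a psk.txt that other users can read.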