Re: Transport Mode IPSEC
- From: "Andrew Pantyukhin" <infofarmer@xxxxxxxxxxx>
- Date: Thu, 18 Jan 2007 11:36:35 +0300
On 1/18/07, Dan Mahoney, System Admin <danm@xxxxxxxxxxxxxxx> wrote:
> Hey all,
> I see the handbook has a nice howto on tunnel mode ipsec. I just want to
> protect my NFS/NIS traffic between two hosts on a switch (neither NAT'd)
> -- is there a reference as to transport-mode ipsec anywhere, or has anyone
> done it that can outline it? I would imagine it would be drastically
> simpler than tunnel mode, but I'm not sure where it would break off.
It's not that simple. The difficulty is in key exchange,
and it stays. I can show you how to implement it with
static keys:
====================================================================
= 192.168.17.1:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
====================================================================
= 192.168.17.69:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;
add 192.168.17.69 192.168.17.1 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P in ipsec ah/transport//require ;
====================================================================
Then add ipsec_enable="YES" to rc.conf(5) on both hosts
and run /etc/rc.d/ipsec start. That should set up an
authenticated relationship between the two hosts.
See setkey(8) for encryption and other options.
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
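As an added example that is not part of the original message, the following POSIX sh script builds both /etc/ipsec.conf files from the static-key AH transport setup above (same two addresses and SPI 4567), with a freshly generated 512-bit key written in the 0x hex form setkey(8) accepts instead of a hand-typed string, and rejects a key of the wrong length before it is used. The output file names are an assumption; AH as configured here authenticates but does not encrypt.

```shell
#!/bin/sh
# Added example, not the original poster's code. Generates the two
# setkey(8) configurations from the post with a random 512-bit key.

gen_key() {
    # 64 random bytes = 512 bits, the key length hmac-sha2-512 expects,
    # printed as 128 hex digits.
    od -An -tx1 -N64 /dev/urandom | tr -d ' \n'
}

# key_ok HEXKEY: hmac-sha2-512 needs exactly 512 bits, so the hex
# string must be 128 lowercase hex digits and nothing else.
key_ok() {
    case $1 in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 128 ]
}

# gen_ipsec_conf LOCAL PEER SPI HEXKEY
# Prints the configuration for host LOCAL. The two SAs are the same on
# both hosts; only the policy direction (in/out) is swapped, which is
# the one place the two files in the post differ.
gen_ipsec_conf() {
    lhost=$1 peer=$2 spi=$3 key=$4
    cat <<EOF
flush ;
spdflush ;
add $peer $lhost ah $spi -A hmac-sha2-512 0x$key ;
add $lhost $peer ah $spi -A hmac-sha2-512 0x$key ;
spdadd $peer $lhost any -P in ipsec ah/transport//require ;
spdadd $lhost $peer any -P out ipsec ah/transport//require ;
EOF
}

# Usage: one key, two files (file names are assumed). Copy each file to
# /etc/ipsec.conf on its host, then add ipsec_enable="YES" to rc.conf
# and run /etc/rc.d/ipsec start, as the post describes.
KEY=$(gen_key)
key_ok "$KEY" || { echo "generated key has wrong length" >&2; exit 1; }
gen_ipsec_conf 192.168.17.1 192.168.17.69 4567 "$KEY" > ipsec-192.168.17.1.conf
gen_ipsec_conf 192.168.17.69 192.168.17.1 4567 "$KEY" > ipsec-192.168.17.69.conf
```

The key is the only secret in this scheme, so the two files must be copied over a channel that is already authenticated (for example scp), and rotating the key means regenerating and reinstalling both files.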