Re: Transport Mode IPSEC



On Thu, 18 Jan 2007, Andrew Pantyukhin wrote:

On 1/18/07, Dan Mahoney, System Admin <danm@xxxxxxxxxxxxxxx> wrote:

It's not that simple. The difficulty is in key exchange,
and it stays. I can show you how to implement it with
static keys:

As I read through the article (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)...I get the distinct impression the howto actually is somewhat adaptable -- one just needs to ignore everything it says about tunnels, and the GIF device.

I'd still install racoon, still do everything like that -- the change comes in the lines in /etc/ipsec.conf

spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

which would be I think modified to your lines below. I'm not sure if you still need the additional policy definition (between the slashes). Perhaps you can clarify for me?

I'm liking doing things with racoon only because it allows you to use those nice non-static keys.

-Dan

====================================================================
= 192.168.17.1:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;

add 192.168.17.69 192.168.17.1 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P in ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
====================================================================
= 192.168.17.69:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;

add 192.168.17.69 192.168.17.1 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
-A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P in ipsec ah/transport//require ;
====================================================================

Then add ipsec_enable="YES" to rc.conf(5) on both hosts
and run /etc/rc.d/ipsec start. That should set up an
authenticated relationship between the two hosts.

See setkey(8) for encryption and other options.


--

"Don't try to out-wierd me. I get stranger things than you free with my
breakfast cereal."

-Button seen at I-CON XVII (and subsequently purchased)

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
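The setkey(8) configuration quoted above, turned into a small generator, as an added example that is not part of the thread. It makes the point about the "field between the slashes" explicit: setkey's policy is protocol/mode/src-dst/level, and in transport mode the src-dst endpoint field is simply left empty (ah/transport//require), unlike the tunnel form in the handbook. It also replaces the hand-typed ASCII key with a freshly generated 512-bit key (hmac-sha2-512 needs exactly 512 bits) and shows that the two hosts' files differ only in the -P in / -P out direction. Addresses and the SPI are constructed sample values; file names and function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: build transport-mode AH
# /etc/ipsec.conf files for setkey(8) from a random 512-bit key.
# Addresses, SPI and output file names are constructed sample values.

# 64 random bytes as plain hex; setkey takes this with a 0x prefix.
gen_key() {
    od -An -tx1 -N 64 /dev/urandom | tr -d ' \n'
}

# key_bits HEXKEY -> prints key length in bits (4 per hex digit),
# fails if the string is not hex at all.
key_bits() {
    echo "$1" | grep -Eq '^[0-9a-fA-F]+$' || return 1
    echo $(( ${#1} * 4 ))
}

# transport_conf LOCAL REMOTE SPI HEXKEY -> ipsec.conf body for LOCAL.
# The two SA lines are identical on both hosts; only the SPD direction
# flips. Transport mode has no tunnel endpoints, so the src-dst field
# of the policy (between the slashes) stays empty.
transport_conf() {
    local_ip=$1; remote_ip=$2; spi=$3; key=$4
    bits=$(key_bits "$key") || { echo "key is not hex" >&2; return 1; }
    [ "$bits" -eq 512 ] || { echo "hmac-sha2-512 needs 512 bits, got $bits" >&2; return 1; }
    cat <<EOF
flush ;
spdflush ;

add $remote_ip $local_ip ah $spi -A hmac-sha2-512 0x$key ;
add $local_ip $remote_ip ah $spi -A hmac-sha2-512 0x$key ;
spdadd $remote_ip $local_ip any -P in ipsec ah/transport//require ;
spdadd $local_ip $remote_ip any -P out ipsec ah/transport//require ;
EOF
}

# Usage: one shared key, one file per host (copy each to /etc/ipsec.conf).
if [ "${1:-}" = "--generate" ]; then
    shared=$(gen_key)
    transport_conf 192.168.17.1  192.168.17.69 4567 "$shared" > ipsec.conf.host1
    transport_conf 192.168.17.69 192.168.17.1  4567 "$shared" > ipsec.conf.host69
fi
```

The key must be carried to the second host over a channel that is already trusted; that manual step is exactly what racoon's IKE exchange removes.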

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"