rc.d:
# /etc/rc.conf fragment for the IPsec gateway "ipsec.my".
# Turns on packet forwarding between de0 and de1 (gateway_enable),
# starts sshd, ipfw and racoon at boot.
gateway_enable="YES"
sshd_enable="YES"
hostname="ipsec.my"
# de0: inner side, aaa.aaa.aaa.0/23 (netmask 255.255.254.0).
# de1: side that holds the default router (bbb.bbb.bbb.81), presumably the
#      Internet-facing interface — confirm against the physical cabling.
# The leading space inside the quotes is passed through to ifconfig unchanged.
ifconfig_de0=" inet aaa.aaa.aaa.57 netmask 255.255.254.0"
ifconfig_de1=" inet bbb.bbb.bbb.85 netmask 255.255.255.240"
defaultrouter="bbb.bbb.bbb.81"
firewall_enable="YES"
# NOTE(review): the ruleset is sourced as root at boot from a path under
# /home rather than the usual /etc/rc.firewall; make sure that file and its
# directory are writable by root only, otherwise an unprivileged user could
# change the firewall policy.
firewall_script="/home/firewall.conf"
racoon_enable="YES"
# -l sends racoon's log to a file instead of syslog; with "log debug2" in
# racoon.conf that file grows quickly and may hold negotiation details —
# keep it root-readable only.
racoon_flags="-l /var/log/racoon.log"
racoon_create_dirs="YES"
# racoon.conf for the IPsec gateway (IKEv1, pre-shared keys, NAT-T enabled).
path include "/usr/local/etc/racoon";
# Pre-shared keys: this file must be readable by root only (mode 0600);
# racoon is expected to refuse a PSK file accessible by group/others — verify.
path pre_shared_key "/usr/local/etc/racoon/cert/psk.txt";
# Certificate directory; not used by the proposal below, which authenticates
# with pre_shared_key only.
path certificate "/usr/local/etc/racoon/cert/";
# debug2 is the most verbose level and logs negotiation internals;
# lower it (e.g. to "notify") once the tunnels are debugged.
log debug2;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # randomized padding length disabled.
strict_check off; # strict padding check disabled.
exclusive_tail off; # do not treat the last octet as the padding length.
}
listen
{
#isakmp ::1 [7000];
# IKE (500) and NAT-T (4500) are bound only to the de1 address, i.e. the
# address that should be reachable by the remote peers.
isakmp bbb.bbb.bbb.85 [500];
isakmp_natt bbb.bbb.bbb.85 [4500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
phase1 30 sec;
phase2 15 sec;
}
# "anonymous" applies to every peer not matched by a more specific
# "remote" block; there is none here, so any IKE initiator is negotiated with.
remote anonymous
{
# NOTE(review): aggressive mode with pre_shared_key sends the identity and
# the PSK-derived hash unencrypted, so a listener on the path can attempt
# offline guessing of the PSK; prefer main mode only (drop "aggressive")
# if all peers support it, and use a long random PSK regardless.
exchange_mode aggressive,main;
doi ipsec_doi;
lifetime time 24 hours; # phase 1 (ISAKMP SA) lifetime.
# generate_policy installs SPD entries from whatever the initiator proposes;
# combined with "remote anonymous" any peer holding the PSK can create policy
# on this gateway — acceptable only if the PSK is shared with trusted peers.
generate_policy on;
nat_traversal on;
ike_frag on;
# Dead peer detection: probe every 10 s, retry every 5 s, give up after 5 misses.
dpd_delay 10;
dpd_retry 5;
dpd_maxfail 5;
situation identity_only;
nonce_size 16;
initial_contact on;
proposal_check strict; # obey, strict, or claim
# Legacy algorithms (3DES / SHA-1 / DH group 2), presumably chosen for peer
# compatibility; move to aes, sha256 and a larger DH group where peers allow.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 parameters for every SA (no per-subnet sainfo is defined).
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
lifetime time 1 hour; # phase 2 (IPsec SA) lifetime.
compression_algorithm deflate; # IPComp; only negotiated if the peer offers it.
}
firewall.conf:
# ipfw ruleset sourced by rc.conf (firewall_script).
# Rules are evaluated in order for every packet, on input and on output;
# unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, a packet
# that matches none of them is dropped.
fwcmd="/sbin/ipfw -q"
# Start from an empty ruleset (rules, dummynet pipes and queues).
${fwcmd} -f flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
# NOTE(review): "via de1" matches packets entering OR leaving de1 (the
# interface holding the default router per rc.conf, presumably the
# Internet-facing side), so this single rule passes all traffic on de1 before
# any rule below is consulted; every service listening on bbb.bbb.bbb.85,
# sshd included, is reachable from anywhere. Consider narrowing it to the
# IKE (udp 500/4500) and ESP traffic racoon needs plus established sessions.
${fwcmd} add allow ip from any to any via de1
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add allow icmp from any to any
# IPsec protocols; "log" only produces output when net.inet.ip.fw.verbose
# is enabled (firewall_logging in rc.conf).
${fwcmd} add allow log esp from any to any
${fwcmd} add allow log ah from any to any
${fwcmd} add allow log ipencap from any to any
# Matches only packets with SOURCE port 500 (IKE). NAT-T on UDP 4500, which
# racoon.conf enables (isakmp_natt), has no rule here and currently passes
# only because of the "via de1" rule above.
${fwcmd} add allow log udp from any 500 to any
# Cleartext traffic between the tunnel subnets: ccc.ccc.ccc.0/24 (remote)
# and aaa.aaa.aaa.0/23 (local, de0's netmask 255.255.254.0).
${fwcmd} add allow ip from ccc.ccc.ccc.0/24 to aaa.aaa.aaa.0/23
${fwcmd} add allow ip from aaa.aaa.aaa.0/23 to ccc.ccc.ccc.0/24
P.S. Как очищать повисшие тоннели, а то setkey -D показывает старые тоннели?