http://www.freebsd.org/doc/en_US.ISO885 ... ipsec.html
I set this up on VirtualBox.
###############
First endpoint
###############
rc.conf
ifconfig_em1="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_em0="inet 10.0.0.19 netmask 255.255.255.0"
defaultrouter="10.0.0.1"
hostname="vpn1.local"
cloned_interfaces="gif0"
gif_interfaces="gif0"
gifconfig_gif0="10.0.0.19 10.0.0.20"
ifconfig_gif0="inet 192.168.0.1 192.168.1.1 netmask 0xffffffff"
static_routes="RemoteLan"
route_RemoteLan="192.168.1.0/24 -interface gif0"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
isakmp 10.0.0.19 [500];
# isakmp_natt 10.0.0.19 [4500];
}
remote 10.0.0.20 [500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 10.0.0.19;
peers_identifier address 10.0.0.20;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
sainfo (address 192.168.0.0/24 any address 192.168.1.0/24 any) # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{ # $network must be the two internal networks you are joining.
pfs_group 1;
lifetime time 36000 sec;
encryption_algorithm blowfish,3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
psk.txt
10.0.0.20 sometext
setkey.conf
flush;
spdflush;
# To the home network
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/10.0.0.19-10.0.0.20/use;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/10.0.0.20-10.0.0.19/use;
###############
Second endpoint
###############
rc.conf
ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_em0="inet 10.0.0.20 netmask 255.255.255.0"
defaultrouter="10.0.0.1"
hostname="vpn2.local"
cloned_interfaces="gif0"
gif_interfaces="gif0"
gifconfig_gif0="10.0.0.20 10.0.0.19"
ifconfig_gif0="inet 192.168.1.1 192.168.0.1 netmask 0xffffffff"
static_routes="RemoteLan"
route_RemoteLan="192.168.0.0/24 -interface gif0"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
isakmp 10.0.0.20 [500];
# isakmp_natt 10.0.0.20 [4500];
}
remote 10.0.0.19 [500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 10.0.0.20;
peers_identifier address 10.0.0.19;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
sainfo (address 192.168.1.0/24 any address 192.168.0.0/24 any) # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{ # $network must be the two internal networks you are joining.
pfs_group 1;
lifetime time 36000 sec;
encryption_algorithm blowfish,3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
psk.txt
10.0.0.19 sometext
setkey.conf
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/10.0.0.20-10.0.0.19/use;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.0.0.19-10.0.0.20/use;
/usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
On the first endpoint:
cat /var/log/racoon.log
2010-07-14 03:11:57: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-07-14 03:11:57: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
2010-07-14 03:11:57: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2010-07-14 03:11:57: DEBUG: hmac(modp768)
2010-07-14 03:11:57: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-07-14 03:11:57: DEBUG: getsainfo params: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='NULL', id=0
2010-07-14 03:11:57: DEBUG: getsainfo pass #2
2010-07-14 03:11:57: ERROR: (null):0: "2010-07-14 03:11:57: DEBUG: getsainfo pass #2
loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='NULL', id=0
og verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive2010-07-14 03:11:57: ERROR: fatal parse failure (1 errors)
Trying to check the contents of the policies:
#setkey -D
No SAD entries.
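A small lint for a racoon.conf / psk.txt pair, added here as an example (not part of the original post or of ipsec-tools). It checks the two things a reviewer would want for this setup: that the braces in racoon.conf balance (an unclosed sainfo block like the one above is rejected by racoon's parser) and that the proposals and the pre-shared key avoid settings that are weak today (aggressive mode, DES, Blowfish, MD5, DH group 1, a short PSK). The racoon.conf excerpt, the psk.txt line and the 20-character PSK threshold are constructed assumptions.

```python
import re

# Constructed racoon.conf excerpt (not the poster's file): it keeps the post's
# algorithm choices and, like the post, leaves the sainfo block unclosed.
RACOON_CONF = """\
remote 10.0.0.20 [500]
{
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm md5;
        dh_group 1;
    }
}
sainfo (address 192.168.0.0/24 any address 192.168.1.0/24 any)
{
    pfs_group 1;
    encryption_algorithm blowfish,3des,des;
    authentication_algorithm hmac_md5,hmac_sha1;
"""
# Constructed psk.txt line in the post's format: "<peer address> <secret>".
PSK_TXT = "10.0.0.20 sometext\n"
# Directive -> values a reviewer would reject in a new IKEv1/ESP deployment.
WEAK = {"exchange_mode": {"aggressive"}, "encryption_algorithm": {"des", "blowfish"},
        "hash_algorithm": {"md5"}, "authentication_algorithm": {"hmac_md5"},
        "dh_group": {"1"}, "pfs_group": {"1"}}

def strip_comments(text):
    """Drop '#' comments so braces or keywords inside them are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def brace_balance(text):
    """'{' minus '}' outside comments; racoon's parser accepts only 0."""
    body = strip_comments(text)
    return body.count("{") - body.count("}")

def weak_settings(text):
    """List (directive, value) pairs whose value is in the WEAK table."""
    found = []
    for line in strip_comments(text).splitlines():
        m = re.match(r"\s*(\w+)\s+([^;]+);", line)  # '<directive> <v1,v2,...>;'
        if m:
            key, values = m.group(1), m.group(2).split(",")
            found += [(key, v.strip()) for v in values if v.strip() in WEAK.get(key, ())]
    return found

def psk_ok(psk_text, min_len=20):
    """Every non-empty psk.txt line is '<peer> <secret>'; reject short secrets."""
    return all(len(p) == 2 and len(p[1]) >= min_len
               for p in (l.split(None, 1) for l in psk_text.splitlines()) if p)
```

Run `brace_balance`, `weak_settings` and `psk_ok` over the real files on both endpoints before starting racoon; a non-zero brace balance is worth fixing before reading any further into the debug log.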