************************** FreeBSD side **************************
rc.firewall:
${fwcmd} add 9201 allow log esp from any to any
${fwcmd} add 9202 allow log ah from any to any
${fwcmd} add 9203 allow log ipencap from any to any
${fwcmd} add 9204 allow log udp from any 500 to any
____________________________________________________
rc.conf (fuck knows if it works, set up manually):
gif_interfaces="gif0"
gifconfig_gif0="HERE_IP PEER_IP"
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
____________________________________________________
/usr/local/etc/racoon/psk.txt:
# must be the file named by "path pre_shared_key" in racoon.conf; chmod 600 it, racoon rejects a group/world-readable key file
PEER_IP password
____________________________________________________
/usr/local/etc/racoon/racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
isakmp HERE_IP [500];
}
sainfo anonymous
{
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
remote PEER_IP
{
exchange_mode aggressive, main; # first mode listed is used when initiating; aggressive mode with a PSK sends the PSK-keyed hash in the clear (offline crackable), main alone is safer
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}
____________________________________________________
/usr/local/etc/racoon/setkey.conf:
flush;
spdflush;
# transport mode between the two outer addresses; ESP and AH are both required, inbound and outbound
spdadd PEER_IP HERE_IP any -P in ipsec esp/transport//require ah/transport//require;
spdadd HERE_IP PEER_IP any -P out ipsec esp/transport//require ah/transport//require;
____________________________________________________
# Actual commands
# ifconfig gif0 create
# ifconfig gif0 HERE_IP PEER_IP netmask 255.255.255.0 (probably 255.255.255.255)
# setkey -f /usr/local/etc/racoon/setkey.conf
# racoon
____________________________________________________
************************** Linux Side **************************
/etc/sysconfig/network-scripts/ifcfg-ipsec0:
# Red Hat initscripts IPsec support (ifup-ipsec runs racoon underneath); the PSK lives in keys-ipsec0
DEVICE=ipsec0
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRC=HERE_IP
DST=PEER_IP
____________________________________________________
/etc/sysconfig/network-scripts/keys-ipsec0:
IKE_PSK=password
# ifup ipsec0
That's it.
F*ck, FreeBSD.
F*ck the f*cking FreeBSD manual.
F*ck Google.
Reply to: comment by hizel
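The racoon.conf above, checked the way a reviewer would. The following is an added example (Python, written for this page; it is not part of the original post and not part of ipsec-tools) that parses racoon.conf's brace/semicolon syntax and flags the settings a practitioner would change before putting the tunnel into production: `log debug`, `exchange_mode aggressive` together with `pre_shared_key` (racoon initiates with the first mode listed, and in aggressive mode the PSK-keyed hash travels in the clear, so the PSK can be dictionary-attacked offline), 3DES/Blowfish and HMAC-MD5 in either phase, and `dh_group 2`. The embedded configuration is a constructed copy of the one above, trimmed to the relevant lines with the HERE_IP/PEER_IP placeholders kept; `harden()` rewrites the flagged settings and the linter is run again on the result. The finding codes and the `harden()` substitutions are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the racoon.conf from the post trimmed to the lines that matter, placeholders kept.
SAMPLE_RACOON_CONF = """\
path pre_shared_key "/usr/local/etc/racoon/psk.txt";  # location of pre-shared key file
log debug;
sainfo anonymous {
    encryption_algorithm 3des, blowfish 448, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
}
remote PEER_IP {
    exchange_mode aggressive, main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2 ;
    }
}
"""

@dataclass
class Block:
    header: str                       # "" for file scope, otherwise e.g. "remote PEER_IP"
    stmts: List[str] = field(default_factory=list)
    children: List["Block"] = field(default_factory=list)

def parse(text: str) -> Block:
    """Parse racoon.conf's brace/semicolon syntax into nested blocks; '#' comments are dropped."""
    stack, buf = [Block("")], ""
    for ch in re.sub(r"#[^\n]*", "", text):
        if ch == ";":
            stack[-1].stmts.append(" ".join(buf.split()))
        elif ch == "{":
            stack[-1].children.append(Block(" ".join(buf.split())))
            stack.append(stack[-1].children[-1])
        elif ch == "}" and len(stack) > 1:
            stack.pop()
        elif ch == "}":
            raise ValueError("unbalanced '}' in racoon.conf")
        else:
            buf += ch
            continue
        buf = ""
    if len(stack) != 1:
        raise ValueError("unclosed '{' in racoon.conf")
    return stack[0]

def setting(block: Block, key: str) -> Optional[str]:
    """Value of the first 'key value ...' statement in the block, or None if absent."""
    hits = [s.split(" ", 1) for s in block.stmts if s.split(" ", 1)[0] == key]
    return (hits[0][1] if len(hits[0]) == 2 else "") if hits else None

def algorithms(value: Optional[str]) -> List[str]:
    # '3des, blowfish 448, rijndael' -> ['3des', 'blowfish', 'rijndael'] (key lengths dropped)
    return [item.split()[0] for item in (value or "").split(",") if item.strip()]

WEAK_CIPHERS = {"des", "3des", "blowfish", "null_enc"}  # 56-bit key, 64-bit block, or no encryption
WEAK_HASHES = {"md5", "hmac_md5"}

def lint(text: str) -> List[Tuple[str, str, str]]:
    """(code, where, message) findings for a PSK transport-mode setup like the one above."""
    root, out = parse(text), []
    if setting(root, "log") == "debug":
        out.append(("LOG_DEBUG", "log", "full negotiation detail goes to syslog; use notify once it works"))
    for blk in root.children:
        kind = blk.header.split(" ")[0]
        if kind == "sainfo":
            weak = [a for a in algorithms(setting(blk, "encryption_algorithm")) if a in WEAK_CIPHERS]
            if weak:
                out.append(("WEAK_CIPHER", blk.header, "phase 2 offers " + ", ".join(weak) + "; offer aes only"))
            if any(a in WEAK_HASHES for a in algorithms(setting(blk, "authentication_algorithm"))):
                out.append(("WEAK_HASH", blk.header, "phase 2 offers hmac_md5; offer hmac_sha1 or better only"))
        elif kind == "remote":
            proposals = [p for p in blk.children if p.header == "proposal"]
            uses_psk = any(setting(p, "authentication_method") == "pre_shared_key" for p in proposals)
            if "aggressive" in algorithms(setting(blk, "exchange_mode")) and uses_psk:
                out.append(("AGGRESSIVE_PSK", blk.header, "aggressive mode sends the PSK-keyed hash in the "
                            "clear, so the PSK can be dictionary-attacked offline; use exchange_mode main only"))
            for p in proposals:
                enc, grp = setting(p, "encryption_algorithm"), setting(p, "dh_group")
                if enc in WEAK_CIPHERS:
                    out.append(("WEAK_CIPHER", blk.header, "phase 1 uses " + enc + "; use aes"))
                if grp is not None and grp.isdigit() and int(grp) < 14:
                    out.append(("WEAK_DH", blk.header, "dh_group " + grp + " is below 2048-bit MODP; use 14"))
    return out

def harden(text: str) -> str:
    """Rewrite the flagged settings in place and leave everything else as it was."""
    rules = [(r"\blog\s+debug\s*;", "log notify;"),
             (r"\bexchange_mode[^;]*;", "exchange_mode main;"),
             (r"\bencryption_algorithm[^;]*;", "encryption_algorithm aes;"),  # 'aes' is valid in both phases
             (r"\bauthentication_algorithm[^;]*;", "authentication_algorithm hmac_sha1;"),
             (r"\bhash_algorithm[^;]*;", "hash_algorithm sha1;"),
             (r"\bdh_group[^;]*;", "dh_group 14;")]
    for pattern, repl in rules:
        text = re.sub(pattern, repl, text)
    return text
```

Run `lint(SAMPLE_RACOON_CONF)` to see the six findings the posted config produces, and `lint(harden(SAMPLE_RACOON_CONF))` to confirm the rewritten file is clean. The hardened file must be mirrored on the Linux side (the same phase 1 and phase 2 algorithms, main mode only), otherwise phase 1 fails with a proposal mismatch rather than silently falling back.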