
An easy way to set up an IPsec tunnel from FreeBSD to Cisco

A note on naming first: the how-tos that tell you to install Racoon still refer to the old racoon port, which in FreeBSD 7.x has been replaced by ipsec-tools (security/ipsec-tools).

so:

portinstall ipsec-tools
Do not forget to build the kernel with IPsec support:

device crypto

options IPSEC

Note: on 7.x you no longer add IPSEC_ESP; ESP is part of IPSEC and the old option is gone.


Create /etc/ipsec.conf with the security policies. The two spdadd lines are mirror images of each other: the "out" policy covers traffic from our subnet to the remote one with the tunnel endpoints written local-remote, and the "in" policy is the same thing reversed. "unique" gives each policy its own SA (that is the reqid you will see in setkey -D later).

cat > /etc/ipsec.conf

flush;
spdflush;
spdadd 192.168.50.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/83.170.247.74-84.204.32.202/unique;
spdadd 192.168.0.0/24 192.168.50.0/24 any -P in ipsec esp/tunnel/84.204.32.202-83.170.247.74/unique;

Ctrl+D

Then enable it in rc.conf (rc.conf is sourced by sh, so no spaces around the "="):

cat >> /etc/rc.conf

ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

Ctrl+D

Configuring racoon:

cat > /usr/local/etc/racoon/racoon.conf

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;  # very chatty; drop back to "log notify" once the tunnel is up
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
remote anonymous
{
exchange_mode main, base, aggressive;
doi ipsec_doi;
#situation identity_only;
my_identifier address 83.170.247.74;
nonce_size 16;
lifetime time 6000 sec; # sec, min, hour
initial_contact on;
support_proxy on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
lifetime time 6000 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

Ctrl+D

Note: the parameters that matter in these sections are the algorithms and groups, and they must match the remote side. In the remote proposal, encryption_algorithm, hash_algorithm and dh_group correspond to the Cisco's crypto isakmp policy (phase 1); in sainfo, encryption_algorithm, authentication_algorithm and pfs_group correspond to the crypto ipsec transform-set and the PFS setting of the crypto map (phase 2). Two caveats: in aggressive mode with a pre-shared key the responder's hash goes out unencrypted and can be brute-forced offline, so leave exchange_mode at main unless the peer insists on aggressive; and 3DES, SHA-1 and DH group 2 are simply what the Cisco side offered in 2008, so pick AES and a larger DH group whenever the peer supports them. With proposal_check obey, racoon as responder also accepts the lifetime the peer proposes, which is why the SAs below show a hard lifetime of 3600 s rather than the 6000 s written here.

cat > /usr/local/etc/racoon/psk.txt

84.204.32.202 mysuperpass

Ctrl+D

racoon refuses to use a psk.txt that is readable by group or others, so make the file mode 0600 (owner-only) before starting it.

and add racoon to rc.conf as well:

cat >> /etc/rc.conf

racoon_enable="YES"

Ctrl+D

That's it.
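The whole setup above as one shell script, added here as an example and not part of the article: it stages /etc/ipsec.conf and racoon's psk.txt under a directory you choose, checks that the "in" and "out" policies mirror each other and that psk.txt is mode 0600 (which racoon insists on), and then tells you how to load the policy. The function names (gen_ipsec_conf, check_policy_pair, write_psk, stage_tunnel) and the staging-directory convention are my own assumptions; the addresses, subnets and secret are the article's.

```shell
#!/bin/sh
# Added example (not from the article): stage the setkey policy file and the
# racoon pre-shared-key file for the tunnel above and check them before they
# go live. Run as: sh stage-ipsec.sh /tmp/stage   (use "/" on the real host)

# Print the SPD policy pair for an ESP tunnel. Arguments:
#   $1 local public IP   $2 remote public IP
#   $3 local subnet      $4 remote subnet
# The "in" policy is the exact mirror of the "out" policy; one endpoint
# written backwards is the classic reason racoon negotiates but nothing flows.
gen_ipsec_conf() {
    printf '%s\n' \
        'flush;' \
        'spdflush;' \
        "spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/unique;" \
        "spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/unique;"
}

# Succeed only if the file holds exactly one "-P out" and one "-P in" tunnel
# policy whose endpoints mirror each other.
check_policy_pair() {
    awk '
    /^spdadd/ && match($0, "tunnel/[^/]+/") {
        ep = substr($0, RSTART + 7, RLENGTH - 8)   # the "A-B" between the slashes
        split(ep, e, "-")
        if ($0 ~ /-P out /) { o_src = e[1]; o_dst = e[2]; outc++ }
        if ($0 ~ /-P in /)  { i_src = e[1]; i_dst = e[2]; inc++ }
    }
    END {
        if (outc == 1 && inc == 1 && o_src == i_dst && o_dst == i_src) exit 0
        exit 1
    }' "$1"
}

# Write "<peer> <secret>" for racoon. racoon rejects a psk.txt readable by
# group or others, so the file is created owner-only from the start.
write_psk() {
    ( umask 077; printf '%s %s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Permission bits of a file: GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_psk_mode() {
    [ "$(file_mode "$1")" = "600" ]
}

# Stage both files under the directory $1, then run the checks.
stage_tunnel() {
    base=$1
    mkdir -p "$base/etc" "$base/usr/local/etc/racoon"
    gen_ipsec_conf 83.170.247.74 84.204.32.202 192.168.50.0/24 192.168.0.0/24 \
        > "$base/etc/ipsec.conf"
    write_psk "$base/usr/local/etc/racoon/psk.txt" 84.204.32.202 mysuperpass
    check_policy_pair "$base/etc/ipsec.conf" \
        || { echo "ipsec.conf: in/out policies do not mirror each other" >&2; return 1; }
    check_psk_mode "$base/usr/local/etc/racoon/psk.txt" \
        || { echo "psk.txt: mode must be 0600" >&2; return 1; }
    echo "staged under $base; load the policy with: setkey -f $base/etc/ipsec.conf"
}

if [ -n "${1:-}" ]; then
    stage_tunnel "$1"
fi
```

sh stage-ipsec.sh /tmp/stage writes the files without touching the live system; with "/" as the argument they land in place, after which setkey -f /etc/ipsec.conf (or /etc/rc.d/ipsec start) loads the policy and setkey -DP lets you confirm the two entries.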

You can check that the tunnel works like this:

ping -S 192.168.50.1 192.168.0.1

The -S forces the source address into 192.168.50.0/24 so that the packet matches the "out" policy; without it the ping would leave from the public address and go out in the clear. The ping should get replies, and setkey -D should show the negotiated SAs (setkey -DP shows the policies loaded from ipsec.conf). Be aware that setkey -D prints the live ESP keys (the E: and A: lines), so redact them before pasting the output anywhere.

84.204.32.202 83.170.247.74
    esp mode=tunnel spi=50593206(0x0303fdb6) reqid=16386(0x00004002)
    E: 3des-cbc  4ddd80ee 36d3d454 e3d60ec0 8683a8cc d4ac9b19 d0cec696
    A: hmac-sha1  93681407 6f58fa41 e98a0a68 91b1f2f1 6433d1c0
    seq=0x00000256 replay=4 flags=0x00000000 state=mature
    created: Aug  1 22:07:57 2008   current: Aug  1 22:17:58 2008
    diff: 601(s)    hard: 3600(s)   soft: 2880(s)
    last: Aug  1 22:17:57 2008      hard: 0(s)      soft: 0(s)
    current: 62192(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 598  hard: 0 soft: 0
    sadb_seq=1 pid=21678 refcnt=1
84.204.32.202 83.170.247.74
    esp mode=tunnel spi=213695417(0x0cbcbbb9) reqid=16386(0x00004002)
    E: 3des-cbc  26e917dd 39474c5e a6961f2f afe1383c 97e6471b ac84dee0
    A: hmac-sha1  5e108c5d c8ee80f0 b04ac307 11470fd8 e518d44f
    seq=0x000006db replay=4 flags=0x00000000 state=mature
    created: Aug  1 21:38:31 2008   current: Aug  1 22:17:58 2008
    diff: 2367(s)   hard: 3600(s)   soft: 2880(s)
    last: Aug  1 22:07:57 2008      hard: 0(s)      soft: 0(s)
    current: 182520(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 1755 hard: 0 soft: 0
    sadb_seq=0 pid=21678 refcnt=1

No extra static routes are needed: packets for 192.168.0.0/24 leave via the default route, and the "out" policy in the SPD wraps them in ESP towards 84.204.32.202 on the way out.

192.168.0.x and 192.168.50.x see each other completely transparently.
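A checker for the setkey -D output above, added here as an example and not part of the article: sa_summary condenses every SA to source, destination, SPI, state and seconds left before the hard lifetime, and sa_pair_ok succeeds only when a mature SA exists in both directions between the two gateways, which is what a monitoring job actually wants to know. The function names are mine; the sample dump is constructed in setkey's layout from the article's addresses, with the key material replaced by zeros.

```shell
#!/bin/sh
# Added example (not from the article): summarise "setkey -D" output and check
# that a mature SA exists in each direction between two peers.
#   sh sa-check.sh demo
#   setkey -D | sh sa-check.sh check 83.170.247.74 84.204.32.202 && echo tunnel up

# Read setkey -D on stdin and print one line per SA:
#   <src> <dst> <spi> <state> <seconds until hard expiry, -1 if unlimited>
sa_summary() {
    awk '
    BEGIN { spi = "?"; state = "?" }
    function emit() {
        if (src != "")
            printf "%s %s %s %s %d\n", src, dst, spi, state, (hard > 0 ? hard - diff : -1)
        src = ""; spi = "?"; state = "?"; diff = 0; hard = 0
    }
    # Address lines are the only ones that are not indented: "<src> <dst>"
    /^[^ \t]/ && NF == 2 { emit(); src = $1; dst = $2; next }
    $1 == "esp" || $1 == "ah" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^spi=/) { spi = $i; sub(/^spi=/, "", spi); sub(/\(.*$/, "", spi) }
    }
    $1 ~ /^seq=/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^state=/) { state = $i; sub(/^state=/, "", state) }
    }
    # "diff: 601(s) hard: 3600(s) soft: 2880(s)": awk takes the numeric prefix
    $1 == "diff:" { diff = $2 + 0; hard = $4 + 0 }
    END { emit() }'
}

# $1 local public IP, $2 remote public IP; setkey -D output on stdin.
# Succeeds only if a mature SA exists both local->remote and remote->local.
sa_pair_ok() {
    sa_summary | awk -v l="$1" -v r="$2" '
        $4 == "mature" && $1 == l && $2 == r { outc++ }
        $4 == "mature" && $1 == r && $2 == l { inc++ }
        END { if (outc > 0 && inc > 0) exit 0; exit 1 }'
}

# Constructed sample in the setkey -D layout (keys zeroed): one inbound SA,
# one outbound SA, and the outbound SA it replaced, about to expire.
sample_setkey_dump() {
    cat <<'EOF'
84.204.32.202 83.170.247.74
    esp mode=tunnel spi=50593206(0x0303fdb6) reqid=16386(0x00004002)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x00000256 replay=4 flags=0x00000000 state=mature
    created: Aug  1 22:07:57 2008   current: Aug  1 22:17:58 2008
    diff: 601(s)    hard: 3600(s)   soft: 2880(s)
    last: Aug  1 22:17:57 2008      hard: 0(s)      soft: 0(s)
    current: 62192(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 598  hard: 0 soft: 0
    sadb_seq=2 pid=21678 refcnt=1
83.170.247.74 84.204.32.202
    esp mode=tunnel spi=213695417(0x0cbcbbb9) reqid=16386(0x00004002)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x000006db replay=4 flags=0x00000000 state=mature
    created: Aug  1 21:38:31 2008   current: Aug  1 22:17:58 2008
    diff: 2367(s)   hard: 3600(s)   soft: 2880(s)
    last: Aug  1 22:17:57 2008      hard: 0(s)      soft: 0(s)
    current: 182520(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 1755 hard: 0 soft: 0
    sadb_seq=1 pid=21678 refcnt=1
83.170.247.74 84.204.32.202
    esp mode=tunnel spi=123456(0x0001e240) reqid=16386(0x00004002)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
    seq=0x00000e01 replay=4 flags=0x00000000 state=dying
    created: Aug  1 21:18:08 2008   current: Aug  1 22:17:58 2008
    diff: 3590(s)   hard: 3600(s)   soft: 2880(s)
    last: Aug  1 21:38:31 2008      hard: 0(s)      soft: 0(s)
    current: 240000(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 2100 hard: 0 soft: 0
    sadb_seq=0 pid=21678 refcnt=1
EOF
}

case "${1:-}" in
    demo)  sample_setkey_dump | sa_summary ;;
    check) sa_pair_ok "$2" "$3" ;;
esac
```

An SA in state dying with only a few seconds left next to a fresh mature one in the same direction is normal right after a rekey: racoon negotiates the replacement at the soft lifetime (2880 s here) and the old SA is left to expire at its hard lifetime.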

Crosspost from my blog: nexus.org.ua/weblog/message/874

Source: https://habr.com/ru/post/30523/

