70af5b16e403c9eb2b04817dbc6ae4361f4abb9d
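--- a/ipsec-on-freebsd.md
+++ b/ipsec-on-freebsd.md
@@ -20,4 +20,46 @@ Reboot into your new kernel.
 
 Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
 Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
- x
\ No newline at end of file
+```
+path pre_shared_key "/usr/local/etc/racoon/psk";
+path certificate "/usr/local/etc/racoon/certs";
+log info;
+
+listen {
+ isakmp a.b.c.d [500];
+ isakmp_natt a.b.c.d [4500];
+}
+
+padding {
+ strict_check on;
+}
+
+timer {
+ natt_keepalive 5 sec;
+ interval 3 sec;
+ phase1 45 sec; # give embedded CPUs time to finish RSA operations
+ phase2 45 sec;
+}
+
+remote b.c.d.e [500] {
+ exchange_mode main;
+ proposal_check strict;
+ my_identifier asn1dn;
+ peers_identifier asn1dn;
+ lifetime time 1 hour;
+ certificate_type x509 "self.crt" "self.key";
+ peers_certfile x509 "peer.crt";
+ ca_type x509 "ca.crt";
+ verify_cert on;
+ send_cert off; # neither send
+ send_cr off; # nor request a crt to be send
+
+ proposal {
+ encryption_algorithm aes 256;
+ hash_algorithm sha256;
+ authentication_method rsasig;
+ dh_group modp4096;
+ }
+}
+
+```
\ No newline at end of file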