On 1/18/07, Dan Mahoney, System Admin <[EMAIL PROTECTED]> wrote:
> Hey all,
>
> I see the handbook has a nice howto on tunnel mode ipsec.  I just want to
> protect my NFS/NIS traffic between two hosts on a switch (neither NAT'd)
> -- is there a reference as to transport-mode ipsec anywhere, or has anyone
> done it that can outline it?  I would imagine it would be drastically
> simpler than tunnel mode, but I'm not sure where it would break off.

It's not that simple. The difficulty is in key exchange,
and it stays. I can show you how to implement it with
static keys:

====================================================================
= 192.168.17.1:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;

add 192.168.17.69 192.168.17.1 ah 4567
       -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
       -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P in  ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
====================================================================
= 192.168.17.69:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;

add 192.168.17.69 192.168.17.1 ah 4567
       -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
       -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P in  ipsec ah/transport//require ;
====================================================================

Then add ipsec_enable="YES" to rc.conf(5) on both hosts
and run /etc/rc.d/ipsec start. That should set up an
authenticated relationship between the two hosts.

See setkey(8) for encryption and other options.
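The two ipsec.conf files above are mirror images: the same pair of SAs on both hosts, with only the `-P in`/`-P out` policy direction swapped, and a shared key that has to be exactly 512 bits long for hmac-sha2-512 (setkey(8) rejects any other length). The helper below is an added example, not code from the list post or from FreeBSD: it draws a key of the right size from /dev/urandom as a 0x-prefixed hex string, checks the key length against the algorithm before anything is written, and renders the configuration for each side from one description so the directions cannot be swapped by hand. The addresses, SPI and algorithm are the ones used in the post; the key-length table is what setkey(8) requires for the AH algorithms it names.

```shell
#!/bin/sh
# Generate a matching pair of static-key transport-mode AH configurations
# in setkey(8) syntax and verify the key length before writing anything.
# Added helper, not from the list post or from FreeBSD.

# Key length in bytes that setkey(8) requires for each AH algorithm.
key_bytes_for() {
    case "$1" in
        hmac-sha1)     echo 20 ;;
        hmac-sha2-256) echo 32 ;;
        hmac-sha2-384) echo 48 ;;
        hmac-sha2-512) echo 64 ;;
        *) return 1 ;;
    esac
}

# Byte length of a key as setkey sees it: a quoted ASCII key counts
# characters, a 0x... key counts hex digit pairs.
key_len() {
    _k=$1
    case "$_k" in
        0x*) _h=${_k#0x}; echo $(( ${#_h} / 2 )) ;;
        *)   echo ${#_k} ;;
    esac
}

# Succeeds only if the key length matches what the algorithm needs.
check_key() {
    _need=$(key_bytes_for "$1") || return 1
    [ "$(key_len "$2")" -eq "$_need" ]
}

# Fresh random key of the right size, as a 0x-prefixed hex string
# (better than a typed ASCII string, which has far fewer than 8 bits
# of entropy per byte).
gen_key() {
    _n=$(key_bytes_for "$1") || return 1
    printf '0x%s' "$(dd if=/dev/urandom bs=1 count="$_n" 2>/dev/null \
                    | od -An -tx1 | tr -d ' \n')"
}

# Print the /etc/ipsec.conf for host $1 talking to peer $2.
# Both SAs are installed on both hosts; only the policy direction differs.
# Arguments: local_ip peer_ip spi algorithm key
render_conf() {
    _local=$1 _peer=$2 _spi=$3 _alg=$4 _key=$5
    check_key "$_alg" "$_key" || { echo "bad key length for $_alg" >&2; return 1; }
    _quoted=$_key
    case "$_key" in 0x*) ;; *) _quoted="\"$_key\"" ;; esac
    cat <<EOF
flush ;
spdflush ;

add $_peer $_local ah $_spi -A $_alg $_quoted ;
add $_local $_peer ah $_spi -A $_alg $_quoted ;
spdadd $_peer $_local any -P in  ipsec ah/transport//require ;
spdadd $_local $_peer any -P out ipsec ah/transport//require ;
EOF
}

# Demo with the post's addresses and SPI: one key, two configurations.
demo_key=$(gen_key hmac-sha2-512)
echo "# ---- 192.168.17.1:/etc/ipsec.conf ----"
render_conf 192.168.17.1 192.168.17.69 4567 hmac-sha2-512 "$demo_key"
echo "# ---- 192.168.17.69:/etc/ipsec.conf ----"
render_conf 192.168.17.69 192.168.17.1 4567 hmac-sha2-512 "$demo_key"
```

Each rendered file contains the shared secret in clear, so it belongs to root with mode 0600 on both hosts, and the key should be carried between them over a channel that is already trusted (it is the whole security of the setup). AH only authenticates the packets; the NFS/NIS payload still crosses the switch in the clear, which is what the ESP options in setkey(8) are for.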
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions