Re: Setting up VPN+IPSec+Racoon

2006-02-17 Thread Michael Vince

Kövesdán Gábor wrote:

> Hello,
>
> it is the first time I have to set up such a configuration. Could you
> tell me some guidelines? What should I care about? I see there's a
> chapter in the Handbook about VPN. It mentions the FAST_IPSEC kernel
> option in >5.X. Should I use this implementation or the KAME
> implementation? What are the differences, and what are the
> advantages and disadvantages of each?
>
> If you know some other good tutorial or howto, please let me know.
>
> Thanks in advance,
>
> Gabor Kovesdan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
"[EMAIL PROTECTED]"
You can try my VPN setup script. I created it largely just for myself
so I could easily remember all the knobs of VPN without needing any notes.
But I thought it would be nice to try and make it easier on other people
as well, and thought it would be good to try and make it comparably easy
to all the super easy and cheap SOHO equipment you can get these days.

http://roq.com/projects/vpnsetup/index.html
http://www.roq.com/projects/vpnsetup/vpnsetup.pl
It does the racoon (ipsec-tools) configuration, the ipsec.conf and the
needed routes. Everything you should need excluding IP configuration in
/etc/rc.conf and firewall rules.


I haven't had that much feedback on it except the slack code :P

Regards,
Mike


Re: Setting up VPN+IPSec+Racoon

2006-02-17 Thread Kövesdán Gábor

Mike Tancsa wrote:

> At 11:26 AM 17/02/2006, Kövesdán Gábor wrote:
>
>> Mike Tancsa wrote:
>>
>>> As for tutorials, google around and read through various posts.  There
>>> is lots of good info out there.  Perhaps if you describe what you want
>>> to do, people can make specific suggestions.
>>>
>>> ---Mike
>>
>> Unfortunately, I haven't found a good howto. The situation is the
>> following:
>
> freebsd ipsec tutorial
>
> in google comes up with a number of starting points including
>
> http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html
>
>> This project will be some kind of SMS service. The serv will connect
>> to the SMS server and get the received SMSes, but the connection to
>> the SMS server is only allowed via VPN. Here are two IP addresses,
>> one of them is the VPN peer's address. I have to set up a VPN
>> connection to this host with 3DES SHA IPsec and a DH pre-shared key.
>> The other IP address is the SMS server's address but that is only
>> accessible via VPN.
>
> First, you need to show what your policy is.
>
> typical setup described is
>
> internalNet_A <-> externalIP_A ---internet--- externalIP_B <-> internalNet_B
>
> Where internalNet_A needs to talk to internalNet_B in a safe and
> secure way.
>
> So, identify what those parts of the policy are.
>
> Put it in a shell script like
>
> Bsubnet=172.24.0.17/29
> BexternalIP=80.244.96.229
> Asubnet=192.168.2.186/32
> AexternalIP=80.98.231.227
> setkey -F
> setkey -FP
>
> /usr/sbin/setkey -c

Re: Setting up VPN+IPSec+Racoon

2006-02-17 Thread Mike Tancsa

At 11:26 AM 17/02/2006, Kövesdán Gábor wrote:

> Mike Tancsa wrote:
>
>> As for tutorials, google around and read through various posts.  There
>> is lots of good info out there.  Perhaps if you describe what you want
>> to do, people can make specific suggestions.
>>
>> ---Mike
>
> Unfortunately, I haven't found a good howto. The situation is the following:

freebsd ipsec tutorial

in google comes up with a number of starting points including

http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

> This project will be some kind of SMS service.
> The serv will connect to the SMS server and get
> the received SMSes, but the connection to the
> SMS server is only allowed via VPN. Here are two
> IP addresses, one of them is the VPN peer's
> address. I have to set up a VPN connection to
> this host with 3DES SHA IPsec and a DH
> pre-shared key. The other IP address is the SMS
> server's address but that is only accessible via VPN.

First, you need to show what your policy is.

typical setup described is

internalNet_A <-> externalIP_A ---internet--- externalIP_B <-> internalNet_B

Where internalNet_A needs to talk to internalNet_B in a safe and secure way.

So, identify what those parts of the policy are.

Put it in a shell script like

Bsubnet=172.24.0.17/29
BexternalIP=80.244.96.229
Asubnet=192.168.2.186/32
AexternalIP=80.98.231.227
setkey -F
setkey -FP

/usr/sbin/setkey -c

Re: Setting up VPN+IPSec+Racoon

2006-02-17 Thread Kövesdán Gábor

Mike Tancsa wrote:

> On Thu, 16 Feb 2006 18:26:42 +0100, in sentex.lists.freebsd.questions
> you wrote:
>
>> Hello,
>>
>> it is the first time I have to set up such a configuration. Could you tell
>> me some guidelines? What should I care about? I see there's a chapter in
>> the Handbook about VPN. It mentions the FAST_IPSEC kernel option in
>> >5.X. Should I use this implementation or the KAME implementation? What
>> are the differences, and what are the advantages and disadvantages of each?
>> If you know some other good tutorial or howto, please let me know.
>
> FAST_IPSEC allows for hardware crypto offloading (see man 4 crypto).
> Even without it, the author claims it's faster than KAME.  However, it's
> important to note FAST_IPSEC cannot work with INET6 in the kernel.
> Also, you want to use it mostly with RELENG_6 if possible.  Also, don't
> use racoon, better to use ipsec-tools.  It's also in the ports.

I meant that port, the binary called racoon there, too.

> As for tutorials, google around and read through various posts.  There
> is lots of good info out there.  Perhaps if you describe what you want
> to do, people can make specific suggestions.
>
> ---Mike

Unfortunately, I haven't found a good howto. The situation is the following:
This project will be some kind of SMS service. The serv will connect to
the SMS server and get the received SMSes, but the connection to the SMS
server is only allowed via VPN. Here are two IP addresses, one of them
is the VPN peer's address. I have to set up a VPN connection to this host
with 3DES SHA IPsec and a DH pre-shared key. The other IP address is the
SMS server's address but that is only accessible via VPN.

I've installed ipsec-tools, and tried to configure it, but I can't start
racoon and I get a configuration file parse error. I couldn't find out
which line is wrong. I just got this:

racoon: failed to parse configuration file.

Here is the racoon.conf:

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

path include "@sysconfdir_x@/racoon";
#include "remote.conf";

path pre_shared_key "@sysconfdir_x@/racoon/vodafone.psk";
path certificate "@sysconfdir_x@/cert";
log debug2;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
   maximum_length 20;  # maximum padding length.
   randomize off;  # enable randomize length.
   strict_check off;   # enable strict check.
   exclusive_tail off; # extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
   #isakmp ::1 [7000];
   #isakmp 202.249.11.124 [500];
   #admin [7002];  # administrative port for racoonctl.
   #strict_address;# requires that all addresses must be bound.
}

# Specify various default timers.
timer
{
   # These value can be changed per remote node.
   counter 5;  # maximum trying count to send.
   interval 20 sec;# maximum interval to resend.
   persend 1;  # the number of packets per send.

   # maximum time to wait for completing each phase.
   phase1 30 sec;
   phase2 15 sec;
}

remote 80.244.96.229
{
   exchange_mode main,aggressive;
   doi ipsec_doi;
   situation identity_only;

   my_identifier asn1dn;
   certificate_type x509 "my.cert.pem" "my.key.pem";

   nonce_size 16;
   initial_contact on;
   proposal_check obey;# obey, strict, or claim

   proposal {
   encryption_algorithm 3des;
   hash_algorithm sha1;
   authentication_method pre_shared_key;
   dh_group 2;
   }
}

sainfo 80.244.96.229
{
   pfs_group 2;
   encryption_algorithm 3des;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}


I've just modified what I considered necessary.

I haven't found anything useful with google. Please help me fix this.

Thanks in advance,

Gabor Kovesdan
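The following is an added example of my own, not Mike's script and not the
configuration posted above: a POSIX sh script that emits the setkey(8) SPD
entries for the host-to-subnet tunnel using the addresses from Mike's message,
and that checks a racoon.conf for two things before anything is loaded: autoconf
tokens such as @sysconfdir_x@ that were never substituted from racoon.conf.in,
and a sainfo selector that is not "anonymous" or an "address"/"subnet" pair as
racoon.conf(5) requires. The config path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the setkey(8) security
# policy for the tunnel in Mike's message and sanity-check a racoon.conf
# before loading anything. Addresses are taken from the thread.
Bsubnet=172.24.0.17/29
BexternalIP=80.244.96.229
Asubnet=192.168.2.186/32
AexternalIP=80.98.231.227

# Emit one SPD entry per direction. "require" drops matching traffic that
# is not carried inside the ESP tunnel between the two external addresses.
gen_spd() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$Asubnet" "$Bsubnet" "$AexternalIP" "$BexternalIP"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$Bsubnet" "$Asubnet" "$BexternalIP" "$AexternalIP"
}

# Check a racoon.conf for two mistakes that are easy to make when starting
# from the shipped racoon.conf.in: autoconf tokens such as @sysconfdir_x@
# that were never substituted (they point at paths that do not exist), and
# a sainfo selector that is not "anonymous" or an "address"/"subnet" pair
# as racoon.conf(5) requires. Prints the offending lines, returns 1 if any.
check_racoon_conf() {
    rc=0
    if grep -n '@[A-Za-z_]*@' "$1"; then
        echo "unexpanded template token(s) above" >&2
        rc=1
    fi
    if grep -n '^[[:space:]]*sainfo' "$1" |
       grep -Ev 'sainfo[[:space:]]+(anonymous|address|subnet)'; then
        echo "sainfo selector above is not anonymous/address/subnet" >&2
        rc=1
    fi
    return $rc
}

# Usage (assumed path): ./vpn-policy.sh /usr/local/etc/racoon/racoon.conf
# Flushes the SAD and SPD and loads the policy only when the config passes.
if [ -n "$1" ]; then
    check_racoon_conf "$1" || exit 1
    setkey -F && setkey -FP && gen_spd | setkey -c
fi
```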



Re: Setting up VPN+IPSec+Racoon

2006-02-16 Thread Mike Tancsa
On Thu, 16 Feb 2006 18:26:42 +0100, in sentex.lists.freebsd.questions
you wrote:

>Hello,
>
>it is the first time I have to set up such a configuration. Could you tell 
>me some guidelines? What should I care about? I see there's a chapter in 
>the Handbook about VPN. It mentions the FAST_IPSEC kernel option in 
> >5.X. Should I use this implementation or the KAME implementation? What 
>are the differences, and what are the advantages and disadvantages of each?
>If you know some other good tutorial or howto, please let me know.
>


FAST_IPSEC allows for hardware crypto offloading (see man 4 crypto).
Even without it, the author claims it's faster than KAME.  However, it's
important to note FAST_IPSEC cannot work with INET6 in the kernel.
Also, you want to use it mostly with RELENG_6 if possible.  Also, don't
use racoon, better to use ipsec-tools.  It's also in the ports.

As for tutorials, google around and read through various posts.  There
is lots of good info out there.  Perhaps if you describe what you want
to do, people can make specific suggestions.

---Mike


Mike Tancsa, Sentex communications http://www.sentex.net
Providing Internet Access since 1994
[EMAIL PROTECTED], (http://www.tancsa.com)


Setting up VPN+IPSec+Racoon

2006-02-16 Thread Kövesdán Gábor

Hello,

it is the first time I have to set up such a configuration. Could you tell 
me some guidelines? What should I care about? I see there's a chapter in 
the Handbook about VPN. It mentions the FAST_IPSEC kernel option in 
>5.X. Should I use this implementation or the KAME implementation? What 
are the differences, and what are the advantages and disadvantages of each?

If you know some other good tutorial or howto, please let me know.

Thanks in advance,

Gabor Kovesdan