IKEv2/IPSEC "Road Warrior" VPN Tunneling?

Eugene Grosbein egrosbein at rdtc.ru
Fri Apr 12 05:28:09 UTC 2013


12.04.2013 05:31, Karl Denninger writes:
> Is there a "cookbook" for setting this up?  There are examples for
> setting up a tunnel between two fixed-address networks (e.g. a remote
> LAN that needs to be "integrated" with a central LAN over IPSec but I
> can't find anything addressing the other situation -- remote user(s)
> where the connecting IPs are not known in advance, such as a person with
> a laptop or smartphone in a random hotel.
> 
> (And is there a better list for this in the freebsd-* paradigm for the
> question?)

Moving to freebsd-net@

You'll need to install the port security/ipsec-tools for IKE protocol support.
This port contains the racoon daemon; here is a sample racoon.conf:

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";
log     debug;

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        isakmp          X.X.X.X [500];
        isakmp          Y.Y.Y.Y [500];
#       isakmp_natt     Z.Z.Z.Z [4500];
        adminsock       "/var/db/racoon/racoon.sock" "root" "wheel" 0600;
}

remote  anonymous               # just template
{
        exchange_mode           aggressive,main,base;
        doi                     ipsec_doi;
        situation               identity_only;
        my_identifier           fqdn "mydomain.net";
        verify_identifier       on;
        mode_cfg                off;
        lifetime                time 1 hour;
        ike_frag                on;
        passive                 on;
        proposal_check          obey;
        generate_policy         unique;
#       script "/usr/local/etc/racoon/phase1" phase1_up;
#       script "/usr/local/etc/racoon/phase1" phase1_down;

        proposal {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           12 hour;
                dh_group                1;
        }
        proposal {
                encryption_algorithm    aes 256;
                hash_algorithm          sha1;
                authentication_method   pre_shared_key;
                lifetime time           1 hour;
                dh_group                1;
        }
}

sainfo anonymous
{
        pfs_group                       1;
        lifetime time                   1 hour;
        encryption_algorithm            aes,3des,des;
        authentication_algorithm        hmac_sha1,hmac_md5;
        compression_algorithm           deflate;
}

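An added example, not from the post or from ipsec-tools, that parses a racoon.conf excerpt in the layout used above and reports the settings a reviewer would question: DES/3DES, MD5, DH group 1 and aggressive mode with pre-shared keys. The sample config is a constructed excerpt of the one above; the parser assumes racoon's block layout (one directive per line, braces on their own line or at the end of a name line) and nothing more.

```python
# Constructed excerpt of the post's racoon.conf (same brace style), crypto-relevant lines only.
SAMPLE_CONF = """\
remote anonymous               # just template
{
        exchange_mode           aggressive,main,base;
        proposal {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                dh_group                1;
        }
}
sainfo anonymous
{
        pfs_group                       1;
        encryption_algorithm            aes,3des,des;
        authentication_algorithm        hmac_sha1,hmac_md5;
}
"""
DH_WEAK = {"1", "2", "modp768", "modp1024"}   # 768/1024-bit MODP groups
WEAK = {  # values a reviewer would flag, keyed by racoon.conf directive
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5"}, "authentication_algorithm": {"hmac_md5"},
    "dh_group": DH_WEAK, "pfs_group": DH_WEAK,
    "exchange_mode": {"aggressive"},  # with PSK auth the identity hash travels unencrypted
}

def parse_settings(conf):  # -> [(section_path, key, value)] for every 'key value;' line
    stack, pending, out = [], None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if line.endswith("{"):                        # "proposal {" or a bare "{"
            stack.append((line[:-1].strip() or pending).split()[0])
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            out.append(("/".join(stack), key, value.strip()))
        elif line:                                    # section name, brace on next line
            pending = line
    return out

def weak_settings(conf):
    """Return (section_path, key, [weak values]) for each directive on the review list."""
    findings = []
    for section, key, value in parse_settings(conf):
        algs = {v.strip().split()[0] for v in value.split(",")}  # "aes 256" -> "aes"
        if weak := algs & WEAK.get(key, set()):
            findings.append((section, key, sorted(weak)))
    return findings
```

Running `weak_settings(SAMPLE_CONF)` lists seven findings, one per weak directive, with the enclosing section path so phase 1 (`remote/proposal`) and phase 2 (`sainfo`) settings can be told apart.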
