Transport Mode IPSEC

Andrew Pantyukhin infofarmer at FreeBSD.org
Thu Jan 18 08:36:37 UTC 2007


On 1/18/07, Dan Mahoney, System Admin <danm at prime.gushi.org> wrote:
> Hey all,
>
> I see the handbook has a nice howto on tunnel mode ipsec.  I just want to
> protect my NFS/NIS traffic between two hosts on a switch (neither NAT'd)
> -- is there a reference as to transport-mode ipsec anywhere, or has anyone
> done it that can outline it?  I would imagine it would be drastically
> simpler than tunnel mode, but I'm not sure where it would break off.

It's not that simple. The difficulty is in key exchange,
and it stays. I can show you how to implement it with
static keys:

====================================================================
= 192.168.17.1:/etc/ipsec.conf
====================================================================
# Start from an empty SAD and SPD so re-running the file is idempotent.
flush ;
spdflush ;

# Manual AH SAs, one per direction. The SPI (4567) and the 512-bit
# hmac-sha2-512 key are chosen here and must be identical on both hosts.
add 192.168.17.69 192.168.17.1 ah 4567
        -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
        -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
# Policy: every packet to or from the peer must carry AH in transport mode.
# On this host .69 -> .1 is inbound and .1 -> .69 is outbound.
spdadd 192.168.17.69 192.168.17.1 any -P in  ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P out ipsec ah/transport//require ;
====================================================================
= 192.168.17.69:/etc/ipsec.conf
====================================================================
flush ;
spdflush ;

# Same two SAs as on 192.168.17.1 (same SPI, same key).
add 192.168.17.69 192.168.17.1 ah 4567
        -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
add 192.168.17.1 192.168.17.69 ah 4567
        -A hmac-sha2-512
"Y38mKV6jWhmouiumhyiPXIbG6p8aSTBQ2peMedMwmh1tasd5yM9mjH8aVSsnWrLy" ;
# Only the policy directions differ: on this host .69 -> .1 is outbound.
spdadd 192.168.17.69 192.168.17.1 any -P out ipsec ah/transport//require ;
spdadd 192.168.17.1 192.168.17.69 any -P in  ipsec ah/transport//require ;
====================================================================

Then add ipsec_enable="YES" to rc.conf(5) on both hosts
and run /etc/rc.d/ipsec start. That should set up an
authenticated relationship between the two hosts.

See setkey(8) for encryption and other options.
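The post's AH setup authenticates packets but leaves the NFS/NIS payload readable on the wire, and its one shared key was typed into the file by hand. The script below is an added example, not part of Andrew's post and not a FreeBSD tool: it generates fresh per-direction keys with openssl(1), checks their lengths before emitting anything (setkey's own error for a wrong-length key is terse), and writes transport-mode ESP configurations for both hosts using the rijndael-cbc and hmac-sha2-256 algorithm names from setkey(8). The function names (gen_key, check_key, ipsec_conf, make_pair) and the SPI values 4567/4568 are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate static-key ESP
# transport-mode setkey(8) configurations for two hosts.
# Assumes openssl(1) is installed for key generation.

# gen_key NBYTES: print NBYTES of random key material as a setkey "0x..." literal.
gen_key() {
    printf '0x%s\n' "$(openssl rand -hex "$1")"
}

# check_key KEY NBYTES: verify KEY is a 0x-prefixed hex string of exactly NBYTES.
# rijndael-cbc takes 16/24/32-byte keys; hmac-sha2-256 needs exactly 32 bytes.
check_key() {
    key=$1 want=$2
    case $key in
        0x*) hex=${key#0x} ;;
        *)   echo "key must be a 0x-prefixed hex string" >&2; return 1 ;;
    esac
    case $hex in
        *[!0-9a-fA-F]*) echo "non-hex digits in key" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ] || [ $(( ${#hex} / 2 )) -ne "$want" ]; then
        echo "key is ${#hex} hex digits, expected $(( want * 2 ))" >&2
        return 1
    fi
    return 0
}

# ipsec_conf ME PEER SPI_OUT EKEY_OUT AKEY_OUT SPI_IN EKEY_IN AKEY_IN
# Print the /etc/ipsec.conf for host ME talking to PEER. Both SAs are
# listed on both hosts; only the -P in/out policy direction flips.
ipsec_conf() {
    me=$1 peer=$2 spi_out=$3 e_out=$4 a_out=$5 spi_in=$6 e_in=$7 a_in=$8
    check_key "$e_out" 32 || return 1
    check_key "$a_out" 32 || return 1
    check_key "$e_in"  32 || return 1
    check_key "$a_in"  32 || return 1
    cat <<EOF
flush ;
spdflush ;

# SA $me -> $peer (AES-256-CBC, authenticated with HMAC-SHA-256)
add $me $peer esp $spi_out -E rijndael-cbc $e_out -A hmac-sha2-256 $a_out ;
# SA $peer -> $me (separate keys for the reverse direction)
add $peer $me esp $spi_in -E rijndael-cbc $e_in -A hmac-sha2-256 $a_in ;

# Require ESP in transport mode for all traffic exchanged with $peer
spdadd $me $peer any -P out ipsec esp/transport//require ;
spdadd $peer $me any -P in ipsec esp/transport//require ;
EOF
}

# make_pair A B OUTDIR: generate keys and write OUTDIR/A.conf and OUTDIR/B.conf.
make_pair() {
    host_a=$1 host_b=$2 dir=$3
    spi_ab=4567 spi_ba=4568     # any free value >= 256; must match on both hosts
    e_ab=$(gen_key 32) a_ab=$(gen_key 32)
    e_ba=$(gen_key 32) a_ba=$(gen_key 32)
    ipsec_conf "$host_a" "$host_b" "$spi_ab" "$e_ab" "$a_ab" \
               "$spi_ba" "$e_ba" "$a_ba" > "$dir/$host_a.conf" || return 1
    ipsec_conf "$host_b" "$host_a" "$spi_ba" "$e_ba" "$a_ba" \
               "$spi_ab" "$e_ab" "$a_ab" > "$dir/$host_b.conf" || return 1
    chmod 600 "$dir/$host_a.conf" "$dir/$host_b.conf"
    # Sanity check: the SA lines must be identical on both hosts.
    [ "$(grep '^add ' "$dir/$host_a.conf" | sort)" = \
      "$(grep '^add ' "$dir/$host_b.conf" | sort)" ] || return 1
}

# Usage: make_pair 192.168.17.1 192.168.17.69 /tmp/ipsec-out
```

Copy each generated file to /etc/ipsec.conf on the matching host over a channel you already trust (the keys are the whole secret), then enable and start ipsec as described above. Three caveats remain with this approach: ESP integrity covers the payload but not the outer IP header, which AH does cover; manual SAs are never rekeyed, so re-run make_pair and reload both hosts on a schedule, or move to IKE (racoon) once that becomes a burden; and the policies are per-peer, so traffic to any other host stays in the clear.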
