GRE IPsec for FreeBSD

Kostikov V.I. victor at mcc.elektra.ru
Fri Mar 12 00:59:30 PST 2004


Hello!
Can you help me?
I have set up IPsec across GRE between a Cisco router and FreeBSD.
My settings for FreeBSD 5.1:
---------------------
rc.conf

#  IPSec
# Load the policies from ipsec_file at boot (the setkey file shown further down).
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
#  Tunnel GRE
# NOTE(review): rc.conf is a set of variable assignments that the rc scripts
# source, not a command script.  The rc.conf(5) form for this is
# cloned_interfaces="gre0" plus an ifconfig_gre0="..." line; confirm against
# the 5.1 manpage before relying on the bare ifconfig commands below.
ifconfig gre0 create
# Inner (GRE) endpoint addresses x/y.  link1 is a gre(4) device flag; its
# exact meaning on 5.1 should be checked against the manpage.
ifconfig gre0 x.x.x.x y.y.y.y link1
# Outer endpoints a/b: these are the addresses the ipsec.conf policies below
# protect, so the GRE packets themselves travel inside ESP.
ifconfig gre0 tunnel a.a.a.a b.b.b.b
--------------------
racoon.conf

# Directory searched for files pulled in by "include" directives.
path include "/usr/local/etc/racoon" ;
# Pre-shared keys, one peer per line.  This file holds secrets; confirm it is
# owned by root and not readable by anyone else.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# Log level.  Raising it to "debug" while the negotiation fails will show
# which phase, proposal or policy lookup is rejected.
log notify;

# "padding" defines some parameters of ISAKMP payload padding.  These appear to
# be the values from the sample racoon.conf; there is no reason to change them.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # randomize the padding length.
        strict_check off;       # strictly check received padding.
        exclusive_tail off;     # extract last one octet.
}

# If no listen directive is specified, racoon listens on all available
# interface addresses.  Every entry below is commented out, so that is the case
# here: ISAKMP (UDP 500) is accepted on every address of the host.
# NOTE(review): listening only on the outer tunnel address a.a.a.a would reduce
# the exposure of the IKE daemon; the commented lines show the syntax.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative port used by kmpstat.
        #strict_address;        # require that all listed addresses be bound.
}

# Default retransmission and phase-completion timers.
timer
{
        # These values can be overridden per remote node.
        counter 5;              # maximum number of times to send a message.
        interval 20 sec;        # maximum interval before resending.
        persend 1;              # number of packets per send.

        # Time allowed for each phase to complete; with these values a failing
        # negotiation is logged within 30 s (phase 1) or 15 s (phase 2).
        phase1 30 sec;
        phase2 15 sec;
}

# Phase 1 (IKE) settings.  "anonymous" means these apply to any peer that
# connects, since no address is given.
# NOTE(review): a "remote <cisco-address>" block would limit who may negotiate
# with this host; "anonymous" answers every initiator.
remote anonymous
{
        # Both modes are offered.  With pre_shared_key, aggressive mode sends
        # identity and the PSK-derived hash unprotected, which weakens the
        # secrecy of the key; drop "aggressive" unless the Cisco side needs it.
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 7200 sec; # sec,min,hour
        initial_contact on;
        support_mip6 on;        # Mobile IPv6 support; presumably unnecessary for an IPv4 GRE tunnel — confirm.
        proposal_check obey;    # obey, strict or claim; "obey" accepts the lifetime the peer proposes.

        # NOTE(review): single DES, MD5 and DH group 1 (768-bit MODP) are weak by
        # current standards.  If the Cisco peer supports it, prefer 3des or aes,
        # sha1 or stronger, and dh_group 2 or higher.  Both sides must agree.
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

# Phase 2 (IPsec SA) parameters.  "anonymous" matches every phase-2 identity
# the peer proposes.
sainfo anonymous
{
        pfs_group 1;            # PFS with DH group 1; weak — use group 2 or higher if the peer allows.
        lifetime time 7200 sec;
        # NOTE(review): des and hmac_md5 are obsolete; prefer 3des or aes with
        # hmac_sha1 or stronger.  The Cisco transform set must match exactly.
        encryption_algorithm des ;
        authentication_algorithm hmac_md5;
        # IPComp setting; presumably unused here, since the ipsec.conf policies
        # below request only esp — confirm.
        compression_algorithm deflate ;
}
-----------------------
ipsec.conf

# Discard every existing SA (flush) and every policy (spdflush) before loading.
flush;
spdflush;
# Transport-mode ESP between the outer GRE endpoints a.a.a.a <-> b.b.b.b, for
# every protocol, in both directions.  "require" means traffic matching the
# selector is dropped rather than sent in the clear when no SA exists.
# Integrity comes only from the ESP auth algorithm (hmac_md5 in sainfo).
# NOTE(review): the selector is "any".  If the Cisco crypto ACL proposes a
# GRE-only (protocol 47) phase-2 identity, the responder may fail to match it
# against this policy; check racoon's log for a phase-2 ID / policy mismatch
# and compare with the IPIP setup that reportedly works with the same file.
spdadd a.a.a.a b.b.b.b any -P out ipsec esp/transport/a.a.a.a-b.b.b.b/require;
spdadd b.b.b.b a.a.a.a any -P in ipsec esp/transport/b.b.b.b-a.a.a.a/require;
-----------------------

It doesn't work.

This configuration (racoon.conf and ipsec.conf) works with IPsec across IPIP from Cisco to FreeBSD.



Best regards!
victor at mcc.elektra.ru

