Setting up VPN+IPSec+Racoon
gabor.kovesdan at t-hosting.hu
Fri Feb 17 08:26:30 PST 2006
Mike Tancsa wrote:
>On Thu, 16 Feb 2006 18:26:42 +0100, in sentex.lists.freebsd.questions
>>it is the first time I have to set up such a configuration. Could you tell
>>me some guidelines? What should I care about? I see there's a chapter in
>>the Handbook about VPN. It mentions the FAST_IPSEC kernel option in
>>5.X. Should I use this implementation or the KAME implementation? What
>>are the differences, and what are the advantages and disadvantages of each?
>>If you know some other good tutorial or howto, please let me know.
>FAST_IPSEC allows for hardware crypto offloading (see man 4 crypto).
>Even without it, the author claims it's faster than KAME. However, it's
>important to note FAST_IPSEC cannot work with INET6 in the kernel.
>Also, you want to use it mostly with RELENG_6 if possible. Also, don't
>use racoon, better to use ipsec-tools. It's also in the ports.
I meant that port, the binary called racoon there, too.
>As for tutorials, google around and read through various posts. There
>is lots of good info out there. Perhaps if you describe what you want
>to do, people can make specific suggestions.
Unfortunately, I haven't found a good howto. The situation is the following:
This project will be some kind of SMS service. The server will connect to
the SMS server and get the received SMSes, but the connection to the SMS
server is only allowed via VPN. There are two IP addresses; one of them
is the VPN peer's address. I have to set up a VPN connection to this host
with 3DES SHA IPsec and a DH pre-shared key. The other IP address is the
SMS server's address, but that is only accessible via VPN.
I've installed ipsec-tools and tried to configure it, but I can't start
racoon and I get a configuration file parse error. I couldn't find out
which line is wrong. I just got this:
racoon: failed to parse configuration file.
Here is the racoon.conf:
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# @sysconfdir_x@ is an autoconf placeholder that is only expanded at build
# time; the ipsec-tools port installs under /usr/local/etc.
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/vodafone.psk";
path certificate "/usr/local/etc/cert";

# "padding" defines some padding parameters. You should not touch these.
# Every directive has to sit inside its section's braces; racoon's only
# diagnostic for a directive left outside its section is the unhelpful
# "failed to parse configuration file".
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
    #isakmp ::1 ;
    #isakmp 220.127.116.11 ;
    #admin ;                # administrative port for racoonctl.
    #strict_address;        # requires that all addresses must be bound.
}

# Specify various default timers.
# These values can be changed per remote node.
timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per send.
    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}

# certificate_type and proposal_check are per-peer settings that are only
# valid inside a "remote" section; the peer's proposal (and a matching
# sainfo section) still have to be filled in here.
remote anonymous
{
    certificate_type x509 "my.cert.pem" "my.key.pem";
    proposal_check obey;    # obey, strict, or claim
}
I've just modified what I considered necessary.
I haven't found anything useful with Google. Please help me fix this.
Thanks in advance,
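The posted racoon.conf fails to parse because the padding, listen and timer directives are not enclosed in their sections, and it still lacks the two pieces the tunnel actually needs: a "remote" section describing the IKE peer and a "sainfo" section describing the IPsec SA towards the SMS server. The script below is an added example, not the poster's file or anything shipped with ipsec-tools. It generates a complete racoon.conf, the pre-shared-key file and a setkey(8) policy script for the setup described in the mail, reading "3DES SHA with a DH pre-shared key" as pre-shared-key authentication with DH group 2 (modp1024) in main mode; the peer may of course want a different group or aggressive mode. All addresses, the secret and the output directory are placeholders supplied on the command line, so the files can be generated and inspected as an unprivileged user before being copied to /usr/local/etc/racoon.

```shell
#!/bin/sh
# Added example (not from the original post): generate racoon.conf, psk.txt
# and an SPD script for an IKE/PSK 3DES-SHA1 tunnel. Assumed: main mode,
# DH group 2, ESP tunnel between our host ($me) and the VPN peer ($peer),
# carrying traffic to the SMS server ($sms) that sits behind the peer.
set -eu

gen_ipsec_files() {
    dir=$1 me=$2 peer=$3 sms=$4 secret=$5
    mkdir -p "$dir"

    # racoon.conf: every directive lives inside a braced section.  The
    # "path pre_shared_key" line points at the file written below.
    cat > "$dir/racoon.conf" <<EOF
path pre_shared_key "$dir/psk.txt";

listen
{
    isakmp $me [500];
    strict_address;         # refuse to start if $me is not configured
}

remote $peer
{
    exchange_mode main;     # main mode does not send identities in the clear
    my_identifier address;
    proposal_check obey;    # accept the peer's lifetimes
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;         # modp1024
    }
}

# Phase 2 (IPsec SA) parameters for traffic between us and the SMS server.
sainfo address $me/32 any address $sms/32 any
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF

    # psk.txt: "<peer identifier> <secret>", one entry per line.  racoon
    # rejects a key file with group/other permission bits set, so write it
    # with mode 600 from the start.
    umask 077
    printf '%s %s\n' "$peer" "$secret" > "$dir/psk.txt"
    chmod 600 "$dir/psk.txt"

    # setkey(8) policy: tunnel-mode ESP between $me and $peer is required for
    # traffic to and from the SMS server; racoon negotiates the SAs on demand.
    cat > "$dir/ipsec.conf" <<EOF
flush;
spdflush;
spdadd $me/32 $sms/32 any -P out ipsec esp/tunnel/$me-$peer/require;
spdadd $sms/32 $me/32 any -P in  ipsec esp/tunnel/$peer-$me/require;
EOF
}

# Cheap sanity check that does not need racoon: every section that opens
# also closes.  racoon -F -f FILE in the foreground is the real test.
braces_balanced() {
    opens=$(grep -c '{' "$1") && closes=$(grep -c '}' "$1")
    [ "$opens" -eq "$closes" ] && [ "$opens" -gt 0 ]
}

# Usage: sh gen-ipsec.sh OUTDIR LOCAL_IP PEER_IP SMS_IP SECRET
# Then:  setkey -f OUTDIR/ipsec.conf && racoon -F -f OUTDIR/racoon.conf
if [ $# -eq 5 ]; then
    gen_ipsec_files "$@"
    braces_balanced "$1/racoon.conf" && echo "wrote racoon.conf, psk.txt, ipsec.conf in $1"
fi
```

Running racoon with -F keeps it in the foreground and prints the phase 1 and phase 2 negotiation, which is the quickest way to see whether the peer rejects the proposal (wrong DH group, lifetime or identifier) as opposed to the file failing to parse.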