howto/IPsec-on-FreeBSD.md
@@ -0,0 +1,72 @@
+# IPsec on FreeBSD
+
+These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.
+
+## Requirements
+* Root access to both endpoints.
+* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.
+* At least one static IPv4 on at least one endpoint unless you hate yourself.
+
+## Kernel configuration
+The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
+If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
+```
+ options IPSEC #IP security
+ device crypto
+```
+Reboot into your new kernel.
+
+## Userland configuration
+
+Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
+Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
+```
+path pre_shared_key "/usr/local/etc/racoon/psk";
+path certificate "/usr/local/etc/racoon/certs";
+log info;
+
+listen {
+ isakmp a.b.c.d [500];
+ isakmp_natt a.b.c.d [4500];
+}
+
+padding {
+ strict_check on;
+}
+
+timer {
+ natt_keepalive 5 sec;
+ interval 3 sec;
+ phase1 45 sec; # give embedded CPUs time to finish RSA operations
+ phase2 45 sec;
+}
+
+remote b.c.d.e [500] {
+ exchange_mode main;
+ proposal_check strict;
+ my_identifier asn1dn;
+ peers_identifier asn1dn;
+ lifetime time 1 hour;
+ certificate_type x509 "self.crt" "self.key";
+ peers_certfile x509 "peer.crt";
+ ca_type x509 "ca.crt";
+ verify_cert on;
+ send_cert off; # neither send
+ send_cr off; # nor request a crt to be send
+
+ proposal {
+ encryption_algorithm aes 256;
+ hash_algorithm sha256;
+ authentication_method rsasig;
+ dh_group modp4096;
+ }
+}
+
+sainfo (address a.b.c.d gre address b.c.d.e gre) {
+ pfs_group modp4096;
+ lifetime time 1 hour;
+ encryption_algorithm aes 256;
+ authentication_algorithm hmac_sha1;
+}
+
+```
\ No newline at end of file
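Review bot: the howto ends with the racoon configuration and never shows the security policies (the SPD entries loaded with setkey) that tell the kernel which traffic must be protected; the intro paragraph itself says policies are specified by source/destination address and protocol, and the `sainfo (address a.b.c.d gre address b.c.d.e gre)` block only names the GRE traffic to racoon, so without a matching SPD section the reader has no way to finish the setup. Please add that section, plus how racoon is started, before the closing fence (the file currently ends on an empty line inside the code block). Smaller points in the same hunk: phase 2 uses `authentication_algorithm hmac_sha1;` while phase 1 uses `hash_algorithm sha256;`, so consider `hmac_sha256` for a consistent security level; `path pre_shared_key` is declared but never used because `authentication_method rsasig;` is the only method configured, so either drop it or document when it applies; and the prose has typos worth fixing in a follow-up ("Add this two lines" should be "these two lines", "it's error messages" should be "its error messages", "a crt to be send" should be "to be sent").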
howto/ipsec-on-freebsd.md
@@ -1,72 +0,0 @@
-# IPsec on FreeBSD
-
-These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPsec in tunnel mode requires a too tight coupling with the routing table for dynamic routing because the policies can only be specified based on source/destination address and protocol not based on interfaces.
-
-## Requirements
-* Root access to both endpoints.
-* Static IPv4 addresses for both endpoints unless you want to write a small shell script as hook for racoon.
-* At least one static IPv4 on at least one endpoint unless you hate yourself.
-
-## Kernel configuration
-The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
-If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
-```
- options IPSEC #IP security
- device crypto
-```
-Reboot into your new kernel.
-
-## Userland configuration
-
-Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
-Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
-```
-path pre_shared_key "/usr/local/etc/racoon/psk";
-path certificate "/usr/local/etc/racoon/certs";
-log info;
-
-listen {
- isakmp a.b.c.d [500];
- isakmp_natt a.b.c.d [4500];
-}
-
-padding {
- strict_check on;
-}
-
-timer {
- natt_keepalive 5 sec;
- interval 3 sec;
- phase1 45 sec; # give embedded CPUs time to finish RSA operations
- phase2 45 sec;
-}
-
-remote b.c.d.e [500] {
- exchange_mode main;
- proposal_check strict;
- my_identifier asn1dn;
- peers_identifier asn1dn;
- lifetime time 1 hour;
- certificate_type x509 "self.crt" "self.key";
- peers_certfile x509 "peer.crt";
- ca_type x509 "ca.crt";
- verify_cert on;
- send_cert off; # neither send
- send_cr off; # nor request a crt to be send
-
- proposal {
- encryption_algorithm aes 256;
- hash_algorithm sha256;
- authentication_method rsasig;
- dh_group modp4096;
- }
-}
-
-sainfo (address a.b.c.d gre address b.c.d.e gre) {
- pfs_group modp4096;
- lifetime time 1 hour;
- encryption_algorithm aes 256;
- authentication_algorithm hmac_sha1;
-}
-
-```
\ No newline at end of file
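Review bot: this hunk deletes `howto/ipsec-on-freebsd.md` with content byte-identical to the file added as `howto/IPsec-on-FreeBSD.md`, so the commit is a case-only rename recorded as a delete plus an add. Case-only renames are fragile on case-insensitive filesystems (a checkout there can end up with one file under either name), so if the rename is intended, record it as a rename (`git mv` in the same commit) and update any links that still point at the lowercase path; if it is not intended, drop this hunk and keep the original path. No content review is needed here beyond the points raised on the added file, since nothing else changes.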