本文详细说明在FreeBSD下如何建立IPSec VPN链路。在GNU/Linux下安装IPSec VPN,详见这里。
1, kernel update
2, ports update
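# Step 2: refresh the ports tree so the racoon port built later is current.
# Run as root.
portsnap fetch extract update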
3, kernel configure
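# Step 3: build a kernel with IPsec (ESP) and the gif tunnel device.
# The i386 conf directory is used here; use the matching directory for
# your architecture.  Run as root.
cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/kernel_ipsec

# Append the three options to the copied GENERIC.  Re-running this step
# appends them again, so do it once.
cat >> /usr/src/sys/i386/conf/kernel_ipsec << '_EOF_'
options IPSEC
options IPSEC_ESP
device gif
_EOF_

# Stop before building if the source tree is not where expected.
cd /usr/src || exit 1
make buildkernel KERNCONF=kernel_ipsec
make installkernel KERNCONF=kernel_ipsec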
4, Edit tunnel – /etc/rc.conf
host 1:
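# host 1 – /etc/rc.conf
# gif0 carries the tunnel between the public addresses A.B.C.D (this host)
# and W.X.Y.Z (peer).  The inner addresses are point-to-point (/32), and
# the static route sends the peer's LAN (192.168.2.0/24) through the tunnel.
gif_interfaces="gif0"
gifconfig_gif0="A.B.C.D W.X.Y.Z"
ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"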
host 2:
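# host 2 – /etc/rc.conf
# Mirror image of host 1: W.X.Y.Z is this host, A.B.C.D the peer, and the
# static route sends the peer's LAN (192.168.1.0/24) through the tunnel.
gif_interfaces="gif0"
gifconfig_gif0="W.X.Y.Z A.B.C.D"
ifconfig_gif0="inet 192.168.2.1 192.168.1.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="192.168.1.0 192.168.1.1 netmask 0xffffff00"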
5, do tunnel commands
host 1:
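# host 1: bring the gif tunnel up by hand, with the same values as the
# rc.conf entries above.  Run as root.
ifconfig gif0 create
ifconfig gif0 tunnel A.B.C.D W.X.Y.Z
ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff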
host 2:
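# host 2: bring the gif tunnel up by hand, with the same values as the
# rc.conf entries above.  Run as root.
ifconfig gif0 create
ifconfig gif0 tunnel W.X.Y.Z A.B.C.D
ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff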
6, enable ipsec – /etc/rc.conf
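# /etc/rc.conf: load the IPsec policy file at boot.
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"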
7, setkey – /etc/ipsec.conf
host 1:
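# host 1 – /etc/ipsec.conf
# Both policies match only the gif encapsulation (ipencap) between the two
# public addresses and require ESP in tunnel mode; nothing else on the host
# is covered by these rules.
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;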
host 2:
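# host 2 – /etc/ipsec.conf
# Mirror of host 1: outbound from W.X.Y.Z, inbound from A.B.C.D, both
# limited to the gif encapsulation and requiring ESP in tunnel mode.
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;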
8, enable racoon in /etc/rc.conf
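# /etc/rc.conf: start the racoon IKE daemon at boot.
racoon_enable="YES"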
9, racoon configure
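# Step 9: racoon (IKE) setup.  Run as root.
mkdir -p /usr/local/etc/racoon

# Pre-shared key file: one "<peer address> <secret>" line per peer.
# The file is created inside a subshell with umask 077 so it is never
# world-readable, even for the instant before the chmod; printf is a shell
# builtin, so the secret is not visible in ps output.  Replace "password"
# with a long random secret before use.
(
  umask 077
  printf '%s %s\n' 'A.B.C.D' 'password' > /usr/local/etc/racoon/psk.txt
)
chmod 0600 /usr/local/etc/racoon/psk.txt

# racoon.conf is appended to, as in the original; running this twice
# leaves two copies of the stanzas.  The quoted delimiter keeps the
# heredoc literal.
cat >> /usr/local/etc/racoon/racoon.conf << '_EOF_'
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# "anonymous" accepts an IKE negotiation from any address.  For a fixed
# two-host link, naming the peer (remote W.X.Y.Z { ... }) narrows this.
remote anonymous {
	# With a pre-shared key, the aggressive and base exchanges send the
	# identity and a hash derived from the PSK in the clear, which lets an
	# observer guess the PSK offline; main mode alone avoids that.
	exchange_mode main,aggressive,base;
	proposal {
		# 3des is a legacy cipher; rijndael (AES), listed in sainfo
		# below, is the modern choice where both ends support it.
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}
sainfo anonymous {
	pfs_group 2;
	lifetime time 12 hour ;
	# des, and hmac_md5 below, are obsolete; listing them lets the peer
	# negotiate them.  The peer picks from this list.
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
_EOF_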
10, add route
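# Step 10: routes to further networks reached via 192.168.1.101
# (presumably a gateway on the 192.168.1.0/24 side – adjust to your
# topology; the networks are the original post's examples).
/sbin/route add -net 10.55.0/16 192.168.1.101
/sbin/route add -net 172.16.0/16 192.168.1.101
/sbin/route add -net 10.69.0/16 192.168.1.101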
11, /etc/sysctl.conf
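# Step 11: enable IPv4 forwarding so the host routes between the LANs.
# The first line persists the setting across reboots, the second applies
# it now.  Run as root.
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1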
12, ipsec boot
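# Step 12: load the IPsec policy and start the IKE daemon.  Run as root.
# -F flushes every SA and -FP every policy on the host, not only those
# from /etc/ipsec.conf, so any other IPsec configuration is dropped here.
setkey -F
setkey -FP
setkey -f /etc/ipsec.conf
/usr/local/etc/rc.d/racoon start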
13, Done!
hey,Awesome blog dude! i am Fed up with using RSS feeds and do you use twitter?so i can follow you there:D.
PS:Have you thought to be putting video to your web site to keep the people more enjoyed?I think it works.Yours, Gerry Macculloch
Yeah, twitter is my favorite, my twitter is https://twitter.com/xiaqingran .
😀