2010年6月 8日
IPSec-VPN between racoon on FreeBSD 6.X and YAMAHA RTX1500/1200/1100
FreeBSD 6.4-stableの設定
YAMAHA RTX1500/1200/1100
# When tunnel 2 is used. This is the RTX half of the tunnel; the FreeBSD half is the
# racoon "remote"/"sainfo" blocks and /etc/ipsec.conf shown below. Every algorithm
# and identity here has to agree with its counterpart there.
# Send the FreeBSD side's LAN through the IPsec tunnel interface.
ip route <FreeBSD-Local-Net>/24 gateway tunnel 2
tunnel select 2
# Bind tunnel 2 to SA policy 102: ESP with 3DES-CBC encryption and HMAC-SHA integrity
# (racoon side: encryption_algorithm 3des / authentication_algorithm hmac_sha1).
ipsec tunnel 102
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
# Keep the SA established permanently instead of waiting for traffic.
ipsec ike always-on 2 on
# Phase 1 (IKE) parameters — racoon's "proposal" uses the same 3des / sha1 / dh_group 2 (modp1024).
# NOTE(review): 3des-cbc, sha and modp1024 are the 2010-era choices; adopting stronger
# algorithms means changing this router and racoon.conf together.
ipsec ike encryption 2 3des-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
# This router's gateway address, also sent as its ID (racoon: peers_identifier address).
ipsec ike local address 2 <RTX-Gloval-IP>
ipsec ike local id 2 <RTX-Gloval-IP>
# Verbose IKE logging — looks like a troubleshooting level; presumably worth trimming
# once the tunnel is stable, since the log may carry negotiation details.
ipsec ike log 2 key-info message-info payload-info
# Off: do not insist on an exact match of the peer's proposal — pairs with
# "proposal_check obey" on the racoon side (presumably).
ipsec ike negotiate-strictly 2 off
# Perfect forward secrecy for phase 2 (racoon: pfs_group 2).
ipsec ike pfs 2 on
# Pre-shared key, kept in clear text in the running config; the identical string goes
# into racoon's psk.txt on the FreeBSD side, keyed by this router's global IP.
ipsec ike pre-shared-key 2 text [PRE-SHARED-KEY]
# Remote gateway (FreeBSD) address and ID (racoon: my_identifier address).
ipsec ike remote address 2 <FreeBSD-Gloval-IP>
ipsec ike remote id 2 <FreeBSD-Gloval-IP>
tunnel enable 2
- カーネル
# FreeBSD 6.x kernel: the IPsec framework plus ESP support (IPSEC_DEBUG follows).
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
- /etc/rc.conf
# Run the ipsec rc script at boot; it loads the SPD from /etc/ipsec.conf (shown below).
ipsec_enable="YES"
# Static routes for the two remote private networks, pointed at this host's own
# private address — presumably so the packets are routed out and then matched by the
# "out" entry in /etc/ipsec.conf. NOTE(review): 192.168.1.0/24 and 192.168.2.0/24 are
# presumably what ipsec.conf calls <RTX-Local-Net>; confirm the two agree.
static_routes="vpn1 vpn2"
route_vpn1="-net 192.168.1.0/24 <My-Private-IP>"
route_vpn2="-net 192.168.2.0/24 <My-Private-IP>"
- /etc/ipsec.conf
# Start from an empty SAD and SPD on every load.
flush;
spdflush;
# Outbound policy: traffic from the local LAN to the RTX LAN must ("require") be
# ESP-encapsulated in tunnel mode between the two gateways — it is never sent in the
# clear; racoon negotiates the SA when the kernel asks for one. The mirror "in" policy follows.
spdadd <FreeBSD-Local-Net>/24 <RTX-Local-Net>/24 any -P out ipsec esp/tunnel/<FreeBSD-Gloval-IP>-<RTX-Gloval-IP>/require;
spdadd <RTX-Local-Net>/24 <FreeBSD-Local-Net>/24 any -P in ipsec esp/tunnel/<RTX-Gloval-IP>-<FreeBSD-Gloval-IP>/require;
- /usr/ports/security/ipsec-tools
ipsec-tools-7.0 (racoon)
/usr/local/etc/racoon/psk.txt
# One entry per peer: <peer identifier><TAB><secret>. The identifier is the RTX's global
# IP (its "ipsec ike local id"), and the secret must be the same string as the RTX's
# "ipsec ike pre-shared-key 2 text ...". NOTE(review): keep this file root-owned,
# mode 0600 — racoon is expected to refuse a key file that other users can read.
<RTX-Gloval-IP> [tab] <PassWord>
/usr/local/etc/racoon/racoon.conf
path certificate "/usr/local/etc/racoon/certs";
# PSK file consulted for the remote gateway (entry keyed by <RTX-Gloval-IP>).
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# NOTE(review): a second "path certificate" with a different directory from the one
# above; only one can be in effect, and nothing in this file authenticates with
# certificates (authentication_method is pre_shared_key), so this looks leftover.
path certificate "/usr/local/etc/cert" ;
# Raise to "debug" when troubleshooting the negotiation.
log notify; #debug
# Bind ISAKMP only to the global address, UDP 500.
# NOTE(review): racoon.conf(5) writes this as `isakmp <address> [500];` — the `isakmp`
# keyword appears to be missing here; confirm against the running configuration.
listen {
<FreeBSD-Gloval-IP> [500];
}
# Phase 1 (IKE) settings for the RTX gateway.
remote <RTX-Gloval-IP> {
# Main mode (identities exchanged after encryption is up); the RTX config sets no mode explicitly.
exchange_mode main;
doi ipsec_doi;
nonce_size 16;
# Phase 1 lifetime: 8 hours.
lifetime time 28800 sec;
# Send INITIAL-CONTACT so the peer discards stale SAs after a restart on this side.
initial_contact on;
situation identity_only;
# IDs are exchanged as addresses and must equal the RTX's "ipsec ike remote id" / "local id".
my_identifier address "<FreeBSD-Gloval-IP>";
peers_identifier address "<RTX-Gloval-IP>";
# NOTE(review): mode_cfg is ISAKMP mode-config for remote-access clients; it looks
# unnecessary for a static site-to-site tunnel — confirm before removing.
mode_cfg on;
# NOTE(review): lets racoon install SPD entries derived from the peer's phase 2 proposal.
# The policies are already static in /etc/ipsec.conf, so this widens what an
# authenticated peer can make the kernel accept; consider "off" — TODO confirm.
generate_policy on;
# Fragment large IKE messages at the IKE layer.
ike_frag on;
# This side may initiate (not responder-only).
passive off;
# Presumably needed because the phase 2 IDs are the subnets rather than the gateway addresses.
support_proxy on;
# Accept the peer's lifetime/proposal values — lenient, pairing with the RTX's "negotiate-strictly off".
proposal_check obey;
# Must match the RTX: 3des-cbc / sha / modp1024 (group 2) with a pre-shared key.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
# Phase 2 (IPsec SA) parameters for LAN-to-LAN traffic; the selectors are the same
# pair of networks as the spdadd lines in /etc/ipsec.conf.
sainfo address <FreeBSD-Local-Net>/24 any address <RTX-Local-Net>/24 any {
# PFS with DH group 2 — matches "ipsec ike pfs 2 on" plus modp1024 on the RTX.
pfs_group 2;
# Phase 2 lifetime: 8 hours.
lifetime time 28800 sec;
# ESP 3DES-CBC + HMAC-SHA1, as in the RTX's "ipsec sa policy 102 2 esp 3des-cbc sha-hmac".
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
# NOTE(review): IPComp (deflate) is proposed here, but the RTX config shown enables no
# compression; unclear whether this has any effect — TODO confirm.
compression_algorithm deflate;
}
# Second phase 2 block, for traffic between the two gateway addresses themselves
# (same algorithms and lifetime as the LAN-to-LAN block).
# NOTE(review): /etc/ipsec.conf has no SPD entry for gateway-to-gateway traffic, so this
# presumably only matters if the RTX proposes such an SA (taken up via generate_policy on);
# confirm it is needed.
sainfo address <FreeBSD-Gloval-IP> any address <RTX-Gloval-IP> any {
pfs_group 2;
lifetime time 28800 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate;
}
YAMAHA RTX1500/1200/1100
# When tunnel 2 is used. This is the RTX half of the tunnel; the FreeBSD half is the
# racoon "remote"/"sainfo" blocks and /etc/ipsec.conf shown above. Every algorithm
# and identity here has to agree with its counterpart there.
# Send the FreeBSD side's LAN through the IPsec tunnel interface.
ip route <FreeBSD-Local-Net>/24 gateway tunnel 2
tunnel select 2
# Bind tunnel 2 to SA policy 102: ESP with 3DES-CBC encryption and HMAC-SHA integrity
# (racoon side: encryption_algorithm 3des / authentication_algorithm hmac_sha1).
ipsec tunnel 102
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
# Keep the SA established permanently instead of waiting for traffic.
ipsec ike always-on 2 on
# Phase 1 (IKE) parameters — racoon's "proposal" uses the same 3des / sha1 / dh_group 2 (modp1024).
# NOTE(review): 3des-cbc, sha and modp1024 are the 2010-era choices; adopting stronger
# algorithms means changing this router and racoon.conf together.
ipsec ike encryption 2 3des-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
# This router's gateway address, also sent as its ID (racoon: peers_identifier address).
ipsec ike local address 2 <RTX-Gloval-IP>
ipsec ike local id 2 <RTX-Gloval-IP>
# Verbose IKE logging — looks like a troubleshooting level; presumably worth trimming
# once the tunnel is stable, since the log may carry negotiation details.
ipsec ike log 2 key-info message-info payload-info
# Off: do not insist on an exact match of the peer's proposal — pairs with
# "proposal_check obey" on the racoon side (presumably).
ipsec ike negotiate-strictly 2 off
# Perfect forward secrecy for phase 2 (racoon: pfs_group 2).
ipsec ike pfs 2 on
# Pre-shared key, kept in clear text in the running config; the identical string goes
# into racoon's psk.txt on the FreeBSD side, keyed by this router's global IP.
ipsec ike pre-shared-key 2 text [PRE-SHARED-KEY]
# Remote gateway (FreeBSD) address and ID (racoon: my_identifier address).
ipsec ike remote address 2 <FreeBSD-Gloval-IP>
ipsec ike remote id 2 <FreeBSD-Gloval-IP>
tunnel enable 2
[FreeBSD][VPN] : 2010年6月 8日 13:46
2010年6月11日
Flets VPN Wide
NTT東日本のFlet's VPN Wideの回線を、B Flet'sからFlet's 光 Nextへ変更した。YAMAHA RTX1100からRTX1200へ。その際、configの変更が必要だった。
以下、2行を追加した。
ppp ipcp ipaddress on
ppp ipcp msext on
- B Flet's on RTX1100
# Route to the peer network via PP interface 2 (the Flet's VPN Wide session); "pp enable 2" follows.
ip route <対抗ネットワーク>/<ビット> gateway pp 2
pp select 2
# Keep the session up: PPPoE on the lan3 port, connect automatically, never disconnect automatically.
pp always-on on
pppoe use lan3
pppoe auto connect on
pppoe auto disconnect off
# Authentication methods accepted when the provider asks, using the credentials below
# (stored in clear text in the config). NOTE(review): with PAP accepted the password
# goes over the link unhashed if the peer selects it; restrict to chap if the provider
# allows — confirm.
pp auth accept pap chap
pp auth myname <ID> <PASS>
# PPP MRU; the IP MTU below is set to the same 1454.
ppp lcp mru on 1454
# Stac compression via CCP.
ppp ccp type stac
ip pp mtu 1454
pp enable 2
- Flet's 光 Next on RTX1200
# Route to the peer network via PP interface 2 (the Flet's VPN Wide session).
ip route <対抗ネットワーク>/<ビット> gateway pp 2
pp select 2
# Keep the session up: PPPoE on the lan3 port, connect automatically, never disconnect automatically.
pp always-on on
pppoe use lan3
pppoe auto connect on
pppoe auto disconnect off
# Authentication methods accepted when the provider asks, using the credentials below
# (stored in clear text in the config). NOTE(review): with PAP accepted the password
# goes over the link unhashed if the peer selects it; restrict to chap if the provider
# allows — confirm.
pp auth accept pap chap
pp auth myname <ID> <PASS>
# PPP MRU; the IP MTU below is set to the same 1454.
ppp lcp mru on 1454
# The two lines added for the Flet's 光 Next line (not present in the RTX1100 config
# above): negotiate this side's address via IPCP and enable the Microsoft IPCP
# extensions — presumably DNS/WINS server negotiation; verify.
ppp ipcp ipaddress on
ppp ipcp msext on
# Stac compression via CCP.
ppp ccp type stac
ip pp mtu 1454
# Bring PP 2 up.
pp enable 2
以下、2行を追加した。
ppp ipcp ipaddress on
ppp ipcp msext on