2010年6月 8日
IPSec-VPN between racoon on FreeBSD 6.X and YAMAHA RTX1500/1200/1100
FreeBSD 6.4-stableの設定
YAMAHA RTX1500/1200/1100
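# Use this block when the VPN is bound to tunnel 2.
# Send the FreeBSD side's private network into the IPsec tunnel.
ip route <FreeBSD-Local-Net>/24 gateway tunnel 2
tunnel select 2
ipsec tunnel 102
# Phase 2 (IPsec SA) proposal: ESP with 3DES-CBC and HMAC-SHA1.
# Must agree with the sainfo sections in racoon.conf (3des / hmac_sha1).
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
# Keep the tunnel established permanently instead of on demand.
ipsec ike always-on 2 on
# Phase 1 (IKE) parameters; must agree with the racoon.conf proposal
# (3des / sha1 / dh_group 2, i.e. modp1024).
# NOTE(review): 3DES, SHA-1 and modp1024 were common in 2010 but are considered
# weak today; upgrade both ends together when firmware and racoon allow it.
ipsec ike encryption 2 3des-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
ipsec ike local address 2 <RTX-Gloval-IP>
ipsec ike local id 2 <RTX-Gloval-IP>
# Verbose IKE logging for troubleshooting; key-info logs key-related
# information to the router log, so reduce this once the tunnel is verified.
ipsec ike log 2 key-info message-info payload-info
# NOTE(review): with strict negotiation off the router is lenient about the
# peer's proposal; confirm this is intended before leaving it off.
ipsec ike negotiate-strictly 2 off
# PFS on; racoon's sainfo uses pfs_group 2 to match.
ipsec ike pfs 2 on
# Pre-shared key: a site-specific secret, identical to the entry for this
# router in /usr/local/etc/racoon/psk.txt on the FreeBSD side (the original
# page carried a literal sample key here; replaced with the same placeholder
# psk.txt uses so both sides visibly share one value).
ipsec ike pre-shared-key 2 text <PassWord>
ipsec ike remote address 2 <FreeBSD-Gloval-IP>
ipsec ike remote id 2 <FreeBSD-Gloval-IP>
tunnel enable 2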
- カーネル
# Kernel options for IPsec on FreeBSD 6.x: the IPsec stack itself and ESP.
# (IPSEC_DEBUG, listed next, only adds debugging output.)
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
- /etc/rc.conf
# Start the rc.d ipsec service at boot; it loads the SPD from /etc/ipsec.conf.
ipsec_enable="YES"
# Static routes for the two remote private networks.
# NOTE(review): both routes point at this host's own private address
# (<My-Private-IP>), presumably so the packets are handed to the IPsec SPD
# rather than the default route -- confirm. The literal 192.168.x.0/24 values
# are presumably the concrete form of the <RTX-Local-Net> placeholders used
# elsewhere on this page.
static_routes="vpn1 vpn2"
route_vpn1="-net 192.168.1.0/24 <My-Private-IP>"
route_vpn2="-net 192.168.2.0/24 <My-Private-IP>"
- /etc/ipsec.conf
# Drop all existing SAD and SPD entries before loading the policies below.
flush;
spdflush;
# Outbound policy: any traffic from the FreeBSD LAN to the RTX LAN must be
# carried by ESP in tunnel mode between the two public addresses.
# "require" means packets matching this policy are not sent in the clear
# when no SA exists. The matching inbound policy follows on the next line.
spdadd <FreeBSD-Local-Net>/24 <RTX-Local-Net>/24 any -P out ipsec esp/tunnel/<FreeBSD-Gloval-IP>-<RTX-Gloval-IP>/require;
spdadd <RTX-Local-Net>/24 <FreeBSD-Local-Net>/24 any -P in ipsec esp/tunnel/<RTX-Gloval-IP>-<FreeBSD-Gloval-IP>/require;
- /usr/ports/security/ipsec-tools
ipsec-tools-7.0 (racoon)
/usr/local/etc/racoon/psk.txt
# One entry per peer: the peer identifier, a TAB, then the shared secret.
# The secret must be identical to the `ipsec ike pre-shared-key 2` value on
# the RTX. Keep this file root-owned and mode 0600; racoon is expected to
# refuse a key file that other users can read -- confirm on this version.
<RTX-Gloval-IP> [tab] <PassWord>
/usr/local/etc/racoon/racoon.conf
path certificate "/usr/local/etc/racoon/certs";
# File holding the per-peer pre-shared keys ("peer-id<TAB>secret" per line).
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# NOTE(review): the page also shows `path certificate "/usr/local/etc/racoon/certs";`
# immediately above this line; only one `path certificate` should remain. With
# pre_shared_key authentication below, the certificate path is not exercised.
path certificate "/usr/local/etc/cert" ;
# Log level: raise to debug while troubleshooting, then return to notify.
log notify; #debug
# Address and port racoon listens on for IKE (UDP 500).
# NOTE(review): racoon's listen directive is normally written
# `isakmp <address> [port];`; the leading `isakmp` keyword appears to be
# missing here -- verify the file parses.
listen {
<FreeBSD-Gloval-IP> [500];
}
# Phase 1 (IKE) settings for the RTX peer.
remote <RTX-Gloval-IP> {
# Main mode protects the identities during phase 1 (aggressive mode would not).
exchange_mode main;
doi ipsec_doi;
nonce_size 16;
# Phase 1 SA lifetime: 8 hours.
lifetime time 28800 sec;
initial_contact on;
situation identity_only;
# Identities are the public addresses; must match `ipsec ike local id 2` and
# `ipsec ike remote id 2` on the RTX.
my_identifier address "<FreeBSD-Gloval-IP>";
peers_identifier address "<RTX-Gloval-IP>";
# NOTE(review): mode_cfg and generate_policy are normally used for
# road-warrior clients; on this fixed site-to-site link the SPD is already
# static in /etc/ipsec.conf, so they let the peer's proposal influence local
# policy. Confirm they are needed, otherwise set both to off.
mode_cfg on;
generate_policy on;
# IKE message fragmentation -- assumes the RTX accepts it; confirm.
ike_frag on;
# passive off: this side may initiate the negotiation.
passive off;
support_proxy on;
# obey: accept the peer's lifetime/PFS proposal. strict or claim are tighter
# choices if the RTX negotiates cleanly with them -- confirm.
proposal_check obey;
# Must agree with the RTX: 3des-cbc / sha / modp1024 (dh_group 2) / PSK.
# NOTE(review): 3DES, SHA-1 and modp1024 are considered weak today; upgrade
# both ends together when the router firmware and ipsec-tools build allow it.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
# Phase 2 (IPsec SA) parameters for LAN-to-LAN traffic; agrees with
# `ipsec sa policy 102 2 esp 3des-cbc sha-hmac` and `ipsec ike pfs 2 on`
# on the RTX. deflate enables IPComp on top of ESP.
sainfo address <FreeBSD-Local-Net>/24 any address <RTX-Local-Net>/24 any {
pfs_group 2;
lifetime time 28800 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate;
}
# Phase 2 parameters for traffic between the two gateway addresses themselves.
# NOTE(review): /etc/ipsec.conf on this page has no SPD entry for this
# host-to-host pair, so this block may never be selected -- confirm.
sainfo address <FreeBSD-Gloval-IP> any address <RTX-Gloval-IP> any {
pfs_group 2;
lifetime time 28800 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate;
}
YAMAHA RTX1500/1200/1100
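# Use this block when the VPN is bound to tunnel 2.
# Send the FreeBSD side's private network into the IPsec tunnel.
ip route <FreeBSD-Local-Net>/24 gateway tunnel 2
tunnel select 2
ipsec tunnel 102
# Phase 2 (IPsec SA) proposal: ESP with 3DES-CBC and HMAC-SHA1.
# Must agree with the sainfo sections in racoon.conf (3des / hmac_sha1).
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
# Keep the tunnel established permanently instead of on demand.
ipsec ike always-on 2 on
# Phase 1 (IKE) parameters; must agree with the racoon.conf proposal
# (3des / sha1 / dh_group 2, i.e. modp1024).
# NOTE(review): 3DES, SHA-1 and modp1024 were common in 2010 but are considered
# weak today; upgrade both ends together when firmware and racoon allow it.
ipsec ike encryption 2 3des-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
ipsec ike local address 2 <RTX-Gloval-IP>
ipsec ike local id 2 <RTX-Gloval-IP>
# Verbose IKE logging for troubleshooting; key-info logs key-related
# information to the router log, so reduce this once the tunnel is verified.
ipsec ike log 2 key-info message-info payload-info
# NOTE(review): with strict negotiation off the router is lenient about the
# peer's proposal; confirm this is intended before leaving it off.
ipsec ike negotiate-strictly 2 off
# PFS on; racoon's sainfo uses pfs_group 2 to match.
ipsec ike pfs 2 on
# Pre-shared key: a site-specific secret, identical to the entry for this
# router in /usr/local/etc/racoon/psk.txt on the FreeBSD side (the original
# page carried a literal sample key here; replaced with the same placeholder
# psk.txt uses so both sides visibly share one value).
ipsec ike pre-shared-key 2 text <PassWord>
ipsec ike remote address 2 <FreeBSD-Gloval-IP>
ipsec ike remote id 2 <FreeBSD-Gloval-IP>
tunnel enable 2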