|
Lines 3640-3646
|
| 3640 |
|
3640 |
|
| 3641 |
<para>There are a number of choices for daemons to manage |
3641 |
<para>There are a number of choices for daemons to manage |
| 3642 |
security associations with FreeBSD. This article will describe |
3642 |
security associations with FreeBSD. This article will describe |
| 3643 |
how to use one of these, racoon — which is available from |
3643 |
how to use one of these, <application>racoon</application> — which is available from |
| 3644 |
<filename role="package">security/ipsec-tools</filename> in the &os; Ports |
3644 |
<filename role="package">security/ipsec-tools</filename> in the &os; Ports |
| 3645 |
collection.</para> |
3645 |
collection.</para> |
| 3646 |
|
3646 |
|
|
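Review bot: at 3643 the new line `<application>racoon</application> — which is available from` carries a bare dash character; the surrounding source uses entities (`&os;` at 3644), so confirm the committed file has `&mdash;` rather than a literal character. The `<application>` wrap itself is consistent with the existing `<filename role="package">` markup at 3644.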
Lines 3662-3675
|
| 3662 |
gets) it will not do them much good -- by the time they have cracked |
3662 |
gets) it will not do them much good -- by the time they have cracked |
| 3663 |
the key the two daemons have chosen another one.</para> |
3663 |
the key the two daemons have chosen another one.</para> |
| 3664 |
|
3664 |
|
| 3665 |
<para>The configuration file for racoon is stored in |
3665 |
<para>The configuration file for <application>racoon</application> is stored in |
| 3666 |
<filename>${PREFIX}/etc/racoon</filename>. You should find a |
3666 |
<filename>${PREFIX}/etc/racoon</filename>. You should find a |
| 3667 |
configuration file there, which should not need to be changed |
3667 |
configuration file there, which should not need to be changed |
| 3668 |
too much. The other component of racoon's configuration, |
3668 |
too much. The other component of <application>racoon</application>'s configuration, |
| 3669 |
which you will need to change, is the <quote>pre-shared |
3669 |
which you will need to change, is the <quote>pre-shared |
| 3670 |
key</quote>.</para> |
3670 |
key</quote>.</para> |
| 3671 |
|
3671 |
|
| 3672 |
<para>The default racoon configuration expects to find this in |
3672 |
<para>The default <application>racoon</application> configuration expects to find this in |
| 3673 |
the file <filename>${PREFIX}/etc/racoon/psk.txt</filename>. It is important to note |
3673 |
the file <filename>${PREFIX}/etc/racoon/psk.txt</filename>. It is important to note |
| 3674 |
that the pre-shared key is <emphasis>not</emphasis> the key that will be used to |
3674 |
that the pre-shared key is <emphasis>not</emphasis> the key that will be used to |
| 3675 |
encrypt your traffic across the VPN link, it is simply a token |
3675 |
encrypt your traffic across the VPN link, it is simply a token |
|
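Review bot: at 3668 the possessive is attached to a closing tag, `<application>racoon</application>'s configuration`, which renders awkwardly in some stylesheets; consider rewording to `the configuration of <application>racoon</application>` or `The other <application>racoon</application> configuration component`. The wraps at 3665 and 3672 are fine, and the unchanged context at 3673-3675 correctly keeps the point that the pre-shared key is only an authentication token, not the traffic key.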
Lines 3696-3704
|
| 3696 |
<para>That is, the public IP address of the remote end, and the |
3696 |
<para>That is, the public IP address of the remote end, and the |
| 3697 |
same secret key. <filename>psk.txt</filename> must be mode |
3697 |
same secret key. <filename>psk.txt</filename> must be mode |
| 3698 |
<literal>0600</literal> (i.e., only read/write to |
3698 |
<literal>0600</literal> (i.e., only read/write to |
| 3699 |
<username>root</username>) before racoon will run.</para> |
3699 |
<username>root</username>) before <application>racoon</application> will run.</para> |
| 3700 |
|
3700 |
|
| 3701 |
<para>You must run racoon on both gateway machines. You will |
3701 |
<para>You must run <application>racoon</application> on both gateway machines. You will |
| 3702 |
also need to add some firewall rules to allow the IKE traffic, |
3702 |
also need to add some firewall rules to allow the IKE traffic, |
| 3703 |
which is carried over UDP to the ISAKMP (Internet Security Association |
3703 |
which is carried over UDP to the ISAKMP (Internet Security Association |
| 3704 |
Key Management Protocol) port. Again, this should be fairly early in |
3704 |
Key Management Protocol) port. Again, this should be fairly early in |
|
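Review bot: the wraps at 3699 and 3701 are fine; the remark is on the sentence they complete at 3697-3699, where `mode 0600 (i.e., only read/write to root)` conflates mode with ownership. Mode 0600 restricts the file to its owner; it is root ownership that makes it root-only, so `owned by <username>root</username> and mode <literal>0600</literal>` would state the requirement for the IKE secret precisely.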
Lines 3708-3716
|
| 3708 |
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp |
3708 |
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp |
| 3709 |
</programlisting> |
3709 |
</programlisting> |
| 3710 |
|
3710 |
|
| 3711 |
<para>Once racoon is running you can try pinging one gateway host |
3711 |
<para>Once <application>racoon</application> is running you can try pinging one gateway host |
| 3712 |
from the other. The connection is still not encrypted, but |
3712 |
from the other. The connection is still not encrypted, but |
| 3713 |
racoon will then set up the security associations between the two |
3713 |
<application>racoon</application> will then set up the security associations between the two |
| 3714 |
hosts -- this might take a moment, and you may see this as a |
3714 |
hosts -- this might take a moment, and you may see this as a |
| 3715 |
short delay before the ping commands start responding.</para> |
3715 |
short delay before the ping commands start responding.</para> |
| 3716 |
|
3716 |
|
|
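Review bot: the `ipfw` rule in the unchanged context at 3708 admits ISAKMP only from W.X.Y.Z to A.B.C.D; since 3701 requires racoon on both gateways and either side may initiate IKE, confirm that the rule immediately preceding it (outside this hunk) admits the reverse direction, otherwise the negotiation described at 3713-3715 cannot complete when the other gateway initiates. The wraps at 3711 and 3713 are consistent with the rest of the change.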
Lines 3925-3931
|
| 3925 |
|
3925 |
|
| 3926 |
<para>When they are received by the far end of the VPN they will |
3926 |
<para>When they are received by the far end of the VPN they will |
| 3927 |
first be decrypted (using the security associations that have |
3927 |
first be decrypted (using the security associations that have |
| 3928 |
been negotiated by racoon). Then they will enter the |
3928 |
been negotiated by <application>racoon</application>). Then they will enter the |
| 3929 |
<devicename>gif</devicename> interface, which will unwrap |
3929 |
<devicename>gif</devicename> interface, which will unwrap |
| 3930 |
the second layer, until you are left with the innermost |
3930 |
the second layer, until you are left with the innermost |
| 3931 |
packet, which can then travel in to the inner network.</para> |
3931 |
packet, which can then travel in to the inner network.</para> |
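Review bot: drive-by typo in the unchanged context at 3931: `travel in to the inner network` should read `travel into the inner network`. The `<application>` wrap at 3928 is fine, and the decryption-then-unwrap description at 3926-3930 is consistent with the security associations set up at 3713.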