Compiled by Shi Yong; the original is from: http://www.freebsdiary.org/ipsec-tunnel.php
In practice it is common to need to join two local area networks that sit in different locations. A FreeBSD IPsec tunnel connects two LANs easily and with good security. This article describes how to connect two LANs in this way, assuming the following network structure:
Both FreeBSD machines act as the firewall of their respective subnet, and IPsec support is added to the kernel configuration. The relevant kernel configuration options are as follows:
# IP security (crypto; define w/ IPSEC)
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG
# Generic tunnel interface
pseudo-device   gif     4
# Berkeley Packet Filter, used by the DHCP server
pseudo-device   bpf     4
# Firewall flags
options         IPFIREWALL
options         IPDIVERT
options         IPFILTER
options         IPFILTER_LOG
Rebuild the kernel.
To enable the firewall and gateway functions, add the following options to /etc/rc.conf. Note that firewall_type="open" loads a ruleset that passes all traffic; it only turns forwarding and NAT on, so tighten the ruleset once the tunnel works:
gateway_enable="YES"
defaultrouter="172.x.1.110"     # provided by the access service provider
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="rl0"            # depends on the machine's network card
named_enable="YES"
To perform automatic IPsec key exchange between the two FreeBSD machines, install the port /usr/ports/security/racoon. Its configuration file is /usr/local/etc/racoon/racoon.conf and the pre-shared key file is /usr/local/etc/racoon/psk.txt. Start /usr/local/sbin/racoon during system startup.
The configuration file does not need to be modified; only the key file does, as follows. racoon looks the key up by the peer's identifier, which by default is the peer's IP address, and "foobar" is only a placeholder: use a long random secret that is shared over a trusted channel.
# /usr/local/etc/racoon/psk.txt
# IPv4/v6 addresses
#
192.168.1.1     foobar
192.168.2.1     foobar
The key file must be mode 0600, otherwise racoon refuses to run:
# chown root:wheel /usr/local/etc/racoon/psk.txt
# chmod 0600 /usr/local/etc/racoon/psk.txt
To establish the IPsec tunnel at startup and route the two internal networks over it, use the following shell script, stored as /usr/local/etc/rc.d/tunnel.sh:
#!/bin/sh
#
# Bring up the gif tunnel and load the IPsec policies for whichever
# gateway this script runs on (selected by hostname).
BSD1_IP="192.168.1.1"
BSD1_PUB_IP="172.16.1.254"
BSD1_NET="192.168.1.0/24"
BSD2_IP="192.168.2.1"
BSD2_PUB_IP="172.17.1.254"
BSD2_NET="192.168.2.0/24"
GIF0="gif0 inet"
GIFCONFIG="/usr/sbin/gifconfig"
IFCONFIG="/sbin/ifconfig"
HOSTNAME=`/bin/hostname`
NETMASK="255.255.255.0"

echo "Starting IPsec tunnel ..."
case $HOSTNAME in
bsd1.test.com)
    # outer (public) tunnel endpoints first, then the inner tunnel addresses
    $GIFCONFIG $GIF0 $BSD1_PUB_IP $BSD2_PUB_IP
    $IFCONFIG $GIF0 $BSD1_IP $BSD2_IP netmask $NETMASK
    # flush old security policies (-FP) and associations (-F), then load
    # the policies for both directions; setkey requires the trailing ';'
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c <<EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
EOF
    /sbin/route add $BSD2_NET $BSD1_IP
    ;;
bsd2.test.com)
    $GIFCONFIG $GIF0 $BSD2_PUB_IP $BSD1_PUB_IP
    $IFCONFIG $GIF0 $BSD2_IP $BSD1_IP netmask $NETMASK
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c <<EOF
spdadd $BSD2_NET $BSD1_NET any -P out ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
spdadd $BSD1_NET $BSD2_NET any -P in ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
EOF
    /sbin/route add $BSD1_NET $BSD2_IP
    ;;
esac
The basic configuration is now complete. The keys are exchanged automatically when the system starts, and the tunnel is established.
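As an added example that is not part of the original article or of the racoon/setkey projects: the helper below generates the two setkey policy entries one gateway needs from its own and the peer's addresses (the pattern the tunnel.sh script above hard-codes once per host, where a copy-paste slip in a variable name silently breaks one direction), and checks that psk.txt has the 0600 mode racoon insists on before racoon is started. The function names spd_for and psk_mode_ok and the default psk.txt path are assumptions of this example; the addresses are the ones used in the article.

```shell
#!/bin/sh
# Added helper (not from the original article): derive one gateway's
# IPsec policies from four addresses and verify the psk.txt file mode.

# spd_for LOCAL_NET REMOTE_NET LOCAL_PUB REMOTE_PUB
# Prints the outbound and inbound spdadd statements for this gateway.
# The inbound entry is the mirror image of the outbound one, and every
# statement ends in ';' because setkey rejects entries without it.
spd_for() {
    local_net=$1; remote_net=$2; local_pub=$3; remote_pub=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_pub" "$remote_pub"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_pub" "$local_pub"
}

# psk_mode_ok FILE: returns 0 when FILE exists with mode 0600 (-rw-------),
# 1 otherwise. Uses ls(1) output so it works on both BSD and GNU userlands.
psk_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Demo: policies for the BSD1 end of the tunnel, using the article's addresses.
# On BSD2 the same call is made with the two nets and the two public IPs swapped.
spd_for 192.168.1.0/24 192.168.2.0/24 172.16.1.254 172.17.1.254

PSK=${PSK:-/usr/local/etc/racoon/psk.txt}   # assumed default path
if psk_mode_ok "$PSK"; then
    echo "$PSK: mode 0600, racoon can read it"
else
    echo "warning: $PSK missing or not mode 0600; racoon will refuse to start" >&2
fi
```

Feeding the output of spd_for straight into `setkey -c` on each gateway keeps the two policy sets consistent by construction, since the inbound entry is computed from the outbound one rather than typed a second time.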