This article does not cover all the details on IPsec and secure tunneling. It is intended to give a brief introduction and recipe for these specific configurations.
As our provider resets the pppoe-connection (established using ppp -ddial ...)
once a day at rather random times, we needed a solution which could handle
a change of the public IP-addresses at any time.
First we installed, registered and configured a dynamic dns-client
(/usr/ports/net/ddup/) so that the current IP-addresses of both hosts can be resolved.
Next we decided to run a shell-script from cron which checks
the addresses and sees whether they have changed. If they have, the tunnel
interface and the kernel keys are updated to the new values.
As racoon (see /usr/ports/security/racoon) needs fixed configuration entries
based on public IP-addresses, we could not use dynamic key-exchange.
So we used manually configured secrets.
The shell-script which runs on both hosts does the following:
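To make the check-and-update step concrete, here is an added example script (not the article's own script) for one FreeBSD/KAME host: it resolves both dynamic-dns names, compares them with the endpoints configured on the last run, and only when they differ re-points the gif interface and reloads the manual SAs together with the same SPD entries the article puts into /etc/ipsec.conf further down. The dyndns names, interface name, SPIs, key file, state file and private networks are assumptions to adapt per host; the SPI used as outbound here must be configured as inbound on the peer.

```sh
#!/bin/sh
# Added example, not the article's script. Assumes FreeBSD/KAME setkey(8)
# plus the gifconfig/ifconfig calls the article uses; dyndns names, interface
# name, SPIs, key file, state file and networks are placeholders to adapt.
set -eu

GIF=gifN                                   # tunnel interface from rc.conf
STATE=/var/run/ipsec-tunnel.state          # endpoints configured on the last run
KEYFILE=/etc/ipsec.keys                    # root-only file: KEY_E=0x... KEY_A=0x...

# resolve_a NAME -> first A record of the dynamic-dns name, via host(1)
resolve_a() { host -t a "$1" | awk '/has address/ { print $NF; exit }'; }

# endpoints_changed SRC DST STATEFILE -> true if they differ from the last run
endpoints_changed() {
    [ -f "$3" ] || return 0
    [ "$(cat "$3")" != "$1 $2" ]
}

# build_setkey_conf PUB_SRC PUB_DST PRV_SRC_NET PRV_DST_NET SPI_OUT SPI_IN KEY_E KEY_A
# Emits the setkey script: flush old SAs/policies, install the two manual
# tunnel-mode SAs, then the SPD entries. SPI_OUT here is the peer's SPI_IN.
build_setkey_conf() {
    cat <<EOF
flush;
spdflush;
add $1 $2 esp $5 -m tunnel -E 3des-cbc $7 -A hmac-sha1 $8;
add $2 $1 esp $6 -m tunnel -E 3des-cbc $7 -A hmac-sha1 $8;
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# main: run from cron with "--run"; does nothing unless an endpoint changed
main() {
    src=$(resolve_a my-host.dyndns.example)     # placeholder names
    dst=$(resolve_a peer-host.dyndns.example)
    endpoints_changed "$src" "$dst" "$STATE" || exit 0
    . "$KEYFILE"                                # loads KEY_E and KEY_A
    gifconfig "$GIF" "$src" "$dst"              # re-point the outer addresses
    ifconfig "$GIF" 10.1.0.1 10.2.0.1           # inner addresses (placeholders)
    build_setkey_conf "$src" "$dst" 10.1.0.0/24 10.2.0.0/24 \
        0x10001 0x10002 "$KEY_E" "$KEY_A" | setkey -c
    printf '%s %s\n' "$src" "$dst" > "$STATE"
}

case "${1:-}" in --run) main ;; esac
```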
On one side of the tunnel there is a FreeBSD host with a static public IP and a tight firewall that allows ICMP and the IP ports for ssh, dns, sendmail, etc. The other side is a Linux host sitting behind a firewall, with a public and a private IP on one ethernet interface. In this special case it is strongly recommended to set eth0 to the public IP-address and eth0:0 (the alias-interface) to the internal IP-address. The tunnel-interface on Linux (IPsec0) uses the IP-address of eth0, so it is vital to have the public IP associated with it; otherwise it won't work.
We decided to use dynamic key-exchange. So we installed kame/racoon on the FreeBSD host (see /usr/ports/security/racoon) and the FreeS/WAN package on the Linux host.
Next you must open the firewall to allow ip access from <pub_src_ip>
port isakmp to <pub_dst_ip> port isakmp, and vice versa, to allow for the
key-exchange.
Furthermore, as we only wanted to use esp/tunnel, we opened
the firewall for protocol esp between <pub_src_ip> and <pub_dst_ip>.
Now configure your startup-script /etc/rc.conf on FreeBSD to initialize the
tunnel-interface:

    gif_interfaces="gifN"
    gifconfig_gifN="pub_src_ip pub_dst_ip"
    ifconfig_gifN="prv_src_ip prv_dst_ip"
    network_interfaces="... gifN"    # if you don't use "auto"

Create (if it doesn't exist) /etc/ipsec.conf and add the following lines:

    #
    # The next 2 lines delete all existing entries from the SPD and SAD
    flush;
    spdflush;
    # Add the policy
    spdadd prv_src_net prv_dst_net any -P out ipsec esp/tunnel/pub_src_ip-pub_dst_ip/require;
    spdadd prv_dst_net prv_src_net any -P in ipsec esp/tunnel/pub_dst_ip-pub_src_ip/require;

Configuration files for racoon.
last modified 18. Jun 2002 by Andreas Haakh