Solved

Linux-BSD Ipsec VPN

Posted on 2003-02-19
418 Views
Last Modified: 2012-05-04
I need to establish from a Linux firewall to a FreeBSD server.  I have successfully installed FreeS/WAN, but am quite confused as to what IP address I put where.  If someone is kind enough to provide a working ipsec.conf file for this connection, I'll give bonus points.  I have this tidbit of info from the side that I'm trying to connect to.  It was originally designed for a racoon BSD client:

spdadd 172.27.224.0/24 10.11.58.0/24 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.0/24 172.27.224.0/24 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
#spdadd 207.109.153.105 10.11.58.1 any -P out ipsec
#        esp/tunnel/207.109.153.102-208.61.77.133/require;
#spdadd 10.11.58.1 207.109.153.105 any -P in ipsec
#        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
spdadd 207.109.153.103 10.11.58.1 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.1 207.109.153.103 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
spdadd 207.109.153.98 10.11.58.1 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.1 207.109.153.98 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
Here is our config setup:
 
remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
 
        nonce_size 16;
        lifetime time 1 hour;
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
 
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}
 
sainfo anonymous
{
        pfs_group 1;
        lifetime time 1 hour;
        encryption_algorithm des, 3des;
        authentication_algorithm hmac_md5, hmac_sha1;
        compression_algorithm deflate ;
}

Cheers,
Darth
Question by:darthg8r
3 Comments
Accepted Solution

by:
naccad earned 300 total points
ID: 7988707
Well, I never worked on FreeBSD IPsec, but I did with Linux
and FreeS/WAN.

Here is one of my working setups (IPs changed for privacy).

In FreeS/WAN, the local machine is the "left" while
the remote machine is the "right".

----BEGIN /etc/ipsec.conf
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn clientbox
        keyingtries=0
        auth=esp
        authby=secret
        keylife=1h
        left=my.external.ip.here
        leftsubnet=192.168.1.0/24
        leftnexthop=my.router.ip.here
        right=client.external.ip.here
        rightsubnet=172.30.1.0/24
        rightnexthop=client.router.ip
        auto=start
----END /etc/ipsec.conf

----BEGIN /etc/ipsec.secrets
my.external.ip.here client.external.ip.here: PSK "secretkey"
----END /etc/ipsec.secrets

I am using shared/secret keys here, but you can use
RSA as well; you just have to get the sig keys and
put

authby=rsasig
leftrsasigkey=insertkeyhere
rightrsasigkey=insertkeyhere

in /etc/ipsec.conf and put the RSA in /etc/ipsec.secrets

Good luck
-nick

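As an added example (my own code, not from the question or the answer), this script takes the setkey spdadd policies posted in the question and rewrites them in the left/right form the answer's ipsec.conf uses: the host that owns the policies becomes left, the tunnel peer becomes right, and each -P out policy must have its mirrored -P in policy before a conn is emitted. The names SPD_TEXT, parse_spd, build_conns and render are mine, and the conn names net0, net1 are arbitrary.

```python
import re
from ipaddress import ip_network

# Setkey SPD entries copied from the question above (two of its out/in pairs).
SPD_TEXT = """
spdadd 172.27.224.0/24 10.11.58.0/24 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.0/24 172.27.224.0/24 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
spdadd 207.109.153.103 10.11.58.1 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.1 207.109.153.103 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
"""

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(?:require|use|default)\s*;")

def parse_spd(text):
    """Parse setkey 'spdadd' ESP tunnel policies; '#' comment lines are skipped."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return [{"src": s, "dst": d, "dir": dr, "tsrc": ts, "tdst": td}
            for s, d, dr, ts, td in SPD_RE.findall(live)]

def build_conns(policies):
    """Map each 'out' policy and its mirrored 'in' policy to FreeS/WAN conn keys.
    The host that owns the policies is 'left', the peer is 'right'. An 'out'
    policy without its mirror is reported rather than silently turned into a
    one-way conn. Bare host addresses become /32 subnets."""
    inbound = {(p["src"], p["dst"], p["tsrc"], p["tdst"])
               for p in policies if p["dir"] == "in"}
    conns = []
    for p in (q for q in policies if q["dir"] == "out"):
        if (p["dst"], p["src"], p["tdst"], p["tsrc"]) not in inbound:
            raise ValueError(f"no mirrored '-P in' policy for {p['src']} -> {p['dst']}")
        conns.append({"left": p["tsrc"], "leftsubnet": str(ip_network(p["src"])),
                      "right": p["tdst"], "rightsubnet": str(ip_network(p["dst"]))})
    return conns

def render(conns, authby="secret"):
    """Render the conns as ipsec.conf stanzas in the style of the answer above."""
    return "\n\n".join(
        f"conn net{n}\n        authby={authby}\n        keylife=1h\n"
        + "".join(f"        {k}={v}\n" for k, v in c.items()) + "        auto=start"
        for n, c in enumerate(conns))

if __name__ == "__main__":
    print(render(build_conns(parse_spd(SPD_TEXT))))
```

The matching ipsec.secrets line is then `left right: PSK "..."` with the two tunnel endpoint addresses, exactly as in the answer above.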
Expert Comment

by:CleanupPing
ID: 9077804
darthg8r:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
Author Comment

by:darthg8r
ID: 9080611
Not quite the answer I was looking for, but it helped a little further down the road.  Thanks.