Solved
Linux-BSD Ipsec VPN

Posted on 2003-02-19
Medium Priority
420 Views
Last Modified: 2012-05-04
I need to establish an IPsec VPN from a Linux firewall to a FreeBSD server.  I have successfully installed FreeS/WAN, but am quite confused as to what IP address I put where.  If someone is kind enough to provide a working ipsec.conf file for this connection, I'll give bonus points.  I have this tidbit of info from the side that I'm trying to connect to.  It was originally designed for a racoon BSD client:

spdadd 172.27.224.0/24 10.11.58.0/24 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.0/24 172.27.224.0/24 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
#spdadd 207.109.153.105 10.11.58.1 any -P out ipsec
#        esp/tunnel/207.109.153.102-208.61.77.133/require;
#spdadd 10.11.58.1 207.109.153.105 any -P in ipsec
#        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
spdadd 207.109.153.103 10.11.58.1 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.1 207.109.153.103 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
spdadd 207.109.153.98 10.11.58.1 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.1 207.109.153.98 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
 
Here is our config setup:
 
remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
 
        nonce_size 16;
        lifetime time 1 hour;
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
 
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}
 
sainfo anonymous
{
        pfs_group 1;
        lifetime time 1 hour;
        encryption_algorithm des, 3des;
        authentication_algorithm hmac_md5, hmac_sha1;
        compression_algorithm deflate ;
}

Cheers,
Darth
Question by:darthg8r
3 Comments
 
Accepted Solution by: naccad (LVL 3, earned 300 total points)
ID: 7988707
Well, I never worked on FreeBSD IPsec, but I did with Linux and FreeS/WAN.

Here is one of my working setups (IPs changed for privacy).

In FreeS/WAN, the local machine is the "left" while the remote machine is the "right".

----BEGIN /etc/ipsec.conf
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn clientbox
        keyingtries=0
        auth=esp
        authby=secret
        keylife=1h
        left=my.external.ip.here
        leftsubnet=192.168.1.0/24
        leftnexthop=my.router.ip.here
        right=client.external.ip.here
        rightsubnet=172.30.1.0/24
        rightnexthop=client.router.ip
        auto=start
----END /etc/ipsec.conf

----BEGIN /etc/ipsec.secrets
my.external.ip.here client.external.ip.here: PSK "secretkey"
----END /etc/ipsec.secrets

I am using shared secret keys here, but you can use RSA as well; you just have to get the sig keys and put

authby=rsasig
leftrsasigkey=insertkeyhere
rightrsasigkey=insertkeyhere

in /etc/ipsec.conf and put the RSA key in /etc/ipsec.secrets.

good luck
-nick

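Working out which address goes where, as an added example that is not part of the thread: this script parses the setkey spdadd lines from the question (the remote FreeBSD end's policy) and, following the rule above that the local machine is "left", emits the matching FreeS/WAN conn blocks for the Linux end. The conn names bsd1/bsd2 and the authby=secret choice are my own assumptions; the directives used (left, leftsubnet, right, rightsubnet, authby, auto) are standard FreeS/WAN keywords.

```python
import re
from ipaddress import ip_network

# SPD lines as posted in the question: the policy of the remote FreeBSD
# (setkey/racoon) end. Commented-out entries are ignored, as setkey ignores them.
REMOTE_SPD = """
spdadd 172.27.224.0/24 10.11.58.0/24 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.0/24 172.27.224.0/24 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
#spdadd 207.109.153.105 10.11.58.1 any -P out ipsec
#        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 207.109.153.103 10.11.58.1 any -P out ipsec
        esp/tunnel/207.109.153.102-208.61.77.133/require;
spdadd 10.11.58.1 207.109.153.103 any -P in ipsec
        esp/tunnel/208.61.77.133-207.109.153.102/require;
"""
# spdadd <src> <dst> <upperspec> -P <in|out> ipsec esp/tunnel/<tsrc>-<tdst>/<level>;
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+;",
    re.M,
)

def parse_spd(spd_text):
    """Map each tunnel to (left, leftsubnet, right, rightsubnet) as our FreeS/WAN
    end sees it. A remote 'out' policy has the remote gateway as tunnel source
    (our right=) and our gateway as tunnel destination (our left=); 'in' mirrors it."""
    text = "\n".join(l for l in spd_text.splitlines() if not l.lstrip().startswith("#"))
    tunnels = {}
    for src, dst, direction, tsrc, tdst in SPD_RE.findall(text):
        if direction == "out":
            key = (tdst, str(ip_network(dst)), tsrc, str(ip_network(src)))
        else:
            key = (tsrc, str(ip_network(src)), tdst, str(ip_network(dst)))
        tunnels.setdefault(key, set()).add(direction)
    return tunnels

def render_conns(tunnels):
    """One FreeS/WAN conn per tunnel; a tunnel the remote SPD covers in only
    one direction is an error, since traffic would be dropped the other way."""
    blocks = []
    for n, ((left, lsub, right, rsub), dirs) in enumerate(sorted(tunnels.items()), 1):
        if dirs != {"in", "out"}:
            raise ValueError(f"{lsub} <-> {rsub} is only protected {sorted(dirs)}")
        blocks.append(f"conn bsd{n}\n\tauthby=secret\n\tleft={left}\n\tleftsubnet={lsub}"
                      f"\n\tright={right}\n\trightsubnet={rsub}\n\tauto=start")
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(render_conns(parse_spd(REMOTE_SPD)))
```

The hosts 207.109.153.103 and 10.11.58.1 come out as /32 subnets, which is how FreeS/WAN expresses a single-host tunnel.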
Expert Comment by: CleanupPing
ID: 9077804
darthg8r:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

Author Comment by: darthg8r (LVL 1)
ID: 9080611
Not quite the answer I was looking for, but it helped a little further down the road.  Thanks