From 319a1fcbec3f119356b286f3c602db1a3c0f1c64 Mon Sep 17 00:00:00 2001
From: Tilman Keskinoz
Date: Thu, 31 Jul 2008 10:53:42 +0000
Subject: [PATCH] - Remove reference to MS-Windows, because since the last rewrite, the section does not refer to Windows anymore
- Remove reference to IPSEC_ESP kernel option, which does not exist anymore
- Add "device crypto", which is required to compile a kernel with IPSEC
- In the ipsec rc.d script setkey.conf is parsed by setkey, so convert it from shell script to setkey syntax
- Add racoon_enable to the rc.conf section so racoon is started on boot
- The whole section uses the setkey from ipsec-tools so set ipsec_program in rc.conf for consistency
Approved by: remko
---
 .../books/handbook/security/chapter.sgml | 20 +++++++------------
1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index 1c9f8d6a28..2563fa5b33 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -3046,9 +3046,7 @@ Connection closed by foreign host.
 Understanding IPsec This section will guide you through the process of setting
- up IPsec, and to use it in an environment which consists of
- FreeBSD and µsoft.windows; 2000/XP
- machines, to make them communicate securely. In order to set up
+ up IPsec. In order to set up
 IPsec, it is necessary that you are familiar with the concepts of building a custom kernel (see ).
@@ -3123,14 +3121,9 @@ Connection closed by foreign host.
 IPSEC - - kernel options - IPSEC_ESP - - options IPSEC #IP security
-options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
+device crypto 
@@ -3400,9 +3393,8 @@ sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any) # address $network/
 initialization and should be saved as /usr/local/etc/racoon/setkey.conf.
-#!/bin/sh
-/usr/local/sbin/setkey -FP
-/usr/local/sbin/setkey -F
+flush;
+spdflush;
 # To the home network
 /usr/local/sbin/setkey -c spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
 /usr/local/sbin/setkey -c spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;
@@ -3481,7 +3473,9 @@ pass out quick on gif0 from any to any
 /etc/rc.conf:
 ipsec_enable="YES"
-ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
+ipsec_program="/usr/local/sbin/setkey"
+ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
+racoon_enable="yes"
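Review bot: The two `spdadd` context lines after `# To the home network` still begin with `/usr/local/sbin/setkey -c`, so once this file is fed to setkey through `ipsec_file` as the commit intends, setkey(8) will reject it — the shell invocation was only removed from the flush lines. Unless a heredoc wrapper was lost in rendering, they should become bare statements: `spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;` and `spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;`. Separately, both policies use level `use`, under which traffic is passed in the clear when no SA is available; `require` fails closed and is usually what a site-to-site tunnel wants, so if `use` is deliberate the text should say why. The programlisting this hunk edits continues past the shown lines.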
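Review bot: `racoon_enable="yes"` is lower-case while the adjacent `ipsec_enable="YES"` is upper-case; rc.subr's checkyesno accepts either, but in a listing readers copy verbatim the two should match, so `racoon_enable="YES"` is preferable. The new `ipsec_program="/usr/local/sbin/setkey"` line also deserves a trailing comment explaining that it selects the ipsec-tools setkey used throughout the section rather than the base-system one the rc.d script presumably defaults to, e.g. `# use the ipsec-tools setkey, as in the examples above`. The closing lines of this rc.conf listing are outside the hunk.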