- Remove reference to MS-Windows, because since the last rewrite, the section
does not refer to Windows anymore - Remove reference to IPSEC_ESP kernel option, which does not exist anymore - Add "device crypto", which is required to compile a kernel with IPSEC - In the ipsec rc.d script setkey.conf is parsed by setkey, so convert it from shell script to setkey syntax - Add racoon_enable to the rc.conf section so racoon is started on boot - The whole section uses the setkey from ipsec-tools so set ipsec_program in rc.conf for consistency Approved by: remko
This commit is contained in:
Tilman Keskinoz
parent
486e3a3ffb
commit
319a1fcbec
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=32596
1 changed files with 7 additions and 13 deletions
|
|
@ -3046,9 +3046,7 @@ Connection closed by foreign host.</screen>
|
||||||
<title>Understanding IPsec</title>
|
<title>Understanding IPsec</title>
|
||||||
|
|
||||||
<para>This section will guide you through the process of setting
|
<para>This section will guide you through the process of setting
|
||||||
up IPsec, and to use it in an environment which consists of
|
up IPsec. In order to set up
|
||||||
FreeBSD and <application>µsoft.windows; 2000/XP</application>
|
|
||||||
machines, to make them communicate securely. In order to set up
|
|
||||||
IPsec, it is necessary that you are familiar with the concepts
|
IPsec, it is necessary that you are familiar with the concepts
|
||||||
of building a custom kernel (see
|
of building a custom kernel (see
|
||||||
<xref linkend="kernelconfig">).</para>
|
<xref linkend="kernelconfig">).</para>
|
||||||
|
|
@ -3123,14 +3121,9 @@ Connection closed by foreign host.</screen>
|
||||||
<secondary>IPSEC</secondary>
|
<secondary>IPSEC</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<indexterm>
|
|
||||||
<primary>kernel options</primary>
|
|
||||||
<secondary>IPSEC_ESP</secondary>
|
|
||||||
</indexterm>
|
|
||||||
|
|
||||||
<screen>
|
<screen>
|
||||||
options IPSEC #IP security
|
options IPSEC #IP security
|
||||||
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
|
device crypto
|
||||||
</screen>
|
</screen>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
|
|
@ -3400,9 +3393,8 @@ sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any) # address $network/
|
||||||
initialization and should be saved as
|
initialization and should be saved as
|
||||||
<filename>/usr/local/etc/racoon/setkey.conf</filename>.</para>
|
<filename>/usr/local/etc/racoon/setkey.conf</filename>.</para>
|
||||||
|
|
||||||
<programlisting>#!/bin/sh
|
<programlisting>flush;
|
||||||
/usr/local/sbin/setkey -FP
|
spdflush;
|
||||||
/usr/local/sbin/setkey -F
|
|
||||||
# To the home network
|
# To the home network
|
||||||
/usr/local/sbin/setkey -c spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
|
/usr/local/sbin/setkey -c spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
|
||||||
/usr/local/sbin/setkey -c spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;</programlisting>
|
/usr/local/sbin/setkey -c spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;</programlisting>
|
||||||
|
|
@ -3481,7 +3473,9 @@ pass out quick on gif0 from any to any</programlisting>
|
||||||
<filename>/etc/rc.conf</filename>:</para>
|
<filename>/etc/rc.conf</filename>:</para>
|
||||||
|
|
||||||
<programlisting>ipsec_enable="YES"
|
<programlisting>ipsec_enable="YES"
|
||||||
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot</programlisting>
|
ipsec_program="/usr/local/sbin/setkey"
|
||||||
|
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
|
||||||
|
racoon_enable="yes"</programlisting>
|
||||||
</sect2>
|
</sect2>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue