Differences

This shows you the differences between two versions of the page.

--- public:ipsec [2011/01/30 14:21] – Nico
+++ public:ipsec [2012/03/09 22:43] (current) – [IPSec for FreeBSD's jails communication] typo Nico
@@ Line 1: / Line 1: @@
 ====== IPSec for FreeBSD's jails communication ======
-**Abstract**: Here we assume we have two FreeBSD hosts, A using public IP 1.1.1.1 and internal virtual net 192.168.3.0 for jails, and B using public IP 2.2.2.2 and internal net 192.168.6.0 for jails. We need hosts and jails to communicate together, preferably in a encrypted way.
+**Abstract**: Here we assume we have two FreeBSD hosts, **A** using public IP 1.1.1.1 and internal virtual net 192.168.3.0 for jails, and **B** using public IP 2.2.2.2 and internal net 192.168.6.0 for jails. We need hosts and jails to communicate together, preferably in a crypted way.
 ===== Preparation on both hosts =====
@@ Line 232: / Line 232: @@
 spdadd 192.168.6.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
 spdadd 192.168.3.0/24 192.168.6.0/24 any -P in  ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
+spdadd 2001:db8:ab02::/64 2001:db8:ab01::/64 any -P out ipsec esp/tunnel/2001:db8:ab02::1-2001:db8:ab01::1/require;
+spdadd 2001:db8:ab01::/64 2001:db8:ab02::/64 any -P out ipsec esp/tunnel/2001:db8:ab01::1-2001:db8:ab02::1/require;
 </code>
@@ Line 240: / Line 242: @@
 # IPv4/v6 addresses
 #
-.1.1.1     myfookinunforgettablepassword
+.1.1.1           myfookinunforgettablepassword
+:db8:ab01::1  myfookinunforgettablepassword
 </code>
@@ Line 270: / Line 273: @@
 {
         isakmp          2.2.2.2 [500];
+        isakmp          2001:db8:ab02::1 [500];
 }
 remote 1.1.1.1 [500]
+{
+        exchange_mode   main,aggressive;
+        doi             ipsec_doi;
+        situation       identity_only;
+        my_identifier   address 2.2.2.2;
+        peers_identifier        address 1.1.1.1;
+        lifetime        time 8 hour;
+        passive         off;
+        proposal_check  obey;
+       nat_traversal   off;
+        generate_policy off;
+                        proposal {
+                                encryption_algorithm    blowfish;
+                                hash_algorithm          md5;
+                                authentication_method   pre_shared_key;
+                                lifetime time           30 sec;
+                                dh_group                1;
+                        }
+}
+remote 2001:db8:ab01::1 [500]
 {
         exchange_mode   main,aggressive;
@@ Line 311: / Line 337: @@
 }
+sainfo  address 2001:db8:ab02::/64 any address 2001:db8:ab01::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+sainfo  address 2001:db8:ab01::/64 any address 2001:db8:ab02::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
 </code>
@@ Line 321: / Line 363: @@
 # ifconfig gif0 192.168.6.1 192.168.3.1
 # ifconfig gif0 tunnel 2.2.2.2 1.1.1.1
+# ifconfig gif0 inet6 2001:db8:ab02::1 2001:db8:ab01::1 prefixlen 128
 # route add 192.168.3.0 192.168.3.1 255.255.255.0
+# route add -inet6 2001:db8:ab01:: -interface gif0
 # /etc/rc.d/ipsec start
 # /usr/local/etc/rc.d/racoon start

Da Kiwi

Da Nawigation

Da Kloud

Differences