Set Up IPsec Under FreeBSD

Use FreeBSD’s built-in IPsec support to secure your traffic.

Using IPsec with IKE under FreeBSD requires enabling IPsec in the kernel and installing a user-land program, racoon, to handle the IKE negotiations.

You’ll need to make sure that your kernel has been compiled with the following options:

options         IPSEC               #IP security
options         IPSEC_ESP           #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG         #debug for IP security

If it hasn’t, you’ll need to define them and then rebuild and install the kernel. After you’ve done that, reboot to verify that it works.

racoon can be installed from the network section of the ports tree, or it can be downloaded and built from source. Install racoon per the instructions provided with the distribution.

On the client, you should first configure racoon. You will need to modify this example racoon.conf to suit your needs:

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote anonymous
{
        exchange_mode aggressive,main;
        my_identifier user_fqdn "";
        lifetime time 1 hour;
        initial_contact on;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

In your firewall configuration, be sure you allow IKE connections to your machine (UDP port 500).
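As an added example (not from the book or the racoon project), the following script parses a racoon.conf in the brace syntax shown above and lists the settings a reviewer would want to revisit before deploying it: aggressive exchange mode, DES/3DES, MD5, and the 768/1024-bit MODP groups. The sample configuration embedded in it is constructed for the demonstration.

```python
import re
# Constructed sample, not a real deployment; it mirrors the racoon.conf above.
SAMPLE_CONF = """
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode aggressive,main;
        proposal {
                encryption_algorithm 3des;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 1;
        encryption_algorithm 3des;
}
"""

def parse_racoon(text):
    # Tokenise racoon's brace syntax into nested dicts; "key value;" becomes str.
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"#.*", "", text))
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":                            # open a nested block
            stack[-1][" ".join(words)] = block = {}
            stack.append(block)
        elif tok == "}":
            stack.pop()
        elif tok == ";":                          # "path include ...;" keeps two words
            n = 2 if words[0] == "path" else 1
            stack[-1][" ".join(words[:n])] = " ".join(words[n:])
        else:
            words.append(tok)
        if tok in ("{", "}", ";"):                # directive or block finished
            words = []
    return stack[0]

# Values worth reviewing: DES/3DES, MD5, and MODP groups of 1024 bits or less.
WEAK = {"encryption_algorithm": {"des", "3des"}, "hash_algorithm": {"md5"},
        "dh_group": {"1", "2"}, "pfs_group": {"1", "2"}}
def lint_racoon(conf, where=""):
    # Returns (block path, directive, value) per reviewable setting; aggressive mode
    # is flagged: the identity goes in the clear and PSK guesses can be tested offline.
    findings = []
    for key, val in conf.items():
        if isinstance(val, dict):                 # recurse into remote/sainfo/proposal
            findings += lint_racoon(val, where + "/" + key)
        elif (key == "exchange_mode" and "aggressive" in val.split(",")
              or val in WEAK.get(key, ())):
            findings.append((where, key, val))
    return findings
```

Run it against your own file with `lint_racoon(parse_racoon(open("/usr/local/etc/racoon/racoon.conf").read()))`; an empty list means nothing on the review list was found.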

Get Network Security Hacks now with O’Reilly online learning.
