1. What about BSD interface?

Before you read further, you can check this vpn ipsec handbook, skip the text below and do everything yourself.

Most people don't like to read something where somebody explains in detail why we use this, this or that.
Such specialists always like to use code snippets, and after copy / paste they try to understand why the application / service does not work.
So I will not explain how it works. I will give you only the general keys and show you, step by step, what you should use.

First you should check that your kernel configuration contains the following options:

options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)

# -Firewall
device          pf
device          pflog
device          pfsync

#VPN, IPSec, Crypto
options         IPSEC
device          crypto
options         IPSEC_NAT_T

I think you know how to rebuild your kernel. If not, please read this and this. Remember, if you want a 32-bit platform, use i386; for 64-bit you should use amd64. Other platforms are not of interest to us now.

Our general scheme is to build a tunnel between BSD and Cisco over a special tunnel interface (gif0 on the BSD side, matched by tunnel mode ipip on the Cisco side), and to use IPSec to encrypt the traffic between the servers. So this is what we should do:

>ifconfig gif0 create
>ifconfig gif0 tunnel X.X.X.X Y.Y.Y.Y
>ifconfig gif0 inet A.A.A.A B.B.B.B netmask 0xfffffffc
>ifconfig gif0 mtu 1280

Some explanations:

  • X.X.X.X - public IP of BSD server
  • Y.Y.Y.Y - public IP of Cisco 2911 router
  • A.A.A.A - local IP for vpn interface gif0, BSD side
  • B.B.B.B - local IP for vpn interface (Cisco tunnel), CISCO side

Your result should look like this:

gif0: flags=8051 metric 0 mtu 1280
tunnel inet X.X.X.X --> Y.Y.Y.Y
inet A.A.A.A --> B.B.B.B netmask 0xfffffffc
nd6 options=29

2. What about Cisco side?

First of all you should know that we are using a Cisco 2911, and our ISAKMP policy is:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800

The next item is the shared key:

crypto isakmp key YOUR_PASSWORD address X.X.X.X

Some explanations

  • The shared key YOUR_PASSWORD will be used to authenticate your BSD server, not only for encryption.

crypto ipsec transform-set YOUR_PROFILE_NAME esp-3des esp-md5-hmac
 mode tunnel

YOUR_PROFILE_NAME is whatever you wish; it doesn't matter what the name is.

Some settings for your profile:

crypto ipsec profile YOUR_PROFILE_NAME
 set security-association lifetime seconds 86400
 set transform-set YOUR_PROFILE_NAME
 set pfs group2

And now the Cisco tunnel configuration:

interface Tunnel322
 description VPN_TO_BSD
 ip address B.B.B.B 255.255.255.252
 ip mtu 1280
 ip tcp adjust-mss 1240
 tunnel source GigabitEthernet0/0
 tunnel mode ipip
 tunnel destination X.X.X.X
 tunnel protection ipsec profile YOUR_PROFILE_NAME

As I told you before:

  • B.B.B.B - local IP on the Cisco side of the VPN tunnel
  • X.X.X.X - public IP of your BSD server
  • GigabitEthernet0/0 is my external interface; you can use another one.
  • The lifetime parameter should be identical on both sides.
  • encr 3des on the Cisco side and encryption_algorithm 3des; in your proposal on the FreeBSD side should be identical.
  • The same goes for the hash algorithm: hash md5 on the Cisco side must match hash_algorithm md5; in your proposal section on the FreeBSD side.
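As an added example (not from the original post), here is a small Python checker for the matching rule in the last three bullets: it parses a Cisco crypto isakmp policy block and racoon's proposal block and reports any phase 1 parameter (encryption, hash, DH group, lifetime) that differs. The sample configs are constructed from the values on this page; the mapping of Cisco's "sha" spelling to racoon's "sha1" is my own assumption for the generalised case.

```python
import re

# Phase 1 parameters the page says must match, Cisco keyword -> racoon keyword.
PARAM_MAP = {"encr": "encryption_algorithm", "hash": "hash_algorithm",
             "group": "dh_group", "lifetime": "lifetime"}
# Value spellings that differ between the two sides (Cisco -> racoon); assumed.
VALUE_MAP = {"sha": "sha1"}

def parse_cisco_isakmp(text):
    """Pick encr/hash/group/lifetime out of a 'crypto isakmp policy' block."""
    found = {}
    for line in text.splitlines():
        if m := re.match(r"\s*(encr|hash|group|lifetime)\s+(.+?)\s*$", line):
            found[PARAM_MAP[m.group(1)]] = VALUE_MAP.get(m.group(2), m.group(2))
    return found

def parse_racoon_proposal(text):
    """Pick the same parameters out of the first 'proposal { ... }' block."""
    body = re.search(r"proposal\s*\{(.*?)\}", text, re.S).group(1)
    found = {}
    for key, value in re.findall(r"(\w+)\s+([^;]+);", body):
        if key == "lifetime":  # 'lifetime time 1800 sec;' -> '1800'
            value = re.search(r"\d+", value).group(0)
        if key in PARAM_MAP.values():
            found[key] = value.strip()
    return found

def phase1_mismatches(cisco_text, racoon_text):
    """Return 'param: cisco=... racoon=...' strings; an empty list means consistent."""
    cisco, racoon = parse_cisco_isakmp(cisco_text), parse_racoon_proposal(racoon_text)
    return [f"{k}: cisco={cisco.get(k)} racoon={racoon.get(k)}"
            for k in PARAM_MAP.values() if cisco.get(k) != racoon.get(k)]

# Constructed sample input: the page's Cisco policy and racoon remote/proposal block.
CISCO_POLICY = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
"""
RACOON_REMOTE = """remote Y.Y.Y.Y [500] {
        proposal {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                lifetime time           1800 sec;
                dh_group                2;
        }
}
"""
```

Run phase1_mismatches() on your own two fragments before bringing the tunnel up; an empty list means phase 1 will at least agree on its algorithms.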

Firewall rule, if you are using an ACL on the external/vpn interfaces:

 permit ipinip host X.X.X.X host Y.Y.Y.Y

This only covers the IP-in-IP traffic inside the tunnel; if the same ACL sits on the external interface, the IKE exchange (UDP port 500, which racoon listens on below) and ESP (IP protocol 50) between X.X.X.X and Y.Y.Y.Y must be permitted too, otherwise phase 1 never completes.

3. Let's configure Racoon

Remember, racoon is part of the ipsec-tools port. Install it from ports:

    >cd /usr/ports
    >make search name='ipsec-tools'
    >cd /usr/ports/security/ipsec-tools
    >make fetch
    >make all
    >make install

You can find your racoon in /usr/local/etc/racoon, and this folder will be empty.
First of all you should create the files racoon.conf and psk.txt.
The first file is the configuration for racoon, and the second one stores our keys for the VPN connections.

Our config:

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; # location of pre-shared key file
log     debug2;  # log verbosity setting: set to 'notify' when testing and debugging is complete

padding { # options are not to be changed
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer { # timing options, change as needed
        counter         5;
        interval        20 sec;
        persend         1;
        phase1          30 sec;
        phase2          15 sec;
}

listen { # address [port] that racoon will listen on
        isakmp          X.X.X.X [500];
}

remote Y.Y.Y.Y [500] {
        # Cisco may not support aggressive mode, so main mode is what we use in practice
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address X.X.X.X;
        peers_identifier        address Y.Y.Y.Y;
        lifetime        time 1800 sec;
        passive         off;
        proposal_check  obey;
        generate_policy off;

        proposal {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           1800 sec;
                dh_group                2;
        }
}

# we have no need to choose which network will be routed to the interface, so we can use anonymous
sainfo anonymous {
        pfs_group       2;
        lifetime        time    86400 sec;
        encryption_algorithm    3des;
        authentication_algorithm        hmac_md5;
        compression_algorithm   deflate;
}

And psk.txt is where we store our shared key. In case you lost track while reading, we remind you of the
Cisco side:

crypto isakmp key YOUR_PASSWORD_HERE address X.X.X.X

And in psk.txt YOUR_PASSWORD_HERE should be the same. psk.txt holds one entry per peer, the peer identifier followed by whitespace and the key, so with peers_identifier address Y.Y.Y.Y the line is: Y.Y.Y.Y YOUR_PASSWORD_HERE. Keep the file readable only by root (chmod 600 psk.txt), since racoon refuses to use a pre-shared key file with weaker permissions.


4. What about IPSec

We will use IPSec to encrypt our traffic in the tunnel.
What do we need for this in our example? First of all we create the file /etc/ipsec.conf and put into it the specific information about which traffic we will encrypt:


spdadd X.X.X.X/32 Y.Y.Y.Y/32 ipencap -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd Y.Y.Y.Y/32 X.X.X.X/32 ipencap -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;

And that is not all. Now you should add the following to your /etc/rc.conf.

To autostart racoon and ipsec:

ipsec_enable="YES"            # start the ipsec rc script on boot
ipsec_file="/etc/ipsec.conf" # allows setting up spd policies on boot

racoon_enable="YES"           # start racoon on boot
racoon_flags="-f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log"

And this is what you need to put in the same file to autostart the interface:

cloned_interfaces="gif0"      # create gif0 at boot, otherwise there is nothing to configure
ifconfig_gif0="inet A.A.A.A B.B.B.B netmask 0xfffffffc tunnel X.X.X.X Y.Y.Y.Y mtu 1280"

Now you can reboot your BSD server and then check whether it works.