
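# IPSec VPN using 2 FreeBSD Firewall Boxes
#
# Network Topology
#   192.168.1.0/24 -- BOX1( 192.168.1.1 - A.A.A.A ) <--> BOX2( 172.16.1.1 - B.B.B.B ) -- 172.16.0.1/24
#
# NOTE(review): the topology line names the BOX2-side LAN as 172.16.0.1/24, but every
# policy below uses 172.16.1.0/24 and BOX2's inside address is 172.16.1.1 -- confirm
# which inside network is intended before reusing these files.
#
# Review notes that apply to BOTH boxes (values kept exactly as on the page so the two
# sides stay matched; change them on both boxes at the same time):
#   - exchange_mode lists "aggressive": aggressive mode with a pre-shared key sends the
#     identity and the authentication hash unencrypted, so a weak PSK can be guessed
#     offline by anyone who captured the exchange. Prefer "exchange_mode main;" unless a
#     dynamic-address peer forces aggressive mode.
#   - 3des / md5 / hmac_md5 / dh_group 2 are legacy algorithms. Raise them together on
#     both boxes (AES, a SHA-2 hash, a larger DH group) if the installed racoon supports it.
#   - proposal_check obey lets the peer dictate the SA lifetime and PFS settings;
#     "strict" or "claim" is safer once both configs are known to agree.
#   - psk.txt uses "password" as a placeholder. Use a long random secret and keep the file
#     readable by root only -- it is the only thing authenticating the remote peer.
#   - The ipsec.conf policies on the page read "/ require" and "/r equire"; both are
#     corrected below to the setkey form ".../require" (no space).
#   - rc.conf route_vpn values contain spaces and are therefore quoted below; unquoted,
#     the shell would treat the network as a command rather than part of the value.

################################################################################
## BOX1 Setup

# /usr/local/etc/racoon/racoon.conf on BOX1
path include /usr/local/etc/racoon;
path pre_shared_key /usr/local/etc/racoon/psk.txt;
#log debug;

padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen {
	isakmp A.A.A.A [500];
}

# Specify various default timers.
timer {
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote B.B.B.B {
	exchange_mode main,aggressive;	# see review notes above: main-only is preferred with a PSK
	doi ipsec_doi;
	#situation identity_only;
	my_identifier address;
	nonce_size 16;
	lifetime time 86400 seconds;
	initial_contact on;
	#proposal_check obey;	# obey, strict or claim
	proposal_check obey;	# peer's lifetime/PFS are accepted as-is; see review notes
	proposal {
		encryption_algorithm 3des;	# legacy; see review notes
		hash_algorithm md5;		# legacy; see review notes
		authentication_method pre_shared_key;
		dh_group 2;			# legacy; see review notes
	}
}

sainfo anonymous {
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

# /etc/ipsec.conf on BOX1:
flush;
spdflush;
spdadd 192.168.1.0/24 172.16.1.0/24 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 172.16.1.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

# /usr/local/etc/racoon/psk.txt on BOX1  (placeholder secret; see review notes)
B.B.B.B password

# /etc/rc.conf on BOX1:
static_routes="vpn"
route_vpn="-net 172.16.1.0/24 192.168.1.1"

################################################################################
## BOX2 Setup

# /usr/local/etc/racoon/racoon.conf on BOX2
path include /usr/local/etc/racoon;
path pre_shared_key /usr/local/etc/racoon/psk.txt;
#log debug;

padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen {
	isakmp B.B.B.B [500];
}

# Specify various default timers.
timer {
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote A.A.A.A {
	exchange_mode main,aggressive;	# see review notes above: main-only is preferred with a PSK
	doi ipsec_doi;
	#situation identity_only;
	my_identifier address;
	nonce_size 16;
	lifetime time 86400 seconds;
	initial_contact on;
	#proposal_check obey;	# obey, strict or claim
	proposal_check obey;	# peer's lifetime/PFS are accepted as-is; see review notes
	proposal {
		encryption_algorithm 3des;	# legacy; see review notes
		hash_algorithm md5;		# legacy; see review notes
		authentication_method pre_shared_key;
		dh_group 2;			# legacy; see review notes
	}
}

sainfo anonymous {
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

# /etc/ipsec.conf on BOX2:  (the page labels this block "BOX1"; it is BOX2's mirror policy)
flush;
spdflush;
spdadd 172.16.1.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
spdadd 192.168.1.0/24 172.16.1.0/24 any -P in ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;

# /usr/local/etc/racoon/psk.txt on BOX2  (placeholder secret; see review notes)
A.A.A.A password

# /etc/rc.conf on BOX2:
# NOTE(review): the gateway here is 172.16.0.1 while BOX2's inside address is 172.16.1.1
# (BOX1's route uses its own inside address 192.168.1.1 as gateway) -- confirm which
# address is intended; it is left as on the page.
static_routes="vpn"
route_vpn="-net 192.168.1.0/24 172.16.0.1"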
