Chapter 8

        encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
    }

This is actually a generic configuration for racoon that should simply work for any source and destination address (note the remote anonymous tag). You may want to modify the configuration to fit your needs. However, when changing the IKE setup, make sure you apply the change on both hosts. A comprehensive guide to racoon configuration can be found online at http://ipsec-tools.sourceforge.net/.

To enable the racoon daemon to launch at system start-up, make sure you add the following line to the /etc/rc.conf file:

    racoon_enable="yes"

To manually start racoon, run the appropriate rc script as follows:

    # /usr/local/etc/rc.d/racoon start
    Starting racoon.

The racoon daemon will take care of setting up the SA between the two endpoints, based on the security policies (SP) you specify using the setkey(8) utility. The policies should be added to the setkey configuration file, which is usually /etc/ipsec.conf.

In order to encrypt the tunneled traffic between two hosts, you may create a setkey configuration file that contains the following lines:

    flush;
    spdflush;
    spdadd 0.0.0.0/0 0.0.0.0/0 ipencap -P out ipsec esp/transport//require;
    spdadd 0.0.0.0/0 0.0.0.0/0 ipencap -P in ipsec esp/transport//require;

The first two lines flush the kernel's existing SAD and SPD entries. The third line specifies the encryption policy for outgoing traffic (note the -P out flag) that carries protocol number four in its layer-3 header (note ipencap, which is IP encapsulated in IP, i.e. the packets produced by the GIF interface), from source 0.0.0.0/0 (any) to destination 0.0.0.0/0 (any). As the encapsulation type is ESP, the packet payload is encrypted. The last line specifies the matching decryption policy for incoming packets.

The ipsec.conf file should be configured on both hosts, keeping in mind that the outgoing policy on each host must match the incoming policy on the other host, and vice versa.

[ 141 ]
