IPsec is a protocol which sits on top of the Internet Protocol (IP) layer. IPsec allows communication between hosts in a secure manner. The FreeBSD IPsec based on the KAME implementation.

I’ll use FreeBSD 7.2 for this howto, before we start to configure IPsec we need to compile IPSEC module into FreeBSD kernel if you don’t know to recompile FreeBSD kernel then please follow this document. To enable IPsec support into your kernel, add the following options in kernel configuration file:

Let’s draw the scenario which will be use throughout this tutorial

In the above diagram two public IP addresses has been used (172.17.1.254, 172.18.1.254). We will use these IP addresses as a reference in the rest of this article. Anywhere you see those ip addresses, replace them with your own public IP address.

Note for the local network I used (192.168.1.x) for 172.17.1.254 and (192.168.2.x) for 172.18.1.254.

All the machines on (192.168.1.x) network side assigned 192.168.1.1 as a default gateway.

All machines on (192.168.2.x) network side assigned 192.168.2.1 as a default gateway.

Creating a “virtual” network link

We will use a “tunnel” between the two networks. The two “tunnel mouths” are the IP addresses 172.16.17.254 and 172.18.1.254, and the tunnel must be told the addresses of the private IP addresses that will be allowed to pass through it. The tunnel is used to transfer traffic with private IP addresses across the public Internet.

This tunnel is created by using the generic interface or gif devices on FreeBSD. As you can imagine, the gif interface on each gateway host must be configured with four IP addresses; two for the public IP addresses, and two for the private IP addresses.

FreeBSD 7.x already include gif support into kernel, but you can also do this by adding the line:

Now let’s create our first tunnel on the machine (172.17.1.254) you would run the following commands to configure the tunnel.

On 2nd machine (172.18.1.254) you would run the following commands to configure the tunnel.

Now check the gif0 interface either its up or not, you can run ifconfig command on both machines:

On the machine(172.17.1.254) you would see this kind of information:

In the above output you can see, a tunnel has been created between the two hosts 172.17.1.254 and 172.18.1.254. The traffic between 192.168.1.1 and 192.168.2.1 pass through this tunnel, latter on we will secure this tunnel through IPSec.

On the other end (172.18.1.254) you would see this:

In the above output you can see, a tunnel has been created between the two hosts 172.18.1.254 and 172.17.1.254. The traffic between 192.168.2.1 and 192.168.1.1 pass through this tunnel.

A new entry will be added automatically in the routing table on both sides, which you can examine with the command netstat -rn. you would see a output like this.

Securing the link

We want to secure our both side tunnels for this we will be use IPsec. IPsec provides a mechanism for two hosts to agree on an encryption key to encrypt data between the two hosts.

Security associations and security policies are both maintained by the kernel, and can be modified by userland programs. However, before you can do this you must configure the kernel to support IPsec and the Encapsulated Security Payload (ESP) protocol. This is done by configuring a kernel with:

We don’t need to do this again, as you know we already compiled these options into our kernel.

IPSec Configuration

There are a number of choices for daemons to manage security associations with FreeBSD. In this article we will describe how to use one of these, racoon – which is available from security/ipsec-tools in the FreeBSD Ports collection.

After the installation of ipsec-toosl create a directory /usr/local/etc/racoon

The racoon software must be run on both sides. Each host it is configured with the IP address of the other end VPN, and a secret key (which we will create in /usr/local/etc/racoon/psk.txt.

Before configuring racoon.conf file we should create /etc/ipsec.conf keys on both machines.

Now let’s create a key on 172.17.1.254 machine.

On the 172.18.1.254 side.

The above racoon’s policies will encrypt all traffic following between the following hosts 172.17.1.254 & 172.18.1.254 and by using tunnel mode it will also provide protection(“authentication”) of the IP packet.

We need to enable ipsec in /etc/rc.conf on both sides so ipsec automatically run when machine is boot.

Now let’s configure racoon.conf on the machine A side (172.17.1.254).

vi /usr/local/etc/racoon/racoon.conf

As you can see I used isakmp 172.17.1.254 [500] on A side machine.

Thes listen section tells the demon what ip address and port to bind to. If you don’t specify anything under the Listen section, the daemon will attempt to bind port 500 on all available interfaces.

In the remote section I have defined Side B ip address (172.18.1.254) and tell the daemon to use shared-key authentication on both sides.

The remote section is for IKE phase 1 & the sainfo is for IKE phase 2.

Now we need to create psk.txt file for shared key. In this file we will define Side B ip address with shared password. The file permission should be 644 on both sides.

Side A is configured we need to edit racoon.conf on Side B

Let’s configure /usr/local/etc/racoon/racoon.conf on the machine (172.18.1.254).

vi /usr/local/etc/racoon/racoon.conf

As you can see I used isakmp 172.18.1.254 [500] on 172.18.1.254 machine.

In the remote section I have defined Side A ip address (172.17.1.254)

Let’s create shared key authentication file on Side B machine. In this file we will define other Side A ip address and shared password

Everything is configured and placed, we need to enable racoon in /etc/rc.conf on both sides and then start racoon daemon.

Let’s start racoon on both machines.

After starting the racoon daemon you can test your encrypted tunnel with setkey -DP, Let’s run this command on Side A (172.17.1.254)

The ouput of above command should be like this.

Above output means you have successfully configred your IPSec on FreeBSD.

Let’s test our IPSec tunnel to ensure that everything is running fine. On Side A we will ping Side B internal ip address e.g.

And get a response, you should be able to do the same thing on the other Side B machine.

However, you will not be able to reach other internal machines on both sides. This is because of the routing — although the gateway machines know how to reach one another, but they do not know how to reach the entire network.

To solve this problem we have to add a static route on each Sides. The command to do this on the first Side A (172.17.1.254)

This says “In order to reach on the entire network 192.168.2.0, send the packets to the host 192.168.2.1”.

On Side B (17.18.1.254) would be:

This says “In order to reach on the entire network 192.168.1.0, send the packets to the host 192.168.1.1”.

We need to set these entries in /etc/rc.conf so whenever computer is rebooting it’s automatically up and running.

On machine 172.17.1.254 add these entries in /etc/rc.conf

And machine 172.18.1.254 add these entries in /etc/rc.conf

Firewall Setup:

It is likely that you are running a firewall on both machines. In this regards you might want to allow all traffic between both networks, or you might want to include firewall rules that protect both ends of the VPN from one another.

If you are using pf then you will need to run this command on both gateway hosts.

It will allow all traffic between the two end points of the VPN

Your comments on this post helpful for us to make more competent howtos for you.