From 0aa2063ab620ba6b149a27f1667dfc354ba683a7 Mon Sep 17 00:00:00 2001
From: jdubois
Date: Tue, 30 Aug 2022 10:40:40 +0200
Subject: [PATCH] =?UTF-8?q?M=C3=A0J=20et=20corrections=20d'options?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 HowtoISAKMPD.md | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/HowtoISAKMPD.md b/HowtoISAKMPD.md
index a0256490..ef94d6bd 100644
--- a/HowtoISAKMPD.md
+++ b/HowtoISAKMPD.md
@@ -62,13 +62,6 @@ net.inet.ah.enable=1
 net.inet.ip.forwarding=1
 ~~~
 
-Activer l'interface enc0 :
-
-~~~
-# ifconfig enc0 up
-# echo up >/etc/hostname.enc0
-~~~
-
 Dans /etc/pf.conf, positionner :
 
 ~~~
@@ -76,19 +69,21 @@ set skip on {lo0 enc0}
 pass in on $ext_if proto esp from $addr_gw2 to ($ext_if)
 pass in on $ext_if proto udp from $addr_gw2 to ($ext_if) port {isakmp, ipsec-nat-t}
+pass in on $ext_if proto udp from $addr_gw2 port {isakmp, ipsec-nat-t} to ($ext_if)
 ~~~
 
 Dans /etc/ipsec.conf, positionner :
 
 ~~~
 local_network="192.0.2.0/24"
+
 remote_ip="198.51.100.254"
 remote_network="198.51.100.0/24"
 
 ike dynamic esp from $local_network to $remote_network peer $remote_ip \
-main auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 86400 \
-quick auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 7200 \
-psk "PRE-SHARED KEY"
+    main auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 86400 \
+    quick auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 7200 \
+    psk "PRE-SHARED KEY"
 ~~~
 
 Le mot-clef "dynamic" permet d'activer le Dead Peer Detection (DPD), utilisé pour détecter la perte du pair. Certains VPNs peuvent ne pas rester stable s'il n'est pas activé.
 
@@ -101,12 +96,12 @@ Tester la configuration :
 # ipsecctl -n -f /etc/ipsec.conf
 ~~~
 
-Démarrer le service :
+Activer et démarrer le service :
 
 ~~~
-# cat /etc/rc.conf.local
-isakmpd_flags="-K"
-
+# rcctl enable ipsec
+# rcctl enable isakmpd
+# rcctl set isakmpd flags -KTv
 # rcctl start isakmpd
 # ipsecctl -f /etc/ipsec.conf
 ~~~