MàJ et corrections d'options
parent
a6ffb4cc80
commit
0aa2063ab6
|
@ -62,13 +62,6 @@ net.inet.ah.enable=1
|
||||||
net.inet.ip.forwarding=1
|
net.inet.ip.forwarding=1
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
Activer l'interface enc0 :
|
|
||||||
|
|
||||||
~~~
|
|
||||||
# ifconfig enc0 up
|
|
||||||
# echo up >/etc/hostname.enc0
|
|
||||||
~~~
|
|
||||||
|
|
||||||
Dans /etc/pf.conf, positionner :
|
Dans /etc/pf.conf, positionner :
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
|
@ -76,19 +69,21 @@ set skip on {lo0 enc0}
|
||||||
|
|
||||||
pass in on $ext_if proto esp from $addr_gw2 to ($ext_if)
|
pass in on $ext_if proto esp from $addr_gw2 to ($ext_if)
|
||||||
pass in on $ext_if proto udp from $addr_gw2 to ($ext_if) port {isakmp, ipsec-nat-t}
|
pass in on $ext_if proto udp from $addr_gw2 to ($ext_if) port {isakmp, ipsec-nat-t}
|
||||||
|
pass in on $ext_if proto udp from $addr_gw2 port {isakmp, ipsec-nat-t} to ($ext_if)
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
Dans /etc/ipsec.conf, positionner :
|
Dans /etc/ipsec.conf, positionner :
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
local_network="192.0.2.0/24"
|
local_network="192.0.2.0/24"
|
||||||
|
|
||||||
remote_ip="198.51.100.254"
|
remote_ip="198.51.100.254"
|
||||||
remote_network="198.51.100.0/24"
|
remote_network="198.51.100.0/24"
|
||||||
|
|
||||||
ike dynamic esp from $local_network to $remote_network peer $remote_ip \
|
ike dynamic esp from $local_network to $remote_network peer $remote_ip \
|
||||||
main auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 86400 \
|
main auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 86400 \
|
||||||
quick auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 7200 \
|
quick auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 7200 \
|
||||||
psk "PRE-SHARED KEY"
|
psk "PRE-SHARED KEY"
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
Le mot-clef "dynamic" permet d'activer le Dead Peer Detection (DPD), utilisé pour détecter la perte du pair. Certains VPNs peuvent ne pas rester stable s'il n'est pas activé.
|
Le mot-clef "dynamic" permet d'activer le Dead Peer Detection (DPD), utilisé pour détecter la perte du pair. Certains VPNs peuvent ne pas rester stable s'il n'est pas activé.
|
||||||
|
@ -101,12 +96,12 @@ Tester la configuration :
|
||||||
# ipsecctl -n -f /etc/ipsec.conf
|
# ipsecctl -n -f /etc/ipsec.conf
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
Démarrer le service :
|
Activer et démarrer le service :
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
# cat /etc/rc.conf.local
|
# rcctl enable ipsec
|
||||||
isakmpd_flags="-K"
|
# rcctl enable isakmpd
|
||||||
|
# rcctl set isakmpd flags -KTv
|
||||||
# rcctl start isakmpd
|
# rcctl start isakmpd
|
||||||
# ipsecctl -f /etc/ipsec.conf
|
# ipsecctl -f /etc/ipsec.conf
|
||||||
~~~
|
~~~
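Review bot: The rule added in the /etc/pf.conf hunk, `pass in on $ext_if proto udp from $addr_gw2 port {isakmp, ipsec-nat-t} to ($ext_if)`, constrains only the source port, so it admits UDP from $addr_gw2 — or from anyone spoofing that address, since nothing authenticates the first packet of a UDP flow — with source port 500/4500 to every UDP port on the external interface, not just IKE. The retained rule just above it already matches the destination ports IKE and NAT-T use, so the new line is at best redundant and at worst a filter bypass; I would drop it, or at minimum keep the destination-port constraint: `pass in on $ext_if proto udp from $addr_gw2 port {isakmp, ipsec-nat-t} to ($ext_if) port {isakmp, ipsec-nat-t}`. Relatedly, the last hunk now sets `rcctl set isakmpd flags -KTv`; if I read isakmpd(8) correctly, `-T` disables NAT-Traversal, which contradicts opening ipsec-nat-t in pf — please confirm the flag is intended and, if NAT-T is not wanted, remove ipsec-nat-t from the pf rule rather than leaving the port open.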
|
||||||
|
|