FreeBSD IPsec mini-HOWTO
22 Sep 2001

$Id: ipsec-howto.txt,v 1.6 2001/09/22 15:10:38 BKoester Exp $

$B0lHV2<$K99?7MzNr$,$"$j$^$9(B

* KAME IPsec $B%H%s%M%k$N%3!<%I$r:G?7HG$K%"%C%W%0%l!<%I$7$F$/$@$5$$!#(B
$B$=$&$G$J$$$H!"IT5,B'$K5/$3$k%3%M%/%7%g%sGK2u$GDK$$L\$K$"$$$^$9!#(B
---------------------------------------------


1. $B$O$8$a$K(B

$B$3$N%A%e!<%H%j%"%k$N:G?7HG$O!"0J2<$N$H$3$m$G>o$K<j$KF~$l$k$3$H$,$G$-$^$9!'(B

http://www.x-itec.de/projects/tuts/ipsec-howto.txt
http://asherah.dyndns.org/~josh/ipsec-howto.txt

$B$3$NJ8=q$O!"(BFreeBSD $B>e$G(B IPsec $B$rN)$A>e$2!"F0$+$7!"JL$N(B FreeBSD
$B!J$d(B NetBSD $B$dB>$N(B KAME $BGI@8$N%9%?%C%/!K%^%7%s$d!"(BWindows 2000 $B%^%7%s$H(B
$BAj8_@\B3$9$kJ}K!$N<j0z$-$rL\E*$H$7$?$b$N$G$9!#(BIPv6 $B$K$D$$$F$O!"I,MW@-$,(B
$B$G$F$/$l$P$9$0$KDI2C$7$^$9!#(B

IPsec $B$O!"%[%9%H4V$N(B IP $BAXDL?.$rJ]8n$9$k$?$a$N<jCJ$G!"(BIPv4$B!"(BIPv6 $B$N$$$:(B
$B$l$N%H%i%U%#%C%/$bJ]8n$9$k$3$H$,2DG=$G$9!#:9$7Ev$?$j$3$3$G$O(B IPv4 $B$KE,(B
$BMQ$9$k(B IPsec $B$K$D$$$F$N$_5DO@$7$^$9!#(B

IPsec $B$O!"%Q%1%C%H$N0E9f2=!"G'>Z!"$=$7$F8BDj$5$l$?%H%i%U%#%C%/%U%m!<$N(B
$BHkF?@-$G!J%7!<%1%s%9HV9f$K$h$k!K:FAw$+$i$NJ]8n$rJ]>Z$9$k$3$H$G!"%5%V%M(B
$B%C%H4V$G%H%s%M%k$r9=C[$7$?$j!J%H%s%M%k%b!<%I!K!"$^$5$KFs$D$N%^%7%s4V$N(B
$BDL?.$rJ]8n!J%H%i%s%9%]!<%H%b!<%I!K$G$-$^$9!#(BIPsec $BDL?.$O0U?^E*$K!"BP>N(B
$BE*$J%"%k%4%j%:%`!J(BBlowfish, DES, 3DES$B!K$K$h$C$F0E9f2=$5$l$^$9!#$3$l$O(B
ESP (Encapsulating Security Payload$B!'0E9f%Z%$%m!<%I(B) $B%b!<%I$H$7$FCN$i$l!"(B
$B%Q%1%C%H$N%Z%$%m!<%I$,0E9f2=$5$l$^$9!#%Q%1%C%H$N%X%C%@$O?($l$i$l$:$=$N(B
$B$^$^$G$9!#%H%i%U%#%C%/$r0E9f2=$9$k$D$b$j$,$J$$$J$i!"(BAH (Authenticaed
Header$B!'G'>Z%X%C%@(B) $B%b!<%I$H$7$FCN$i$l$k5!G=$G(B IPsec $B$rMxMQ$G$-$^$9!#(B
$B$3$N%b!<%I$G$O!"%Q%1%C%H$N%Z%$%m!<%I$O0E9f2=$5$l$^$;$s$,!"%X%C%@!&%U%#(B
$B!<%k%I$,?.Mj@-$N$"$k%O%C%7%e4X?t$rMxMQ$7$F%O%C%7%e$5$l!"$3$N%O%C%7%eCM(B
$B$r4^$`IU2C%X%C%@$,!"%Q%1%C%HFb$N>pJs$rG'>Z$G$-$k$h$&$K!"%Q%1%C%H$KDI2C(B
$B$5$l$^$9!#(B

$B$3$NJ8=q$O!"(BIPsec $B$NA4BN$N%"!<%-%F%/%A%c$d!"$=$N9=@.MWAG$N%W%m%H%3%k$K(B
$B$D$$$F@bL@$9$k$b$N$G$O$"$j$^$;$s!J$$$:$l$9$k$+$b$7$l$^$;$s$,!K!#(B

TCP $B%Q%1%C%H$r5;=QE*$K8+$k$H!"0J2<$N9=B$$K$J$j$^$9!J(BRFC2406 $B;2>H!K!#(B
$B$=$N?^$r!"650iE*$JMQES$G!"$3$N(B RFC $B$+$i0zMQ$7$^$9!'(B


                 ESP $BE,MQA0(B
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------


                 ESP $BE,MQ8e(B
            -------------------------------------------------
      IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
            |(any options)| Hdr | TCP | Data | Trailer |Auth|
            -------------------------------------------------
                                |<----- encrypted ---->|
                          |<------ authenticated ----->|


IPv6 $B$G$O!"$3$N$h$&$J?^$K$J$j$^$9!'(B


                     ESP $BE,MQA0(B
            ---------------------------------------
      IPv6  |             | ext hdrs |     |      |
            | orig IP hdr |if present| TCP | Data |
            ---------------------------------------


                     ESP $BE,MQ8e(B
            ---------------------------------------------------------
      IPv6  | orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
            |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer|Auth|
            ---------------------------------------------------------
                                         |<---- encrypted ---->|
                                     |<---- authenticated ---->|

            * = $BB8:_$9$k>l9g!"(BESP $B$NA0$K$b8e$m$K$b!"$=$NN>J}$K$bIU$-$&$k(B

ESP $B$,$I$&F0:n$9$k$+$N%a%+%K%:%`$rM}2r$9$k$?$a$K!"2f!9$,$3$3$G9T$J$C$F(B
$B$$$k$3$H$rCN$k$3$H$,=EMW$J$N$G!"(BSSH $B%H%s%M%k$dN`;w$N$b$N$rMQ$$$?$j$O$7(B
$B$^$;$s!#$3$l$,(B ESP $B%X%C%@$N9=B$$G!"$"$J$?$,$I$3$+$GFI$s$@$3$H$N$"$k$+$b(B
$B$7$l$J$$C18l$N$$$/$D$+$d$3$N?^$,!"(BESP $B$K$D$$$F$N99$J$kM}2r$N=u$1$K$J$k(B
$B$G$7$g$&!#(B

0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
|               Security Parameters Index (SPI)                 | ^Auth.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|                      Sequence Number                          | |erage
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----
|                    Payload Data* (variable)                   | |   ^
~                                                               ~ |   |
|                                                               | |Conf.
+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|               |     Padding (0-255 bytes)                     | |erage*
+-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |   |
|                               |  Pad Length   | Next Header   | v   v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
|                 Authentication Data (variable)                |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        * $B%Z%$%m!<%I!&%U%#!<%k%I$K4^$^$l$k>l9g!"(B
          $B0E9fF14|%G!<%?!JNc!'=i4|%Y%/%H%k!K(B

$B!V%Q%G%#%s%0!W!V%7!<%1%s%9HV9f!W!V%Z%$%m!<%I!&%G!<%?!W$H$$$C$?8@MU$rJ9(B
$B$$$?$3$H$,$"$j!"(Bracoon.conf(5) $B$+(B setkey(8) $B$NJ8=q$rFI$s$G$$$k$J$i!"$3(B
$B$&$7$?>pJs$,(B ESP $B%X%C%@$N0lIt$G$"$j!"$=$l$,(B IPsec $B$H4X$o$j$,$"$k$3$H$,(B
$B$*J,$+$j$G$7$g$&!#(B

IPsec $B$r<BAu$9$k4pK\<j=g$O!'(B

        * $B%+!<%M%k9=C[(B
        * $B%;%-%e%j%F%#!&%]%j%7!<@_Dj(B
        * $B808r49@_Dj(B



2. $B$O$8$a$F$_$k(B

FreeBSD $B%^%7%s>e$G(B IPsec $B$rMxMQ$9$k$K$O!"(BFreeBSD 4.1 $B$+$=$l0J9_$N%P!<%8(B
$B%g%s$r6/$/$*4+$a$7$^$9!#$3$l$h$jA0$N%P!<%8%g%s!JFC$K(B FreeBSD 3.x$B!KMQ$N(B
KAME IPsec $B%3!<%I$bB8:_$7$^$9$,!"<+F080@_Dj$r9T$J$&(B racoon IKE 
(Internet Key Exchange$B!'<+F0808r49(B) $B%G!<%b%s$rMxMQ$9$k$K$O==J,$G$O$"$j$^(B
$B$;$s!#(B

$B%+!<%M%k$K(B IPsec $B$N%5%]!<%H$rDI2C$9$k$K$O!"%+!<%M%k@_Dj%U%!%$%k$K0J2<$N(B
$B9T$rDI2C$7$F$/$@$5$$(B

options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG             #debug for IP security

$B$5$i$K!"%H%s%M%k%b!<%I$G(B IPsec $B$rMxMQ$9$k>l9g$K$O!"%+!<%M%k@_Dj%U%!%$%k(B
$B$K0J2<$N9T$r2C$($F$/$@$5$$!'(B

FreeBSD 4.4 $B$h$jA0$N%P!<%8%g%s$G$O!'(B

pseudo-device   gif 4

FreeBSD 4.4 $B0J9_$J$i!'(B

pseudo-device gif

$B$H$9$k$+!"(Bgif $B$,4{$K%m!<%I2DG=$G$"$l$P!"2?$bI,MW$"$j$^$;$s!*(B



$B?7$7$$%+!<%M%k$r:F%3%s%Q%$%k$7!"%$%s%9%H!<%k$7$F$/$@$5$$!#%+!<%M%k$N(B
$B:F%3%s%Q%$%k$N;EJ}$,J,$+$i$J$$>l9g$O!"(BFreeBSD $B%O%s%I%V%C%/$r$4Mw$/$@$5$$!#(B

ports $B$+$i(B racoon $B%G!<%b%s$r%$%s%9%H!<%k$7$F$/$@$5$$!'(B

        cd /usr/ports/security/racoon ; make all install clean

$B$3$N(B mini HOWTO $B$r=q$$$F$$$k;~E@$K$*$$$F!"8=:_(B port $B$N:G?7HG$O!"(B
racoon-20010831a.tar.gz $B$G$9!#<jF080@_Dj!J$D$^$j!"0E9f2=80$r<jF0$G;XDj$9$k!K(B
$B$N$_$G(B IPsec $B$rMxMQ$7!"FsBf$N(B FreeBSD $B%^%7%s$rDL?.$5$;$k$3$H$O2DG=$G$9$,!"(B
$B$=$l$OLLGr$/$J$/<BMQE*$G$J$$$P$+$j$+!"(BWindows 2000 $B%^%7%s$HAj8_@\B3(B
$B$7$h$&$H$9$k:]$KLr$KN)$A$^$;$s!#(B

3. $B%;%-%e%j%F%#!&%]%j%7!<$N@_Dj(B

-------------------------------
$B$3$N%;%/%7%g%s$O!"(B4.4 $B$h$jA0$N%P!<%8%g%s$N(B FreeBSD $B$N$?$a$N$b$N$G!"(B
4.4 $B$N$?$a$K2<$K?7$7$/DI5-$7$F$^$9$,!"$3$N%;%/%7%g%s$bFI$s$G$*$/$N$O(B
$BB;$K$O$J$j$^$;$s!#(B
-------------------------------

IPsec $B$K7g$/$3$H$N$G$-$J$$$N$,!"$I$N%Q%1%C%H$r0E9f2=$9$Y$-$+!"$=$7$F$=(B
$B$l$r$I$N$h$&$K0E9f2=$9$Y$-$+!"(BAH$B!JG'>Z%X%C%@!K$+(B ESP$B!J0E9f%Z%$%m!<%I!K(B
$B%b!<%I$N$$$:$l$rMxMQ$9$k$+!"$I$N0E9f2=%"%k%4%j%:%`!"%O%C%7%e!&%"%k%4%j(B
$B%:%`$rMxMQ$9$k$+$H$$$&$3$H$r%+!<%M%k$K65$($kItJ,$G$9!#(B

$B$3$l$i$N7hDj$,!V%]%j%7!<!W$H8F$P$l!"%+!<%M%kFb$N(B Security Policy Database
(SPD) $B$H$7$FCN$i$l$k%F!<%V%k$NCf$K3JG<$5$l$^$9!#(Bsetkey(8) $B%W%m%0%i%`$r(B
$BMQ$$$F!"(BSPD $B$rA`:n$G$-$^$9!#(B

$B%[%9%H4V$NDL?.$rJ]8n$9$k$N$KI,MW$J3F<o$N0E9f80$r%+!<%M%kFb$K3JG<$9$k%F(B
$B!<%V%k$b$"$j$^$9!#$3$N%F!<%V%k$O(B Security Association Database (SAD) 
$B$H$7$FCN$i$l$F$$$^$9!#<jF080@_Dj$G(B IPsec $B$r@_Dj$9$k>l9g!"(Bsetkey(8)
$B%W%m%0%i%`$,!"(BSAD $B$K<jF080$r@_Dj$9$k$N$K$3$3$G$b;H$o$l$^$9!#%[%9%H4V$G(B
$B80$r<+F0E*$K8r49$9$k$N$K(B IKE $B$rMxMQ$9$k$J$i!"(Bracoon $B$,(B SAD $B$K%(%s%H%j(B
$B$rDI2C$7$?$j!"%(%s%H%j$r:o=|$7$?$j$9$kA`:n$r9T$J$$$^$9!#(B

IP $B%"%I%l%9$,(B 1.2.3.4 $B$N%N!<%I(B A $B$H!"(BIP $B%"%I%l%9$,(B 5.6.7.8 $B$N%N!<%I(B B
$B$N!"FsBf$N(B FreeBSD $B%^%7%s$,$"$k$J$i!"0J2<$N%3%^%s%I$G!"Fs$D$N%N!<%I4V$G(B
IPsec $B$rM-8z$K$9$k%]%j%7!<$r(B SPD $B$KDI2C$7$^$9!#(B

        #!/bin/sh
        # $B0J2<$N%3%^%s%I$,%N!<%I(BA$B$G(B IPsec $B$rF0$+$9$N$KI,MW(B
        # $B<!$N(B2$B9T$G(B SPD $B$H(B SAD $B$+$i!"4{B8$N%(%s%H%j$r$9$Y$F:o=|(B
        setkey -FP
        setkey -F
        # $B%]%j%7!<$NDI2C(B
        setkey -c << EOF
        spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec
         esp/transport/1.2.3.4-5.6.7.8/require;
        spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec
         esp/transport/5.6.7.8-1.2.3.4/require;
        EOF

$B:G=i$N(B spdadd $B%3%^%s%I$,!"(B1.2.3.4/32 $B$+$i(B 5.6.7.8/32 $B08$F$NA4$F$N308~$-(B
$B%Q%1%C%H$K(B ESP $B$rMQ$$$?0E9f2=$rMW5a$9$k%]%j%7!<$r@_Dj$7$^$9!#FsHVL\$N(B
spdadd $B%3%^%s%I$G$bF1$8%]%j%7!<$r@_Dj$7$F$^$9$,!"$3$l$O(B 5.6.7.8/32 $B$+$i(B
1.2.3.4/32 $B08$F$NFb8~$-$N%Q%1%C%H$K4X$9$k$b$N$G$9!#(B

        #!/bin/sh
        # $B0J2<$N%3%^%s%I$,%N!<%I(BB$B$G(B IPsec $B$rF0$+$9$N$KI,MW(B
        # $B<!$N(B2$B9T$G(B SPD $B$H(B SAD $B$+$i!"4{B8$N%(%s%H%j$r$9$Y$F:o=|(B
        setkey -FP
        setkey -F
        # $B%]%j%7!<$NDI2C(B
        setkey -c << EOF
        spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec
         esp/transport/5.6.7.8-1.2.3.4/require;
        spdadd 1.2.3.4/32 5.6.7.8/32 any -P in ipsec
         esp/transport/1.2.3.4-5.6.7.8/require;
        EOF

setkey(8) $B$rMQ$$$?(B SAD $B%(%s%H%j$r@_DjK!$NNc$O!"(BFreeBSD $B%O%s%I%V%C%/$N(B
IPsec $B$N>O$K$"$j$^$9!#(B

4. AH vs ESP$B!#%H%s%M%k(B vs $B%H%i%s%9%]!<%H!#(B

$BF~<j$G$-$k(B IPsec $B$K4X$9$kJ8=q$r$6$C$HFI$s$@$@$1$G$O!"$I$N%b!<%I$GF0$+$9(B
$B$Y$-$+>/!9:.Mp$7$F$7$^$&$3$H$b$"$j$($^$9!#(BVPN $B$r9=C[$7$?$$$N$G$J$1$l$P!"(B
ESP $B$r%H%i%s%9%]!<%H%b!<%I$GF0$+$;$PB?J,$h$$$G$7$g$&!#(B

ESP $B$N%H%i%s%9%]!<%H%b!<%I$G$O!"(BIPsec $B$rMW5a$5$l$F$$$kC<Kv08$F$N$I$N%Q(B
$B%1%C%H$b!"%Z%$%m!<%I$,0E9f2=$5$l$^$9!#%H%s%M%k%b!<%I$G$O!"%Q%1%C%HA4BN(B
$B!J0E9f2=$5$l$?%Z%$%m!<%I$b4^$a!K$,!"%j%b!<%H%[%9%H$K8~$1$FAw?.$5$l$kA0(B
$B$K!"JL$N%Q%1%C%H$NCf$K%+%W%;%k2=$5$l$^$9!#(B

$B$7$+$7!"(BVPN $B$r9=C[$9$k!"$9$J$o$A%$%s%?!<%M%C%H$r2p$7$F1s$/N%$l$FB8:_$9(B
$B$kFs$D$N%M%C%H%o!<%/$r$D$J$0$3$H$,L\E*$J$i!"(BESP $B$N%H%s%M%k%b!<%I$r;H$&(B
$B$N$,$h$$$G$7$g$&!#%H%s%M%k%b!<%IMQ$N(B SPD $B$N@_Dj$O!"%H%i%s%9%]!<%H$N$=$l(B
$B$K$h$/;w$F$^$9!#<g$J0c$$$O!"%k!<%F%#%s%0$r@5$7$/9T$&(B gif(4) $B%G%P%$%9$N(B
$BMxMQ$G$9!#%H%i%U%#%C%/$,(B gif(4) $B%H%s%M%k$rE>Aw$5$l$k$N$G$O$J$$$3$H$KCm(B
$B0U$7$F$/$@$5$$!*!!$=$&$G$J$/!"%+!<%M%kFbIt$N(B IPsec $B$N%3!<%I$,;XDj$5$l$?(B
$B%]%j%7!<$K=>$C$F%Q%1%C%H$r2#<h$j$7!"(BIPsec $B%H%s%M%kMQ$N@5$7$$(B IP $B%"%I%l(B
$B%9$GJq$`$N$G$9!#<B:]$K$O!"%Q%1%C%H$O(B gif $B%H%s%M%k$,DL2a$9$k7PO)$H0[$J$k!"(B
$B?7$7$$(B IP $B%"%I%l%9$r<u$1<h$k$N$G$9!#!J$=$&$G$9!"!V%H%s%M%k!W$H$$$&MQ8l(B
$B$O!"(BIPsec $B%H%s%M%k$@$1$G$J$/(B gif $B%H%s%M%k$b;X$7$^$9$+$i!"[#Kf$G$9!#$b$A(B
$B$m$s!"(BIP $B%k!<%F%#%s%0$r@5$7$/@_Dj$9$kJL$NJ}K!$bB8:_$7$^$9!#%k!<%F%#%s%0(B
$B!&%F!<%V%k$NCf$N(B IPsec $B%]%j%7!<$rH?1G$9$k$?$a$K(B gif $B%H%s%M%k$r%$%s%9%H!<(B
$B%k$9$k$K$O9%ET9g$G$9!K(B

$B2>Dj$7$?%N!<%I(B A $B$H(B B $B$KLa$j!"0J2<$N%M%C%H%o!<%/!&%H%]%m%8!<$r2>Dj$7$^$9!'(B

Internal net A <-> Node A <-----> Internet <------> Node B <-> Internal net B

$B$3$N>l9g(B

$B%N!<%I(B A $B$NFbB&$N%"%I%l%9$O(B 10.10.10.1/24$B!"30B&$N%"%I%l%9$O(B 1.2.3.4

$B%N!<%I(B B $B$NFbB&$N%"%I%l%9$O(B 10.20.20.1/24$B!"30B&$N%"%I%l%9$O(B 5.6.7.8

$B$=$3$G%N!<%I(B A $B$K%]%j%7!<$r@_Dj$7$^$9!'(B

        #!/bin/sh
        # $B0J2<$N%3%^%s%I$,%N!<%I(BA$B$G(B IPsec $B$rF0$+$9$N$KI,MW(B
		  # $B%H%s%M%k!&%G%P%$%9$N@_Dj!#(Bgif(4) $B$N%5%]!<%H$,A0Ds(B
		  # gif0 $B$O(B 1.2.3.4 $B$+$i(B 5.6.7.8 $B$K@\B3(B
		  gifconfig gif0 1.2.3.4 5.6.7.8
		  # $B%H%s%M%k$N!VFb!WB&$O!"(B10.10.10.1 $B$+$i(B 10.20.20.1 $B$K@\B3(B
		  ifconfig gif0 inet 10.10.10.1 10.20.20.1 netmask 255.255.255.0
        # $B<!$N(B2$B9T$G(B SPD $B$H(B SAD $B$+$i!"4{B8$N%(%s%H%j$r$9$Y$F:o=|(B
        setkey -FP
        setkey -F
        # $B%]%j%7!<$NDI2C(B
        setkey -c << EOF
        spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
         esp/tunnel/1.2.3.4-5.6.7.8/require;
        spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec
         esp/tunnel/5.6.7.8-1.2.3.4/require;
        EOF

spdadd $B%3%^%s%I$N0c$$$KCm0U$7$F$/$@$5$$!#%M%C%H%o!<%/(B 10.10.10/24 $B$+$i(B
$B%M%C%H%o!<%/(B 10.20.20/24 $B$X$N%H%i%U%#%C%/$r!J(BESP $B$K$h$C$F!K0E9f2=$7!"(B
1.2.3.4 $B$+$i(B 5.6.7.8 $B08$F$N7PO)$r@_Dj$7!"$=$7$F$=$N5U$N$3$H$r9T$J$&%]%j(B
$B%7!<$r@_Dj$7$F$$$^$9!#(B

$B$=$7$F%N!<%I(B B $B$K$O!'(B

        #!/bin/sh
        # $B0J2<$N%3%^%s%I$,%N!<%I(BB$B$G(B IPsec $B$rF0$+$9$N$KI,MW(B
		  # $B%H%s%M%k!&%G%P%$%9$N@_Dj!#(Bgif(4) $B$N%5%]!<%H$,A0Ds(B
		  # gif0 $B$O(B 5.6.7.8 $B$+$i(B 1.2.3.4 $B$K@\B3(B
		  gifconfig gif0 5.6.7.8 1.2.3.4
		  # $B%H%s%M%k$N!VFb!WB&$O!"(B 10.20.20.1 $B$+$i(B 10.10.10.1 $B$K@\B3(B
		  ifconfig gif0 inet 10.20.20.1 10.10.10.1 netmask 255.255.255.0
        # $B<!$N(B2$B9T$G(B SPD $B$H(B SAD $B$+$i!"4{B8$N%(%s%H%j$r$9$Y$F:o=|(B
        setkey -FP
        setkey -F
        # $B%]%j%7!<$NDI2C(B
        setkey -c << EOF
        spdadd 10.20.20.0/24 10.10.10.0/24 any -P out ipsec
         esp/tunnel/5.6.7.8-1.2.3.4/require;
        spdadd 10.10.10.0/24 10.20.20.0/24 any -P in ipsec
          esp/tunnel/1.2.3.4-5.6.7.8/require;
        EOF

$B$3$l$r!"(B/etc/rc.conf $B$H(B /etc/ipsec.conf $B$KF~$l$k$3$H$K$J$j$^$9!#Nc$($P!"(B
$B%N!<%I(B A $B$G$7$?$i$3$N$h$&$K$J$j$^$9!'(B

    /etc/rc.conf:

        ...
        # /etc/ipsec.conf $B$K(B setkey $B$rFI$_$3$^$;$k(B 
        ipsec_enable="YES"
        # ep0 $B30It%$%s%?%U%'!<%9$G$"$k$H2>Dj(B
        network_interfaces="ep0 gif0 lo0"
        ifconfig_ep0="inet 1.2.3.4 netmask ..."    # correct mask here
        ifconfig_gif0="inet 10.10.10.1 10.20.20.1 netmask 255.255.255.0"
        gif_interfaces="gif0"
        gifconfig_gif0="1.2.3.4 5.6.7.8"
        ...

    /etc/ipsec.conf:

        flush;
        spdflush;
        spdadd 10.10.10.0/24 10.20.20.0/24 any -P out ipsec
         esp/tunnel/1.2.3.4-5.6.7.8/require;
        spdadd 10.20.20.0/24 10.10.10.0/24 any -P in ipsec
         esp/tunnel/5.6.7.8-1.2.3.4/require;



4a Changes for FreeBSD 4.4 *NEW*

Brooks Davis $B$,!"(BFreeBSD 4.4 $B%P!<%8%g%s$K$*$1$kJQ99$K$D$$$F$N>pJs(B
$B$r65$($F$/$l$^$7$?!#>e$K5-=R$7$?!J(Bgif $B$K4X$9$k!K%+!<%M%k$NJQ99$,$"$j!"(B
$B$3$3$K$=$NJQ99$r=q$-$^$9!'(B

$B!D%3%s%Q%$%k$5$l$?(B gif $B%G%P%$%9$G$"$C$F$b!"<+J,$G%9%/%j%W%H$r:n@.(B
$B$9$kI,MW$,$"$k$N$G!"%V!<%H;~$K$O$^$C$?$/5!G=$7$^$;$s!#$=$3$G!"(B
$B%9%/%j%W%H$O0J2<$N$h$&$J$b$N$G$"$kI,MW$,$"$j$^$9!'(B

ifconfig gif0 create
# gifconfig $B$OL$$@M-8z$@$,!"8=:_$O(B ifconfig $B$G$=$N:n6H$r9T$($k(B
ifconfig gif0 tunnel 5.6.7.8 1.2.3.4
# netmask $B$,K\Ev$K%]%$%s%H4V%j%s%/$rI=<($9$k$H$O;W$o$J$$(B
ifconfig gif0 inet 10.20.20.1 10.10.10.1

$B$=$&$G$J$/!"%/!<%k$G?7$7$$@_Dj$r8+$;$S$i$+$7!"G$0U$N%$%s%?%U%'!<%95!G=(B
$B$r:n@.$7$?$$$J$i!"0J2<$N$h$&$J$b$N$,;H$($^$9!'(B

ifn=`ifconfig gif create`
ifconfig ${ifn} tunnel 5.6.7.8 1.2.3.4
ifconfig ${ifn} inet 10.20.20.1 10.10.10.1

$B4{$K2??M$+$N?MC#$,:.Mp$7$F$^$9$N$G!"$3$NJQ99$K$D$$$F$N5-=R$r2C$($k$N$,(B
$B$h$$$N$+$b$7$l$^$;$s!#(B


5. racoon $B$rMxMQ$7$?<+F0808r49(B

$B<sHx$h$/80$r8r49$G$-$kDxEY$^$G(B racoon $B$r@_Dj$9$k$N$O!"$+$J$j4JC1$G$9!#(B
$B%G%U%)%k%H$N(B racoon.conf $B%U%!%$%k$G!"4pK\E*$J%;%C%H%"%C%W$O==J,$G$9!#(B
$B$7$+$7$J$,$i!"2f!9$H$7$F$O0J2<$N9`L\$rJQ99$9$k$3$H$r$*4+$a$7$^$9!#(B

$B%G%U%)%k%H$N%m%0!&%l%Y%k$G$"$k!V(Bdebug4$B!W$G$O!"$P$j$P$j%m%0$rEG$-$^$9!#(B
$BIaDL$K%;%C%H%"%C%W$9$k$K$OJXMx$G$9$,!"DL>o$NMQES$K$O$A$g$C$H2aEY$G$9!#(B
$B%m%0$r8:$i$9$?$a!"$=$N9T$N(B

        log "debug4";

$B$r(B

        log "info";

$B$KJQ99$7$^$9!#(Bfreebsd-net $B$N%a!<%j%s%0%j%9%H$N%9%l%C%I$G!"(Bracoon $B$K$h$j(B
$B%M%4$5$l$k80$N<wL?$N%G%U%)%k%H$NCM$,!"(BWAN $B$N%j%s%/!"FC$K(B PPPoE
$B!JLuCm!'(BPPP over Ethernet$B!#<g$K(B xDSL $B$GMxMQ$5$l$k@\B3J}<0!K$N%j%s%/$K$O!"(B
$BC;$9$.$k$N$G$O$J$$$+$H$$$&;XE&$,$"$j$^$7$?!#=>$C$F!"!V(Bsainfo anonymous$B!W(B
$B@a$K$"$k!"!V(Blifetime time$B!W$H!V(Blifetime byte$B!W%Q%i%a!<%?$r!"$=$l$>$l(B
3600 $BIC$H(B 50000 KB $B$KJQ99$7$?$$$H;W$&$+$b$7$l$^$;$s!#(B

$B808r49$N2aDx$N0lIt$H$7$F!"Fs$D$N%N!<%I$,$$$/$D$+$NA0$b$C$F7h$a$F$*$$$?(B
$BHkL)CM$rG'<1$7$F$*$/I,MW$,$"$j$^$9!#$3$l$O!"(BX.509 $B>ZL@=q$rM?$($k$+!"(B
$B!JC1$K!KFCDj$N%F%-%9%H$N;vA06&M-80$K$h$C$F<B8=2DG=$G$9!#;vA06&M-80$r@_(B
$BDj$9$k$K$O!"N>J}$N%N!<%I$G!"(B/usr/local/etc/racoon/psk.txt $B%U%!%$%k$rJT(B
$B=8$7$J$1$l$P$J$j$^$;$s!#(B

psk.txt $B%U%!%$%k$K!"<!$N9T$rDI2C$7$F$/$@$5$$!'(B

        peer_ip_address        sharedkey

IP $B%"%I%l%9$,(B 5.6.7.8 $B$G$"$k%T%"$H!"6&M-80!V(Bthisisatest$B!W$GDL?.$r$9$k(B
IPsec $B$N@_Dj$r9T$J$&$J$i!"(B

        5.6.7.8                thisisatest

$B$H$$$&9T$r!"$=$N%^%7%s$N(B psk.txt $B%U%!%$%k$KDI2C$7$F$/$@$5$$!#(B

psk.txt $B%U%!%$%k$N%"%/%;%98"8B$,(B 600 $B$G!"=jM-<T$,(B root $B$G$"$j!"$=$&$G$J(B
$B$1$l$P(B racoon $B$O$=$l$rFI$_$3$`$N$r5qH]$9$k$N$r3NG'$7$F$/$@$5$$!#(B

$B$3$3$K;j$C$F!"0J2<$N%3%^%s%I$K$h$C$F!"N>J}$N%^%7%s$G(B racoon $B$r3+;O$9$k(B
$B$3$H$,$G$-$^$9!'(B

        /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf

$B$9$Y$F$&$^$/$$$C$?$J$i!"$I$A$i$N%[%9%H$K(B ping $B$9$k$N$b$&$^$/$$$/$O$:$G(B
$B$9!#(Bracoon $B$N808r49$KC;$$CY1d$,@8$8$^$9$,!"%Q%1%C%H!&%U%m!<$r$_$k$3$H$,(B
$B$G$-$^$9!#(Bracoon $B$N%m%0!&%U%!%$%k$O%G%U%)%k%H$G$O!"(B/var/log/racoon.log
$B$K$"$j$^$9!#%m%0$r(B tail $B$9$l$P!"80$,8r49$5$l$k$N$r8+$k$3$H$,2DG=$G$9!#(B

6. Windows 2000 $B$H$NAj8_@\B3(B

FreeBSD $B%^%7%s$K!"(BWindows 2000 $B%^%7%s$H(B IPsec $BDL?.$5$;$k$3$H$b2DG=$G$9!#(B
Windows 2000 $B$HAj8_@\B3$9$k>l9g$K$O<jF080@_Dj$K$h$k%;%C%H%"%C%W$,$G$-$J(B
$B$$$N$G!"(Bracoon $B$r;H$C$F<+F0E*$K80$r8r49$7$J$1$l$P$J$j$^$;$s!#$^$?(B
Windows 2000 $B%^%7%s$K$O$$$/$D$+@)8B$,$"$k$N$G!"0E9f2=$5$l$?(B FreeBSD $B%M(B
$B%C%H%o!<%/$[$I$K$O?.Mj@-$,9b$/$J$$!J<BAu$7$F$$$k%"%k%4%j%:%`$N?t$,>/$J(B
$B$/!"0E9f80$N%S%C%H?t$b>.$5$$!K$N$rCN$C$F$*$/I,MW$,$"$j$^$9!#(B

FreeBSD $B%^%7%s$H(B Windows 2000 $B%5!<%P!<4V$G0E9f2=%;%C%7%g%s$r@8@.$7$?$$(B
$B>l9g$K9T$J$o$J$1$l$P$J$i$J$$$3$H$N$^$:0lHVL\$O!"F~<j2DG=$J:G?7$N%5!<%S(B
$B%9%Q%C%/$r%@%&%s%m!<%I$9$k$3$H$G!"$=$l$b!V(BWindows 2000 $BMQ9bEY0E9f2=%Q%C(B
$B%/!W$r%@%&%s%m!<%I$7$J$1$l$P$J$j$^$;$s!#$3$N0E9f%Q%C%/$O!"$$$/$D$+$N9q(B
$B$K$*$$$F!"(BWindows 2000 $B%^%7%s$G(B 128 $B%S%C%H(B 3DES $B$rM-8z$K$9$k$N$KI,MW$G(B
$B$9!#$=$N%Q%C%/$r%@%&%s%m!<%I$7$J$1$l$P!"(BFreeBSD $B%5!<%P$H$O@\B3$G$-$J$$(B
$B$7!"2?$r$7$h$&$K$b%?%$%`%"%&%H$K$J$j$^$9!#Ev3:%5!<%S%9%Q%C%/$b9bEY0E9f(B
$B2=%Q%C%/$b%^%$%/%m%=%U%H$N%5%$%H$+$iL5NA$GF~<j2DG=$G$9!#(B
$B!JLuCm!'(BWindows 2000 $B1Q8lHG$O!"I8=`$G$O0E9f2=%"%k%4%j%:%`$NM"=P5,@)$N$?(B
$B$a!"0E9f2=%"%k%4%j%:%`$K(B 3DES $B$r;XDj$7$F$bM-8z$K$J$i$J$$!#$J$*!"9bEY0E(B
$B9f2=%Q%C%/$O(B Windows Update $B$K$h$j%@%&%s%m!<%I2DG=!#$3$NLdBj$N>\:Y$O!"(B
@IT $B$N!V(BWindows 2000$B$N(BIPSec$B$G(B3DES$B$K$h$k0E9f2=$rM-8z$K$9$kJ}K!!W(B
http://www.atmarkit.co.jp/fpc/pctips/030gethighencrypt/gethighencrypt.html
$B$J$I$r;2>H$9$k$H$h$$!K(B

$B>e=R$7$?DL$j$K!"(BIPsec $B$r4^$a$F%+!<%M%k$r:F%3%s%Q%$%k$7!"(Bsetkey(8) $B$r;H(B
$B$C$F(B SAD $B$K%(%s%H%j$rDI2C$7!"(Bracoon $B$r@_Dj!"5/F0$7!"(BFreeBSD $B%^%7%s$r%;(B
$B%C%H%"%C%W$7$F$/$@$5$$!#(B

$B$^$:(B setkey $B$G4pK\@_Dj$r$7$J$1$P$J$i$:!"$=$l$+$i(B racoon $B$r;OF0$5$;$^$9!#(B
$B$3$N%A%e!<%H%j%"%k$K$*$$$F>e=R$7$?4pK\@_Dj!J(Bsetkey $B%9%/%j%W%H!K$r9T$J$&(B
$BA0$K$O!"(Bracoon $B$r;OF0$5$;$k$Y$-$G$O$"$j$^$;$s!#(B

$B$3$3$G!"(BWindows 2000 $BMQ$KFC$KI,MW$J(B racoon $B$N@_DjK!$r>R2p$7$^$9!#(B

$B0J2<$N@_Dj%U%!%$%k!J(Bmy-racoon.conf $B$H8F$S$^$9!K$r$4Mw2<$5$$!#$$$/$D$+=$(B
$B@5$r9T$J$C$F$$$k$N$G!"85$N(B racoon.conf $B$H$O40A4$K$OF1$8$G$O$"$j$^$;$s!#(B

racoon $B$N:G?7HG$rMQ$$$k$3$H$r!"2f!9$O$"$^$j=EMW;k$7$F$^$;$s!#(Bracoon $B$N(B
$B3+H/$O!"%j%j!<%9$NEY$KB??t$N%P%0$HAj8_@\B3$NLdBj$,=$@5$5$l!"$+$J$j5^B.(B
$B$K?J$s$G$$$^$9!#(B

$B!V(Blog debug4$B!W%*%W%7%g%s$K$D$$$F$O!"J*8@$$$,$D$/$+$b$7$l$^$;$s$,!"$^$:(B
$BBh0l$K2f!9$N;HL?$O!"0E9f2=DL?.$rN)$A>e$2!"2TF0$5$;$k$3$H$G$9!#$=$l$,$&(B
$B$^$/$$$1$P!"@_Dj$d$=$N%*%W%7%g%s$r:GE,2=$9$l$P$h$$$N$G$9!#(B

-------------------------------------------------------

path pre_shared_key "/usr/local/etc/psk.txt" ;

log debug4;

# "padding" $B$O%Q%G%#%s%0$K4X$9$k$$$/$D$+$N%Q%i%a!<%?$r@_Dj$7$F$$$k!#<j$r2C$($k$Y$-$G$O$J$$(B
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# $B%G%U%)%k%H$N$$$m$$$m$J;~4V$K4X$9$k;EMM(B
timer
{
        # $B0J2<$NCM$O%j%b!<%H!&%[%9%HKh$KJQ992DG=(B
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # $B3F%U%'!<%:$r40?k$9$k$N$K%&%'%$%H$9$k;~4V(B
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        # identifier$B$OI,MW$J$$!#<+F0E*$K%;%C%H$5$l$k(B
        #my_identifier address;
        #my_identifier address "192.168.0.99";
        ##peers_identifier address "192.168.0.1";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        lifetime byte 5 MB;     # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        # $BBgJQ=EMW!#0E9f2=$K$O(B 3DES$B!"%A%'%C%/%5%`$K$O(B MD5 $B$,I,MW(B

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 36000 sec;
        lifetime byte 50000 KB;
        encryption_algorithm 3des,des,cast128,blowfish ;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate ;
}

-------------------------------------------------------

$B<wL?;~4V$N@_Dj$K$D$$$F$bJ*8@$$$,$D$/$+$b$7$l$^$;$s$,!"<wL?$rC;$/$9$l$P(B
$B$9$k$[$I!"%;%C%7%g%s$N0BA4$O9b$^$j$^$9!#$3$l$3$=$,!"BP>NE*0E9f%"%k%4%j(B
$B%:%`MQ$N%;%C%7%g%s!&%-!<$,$H$F$bIQHK$KJQ99$5$l$kM}M3$J$N$G$9!#$=$N7k2L!"(B
$B%;%C%7%g%s!&%-!<$N$$$:$l$+$,%/%i%C%/$5$l$k$3$H$G32$rHo$kDL?.$O>/$J$/$J(B
$B$j$^$9!#$7$+$7(B Windows 2000 $B%^%7%s$K$O$$$/$D$+@)8B$,$"$j$^$9!#$"$^$j$K(B
$B$bC;$$<wL?$O@_Dj$G$-$^$;$s!#B>J}$+$i$9$l$P!"<wL?$rC;$/$9$l$P$9$k$[$I!"(B
$B%*!<%P!<%X%C%I$,A}$($k$N$G!"M>J,$JBS0hI}$H=hM}G=NO$,!"808r49$KHq$d$5$l(B
$B$k$3$H$K$J$k$N$G$9!#(B

$B$3$N%A%e!<%H%j%"%k$G>e=R$7$?DL$j!";vA06&M-!V80!W!J%Q%9%o!<%I!K$K$h$C$F!"(B
$B!VHkL)%U%!%$%k!W$r:n$k$N$rK:$l$J$$$G$/$@$5$$!#(Bracoon $B$NMxE@$K!"%Q%9%o!<(B
$B%ID9$K4X$9$k7W;;!J%Q%9%o!<%ID9$N%S%C%H?t$,(B 8 $B$G3d$j@Z$l$k$+!K$r$9$kI,MW(B
$B$,$J$$$3$H$H!"%Q%9%o!<%I$rFs$D!J0l$D$OG'>ZMQ!"0l$D$O0E9f2=MQ!K;H$&I,MW(B
$B$,$J$$$3$H$,$"$j$^$9!#(BWindows 2000 $B$G$O!"%Q%9%o!<%I$rFs$D;H$&$3$H$,$G$-(B
$B$^$;$s!#DL?.MQ$K$?$@0l8D$N6&M-$9$kHkL)CM$r;}$A!"$=$l$OG'>ZMQ$H0E9fMQ$K(B
$B%Q%9%o!<%I$rJL!9$KJ,$1$k$3$H$O$7$^$;$s!#(B

$B%G%P%C%0$,L\E*$J$i!"(Bracoon $B$K0J2<$N%*%W%7%g%s$rIU$1$F5/F0$7$^$9!'(B

    racoon -F -v -f my-racoon.conf

$B$3$l$K$h$j(B racoon $B$OI=$GF0$/$N$G!"8e$G<~CN$NLdBj$r2r@O$9$k$h$&$K!"%G%P(B
$B%C%0!&%W%m%H%3%k$r%9%/%j!<%s>e$G8+$k$3$H$,$G$-$^$9!#(B

Windows $B%^%7%s$G$O!"0J2<$N<j=g$r<B9T$7$^$9!'(B

* $B%3%^%s%I!&%&%#%s%I%&$r3+$-!"!V(Bmmc$B!W$r3+;O!#!V%3%s%=!<%k!W(B->$B!V%9%J%C%W(B
  $B%$%s$NDI2C$H:o=|!W$K?J$`!#!V(BIP$B%;%-%e%j%F%#%]%j%7!<$N4IM}!W$KDI2C!#(B

* $B%D%j!<!&%j%9%HFb$N!V(BIP$B%;%-%e%j%F%#%]%j%7!<!W$r%/%j%C%/$7!"$=$l$+$i(B
  $B%a%K%e!<$+$i!"!VA`:n!W(B->$B!V(BIP$B%;%-%e%j%F%#%]%j%7!<$N:n@.!W$rA*Br!#(B

* $B%&%#%6!<%I$r40N;$9$k!#FC$K!"(B
        * $B%G%U%)%k%H$NJV?.%k!<%k$rM-8z$K$7$J$$(B
        * $B%W%m%Q%F%#$rJT=8(B 

* $B%W%m%Q%F%#$G!"?7$7$$%k!<%k$rDI2C$9$k$?$a!VDI2C!W%\%?%s$r%/%j%C%/!#%&%#%6(B
  $B!<%I$r40N;$7!"0J2<$N@_Dj$r3N$+$K$9$k!'(B
        * $B%k!<%k$O%H%s%M%k$r;XDj$7$J$$(B
        * $B%k!<%k$O(B LAN $B$KE,MQ(B
        * $B808r49$rJ]8n$9$k$?$a!"J8;zNs$rMxMQ$9$k!#(Bpsk.txt $B%U%!%$%k$K;X(B
          $BDj$7$?$N$HF1$880$GE}0l(B
        * BSD $B%^%7%s$X$N%H%i%U%#%C%/$K$N$_%;%-%e%j%F%#!&%]%j%7!<$rE,MQ(B
          $B$9$k$h$&$K!"?7$7$$(B IP $B%U%#%k%?$r@8@.$7$?$$$@$m$&$+$i!"$3$N?7(B
          $B$7$$%U%#%k%?$rA*Br(B
        * $B%U%#%k%?$NF0:n$H$7$F!"!V(BRequire Security$B!W$rA*Br(B

        $B!V(BRequire Security$B!WMQ$N@_Dj$r!"0J2<$N$h$&$K$7$^$9!#(B
        $B$$$/$D$+%k!<%k$,$"$k$N$G!"$3$N%*%W%7%g%s$K9g$C$?%k!<%k$r%A%'%C(B
        $B%/$9$k$+!"<+J,$G?7$7$$%k!<%k$r@8@.$7$F$/$@$5$$!'(B

        AH $B$OL58z(B
        ESP $B$N40A4@-$O(B MD5
        $B0E9f2=%"%k%4%j%:%`$O(B 3DES

        $B:G=i$N%F%9%H$NL\E*MQ$K!"!V(BSession Key Settings$B!W$OL58z$K$7$^$9!#(B
        $B$=$l$O8e$GJQ99!":GE,2=$G$-$^$9!#(B

* $B%3%s%H%m!<%k!&%Q%M%k$+$i(B Administrative Tools->Services selection $B$H(B
  $B?J$s$G!"(BIPsec $B%]%j%7!<!&%(!<%8%'%s%H$r:F5/F0!#%k!<%k%;%C%H$K$I$s$JJQ(B
  $B99$r2C$($?>l9g$G$b!"$=$N%k!<%k$,E,59E,@Z$K<u$1F~$l$i$l$k$+3N$+$a$k$K(B
  $B$O!"JQ99$NEY$K%(!<%8%'%s%H$r:F5/F0$5$;$kI,MW$,$"$j$^$9!#(B

* $B%&%#%s%I%&$G?7$7$$%]%j%7!<$rA*Br$7!"%a%K%e!<!&%P!<$NCf$N%9%$%C%A!&%"(B
  $B%$%3%s$N%H%0%k$r%/%j%C%/$7!"$=$N%]%j%7!<$rM-8z$K$9$k!#(B

* $B!V(Bipsecmon$B!W%W%m%0%i%`$r5/F0!#$3$N%D!<%k$G!"%^%7%s>e$GM-8z$J%k!<%k$r(B
  $B%b%K%?2DG=$G$9!#(B

* $B%3%^%s%I!&%&%#%s%I%&$r3+$-!"(BBSD $B%^%7%s$K(B ping $B$rBG$C$F$/$@$5$$!#$=$N(B
  ping $B$O!"!V(BNegotiating IP Security$B!W%a%C%;!<%8$,=P$F!V<:GT!W$7$^$9!#(B
  $B0z$-B3$$$F$b$&0lEY(B ping $B$rBG$D$H!":#EY$O$&$^$/$$$/$O$:$G$9!#(Bping $B$rBG(B
  $B$C$F$9$0!"BgNL$N%G%P%C%0!&%a%C%;!<%8$r=P$7$F$$$k(B BSD $B%^%7%s$r3NG'$9$k(B
  $B$3$H$,$G$-$^$9!#(B

$B$3$3$K;j$C$F!"#2%^%7%s4V$NA4$F$N(B IP $B%H%i%U%#%C%/$,J]8n$5$l$k$3$H$K$J$j(B
$B$^$7$?!#(B

Windows $B%^%7%s>e$G$O!"(Bipsecmon $B%D!<%k$G0E9f2=%;%C%7%g%s$r3NG'$G$-$^$9!#(B
BSD $B%^%7%s>e$G$O!"%G%P%C%0!&%a%C%;!<%8$rDI$&$3$H$G!"$9$Y$F$,$&$^$/$$$C(B
$B$F$$$k$N$r3NG'$G$-$^$9!#(B

BSD $B%^%7%s>e$G$O!"2f!9$,K>$`DL$j$K$9$Y$F$,$&$^$/$$$C$F$$$k$+3NG'$9$k$?(B
$B$a$K!"@~>e$N%G!<%?$r%@%s%W$G$-$^$9!#(Bed0 $B$,Ev3:%$%s%?%U%'!<%9$J$i!"0J2<(B
$B$N$h$&$J%3%^%s%I$G!"(B

   tcpdump -i ed0 -x -X -s 14400

$B@~>e$N%Q%1%C%H$rI=<($7$^$9!#(BWindows 2000 $B$H(B racoon $B4V$G$N(B IKE $B808r49$b!"(B
ESP $B%Q%1%C%H$HI=<($5$l$k!"<B:]$N0E9f2=%Q%1%C%H$bN>J}$H$b8+$k$3$H$,$G$-(B
$B$^$9!#(B

$B$b$7(B IPsec $B$NN)$A>e$2$KLdBj$,@8$8$F$$$k$J$i!"Cx<T$KD>@\%3%s%?%/%H$r<h$k(B
$BA0$K!"(Bfreebsd-net@freebsd.org $B$d(B freebsd-questions@freebsd.org $B$H$$$C$?(B
$BE,@Z$J%a!<%j%s%0!&%j%9%H$K$^$:<ALd$rEj$2$F$_$k$3$H$r$*4+$a$7$^$9!#(B

A. $BM-MQ$J%j%s%/(B

Kame documentation:
http://www.kame.net

FreeBSD IPsec documentation:
http://www.freebsd.org/handbook/ipsec.html

Raccoon configuration tips:
http://www.kame.net/newsletter/20001119/

Using certificates instead of pre-shared keys in Racoon:
http://www.kame.net/newsletter/20001119b/

NetBSD IPsec documentation:
http://www.netbsd.org/Documentation/network/ipsec/
$B!JLuCm!'F|K\8lLu(B http://www.jp.netbsd.org/ja/Documentation/network/ipsec/ $B!K(B

Some RFCs:
RFC1825: Security Architecture for the Internet Protocol
RFC1829: The ESP DES-CBC Transform
RFC2709: Security Model with Tunnel-mode IPsec for NAT Domains
RFC2663: IP Network Address Translator (NAT) Terminology and Considerations
RFC2406: ESP
RFC2402: AH
RFC2409: IKE

http://www.rfc.net $B$K!"(BRFC $B$,Jq3gE*$K=8$a$i$l$F$$$k!#(B
$B!JLuCm!'>e5-(B RFC $B$r4^$`%;%-%e%j%F%#4X78$N(B RFC $B$NF|K\8lLu$O!"(B
http://www.ipa.go.jp/security/rfc/RFC.html $B$K=8$a$i$l$F$$$k!K(B

------------
B. $BCx<T$K$D$$$F!J=gITF1!K(B

Boris K$B‹T(Bter $B$H(B Josh Tiefenbach

$BO"Mm@h!'(B

X-ITEC IT-Consulting [ http://www.x-itec.de ]
Boris K$B‹T(Bter (x-itec@freenet.de) MCSE, CNA
Gr$B—O(Be 33 - 57368 Lennestadt - Germany - Tel: (0 27 21) 989 400
Win/Unix$B4D6-$K$*$1$k!"(BPHP4 $B$d(B *BSD C++ $B!J>o$K%W%m%8%'%/%HJg=8Cf!K$G$N(B
$B9b%Q%U%)!<%^%s%9$G%b%8%e!<%k2=$5$l$?%=%U%H%&%'%"3+H/$KFC2=(B

$B$H(B

Josh Tiefenbach (josh@zipperup.org)



C. $B$=$NB>$N9W8%<T!JF|IU=g!K!'(B
09/2001 Brooks Davis $B$O!"(BFreeBSD 4.4 $B$K4X$9$kJQ99$r2f!9$K65$($F$/$l$^$7$?(B
xx/2001 Helge Oldach (IV$B$K4X$9$k5-=R$NDI2C(B)
xx/2001 Tobias Larsson $B$O!"(BHOWTO$B$NCf$N$A$g$C$H$7$?%P%0$rJs9p$7$F$/$l$^$7$?(B

D. $B$=$NB>(B

$B$3$NJ8=q$K4X$9$kDs8@!"=u8@!"Ci9p!"D{@5!"$=$7$F%U%#!<%I%P%C%/$O!"Cx<T$K(B
$BAw$C$F$/$@$5$$!#(B
----------------

E. $B99?7MzNr(B [$BF|(B/$B7n(B/$BG/(B]
2000$BG/(B11$B7n(B $B=i4|%P!<%8%g%s(B
22/09/2001  [bk] Brooks Davis$B!J46<U!*!K$+$i!"(BFreeBSD 4.4 $B$K4X$9$k:G?7>pJs(B
                 $B$rDI2C$7!"=i?4<T$X$N%X%k%W$r$5$i$K=<<B(B
21/08/2001  [bk] $B%7%9%F%`>c32$r5/$3$9D9;~4V$NCY1d$K$D$$$F(B Helge Oldach $B$+$i$N%Q%C%A$rE,MQ(B
xx/06/2001  [bk] $B$$$/$D$+@0M}!"D{@5!#<+J,$N(B CVS $B%5!<%P$KJ8=q$rCV$-$^$7$?(B
21/06/2001  [bk] Tobias Larsson $B$,!"(Bspdadd $B$NItJ,$N%H%s%M%k$K4X$9$k8m$j(B
$B$rJs9p$7$F$/$@$5$C$?$N$G!"=$@5(B


----------------
$BK\J8=q$NF|K\8lLu$O!"(Byomoyomo (ymgrtq at yamdas dot org) $B$,9T$J$C$?!#(B
http://www.yamdas.org/wa/yamdas/column/technique/ipsec-howtoj.txt
$B$K8x3+$5$l$F$^$9!#(B

$BF|K\8lLu(B $B:G=*99?7F|!'(B2001$BG/(B10$B7n(B07$BF|(B