To facilitate the negotiation of IPsec keys on the FreeBSD GW, the security/racoon port must be installed and configured.
The following is a racoon configuration file suitable for use with the examples outlined in this document. Please make sure you fully understand this file before using it in a production environment.
# racoon.conf for use with Check Point VPN-1/Firewall-1
#
# search this file for pre_shared_key with various ID key.
#
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
#
# "padding" defines some parameter of padding. You should not touch these.
#
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
#isakmp ::1 [7000];
#isakmp 0.0.0.0 [500];
#admin [7002]; # administrative port by kmpstat.
#strict_address; # required all addresses must be bound.
}
#
# Specification of default various timers.
#
timer
{
#
# These values can be changed per remote node.
#
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
#
# timer for waiting to complete each phase.
#
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode aggressive,main; # For Firewall-1 Aggressive mode
#my_identifier address;
#my_identifier user_fqdn "";
#my_identifier address "";
#peers_identifier address "";
#certificate_type x509 "" "";
nonce_size 16;
lifetime time 10 min; # sec,min,hour
lifetime byte 5 MB; # B,KB,GB
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 10 min;
lifetime byte 50000 KB;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
Ensure that the /usr/local/etc/racoon/psk.txt file contains the pre-shared secret configured in the “Firewall-1 Network Object Configuration” section of this document and has mode 600 permissions.
# chmod 600 /usr/local/etc/racoon/psk.txt