#man ipsec
Additional Variables
A number of sysctl(8) variables are relevant to ipsec. These are
generally net.inet.ah.*, net.inet.esp.*, net.inet.ip.forwarding,
net.inet6.ip6.forwarding, and net.inet.ip.ipsec-*. Full explanations can
be found in sysctl(2), and variables can be set using sysctl(8).
#man npppd
Normally npppd works with pipex(4) to accelerate IP packet forwarding,
but pipex(4) is disabled by default. To enable it, set net.pipex.enable
to `1' using sysctl(8).
When npppd uses PPTP, the host system should allow GRE packets, but they
are disabled by default. To enable GRE, set net.inet.gre.allow to `1'
using sysctl(8).
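# Kernel knobs from the ipsec(4) and npppd(8) excerpts above: route between
# interfaces, enable ESP processing, and let npppd offload forwarding to pipex(4).
# Run as root. These settings are lost at reboot; persist them in sysctl.conf(5).
# net.inet.ip.forwarding turns the host into a router, so load the default-deny
# pf ruleset first (the "block in log all" rule) rather than after.
sysctl net.inet.ip.forwarding=1
sysctl net.inet.esp.enable=1
sysctl net.pipex.enable=1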
/etc/pf.conf
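# Host firewall for the L2TP/IPsec gateway: default-deny inbound with logging,
# everything outbound allowed, explicit holes for ICMP, SSH, IKE and ESP/AH.
set skip on lo
block in log all
pass out all
pass in on egress proto icmp all
# Management SSH on a non-default port; sshd must be listening on 65022.
# SSH is TCP-only, so "udp" here opens a port nothing listens on — tcp alone suffices.
pass in on egress proto { tcp, udp } from any to egress port 65022 #ssh
# IKE (isakmp, udp/500), NAT-T (ipsec-nat-t, udp/4500) and the ESP/AH payloads.
pass in on egress proto { esp, ah } from any to egress # IPSec in
pass in on egress proto udp from any to egress port { isakmp, ipsec-nat-t }
#enc
# L2TP (udp/1701) is accepted only on enc0, i.e. after IPsec decapsulation;
# cleartext L2TP arriving on egress is caught by the default deny above.
pass in on enc0 proto udp from any to egress port l2tp
#allow in from tun0
# NOTE(review): this admits any traffic from authenticated VPN clients, both to
# services on this host and for forwarding anywhere. If clients only need
# internet access, restrict the source to the 10.0.0.0/24 pool and the
# destination to what they actually need.
pass in on tun0 from any to any
# Masquerade the client pool behind the primary address of the egress interface.
match out log on egress from 10.0.0.0/24 to any nat-to egress:0 #nat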
ipsec.conf
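###############
# L2TP config
# Responder-only ("passive") IKE transport-mode SAs protecting L2TP (udp/1701),
# handled by isakmpd and authenticated with a pre-shared key. The PSK sits in
# this file in cleartext: keep the file root-only readable and replace the
# placeholder value before use.
host=146.185.144.249
psk_l2tp=notmypass
ike passive esp transport \
proto udp from $host to any port 1701 \
main auth hmac-sha1 enc aes group modp2048 \
quick auth hmac-sha1 enc aes-128 \
psk $psk_l2tp tag ipsec_l2tp
# L2TP downgraded for Android-support
# NOTE(review): 3DES and modp1024 are legacy-strength choices kept only for
# peers that cannot negotiate the stanza above. Both stanzas share the same
# flow selector (from $host to any port 1701), so confirm which proposal
# isakmpd actually offers and accepts, and drop this stanza once no such
# clients remain.
ike passive esp transport \
proto udp from $host to any port 1701 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
psk $psk_l2tp tag ipsec_l2tp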
/etc/npppd/npppd-users
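# One PPP account per termcap-style entry. The password is stored in
# cleartext, so keep this file root-only readable and use a real secret.
epidemic:\
:password=alsonotmypass: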
/etc/npppd/npppd.conf
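# Local account database; entries come from the npppd-users file above.
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
# Listens for L2TP on every address. Provided the pf ruleset above is loaded,
# udp/1701 is only passed on enc0, so only IPsec-protected L2TP reaches npppd.
tunnel L2TP protocol l2tp {
listen on 0.0.0.0
}
# Address pool handed to clients and the resolver pushed to them
# (a third-party resolver: client DNS queries leave via it).
ipcp IPCP {
pool-address 10.0.0.2-10.0.0.254
dns-servers 8.8.8.8
}
# use tun(4) interface. multiple ppp sessions concentrate one interface.
interface tun0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0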
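#enable services
# "ipsec" is the rc variable that loads /etc/ipsec.conf with ipsecctl(8) at boot.
# isakmpd -K disables KeyNote policy checking, so peer authorization rests
# entirely on the PSK in ipsec.conf.
rcctl enable npppd
rcctl enable isakmpd
rcctl set isakmpd flags "-K"
rcctl enable ipsec
#and start them when needed.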