Setting up pipsecd on FreeBSD


Running IPSec on individual servers in a network is becoming ever more popular, mainly because of the security it can provide in distributed networks, i.e. when hosting servers in different geographical locations.


IPSec is like interfacing 2 servers by connecting them with a crossed cable: the same level of security is achieved. This can provide, for instance, secure NFS, database transactions, backups and so on.


Fortunately setting up IPSec in FreeBSD is easy.


Pipsecd in the ports collection provides all the necessary functionality. In the following example an IPSec ESP tunnel between 2 hosts will be set up:


Our layout:


+--------+   IPSec    +--------+
| Host A |------------| Host B |
+--------+ ESP Tunnel +--------+

             Real IP      Tunnel IP



You need to connect 2 hosts with an IPSec tunnel. Start out by installing pipsecd on both hosts from the ports collection. Go to /usr/ports/net/pipsecd


root@freebsdcluster /# cd /usr/ports/net/pipsecd


Now make and install the port:


root@freebsdcluster net/pipsecd# make install


The different files are now installed. The prefix is /usr/local.

To make the tunnel behave to your liking, you need to edit the config files. The config files are located in /usr/local/etc/ipsec


root@freebsdcluster net/pipsecd# cd /usr/local/etc/ipsec


A sample config file has been installed in this directory. Use the sample file as a template for your config file:


root@freebsdcluster etc/ipsec# cp pipsecd.conf.sample pipsecd.conf


Edit the config file.


root@freebsdcluster etc/ipsec# vi pipsecd.conf


The files on both hosts should look as shown below:


Host A:

sa ipesp spi=1001 enc=blowfish_cbc ekey=f1f2f3f4f5f6f7f8f9fafbfcfdfeff dest=
sa ipesp spi=1001 enc=blowfish_cbc ekey=deadb00fd00d00d00db00fd00dc00e
if /dev/tun1 local_spi=1001 remote_spi=1001

Host B:

sa ipesp spi=1001 enc=blowfish_cbc ekey=f1f2f3f4f5f6f7f8f9fafbfcfdfeff
sa ipesp spi=1001 enc=blowfish_cbc ekey=deadb00fd00d00d00db00fd00dc00e dest=
if /dev/tun1 local_spi=1001 remote_spi=1001


This is a simple example, but you can do much more with pipsecd: Authentication Header, different encryption algorithms, etc. Have a look at the README file for more information. (/usr/ports/net/pipsecd/work/pipsec-19991014/README)
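Because the two config files have to mirror each other exactly (the key of the outbound SA on one host must be the key of the inbound SA on the other), it is easy to end up with a tunnel that silently drops everything after a typo. The following checker is an added example, not part of the tutorial or of pipsecd itself. It parses the two directive kinds shown above and assumes, based on the layout of the tutorial, that the "sa" line carrying "dest=" is the outbound SA and the one without it the inbound SA; the sample configs and their 192.0.2.x / 198.51.100.x addresses are constructed, the Blowfish key range is a property of the cipher, and the 16-byte threshold is this example's own policy, not a pipsecd rule.

```python
"""Consistency checker for a pair of pipsecd.conf files (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Blowfish accepts keys of 32..448 bits (4..56 bytes): a cipher property, not a pipsecd rule.
BLOWFISH_KEY_BYTES = (4, 56)
RECOMMENDED_MIN_KEY_BYTES = 16  # assumption: this example's own policy threshold


@dataclass
class SA:
    spi: int
    enc: str
    ekey: str            # hex string exactly as written in the config
    dest: Optional[str]  # assumption: set on the outbound SA, absent on the inbound SA


@dataclass
class Config:
    sas: list = field(default_factory=list)
    ifaces: list = field(default_factory=list)  # (device, local_spi, remote_spi)


def parse_pipsecd_conf(text: str) -> Config:
    """Parse the 'sa ipesp ...' and 'if ...' directives used in the tutorial."""
    cfg = Config()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, *rest = line.split()
        kv = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        if kind == "sa":
            if not rest or rest[0] != "ipesp":
                raise ValueError(f"line {lineno}: only 'sa ipesp' entries are handled here")
            dest = kv.get("dest")
            if dest == "":
                raise ValueError(f"line {lineno}: dest= carries no address")
            cfg.sas.append(SA(int(kv["spi"]), kv["enc"], kv["ekey"], dest))
        elif kind == "if":
            cfg.ifaces.append((rest[0], int(kv["local_spi"]), int(kv["remote_spi"])))
        else:
            raise ValueError(f"line {lineno}: unknown directive {kind!r}")
    return cfg


def check_host(name: str, cfg: Config):
    """Per-host checks: key format and length, one SA per direction, SPIs the 'if' line can resolve."""
    errors, warnings = [], []
    lo, hi = BLOWFISH_KEY_BYTES
    for sa in cfg.sas:
        if not re.fullmatch(r"[0-9a-fA-F]+", sa.ekey) or len(sa.ekey) % 2:
            errors.append(f"{name}: spi {sa.spi}: ekey is not an even-length hex string")
            continue
        nbytes = len(sa.ekey) // 2
        if sa.enc == "blowfish_cbc" and not (lo <= nbytes <= hi):
            errors.append(f"{name}: spi {sa.spi}: {nbytes}-byte key is outside Blowfish's {lo}..{hi} byte range")
        elif nbytes < RECOMMENDED_MIN_KEY_BYTES:
            warnings.append(f"{name}: spi {sa.spi}: {nbytes}-byte key is shorter than {RECOMMENDED_MIN_KEY_BYTES} bytes")
    outbound = [sa for sa in cfg.sas if sa.dest]
    inbound = [sa for sa in cfg.sas if not sa.dest]
    if len(outbound) != 1 or len(inbound) != 1:
        errors.append(f"{name}: expected exactly one SA with dest= (outbound) and one without (inbound)")
    known = {sa.spi for sa in cfg.sas}
    for dev, lspi, rspi in cfg.ifaces:
        for label, spi in (("local_spi", lspi), ("remote_spi", rspi)):
            if spi not in known:
                errors.append(f"{name}: {dev}: {label}={spi} matches no sa entry")
    return errors, warnings


def check_pair(conf_a: str, conf_b: str):
    """Cross-check: A's outbound SA must be B's inbound SA (same SPI, cipher and key) and vice versa."""
    a, b = parse_pipsecd_conf(conf_a), parse_pipsecd_conf(conf_b)
    errors, warnings = [], []
    for name, cfg in (("A", a), ("B", b)):
        e, w = check_host(name, cfg)
        errors += e
        warnings += w
    if errors:  # per-host problems make the cross-check meaningless
        return errors, warnings
    for sender, s_cfg, receiver, r_cfg in (("A", a, "B", b), ("B", b, "A", a)):
        out = next(sa for sa in s_cfg.sas if sa.dest)
        inn = next(sa for sa in r_cfg.sas if not sa.dest)
        if out.spi != inn.spi:
            errors.append(f"{sender}->{receiver}: outbound spi {out.spi} != inbound spi {inn.spi}")
        if out.enc != inn.enc or out.ekey.lower() != inn.ekey.lower():
            errors.append(f"{sender}->{receiver}: outbound cipher/key on {sender} does not match inbound on {receiver}")
    return errors, warnings


# Constructed sample pair mirroring the tutorial; addresses are from the RFC 5737 documentation ranges.
HOST_A = """\
sa ipesp spi=1001 enc=blowfish_cbc ekey=f1f2f3f4f5f6f7f8f9fafbfcfdfeff dest=198.51.100.2
sa ipesp spi=1001 enc=blowfish_cbc ekey=deadb00fd00d00d00db00fd00dc00e
if /dev/tun1 local_spi=1001 remote_spi=1001
"""
HOST_B = """\
sa ipesp spi=1001 enc=blowfish_cbc ekey=f1f2f3f4f5f6f7f8f9fafbfcfdfeff
sa ipesp spi=1001 enc=blowfish_cbc ekey=deadb00fd00d00d00db00fd00dc00e dest=192.0.2.1
if /dev/tun1 local_spi=1001 remote_spi=1001
"""

if __name__ == "__main__":
    errs, warns = check_pair(HOST_A, HOST_B)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    print("tunnel config consistent" if not errs else "tunnel config broken")
```

Run against the sample pair it reports no errors but warns that each 15-byte key is below the 16-byte threshold; change a single hex digit in one host's key and the B->A (or A->B) mismatch is reported. Note that the SAs in the tutorial carry no authentication option, so the checker only validates the confidentiality settings that are actually present.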


You are now ready to connect the IPSec tunnel. This is achieved by executing the pipsecd start script, which is located in /usr/local/etc/rc.d/. Start pipsecd on both hosts.


root@freebsdcluster etc/ipsec# /usr/local/etc/rc.d/


You should now be able to confirm that the tun1 interface is up.


root@freebsdcluster etc/ipsec# ifconfig tun1


tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::260:8ff:fe68:4efc%tun1 --> :: prefixlen 64 scopeid 0xb
        Opened by PID 249


Great. Finally, you must assign IP addresses to the tunnel. Execute the following commands on host A and host B respectively.


Host A:

ifconfig tun1 add netmask


Host B:

ifconfig tun1 add netmask


Use ping on either host to confirm that the tunnel is operational:


Host A:

root@freebsdcluster htdocs/members# ping -c 5
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=255 time=30.554 ms
64 bytes from icmp_seq=1 ttl=255 time=36.136 ms
64 bytes from icmp_seq=2 ttl=255 time=31.709 ms
64 bytes from icmp_seq=3 ttl=255 time=36.569 ms
64 bytes from icmp_seq=4 ttl=255 time=27.056 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/stddev = 27.056/33.551/37.665/3.381 ms



(The servers used in this example are in different countries, hence the relatively high latency.)


You can now perform various transactions between the 2 hosts using the private addresses. Your traffic will travel encrypted across the public internet without the possibility of being compromised.


Happy Hacking



/Lasse L. Johnsen