конфиги в студию... ниже приведены конфиги для хоста с внешним ip = x.x.x.x, для y.y.y.y аналогично, заменив адреса.
/etc/ipsec.conf
# setkey(8) SPD entries for the gif0 tunnel between x.x.x.x and y.y.y.y:
# selector = private LAN 192.168.5.0/24 <-> 192.168.7.0/24 with upper-layer protocol
# ipencap (IP-in-IP), policy = require ESP in tunnel mode between the external addresses.
# NOTE(review): gif0 is configured with x.x.x.x / y.y.y.y as its outer endpoints
# (rc.conf: gifconfig_gif0), so the ipencap packets it emits carry x.x.x.x -> y.y.y.y
# as src/dst, not the private /24s; a selector keyed on the private networks together
# with proto ipencap may therefore never match, which would leave the tunnel unencrypted
# or non-functional. Verify with `setkey -DP` and a capture on bge0; if nothing matches,
# key the selector on the external addresses instead — TODO confirm.
# NOTE(review): no `flush;` / `spdflush;` precede these entries in the listing; if the
# file really starts here, stale policies survive a reload.
spdadd 192.168.5.0/24 192.168.7.0/24 ipencap -P out ipsec esp/tunnel/x.x.x.x-y.y.y.y/require;
spdadd 192.168.7.0/24 192.168.5.0/24 ipencap -P in ipsec esp/tunnel/y.y.y.y-x.x.x.x/require;
/racoon.conf
# racoon(8) global settings: search paths for includes, pre-shared keys and certificates,
# then the log level.
path include "/usr/local/etc/racoon";
# Optional per-peer split of the config; left disabled on this page.
#include "remote.conf";
# The remote block below authenticates with rsasig, so psk.txt appears unused here;
# if it exists anyway keep it root-only (mode 0600).
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# Directory holding vpn2.public / vpn2.private / vpn1.public referenced in the remote block.
path certificate "/usr/local/etc/racoon/cert";
# Most verbose level — useful while troubleshooting, but it writes negotiation detail to
# the log file (rc.conf: racoon_flags -l /home/racoon.log); drop to "notify" once the
# tunnel is up.
log debug2;
# Padding handling for ISAKMP payloads; the inline comments describe each knob.
# NOTE(review): these look like the stock sample values — confirm against racoon.conf(5)
# before tightening strict_check.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# Bind the IKE listener only on the external address, UDP 500. No NAT-T listener is
# configured, so the peer y.y.y.y must be reachable without NAT in between — consistent
# with the direct x.x.x.x <-> y.y.y.y gif tunnel in rc.conf.
listen
{
#isakmp ::1 [7000];
isakmp x.x.x.x [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}
# Retransmission and phase timeouts (global; can be overridden per remote).
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
# Phase 1 (IKE) settings for the peer y.y.y.y.
remote y.y.y.y
{
# Aggressive mode is offered first; it sends the identities before encryption is
# established. With certificate auth this mainly leaks the DN — prefer "main" alone
# if the peer accepts it.
exchange_mode aggressive, main;
doi ipsec_doi;
situation identity_only;
my_identifier asn1dn; # identify by the subject DN of the local certificate
# Local certificate and private key, relative to "path certificate"; the private key
# must stay readable by root only.
certificate_type x509 "vpn2.public" "vpn2.private";
# The peer's certificate is pinned from a local file rather than taken from the exchange.
peers_certfile x509 "vpn1.public";
nonce_size 16;
initial_contact on;
# strict: roughly, a peer proposal whose lifetime/key length exceeds ours is rejected —
# TODO confirm exact semantics in racoon.conf(5).
proposal_check strict; # obey, strict, or claim
proposal {
# Legacy suite: 3DES / SHA-1 / DH group 2 (1024-bit MODP) are below current
# recommendations; both peers have to change together (y.y.y.y is configured
# "analogously" per the page).
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig; # certificate based; psk.txt is not used by this proposal
dh_group 2;
}
}
# Phase 2 (IPsec SA) parameters. "anonymous" applies to any peer and selector — acceptable
# for a single point-to-point peer, but no selector restriction is enforced here.
sainfo anonymous
{
pfs_group 5; # PFS with DH group 5 (1536-bit MODP); phase 1 above uses group 2
lifetime time 60 min;
encryption_algorithm 3des; # legacy, see the remote block
authentication_algorithm hmac_sha1;
# IPComp; with proposal_check strict the peer must offer matching compression or
# phase 2 may fail — TODO confirm, and drop it if not needed.
compression_algorithm deflate;
}
/etc/rc.conf
# /etc/rc.conf for the x.x.x.x gateway: IP forwarding, ipfw + natd on bge0, racoon, and the
# gif0 tunnel that the policy in /etc/ipsec.conf is meant to protect.
gateway_enable="YES"   # forward between em0 (LAN) and the tunnel
hostname="gate"
ifconfig_em0="inet 192.168.5.1 netmask 255.255.255.0"   # LAN side
ifconfig_bge0="inet x.x.x.x netmask 255.255.255.252"   # external /30
firewall_enable="YES"
# Script not shown on the page. It must pass ESP (IP proto 50) and UDP 500 to/from
# y.y.y.y, and any divert-to-natd rule should not catch the ipencap/ESP traffic between
# the two external addresses — verify with `ipfw show` while the tunnel negotiates.
firewall_script="/usr/local/etc/rc.d/firewall"
natd_enable="YES"
natd_interface="bge0"
natd_flags="-f /etc/natd.conf"   # natd.conf not shown
racoon_enable="YES"
# With "log debug2" in racoon.conf this file grows quickly and records negotiation
# detail; keep it root-only and lower the level once debugging is done.
racoon_flags="-l /home/racoon.log"
cloned_interfaces="gif0"
gif_interfaces="gif0"   # older spelling of cloned_interfaces; both are present here
gifconfig_gif0="x.x.x.x y.y.y.y"   # outer endpoints — the addresses the ipencap packets carry
# Inner addresses: local reuses the em0 address, remote is 192.168.7.100 (must match the
# peer's inner address).
ifconfig_gif0="inet 192.168.5.1 192.168.7.100 netmask 255.255.255.0"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
static_routes="vpn"
route_vpn="192.168.7.0/24 192.168.7.100"   # remote LAN via the tunnel's far inner address
# rc.conf is sourced by the rc scripts, which read route_vpn in the same shell, so the
# export looks unnecessary — harmless, but TODO confirm nothing else relies on it.
export route_vpn