Securing Wireless Communications with IPSec


This article explains how to configure racoon and ipsec-tools so that all traffic between a wireless client and its gateway is carried inside an IPsec ESP tunnel, protecting the wireless hop independently of whatever link-layer encryption the access point itself provides.

The example does not cover configuring the gateway as an access point; it assumes an already configured access point is plugged into one of the gateway's NICs. It also assumes that both the client and the gateway run NetBSD, although the procedure is nearly identical on FreeBSD and Mac OS X.

For our example, assume the gateway is 10.0.0.1 and the wireless client is 10.0.0.50.

Make sure IPsec is enabled in your kernel. If it is not, add or uncomment the following lines in your kernel configuration and rebuild the kernel; rebuilding the kernel is outside the scope of this document.

Note: IPSEC_DEBUG is not required, but it is very useful should you need to troubleshoot failures.

  [...]
  options IPSEC
  options IPSEC_ESP
  options IPSEC_DEBUG
  [...]

 
Next, configure the security policies that tell the kernel which traffic must be protected. On NetBSD these live in /etc/ipsec.conf, which the ipsec rc script loads with setkey(8). Each spdadd line below selects traffic by source, destination and protocol (any), names the direction, and requires it to be carried in an ESP tunnel between the two endpoint addresses. Because the level is require rather than use, matching packets that arrive in cleartext, or that would leave in cleartext, are dropped instead of passed.

On your gateway you should add

  spdadd 0.0.0.0/0 10.0.0.50/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.50/require;
  spdadd 10.0.0.50/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.50-10.0.0.1/require;

 
Similarly, on the client you should add:

  spdadd 10.0.0.50/32 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.50-10.0.0.1/require;
  spdadd 0.0.0.0/0 10.0.0.50/32 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.50/require;

 
This example authenticates with a pre-shared key, which is not ideal but keeps the example short; IPsec authentication using X.509 certificates is covered elsewhere. Choose the key with care: the client initiates IKE to the gateway's address, and a rogue station impersonating that address on the wireless side can complete enough of the main-mode exchange to run an offline dictionary attack against the key. Use a long random string (for example 32 bytes from /dev/random, hex encoded) rather than a word.

On the gateway, add the following to /etc/racoon/psk.txt. The first field is the peer's identity, which in main mode is its IP address; the remainder of the line is the key. The file must be readable by root only (mode 0600), otherwise racoon rejects it for having weak permissions.

  10.0.0.50     mypresharedkey

 
On the client machine you need to add an entry for the gateway using the same key.

  10.0.0.1      mypresharedkey

 
On both the gateway and client you will have to add the following to /etc/rc.conf:

  ipsec=YES
  racoon=YES

 
Now reboot, or run the following on both the gateway and the client, and you should be in business. Confirm that the policies are installed with setkey -DP; after the client sends its first packet to the gateway, setkey -D should list a pair of ESP security associations in state mature, and a tcpdump on the access-point interface should show only ESP and UDP port 500 between the two addresses. If nothing appears, run racoon in the foreground with racoon -F -d to see the negotiation.

  # /etc/rc.d/ipsec start
  # /etc/rc.d/racoon start
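The whole procedure above, as one script. This is an added example, not part of the original article or of the ipsec-tools project: it writes the SPD entries for the chosen role, a racoon.conf that the article leaves out (main mode, pre-shared key, AES with HMAC-SHA1 and the 2048-bit MODP group are choices made here, not the article's), and a psk.txt holding a random 32-byte key with the 0600 mode racoon insists on. The addresses are the article's; the output-directory argument (default /etc) and the option of reusing an existing key are additions so the result can be inspected first and the gateway's key copied to the client.

```shell
#!/bin/sh
# Added example, not from the original article: generate the ipsec-tools
# configuration for one host of the tunnel described above.
#   usage: sh ipsec-wifi.sh gateway|client [outdir] [psk]
# Addresses are the article's; "outdir" (default /etc) and the optional
# reuse of an existing key are additions for testing and for carrying the
# gateway's key to the client.
set -eu

GW=10.0.0.1        # wireless gateway (article)
CLIENT=10.0.0.50   # wireless client (article)

# 32 random bytes as 64 hex characters; od and tr exist on NetBSD and Linux.
gen_psk() {
	od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# SPD entries exactly as in the article, selected by role.  Both directions
# use level "require", so cleartext to or from the peer is dropped.
spd_rules() {  # $1 = gateway|client
	case $1 in
	gateway)
		printf 'spdadd 0.0.0.0/0 %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' "$CLIENT" "$GW" "$CLIENT"
		printf 'spdadd %s/32 0.0.0.0/0 any -P in ipsec esp/tunnel/%s-%s/require;\n' "$CLIENT" "$CLIENT" "$GW"
		;;
	client)
		printf 'spdadd %s/32 0.0.0.0/0 any -P out ipsec esp/tunnel/%s-%s/require;\n' "$CLIENT" "$CLIENT" "$GW"
		printf 'spdadd 0.0.0.0/0 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' "$CLIENT" "$GW" "$CLIENT"
		;;
	*)
		echo "role must be gateway or client" >&2
		return 1
		;;
	esac
}

# racoon.conf the article does not show.  Main mode identifies peers by IP
# address, which is what psk.txt is keyed on.  Algorithm choices are this
# example's: AES, HMAC-SHA1, 2048-bit MODP group (14) for phase 1 and PFS.
racoon_conf() {  # $1 = directory holding psk.txt
	cat <<EOF
path pre_shared_key "$1/psk.txt";

remote anonymous {
	exchange_mode main;
	lifetime time 8 hour;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 14;
	}
}

sainfo anonymous {
	pfs_group 14;
	lifetime time 1 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
EOF
}

# psk.txt: "<peer address> <key>".  racoon refuses a key file that others can
# read, so it is created under umask 077 and then forced to 0600.
write_psk() {  # $1 = dir, $2 = peer address, $3 = key
	( umask 077; printf '%s\t%s\n' "$2" "$3" > "$1/psk.txt" )
	chmod 0600 "$1/psk.txt"
}

# Write ipsec.conf, racoon/racoon.conf and racoon/psk.txt under $2 for role
# $1, using key $3 or a fresh one.  Prints the key so it can be carried to
# the other host.
write_config() {  # $1 = role, $2 = outdir (default /etc), $3 = key (optional)
	role=$1
	dir=${2:-/etc}
	psk=${3:-$(gen_psk)}
	case $role in
	gateway) peer=$CLIENT ;;
	client)  peer=$GW ;;
	*) echo "role must be gateway or client" >&2; return 1 ;;
	esac
	mkdir -p "$dir/racoon"
	spd_rules "$role" > "$dir/ipsec.conf"
	racoon_conf "$dir/racoon" > "$dir/racoon/racoon.conf"
	write_psk "$dir/racoon" "$peer" "$psk"
	printf '%s\n' "$psk"
}

# Runs only when invoked with arguments, e.g.
#   on the gateway:  key=$(sh ipsec-wifi.sh gateway /tmp/gw)
#   on the client:   sh ipsec-wifi.sh client /tmp/client "$key"
if [ $# -ge 1 ]; then
	write_config "$@"
fi
```

Generate into a scratch directory first, review the three files, then copy them to /etc on each host and start ipsec and racoon as described above. Using the same printed key on both sides is what makes the two psk.txt entries match.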

 
To further secure the gateway, block everything arriving on the access-point interface that is not IPsec related or does not come from your wireless client(s): only IKE (UDP port 500) and ESP from the known client addresses are admitted, so a station that has not authenticated to racoon can speak to nothing else on the gateway. This example uses pf; the same concept applies to ipf, ipfw and others.

Note: Only the rules relevant to IPsec are shown; the rest of the ruleset, including whatever you allow for the decrypted traffic from those clients and for the gateway's other interfaces, is omitted.

  # /etc/pf.conf
  #
  # access point interface
  ap_int="fxp0"
  # wireless clients that use ipsec
  ipsec_hosts="{10.0.0.50 10.0.0.51}"

  block in log
  pass in on $ap_int proto udp from $ipsec_hosts to ($ap_int) port 500
  pass in on $ap_int proto esp from $ipsec_hosts to ($ap_int)

 
