IPSec woes coming from OpenBSD to Free

xenophon+freebsd xenophon+freebsd at irtnog.org
Fri Jul 6 22:12:26 UTC 2012


Chris Benesch writes:

> Looking at the manual, it says to create a gif interface with the
> other end.

Are you referring to chapter 15.9 in the FreeBSD Handbook?  I don't
know why it starts with tunneling over a GIF (IP-in-IP) interface.
Why don't you try a pure IPsec tunnel, instead?  I assume you already
have security/ipsec-tools installed.

Let's say you have two endpoints and two networks:

    Left router -   1.1.1.1
    Left network -  10.10.10.0/24

    Right router -  2.2.2.2
    Right network - 20.20.20.0/24

You can start with the security policy, because it's easy.  Here's the
policy for the left side:

    # Left to Right
    spdadd 10.10.10.0/24 20.20.20.0/24 any -P out ipsec
      esp/tunnel/1.1.1.1-2.2.2.2/require;

    # Right to Left
    spdadd 20.20.20.0/24 10.10.10.0/24 any -P in ipsec
      esp/tunnel/2.2.2.2-1.1.1.1/require;

The policy for the right side is the same, with the directions
swapped:

    # Right to Left
    spdadd 20.20.20.0/24 10.10.10.0/24 any -P out ipsec
      esp/tunnel/2.2.2.2-1.1.1.1/require;

    # Left to Right
    spdadd 10.10.10.0/24 20.20.20.0/24 any -P in ipsec
      esp/tunnel/1.1.1.1-2.2.2.2/require;

(On FreeBSD, save these to /etc/ipsec.conf, not setkey.conf.)

The next part is setting up IKE.  I use AES-SHA1 with DH group 2 for
the IKE SAs, and I use AES128-HMAC-SHA1 with PFS enabled (also DH
group 2) for the IPsec SAs.  Here's the left side:

    # Phase 1 (IKE SA) settings for the peer.  pre_shared_key also needs a
    # matching "path pre_shared_key" directive and a psk.txt entry for
    # 2.2.2.2, which are not shown here.
    remote 2.2.2.2
    {
      exchange_mode main, aggressive, base;
      ike_frag on;
      dpd_delay 20;
      proposal
      {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 seconds;
      }
    }

    # Phase 2 (IPsec SA) settings, with PFS (DH group 2)
    sainfo address 1.1.1.1 any address 2.2.2.2 any
    {
      pfs_group 2;
      lifetime time 3600 seconds;
      encryption_algorithm aes 128;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
    }

The right side is the same, just with the addresses reversed:

    # Phase 1 (IKE SA) settings for the peer.  pre_shared_key also needs a
    # matching "path pre_shared_key" directive and a psk.txt entry for
    # 1.1.1.1, which are not shown here.
    remote 1.1.1.1
    {
      exchange_mode main, aggressive, base;
      ike_frag on;
      dpd_delay 20;
      proposal
      {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 seconds;
      }
    }

    # Phase 2 (IPsec SA) settings, with PFS (DH group 2)
    sainfo address 2.2.2.2 any address 1.1.1.1 any
    {
      pfs_group 2;
      lifetime time 3600 seconds;
      encryption_algorithm aes 128;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
    }

Lastly, make sure that your firewall software is configured properly.
You can cheat and disable filtering on the tunnel entirely by setting
the following sysctl variables (see also enc(4) and ipsec(4)):

    net.inet.ipsec.filtertunnel=0
    net.inet6.ipsec6.filtertunnel=0

(I'm assuming that you already have UDP port 500 and IP protocol 50
allowed through the left and right routers' public interfaces.)

Make sure the IPsec SPD gets loaded properly:

    service ipsec onestop
    service ipsec onestart
    setkey -P -D

The last command should show something like the following on the left
router:

    20.20.20.0/24[any] 10.10.10.0/24[any] any
            in ipsec
            esp/tunnel/2.2.2.2-1.1.1.1/require
            spid=4 seq=2 pid=79044
            refcnt=1
    10.10.10.0/24[any] 20.20.20.0/24[any] any
            out ipsec
            esp/tunnel/1.1.1.1-2.2.2.2/require
            spid=3 seq=0 pid=79044
            refcnt=1

The right router will be similar:

    10.10.10.0/24[any] 20.20.20.0/24[any] any
            in ipsec
            esp/tunnel/1.1.1.1-2.2.2.2/require
            spid=8 seq=2 pid=79068
            refcnt=1
    20.20.20.0/24[any] 10.10.10.0/24[any] any
            out ipsec
            esp/tunnel/2.2.2.2-1.1.1.1/require
            spid=7 seq=0 pid=79068
            refcnt=1

When you start racoon, it should automatically turn up the tunnel.
You can test it by pinging through the tunnel.  You'll have to
override ping's default source address to get it to work.  On the
router on the left:

    ping -S 10.10.10.1 20.20.20.1

And on the router on the right:

    ping -S 20.20.20.1 10.10.10.1

This is my configuration nearly verbatim, only in my case the right
side is a Cisco router.  Let me know if you can't get it working.

Best wishes,
Matthew
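As an added check that is not part of Matthew's post: a small Python script that parses the `setkey -P -D` output shown above and reports which of the two SPD entries a site-to-site tunnel needs are missing, or loaded with a level other than `require`. The networks and gateway addresses are the post's example values; the embedded sample output is a constructed copy of the left router's listing.

```python
import re

# Constructed copy of the `setkey -P -D` output the post shows for the left router.
LEFT_SPD = """\
20.20.20.0/24[any] 10.10.10.0/24[any] any
        in ipsec
        esp/tunnel/2.2.2.2-1.1.1.1/require
        spid=4 seq=2 pid=79044
        refcnt=1
10.10.10.0/24[any] 20.20.20.0/24[any] any
        out ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        spid=3 seq=0 pid=79044
        refcnt=1
"""

# Entry header "<src>[any] <dst>[any] <proto>" sits at column 0; details are indented.
HEADER = re.compile(r"^(\S+)\[any\] (\S+)\[any\] (\S+)$")
TUNNEL = re.compile(r"^esp/tunnel/([^-]+)-([^/]+)/([^/]+)$")

def parse_spd(text):
    """Turn setkey -P -D output into one dict per SPD entry."""
    entries, cur = [], None
    for line in text.splitlines():
        hdr, detail = HEADER.match(line), line.strip()
        if hdr:
            cur = {"src": hdr.group(1), "dst": hdr.group(2)}
            entries.append(cur)
        elif cur is not None and detail.endswith(" ipsec"):   # "in ipsec" / "out ipsec"
            cur["dir"] = detail.split()[0]
        elif cur is not None and (tun := TUNNEL.match(detail)):
            cur["tun_src"], cur["tun_dst"], cur["level"] = tun.groups()
    return entries

def expected_policies(local_net, remote_net, local_gw, remote_gw):
    """The two SPD entries a site-to-site tunnel needs on the router at local_gw."""
    return [
        {"src": local_net, "dst": remote_net, "dir": "out",
         "tun_src": local_gw, "tun_dst": remote_gw, "level": "require"},
        {"src": remote_net, "dst": local_net, "dir": "in",
         "tun_src": remote_gw, "tun_dst": local_gw, "level": "require"},
    ]

def missing_policies(spd_text, local_net, remote_net, local_gw, remote_gw):
    """Expected entries that are absent, or loaded with a level other than require."""
    loaded = parse_spd(spd_text)
    return [p for p in expected_policies(local_net, remote_net, local_gw, remote_gw)
            if p not in loaded]
```

Feed it the real listing (for example `subprocess.run(["setkey", "-P", "-D"], capture_output=True, text=True).stdout`) with the local/remote values for the router being checked; an empty list means both policies are in place.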

