From: "David DeSimone"
To: "rascal"
Cc: freebsd-net@freebsd.org
Date: Tue, 14 Jul 2009 19:15:14 -0500
Subject: Re: question regarding IPSEC Setup
Message-ID: <20090715001514.GU6896@verio.net>
In-Reply-To: <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

rascal wrote:
>
> Thanks for the input on this everyone!  Eugene, I'll take you up on
> your offer of examples!  I have a good idea of how to do this, I
> just want to make sure I get it right and if I have some examples to
> compare to that would be great!  Thanks much!

Here is an example IPSEC config that we use, that interoperates with
Cisco, Checkpoint, and probably other standard IPSEC implementations.
We're using PF for firewalling.

Example config:

Here:   11.22.33.44 (FreeBSD machine)
  Networks behind:
    10.10.30.40/24
    10.10.30.50/24

There:  55.66.77.88 (Some other IPSEC)
  Networks behind:
    10.20.50.60/24
    10.20.50.70/24

Parameters:
  IKE:
    Phase 1:
      Pre-shared Secret
      AES + SHA1
      DH Group 2
      Lifetime 24 hours
    Phase 2:
      One SPI per subnet pair
      No PFS
      Lifetime 1 hour
  ESP:
    AES + SHA1

Kernel build options:

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

/etc/rc.conf:

gateway_enable="YES"
pf_enable="YES"
pf_rules="/usr/local/etc/pf.conf"
racoon_enable="YES"
ipsec_enable="YES"
ipsec_file="/usr/local/etc/ipsec.conf"

Partial /usr/local/etc/pf.conf:

EXT="dc0"        # Interface for external traffic
EXTIP="(dc0)"    # External virtual IP

# Table of remote IPSEC gateways, loaded from a file
table <ipsec_peers> file "/usr/local/etc/ipsec.peers"

# Allow IKE (UDP/500) and ESP only from the listed peers
pass in log quick on $EXT proto udp from <ipsec_peers> to $EXTIP port 500 keep state
pass in quick on $EXT proto esp from <ipsec_peers> to $EXTIP keep state

/usr/local/etc/ipsec.peers:

55.66.77.88

/usr/local/etc/ipsec.conf:

spdflush;

spdadd 10.20.50.60/24 10.10.30.40/24 any \
    -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.40/24 10.20.50.60/24 any \
    -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

spdadd 10.20.50.60/24 10.10.30.50/24 any \
    -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.50/24 10.20.50.60/24 any \
    -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

spdadd 10.20.50.70/24 10.10.30.40/24 any \
    -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.40/24 10.20.50.70/24 any \
    -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

spdadd 10.20.50.70/24 10.10.30.50/24 any \
    -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.50/24 10.20.50.70/24 any \
    -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

/usr/local/etc/racoon/racoon.conf:

log debug;      # notify(*), debug, debug2

path pre_shared_key "/usr/local/etc/ipsec.keys";
path pidfile "/var/run/racoon.pid";

listen {
    isakmp 11.22.33.44;
    strict_address;         # Needed?
}

remote 55.66.77.88 {
    exchange_mode aggressive,main,base;
    my_identifier address 11.22.33.44;
    peers_identifier address 55.66.77.88;
    verify_identifier off;
    proposal_check claim;   # obey, strict, claim(*), exact(*)
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 24 hours;
    }
}

sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

/usr/local/etc/ipsec.keys:  (chmod 600!)

# Keys for IPSEC
# Remote IP, shared key
55.66.77.88     SecretKey!!

The main difficulty is making sure you've got every different direction
of source and destination subnet cross-referenced in your SPD config and
the exact same entries configured in your racoon config.  In our setup,
we auto-generate these files from a master config file, but regrettably
I cannot release the code for this...

Anyway, I hope this gives you some idea how to set up IPSEC.  Debugging
is of course the next step.  Never assume that your peer has configured
everything right.  :)

Make sure your ipsec.keys file is not readable by anyone but root, or
racoon will silently ignore it.

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it." -- Clarence Darrow
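David notes that the hard part is keeping every (source, destination) subnet pair in the setkey SPD and the matching racoon sainfo blocks in step, and that his generator for this cannot be released. The script below is an added example written for this thread, not David's code or anything from FreeBSD or racoon: it generates both files from one master definition (the placeholder gateways and subnets from his message) and then cross-checks an ipsec.conf against a racoon.conf, reporting SPD entries without a sainfo, sainfo blocks without an SPD entry, and tunnel endpoints that point the wrong way for their direction. The function names and the regular expressions are this example's own assumptions about the two file formats as shown in the message.

```python
"""Generate matching setkey SPD entries and racoon sainfo blocks from one
master definition, then cross-check the two texts against each other.

Added example for the freebsd-net thread; not the poster's generator.
Addresses are the placeholders from his message, not real networks.
"""
import re
from itertools import product

# Master definition (constructed from the message's placeholder values).
LOCAL_GW = "11.22.33.44"
LOCAL_NETS = ["10.10.30.40/24", "10.10.30.50/24"]
REMOTE_GW = "55.66.77.88"
REMOTE_NETS = ["10.20.50.60/24", "10.20.50.70/24"]

SAINFO_TEMPLATE = """sainfo address {src} any address {dst} any {{
\tlifetime time 1 hour;
\tencryption_algorithm aes;
\tauthentication_algorithm hmac_sha1;
\tcompression_algorithm deflate;
}}"""

# One spdadd line (possibly continued with a backslash) and one sainfo header.
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+any\s*\\?\s*-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+)-(\S+)/unique;", re.M)
SAINFO_RE = re.compile(
    r"^sainfo\s+address\s+(\S+)\s+any\s+address\s+(\S+)\s+any\s*\{", re.M)


def spd_entries(local_gw, local_nets, remote_gw, remote_nets):
    """ipsec.conf text: an in/out spdadd pair for every subnet pair."""
    lines = ["spdflush;"]
    for rnet, lnet in product(remote_nets, local_nets):
        # Inbound: remote subnet -> local subnet, tunnel remote_gw-local_gw
        lines.append(f"spdadd {rnet} {lnet} any \\\n"
                     f"\t-P in ipsec esp/tunnel/{remote_gw}-{local_gw}/unique;")
        # Outbound: local subnet -> remote subnet, tunnel local_gw-remote_gw
        lines.append(f"spdadd {lnet} {rnet} any \\\n"
                     f"\t-P out ipsec esp/tunnel/{local_gw}-{remote_gw}/unique;")
    return "\n".join(lines) + "\n"


def sainfo_blocks(local_nets, remote_nets):
    """racoon.conf sainfo text: both directions of every subnet pair."""
    blocks = []
    for rnet, lnet in product(remote_nets, local_nets):
        blocks.append(SAINFO_TEMPLATE.format(src=rnet, dst=lnet))
        blocks.append(SAINFO_TEMPLATE.format(src=lnet, dst=rnet))
    return "\n".join(blocks) + "\n"


def parse_spd(text):
    """Map (src, dst) -> (direction, tunnel_src, tunnel_dst)."""
    return {(m[1], m[2]): (m[3], m[4], m[5]) for m in SPD_RE.finditer(text)}


def parse_sainfo(text):
    """Set of (src, dst) pairs that have a sainfo block."""
    return {(m[1], m[2]) for m in SAINFO_RE.finditer(text)}


def check_consistency(spd_text, racoon_text, local_gw, remote_gw):
    """Return a list of human-readable problems; empty means consistent."""
    spd = parse_spd(spd_text)
    sainfo = parse_sainfo(racoon_text)
    problems = []
    for src, dst in sorted(spd.keys() - sainfo):
        problems.append(f"SPD {src} -> {dst} has no matching sainfo")
    for src, dst in sorted(sainfo - spd.keys()):
        problems.append(f"sainfo {src} -> {dst} has no matching SPD entry")
    for (src, dst), (direction, tsrc, tdst) in sorted(spd.items()):
        expected = (remote_gw, local_gw) if direction == "in" else (local_gw, remote_gw)
        if (tsrc, tdst) != expected:
            problems.append(f"SPD {src} -> {dst}: {direction} tunnel is "
                            f"{tsrc}-{tdst}, expected {expected[0]}-{expected[1]}")
    return problems


if __name__ == "__main__":
    spd = spd_entries(LOCAL_GW, LOCAL_NETS, REMOTE_GW, REMOTE_NETS)
    rac = sainfo_blocks(LOCAL_NETS, REMOTE_NETS)
    print(spd)
    print(rac)
    print("problems:", check_consistency(spd, rac, LOCAL_GW, REMOTE_GW))
```

Running the script prints an ipsec.conf with eight spdadd entries and eight sainfo blocks for the two-by-two subnet layout in the message, and an empty problem list; the same `check_consistency` can be pointed at hand-edited files to catch the cross-referencing mistakes David warns about before `setkey` and racoon are restarted.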