From owner-freebsd-doc Sat Apr 6 8:10:44 2002 Delivered-To: freebsd-doc@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 17C1237B404 for ; Sat, 6 Apr 2002 08:10:03 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g36GA3i07554; Sat, 6 Apr 2002 08:10:03 -0800 (PST) (envelope-from gnats) Date: Sat, 6 Apr 2002 08:10:03 -0800 (PST) Message-Id: <200204061610.g36GA3i07554@freefall.freebsd.org> To: freebsd-doc@FreeBSD.org Cc: From: Nik Clayton Subject: Re: docs/36723: IPSec section is unintelligible Reply-To: Nik Clayton Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The following reply was made to PR docs/36723; it has been noted by GNATS. From: Nik Clayton To: Murray Stokely Cc: FreeBSD-gnats-submit@FreeBSD.org Subject: Re: docs/36723: IPSec section is unintelligible Date: Sat, 6 Apr 2002 17:05:41 +0100 --L0TNCHh3fkwjpuuE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 03, 2002 at 10:09:11PM -0800, Murray Stokely wrote: > People often complain about the IPSec section in the FreeBSD Handbook. > The material is in great need of clarification. Anyone feel like SGML'ifying this (and fleshing it out as necessary)? It's been kicking around my hard disk for ages, and I never found the need to finish it up. . . N /*- * Copyright (c) 2001 Nik Clayton * All rights reserved. * * Redistribution is not permitted. If you are reading this it's because t= his * is an early version of this article that I have put out for review. It = is * not finished, and I do not want copies that possibly provide incorrect * information floating around the net. * * THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' = AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPO= SE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTI= AL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRI= CT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE */ ToDo: Check the path of the racoon config file Talk about the racoon settings that talk about timeouts Talk about choosing a good value for "secret" in psk.txt Check that racoon without a policy still sets up security associations Get sample tcpdump output between encrypted networks Show how to configure Windows hosts with a WINS Server Show dhcpd.conf netbios config option. Creating a VPN between two networks, separated by the Internet, using FreeB= SD gateways. The Problem There's no standard for what constitutes a VPN. VPNs can be implemented using a number of different technologies, each of which have their own strengths and weaknesses. This article presents a number of scenarios, and strategies for implementing a VPN for each scenario. Scenario #1: Two networks, connected to the Internet, to behave as one This is the scenario that caused me to first investigating VPNs. The premise is as follows: * You have at least two sites * Both sites are using IP internally * Both sites are connected to the Internet, through a gateway that is running FreeBSD. * The gateway on each network has at least one public IP address. * The internal addresses of the two networks can be public or private IP addresses, it doesn't matter. You can be running NAT on the gateway machine if necessary. * The internal IP addresses of the two networks DO NOT COLLIDE. Whi= le I expect it is theoretically possible to use a combination of VPN technology and NAT to get this to work, I expect it to be a configuration nightmare. If you find that you are trying to connect two networks, both of which, internally, use the same private IP address range (e.g., both of them use 192.168.1.x), then one of the networks will have to be renumbered. I think it's now a law that every VPN article must feature some ASCII artwork. This one is no exception. The network topology might look something like this: Network #1 [ Internal Hosts ] Private Net, 192.168.1.2-2= 54 [ Win9x/NT/2K ] [ Unix ] | | .---[fxp1]---. Private IP, 192.168.1.1 | FreeBSD | `---[fxp0]---' Public IP, A.B.C.D | | -=3D-=3D- Internet -=3D-=3D- | | .---[fxp0]---. Public IP, W.X.Y.Z | FreeBSD | `---[fxp1]---' Private IP, 192.168.2.1 | | Network #2 [ Internal Hosts ] [ Win9x/NT/2K ] Private Net, 192.168.2.2-2= 54 [ Unix ] Notice the two public IP addresses. I'll use the letters to refer to t= hem in the rest of this article. Anywhere you see those letters in this article, replace them with your own public IP addresses. Note also that that internally, the two gateway machines have .1 IP addresses, and that the two networks have different private IP address (192.168.1.x and 192.168.2.x respectively). All the machines on the private networks ha= ve been configured to use the .1 machine as their default gateway. The intention is that, from a network point of view, each network should view the machines on the other network as though they were directly attached the same router -- albeit a slightly slow router with an occasional tendency to drop packets. This means that (for example), machine 192.168.1.20 should be able to r= un ping 192.168.2.34 and have it work, transparently. Windows machines should be able to see the machines on the other network, browse file shares, and so on, in exactly the same way that they can browse machines on the local network. And the whole thing has to be secure. This means that traffic between = the two networks has to be encrypted. Creating a VPN between these two networks is a multi-step process. The stages are as follows; 1. Create a "virtual" network link between the two networks, across the Internet. Test it, using tools like ping(8), to make sure it works. 2. Apply security policies to ensure that traffic between the two networks is transparently encrypted and decrypted as necessary. Test this, using toolks like tcpdump(8), to ensure that traffic is encrypted. 3. Configure additional software on the FreeBSD gateways, to allow Windows machines to see one another across the VPN. Step 1: Creating and testing a "virtual" network link Suppose that you were logged in to the gateway machine on network #1 (w= ith public IP address A.B.C.D, private IP address 192.168.1.1), and you ran "ping 192.168.2.1", which is the private address of the machine with IP address W.X.Y.Z. What needs to happen in order for this to work? =20 1. The gateway machine needs to know how to reach 192.168.2.1. In other words, it needs to have a route to 192.168.2.1. 2. Private IP addresses, such as those in the 192.168.x range are not supposed to appear on the Internet at large. Instead, each packet you send to 192.168.2.1 will need to be wrapped up inside another packet. This packet will need to appear to be from A.B.C.D, and = it will have to be sent to W.X.Y.Z. This process is called "encapsulation". 3. Once this packet arrives at W.X.Y.Z it will need to "unencapsulated", and delivered to 192.168.2.1. You can think of this as requiring a "tunnel" between the two networks. The two "tunnel mouths" are the IP addresses A.B.C.D and W.X.Y.Z, and t= he tunnel must be told the addresses of the private IP addresses that will= be allowed to pass through it. The tunnel is used to transfer traffic with private IP addresses across the public Internet. This tunnel is created by using the generic interface, or "gif" devices= on FreeBSD. As you can imagine, the gif interface on each gateway host mu= st be configured with four IP addresses; two for the public IP addresses, = and two for the private IP addresses. Support for the gif device must be compiled in to the FreeBSD kernel on both machines. You can do this by adding the line pseudo-device gif to the kernel configuration files on both machines, and then compile, install, and reboot as normal. Configuring the tunnel is a two step process. First the tunnel must be told what the outside (or public) IP addresses are, using gifconfig(8). Then the private IP addresses must be configured using ifconfig(8). On the gateway machine on network #1 you would run the following two commands to configure the tunnel. gifconfig gif0 A.B.C.D W.X.Y.Z ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff On the other gateway machine you run the same commands, but with the or= der of the IP addresses reversed. gifconfig gif0 W.X.Y.Z A.B.C.D ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff You can then run=20 gifconfig gif0 to see the configuration. For example, on the network #1 gateway, you would see this # gifconfig gif0 gif0: flags=3D8011 mtu 1280 inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffffff physical address inet A.B.C.D --> W.X.Y.Z As you can see, a tunnel has been created between the physical addresses A.B.C.D and W.X.Y.Z, and the traffic allowed through the tunnel is that between 192.168.1.1 and 192.168.2.1. This will also have added an entry to the routing table on both machine= s, which you can examine with "netstat -rn". This output is from the gate= way host on network #1. # netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire ... 192.168.2.1 192.168.1.1 UH 0 0 gif0 ... As the "Flags" value indicates, this is a host route, which means that each gateway knows how to reach the other gateway, but they do not know how to reach the rest of their respective networks. That problem will = be fixed shortly. It is likely that you are running a firewall on both machines. This wi= ll need to be circumvented for your VPN traffic. You might want to allow = all traffic between both networks, or you might want to include firewall ru= les that protect both ends of the VPN from one another. It greatly simplifies testing if you configure the firewall to allow all traffic through the VPN. You can always tighten things up later. If y= ou are using ipfw(8) on the gateway machines then a command like ipfw add 1 allow ip from any to any via gif0 will allow all traffic between the two end points of the VPN, without affecting your other firewall rules. Obviously you will need to run th= is command on both gateway hosts. This is sufficient to allow each gateway machine to ping the other. On 192.168.1.1 you should be able to run ping 192.168.2.1 and get a response, and you should be able to do the same thing on the other gateway machine. However, you will not be able to reach internal machines on either netw= ork yet. This is because of the routing -- although the gateway machines k= now how to reach one another, they do not know how to reach the network beh= ind each one. To solve this problem you must add a static route on each gateway machine. The command to do this on the first gateway would be: route add 192.168.2.0 192.168.2.1 netmask 0xffffff00 This says "In order to reach the hosts on the network 192.168.2.0, send the packets to the host 192.168.2.1". You will need to run a similar command on the other gateway, but with the 192.168.1.x addresses instea= d. IP traffic from hosts on one network will now be able to reach hosts on the other network.=20 That has now created two thirds of a VPN between the two networks, in as much as it's "virtual" and it's a "network". It's not private yet. You can test this using ping(8) and tcpdump(8). Log in to the gateway host and run tcpdump dst host 192.168.2.1 In another log in session on the same host run ping 192.168.2.1 You will see output that looks something like this. 16:10:24.018080 192.168.1.1 > 192.168.2.1: icmp: echo request 16:10:24.018109 192.168.1.1 > 192.168.2.1: icmp: echo reply 16:10:25.018814 192.168.1.1 > 192.168.2.1: icmp: echo request 16:10:25.018847 192.168.1.1 > 192.168.2.1: icmp: echo reply 16:10:26.028896 192.168.1.1 > 192.168.2.1: icmp: echo request 16:10:26.029112 192.168.1.1 > 192.168.2.1: icmp: echo reply As you can see, the ICMP messages are going back and forth unencrypted. If you had used the "-s" parameter to tcpdump(8) to grab more bytes of data from the packets you would see more information. Obviously this is unacceptable. The next section will discuss securing the link between the two networks so that it all traffic is automatical= ly encrypted. Summary: * Configure both kernels with "pseudo-device gif" * Edit /etc/rc.conf on gateway host #1 and add the following lines=20 (replacing IP addresses as necessary). gifconfig_gif0=3D"A.B.C.D W.X.Y.Z" ifconfig_gif0=3D"inet 192.168.1.1 192.168.2.1 netmask 0xffffffff" static_routes=3D"vpn" route_vpn=3D"192.168.2.0 192.168.2.1 netmask 0xffffff00" * Edit your firewall script (/etc/rc.firewall, or similar) on both hosts, and add =20 ipfw add 1 allow ip from any to any via gif0 * Make similar changes to /etc/rc.conf on gateway host #2, reversing = the order of IP addresses. Step 2: Securing the link To secure the link we will be using IPSec. IPSec provides a mechanism = for two hosts to agree on an encryption key, and to then use this key in or= der to encrypt data between the two hosts. The are two areas of configuration to be considered here. 1. There must be a mechanism for two hosts to agree on the encryption mechanism to use. Once two hosts have agreed on this mechanism there is said to be a "security association" between them. 2. There must be a mechanism for specifying which traffic should be encrypted. Obviously, you don't want to encrypt all your outgoing traffic -- you only want to encrypt the traffic that is part of the VPN. The rules that you put in place to determine what traffic will be encrypted are called "security policies". Security associations and security policies are both maintained by the kernel, and can be modified by userland programs. However, before you = can do this you must configure the kernel to support IPSec and the Encapsulated Security Payload (ESP) protocol. This is done by configur= ing a kernel with options IPSEC options IPSEC_ESP and recompiling, reinstalling, and rebooting. As before you will need = to do this to the kernels on both of the gateway hosts. You have two choices when it comes to setting up security associations. You can configure them by hand between two hosts, which entails choosing the encryption algorithm, encryption keys, and so forth, or you can use daemons that implement the Internet Key Exchange protocol (IKE) to do t= his for you. I recommend the latter. Apart from anything else, it's easier to set u= p. Editing and displaying security policies is carred out using setkey(8). By analogy, setkey(8) is to the kernel's security policy tables as route(8) is to the kernel's routing tables. setkey(8) can also display the current security associations, and to continue the analogy further,= is akin to "netstat -r" in that respect. There are a number of choices for daemons to manage security associatio= ns with FreeBSD. This article will describe how to use one of these, raco= on. racoon is in the FreeBSD ports collection, in the security/ category, a= nd is installed in the usual way. racoon must be run on both gateway hosts. On each host it is configured with the IP address of the other end of the VPN, and a secret key (which you choose, and must be the same on both gateways). The two daemons then contact one another, confirm that they are who they say they are (by using the secret key that you configured). The daemons then generate a new secret key, and use this to encrypt the traffic over the VPN. They periodically change this secret, so that even if an attacker were to crack one of the keys (which is as theoretically close= to unfeasible as it gets) it won't do them much good -- by the time they've cracked the key the two daemons have chosen another one. racoon's configuration is stored in ${PREFIX}/etc/racoon. You should f= ind a configuration file there, which should not need to be changed too muc= h. The other component of racoon's configuration, which you will need to change, is the 'pre-shared key'. The default racoon configuration expects to find this in the file ${PREFIX}/etc/racoon/psk.txt. It is important to note that the pre-sha= red key is *not* the key that will be used to encrypt your traffic across t= he VPN link, it is simply a token that allows the key management daemons to trust one another. =20 psk.txt contains a line for each remote site you are dealing with. In this example, where there are two sites, each psk.txt file will contain one line (because each end of the VPN is only dealing with one other en= d). On gateway host #1 this line should look like this: W.X.Y.Z secret That is, the *public* IP address of the remote end, whitespace, and a t= ext string that provides the secret. Obviously, you shouldn't use "secret"= as your key -- the normal rules for choosing a password apply. On gateway host #2 the line would look like this A.B.C.D secret That is, the public IP address of the remote end, and the same secret k= ey. psk.txt must be mode 0600 (i.e., only read/write to root) before racoon will run. You must run racoon on both gateway machines. You will also need to add some firewall rules to allow the IKE traffic, which is carried over UDP= to the isakmp (kmp =3D=3D key management protocol) port. Again, this shou= ld be fairly early in your firewall ruleset. ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp Once racoon is running you can try pinging one gateway host from the other. The connection is still not encrypted, but racoon will then set= up the security associations between the two hosts -- this might take a moment, and you may see this as a short delay before the ping commands start responding. Once the security association has been set up you can view it using setkey(8). Run setkey -D on either host to view the security assocation information. That's one half of the problem. They other half is setting your securi= ty policies. =20 To create a sensible security policy, let's review what's been set up so far. This discussions hold for both ends of the link. Each IP packet that you send out has a header that contains data about = the packet. The header includes the IP addresses of both the source and destination. As we already know, private IP addresses, such as the 192.168.x.y range are not supposed to appear on the public Internet. Instead, they must first be encapsulated inside another packet. This packet must have the public source and destination IP addresses substituted for the private addresses. So if your outgoing packet started looking like this: .----------------------. | Src: 192.168.1.1 | | Dst: 192.168.2.1 | | | +----------------------+ | | `----------------------' Then it will be encapsulated inside another packet, looking something l= ike this: .--------------------------. | Src: A.B.C.D | | Dst: W.X.Y.Z | | | +--------------------------+ | .----------------------. | | | Src: 192.168.1.1 | | | | Dst: 192.168.2.1 | | | | | | | +----------------------+ | | | | | | `----------------------' | `--------------------------' This encapsulation is carried out by the gif device. As you can see, t= he packet now has real IP addresses on the outside, and our original packet has been wrapped up as data inside the packet that will be put out on t= he Internet. Obviously, we want all traffic between the VPNs to be encrypted. You might try putting this in to words, as=20 If a packet leaves from A.B.C.D, and it is destined for W.X.Y.Z, then encrypt it, using the necessary security associations. If a packet arrives from W.X.Y.Z, and it is destined for A.B.C.D, then decrypt it, using the necessary security associations. That's close, but not quite right. If you did this, all traffic to and from W.X.Y.Z, even traffic that was not part of the VPN, would be encrypted. That's not quite what you want. The correct policy is as follows If a packet leaves from A.B.C.D, and that packet is encapsulating another packet, and it is destined for W.X.Y.Z, then encrypt it, using the necessary security associations. If a packet arrives from W.X.Y.Z, and that packet is encapsulating another packet, and it is destined for A.B.C.D, then encrypt it, using the necessary security associations. A subtle change, but a necessary one. Security policies are also set using setkey(8). Unfortunately, setkey(8), and the related code, is under almost constant development. And the version of setkey(8) included in FreeBSD 4.3 does= n't quite handle this properly. If you're using a version of FreeBSD-stable built after 3rd July 2001 (that includes FreeBSD 4.4 and later) then you have the necessary fixes. If you are using an earlier version, including FreeBSD 4.3 and below th= en you need to make a very small change to the setkey(8) source code, and then recompile it and reinstall it. Without this change, setkey(8) won't allow you to specify the rule to correctly match encapsulated packets. The change is very simple. 1. Acquire a copy of the FreeBSD source code for the version of FreeBSD you are running. 2. Change to the src/usr.sbin/setkey/ directory. 3. Edit the file token.l. Find the four lines that look like this: icmp { PREPROC; yylval.num =3D IPPROTO_ICMP; return(UP_PROTO= ); } icmp6 { PREPROC; yylval.num =3D IPPROTO_ICMPV6; return(UP_PRO= TO); } tcp { PREPROC; yylval.num =3D IPPROTO_TCP; return(UP_PROTO)= ; } udp { PREPROC; yylval.num =3D IPPROTO_UDP; return(UP_PROTO)= ; } and add this line ipencap { PREPROC; yylval.num =3D IPPROTO_IPV4; return(UP_PROTO= ); } after them. 4. Rebuild and reinstall setkey(8) by running "make install". Once you have done this you can configure the security policy. setkey(= 8) features a configuration language for defining the policy. You can eit= her enter configuration instructions via stdin, or you can use the -f option to specify a filename that contains configuration instructions. =20 The configuration on gateway host #1 (which has the public IP address A.B.C.D) to force all outbound traffic to W.X.Y.Z to be encrypted is spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require; Put these commands in a file (e.g., /etc/ipsec.conf) and then run=20 setkey -f /etc/ipsec.conf "spdadd" tells setkey(8) that we want to add a rule to the secure policy database. The rest of this line specifies which packets will match this policy. "A.B.C.D/32" and "W.X.Y.Z/32" are the IP addresses and netmasks that identify the network or hosts that this policy will apply to. In this case, we want it to apply to traffic between these two hosts. "ipencap" tells the kernel that this policy should only apply to packets that encapsulate other packets. "-P out" says that this policy applies= to outgoing packets, and "ipsec" says that the packet will be secured. The second line specifies how this packet will be encrypted. "esp" is = the protocol that will be used, while "tunnel" indicates that the packet wi= ll be further encapsulated in an IPSec packet. The repeated use of A.B.C.D and W.X.Y.Z is used to select the security association to use, and the final "require" mandates that packets must be encrypted if they match t= his rule. This rule only matches outgoing packets. You will need a similar rule = to match incoming packets. spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require; Note the "in" instead of "out" in this case, and the necessary reversal= of the IP addresses. The other gateway host (which has the public IP address W.X.Y.Z) will n= eed similar rules. spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require; spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require; Finally, you need to add firewall rules to allow ESP and IPENCAP packets back and forth. These rules will need to be added to both hosts. ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D Because the rules are symmetric you can use the same rules on each gate= way host. Outgoing packets will now look something like this. .------------------------------. --------------------------. | Src: A.B.C.D | | | Dst: W.X.Y.Z | | | | | Encrypt= ed +------------------------------+ | packet. | .--------------------------. | -------------. | contents | | Src: A.B.C.D | | | | are=20 | | Dst: W.X.Y.Z | | | | complet= ely | | | | | |- secure | +--------------------------+ | | Encap'd | from th= ird | | .----------------------. | | -. | packet | party | | | Src: 192.168.1.1 | | | | Original |- with real | snooping | | | Dst: 192.168.2.1 | | | | packet, | IP addr | | | | | | | |- private | | | | +----------------------+ | | | IP addr | | | | | | | | | | | | | `----------------------' | | -' | | | `--------------------------' | -------------' | `------------------------------' --------------------------' When they are received by the far end of the VPN they will first be decrypted (using the security associations that have been negotiated by racoon). Then they will enter the gif interface, which will unwrap the second layer, until you are left with the innermost packet, which can t= hen travel in to the inner network. You can check the security using the same ping(8) test from earlier. First, log in to the A.B.C.D gateway machine, and run tcpdump dst host 192.168.2.1 In another log in session on the same host run ping 192.168.2.1 This time you should see output like the following: Now, as you can see, tcpdump(8) shows the ESP packets. If you try and examine them with the -s option you will see (apparently) gibberish, because of the encryption. Congratulations. You have just set up a VPN between two remote sites. Summary: * Configure both kernels with=20 options IPSEC options IPSEC_ESP * Install ports/security/racoon. Edit ${PREFIX}/etc/racoon/psk.txt on both gateway hosts, adding an entry for the remote host's IP address and a secret key that they both know. Make sure this file is mode 0600. * If necessary, make the one line change to src/usr.sbin/setkey/token= .l, then recompile and reinstall setkey(8). * Add the following lines to /etc/rc.conf on each host ipsec_enable=3D"YES" ipsec_file=3D"/etc/ipsec.conf" * Create an /etc/ipsec.conf on each host that contains the necessary spdadd lines. On gateway host #1 this would be spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require; spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require; On gateway host #2 this would be spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require; spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require; * Add firewall rules to allow IKE, ESP, and IPENCAP traffic to both hosts ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D Step 3: All the horrible Windows related configuration you need to do The previous two steps should suffice to get the VPN up and running. Machines on each network will be able to refer to one another using IP addresses, and all traffic across the link will be automatically and securely encrypted. So far so good. However, you probably have hosts running various flavo= urs of Windows at each site, and you would like to have them all appear in = the "Network Neighbourhood" or equivalent. Out of the box, this won't work. This is because the SMB protocol, aro= und which Windows' file sharing and related activities are based, was not originally designed for use on more than one subnet (or, indeed, for IP networks). Over time a number of kludges have been bolted on to the protocol to correct for these deficiencies, and you will need to implem= ent them before browsing will work. You should note that you don't need FreeBSD machines to do most of what follows. I think Windows NT or Windows 2000 hosts acting as domain controllers will also do the right thing. Of course, if you don't have any NT or 2000 hosts, and you don't feel like paying for the priviledge, you can use FreeBSD to do all this for you as well. At this point our network is composed of two subnets, 192.168.1.x, and 192.168.2.x. In order for the "Network Neighbourhood" to work properly= , a number of things need to be configured. 1. All your machines need to be configured to be in the same workgroup. For the rest of the examples I will use the workgroup name "WORKGROUP". You should, of course, change this to what ever you are using. 2. Each subnet needs to have a host acting as a "local master browse= r". This a Windows term. The local master browser is responsible for maintaining a list of all the hosts on the network. When a Windo= ws machine needs to find a list of all the other hosts on the network it sends a broadcast message out saying "Who is the local master browser?". The local master then replies, and the Windows host c= an then query the local master for a list of all the hosts on the sa= me subnet. There should be one local master browser per subnet. 3. Of course, this only works within a subnet. In order for this to= =20 work across subnets, one host has to be the "domain master browser". The domain master browser maintains a complete list of all the hosts on all the subnets. This is done by having all the local master browsers send it updates periodically. Without a domain master browser your Network Neighbourhood will not show up hosts in other subnets. There should only be one domain master browser. 4. Windows network is based on the Netbios protocol. This has a concept of hostnames, but it is different from the IP concept of hostnames. Netbios name look ups do not normally work across subnets. In order to work around this, one machine (and only one) machine should be designated a "WINS Server". The WINS Server is normally the same host as the domain master browser. It is the responsibility of the WINS Server to maintain the mapping of Netbios host names to IP addresses. Without this mapping, your Network Neighbourhood will show hosts in other subnets (because of the local master browser -> domain master browser communication) but your Windows hosts in another network will not be able to communicate with them, because they will not be able to convert their Netbios names in to IP addresses. There can only be one WINS Server per network (note: not per subn= et, per network), and every other host needs to know its IP address. That's the bare minimum you need to get started. Now you need to design your network. For the sake of this example, we will assume that you have two more FreeBSD hosts, one on each subnet. Lets give these the IP addressess 192.168.1.2 and 192.168.2.2 respectively, and make them responsible for coordinating the Windows network and allowing browsing across the VPN to work. These machines might also have file shares on them, but this article will not touch on that, as it's trivial to set up, and well documented. Recall that we will need two local master browsers, one domain master browser, and one WINS server. To keep things simple, 192.168.1.2 will be a local master browser, the domain master browser, and the WINS Server. 192.168.2.2 will be the lo= cal master browser for its network, and will send updates to the domain mas= ter browser. You should install Samba, from ports/net/samba/, on both hosts. Samba's configuration file is ${PREFIX}/etc/smb.conf. Both hosts will share some configuration information, since they will b= oth be acting as a local master browser. Edit ${PREFIX}/etc/smb.conf and add the following lines: [global] ; The network workgroup workgroup =3D WORKGROUP ; The name for this server, as it will appear in the=20 ; Network Neighbourhood server string =3D Samba Server ; Hosts that will be allowed to access this server hosts allow =3D 192.168.1. 192.168.2. 127. ; Template for generating log files log file =3D /var/log/log.%M ; This host is a local master. It is the preferred master, and the ; os level is set high enough that it will be chosen in preference ; to every other host on the network, should that eventuality ; arise. local master =3D yes preferred master =3D yes os level =3D 65 The per-host configuration is as follows. 192.168.1.2 is the WINS Server and domain master. Add these lines to t= he bottom of the "[global]" section in the configuration file. ; This host is the domain master for the whole network. domain master =3D yes ; This host will act as a WINS Server. wins support =3D yes 192.168.2.2 is neither of these. The lines to add for that are ; This host will not be the domain master. domain master =3D no ; This host is not a WINS Server, but it needs to know the address ; of the WINS Server wins server =3D 192.168.1.2 Make sure that the Samba daemons (smbd(8) and nmbd(8)) are running on b= oth machines. Now you need to configure your Windows client machines. Specifically, they need to know the address of the WINS Server (192.168.1.2). There = are two ways you can do this. 1. If you are 'statically' configuring the hosts then this informati= on can be entered by doing Start -> Control Panel -> Network -> ... 2. Alternatively, if you are using DHCP then must DHCP servers can be configured to provide this information. If you use the ISC DH= CPD then the relevant line to add to the configuration file is=20 options ... --=20 FreeBSD: The Power to Serve http://www.freebsd.org/ (__) FreeBSD Documentation Project http://www.freebsd.org/docproj/ \\\'',) \/ \= ^ --- 15B8 3FFC DDB4 34B0 AA5F 94B7 93A8 0764 2C37 E375 --- .\._/= _) --L0TNCHh3fkwjpuuE Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjyvHNAACgkQk6gHZCw343U5ogCdFF4HViejvE/Yt74SdB/2vRh9 9c8AnA8wy+JL7g35a8021HcxgFhXuVK9 =XYDt -----END PGP SIGNATURE----- --L0TNCHh3fkwjpuuE-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message