Date: Tue, 14 Jul 2009 19:15:14 -0500 From: "David DeSimone" <fox@verio.net> To: "rascal" <rascal1981@gmail.com> Cc: freebsd-net@freebsd.org Subject: Re: question regarding IPSEC Setup Message-ID: <20090715001514.GU6896@verio.net> In-Reply-To: <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com> References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
rascal <rascal1981@gmail.com> wrote:
>
> Thanks for the input on this everyone! Eugene, I'll take you up on
> your offer of examples! I have a good idea of how to do this, I
> just want to make sure I get it right and if I have some examples to
> compare to that would be great! Thanks much!
Here is an example IPSEC config that we use, that interoperates with
Cisco, Checkpoint, and probably other standard IPSEC implementations.
We're using PF for firewalling.
Example config:
Here: 11.22.33.44 (FreeBSD machine)
Networks behind:
10.10.30.40/24
10.10.30.50/24
There: 55.66.77.88 (Some other IPSEC)
Networks behind:
10.20.50.60/24
10.20.50.70/24
Parameters:
IKE:
Phase 1:
Pre-shared Secret
AES + SHA1
DH Group 2
Lifetime 24 hours
Phase 2:
One SPI per subnet pair
No PFS
Lifetime 1 hour
ESP:
AES + SHA1
Kernel build options:
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
/etc/rc.conf:
gateway_enable="YES"
pf_enable="YES"
pf_rules="/usr/local/etc/pf.conf"
racoon_enable="YES"
ipsec_enable="YES"
ipsec_file="/usr/local/etc/ipsec.conf"
Partial /usr/local/etc/pf.conf:
EXT="dc0" # Interface for external traffic
EXTIP="(dc0)" # External virtual IP
table <IPSEC_PEERS> file "/usr/local/etc/ipsec.peers"
pass in log quick on $EXT proto udp from <IPSEC_PEERS> to $EXTIP port 500 keep state
pass in quick on $EXT proto esp from <IPSEC_PEERS> to $EXTIP keep state
/usr/local/etc/ipsec.peers:
55.66.77.88
/usr/local/etc/ipsec.conf:
spdflush;
spdadd 10.20.50.60/24 10.10.30.40/24 any \
-P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.40/24 10.20.50.60/24 any \
-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
spdadd 10.20.50.60/24 10.10.30.50/24 any \
-P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.50/24 10.20.50.60/24 any \
-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
spdadd 10.20.50.70/24 10.10.30.40/24 any \
-P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.40/24 10.20.50.70/24 any \
-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
spdadd 10.20.50.70/24 10.10.30.50/24 any \
-P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
spdadd 10.10.30.50/24 10.20.50.70/24 any \
-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
/usr/local/etc/racoon/racoon.conf:
log debug; # notify(*), debug, debug2
path pre_shared_key "/usr/local/etc/ipsec.keys";
path pidfile "/var/run/racoon.pid";
listen
{
isakmp 11.22.33.44;
strict_address; # Needed?
}
remote 55.66.77.88
{
exchange_mode aggressive,main,base;
my_identifier address 11.22.33.44;
peers_identifier address 55.66.77.88;
verify_identifier off;
proposal_check claim; # obey, strict, claim(*), exact(*)
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 24 hours;
}
}
sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any
{
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
/usr/local/etc/ipsec.keys: (chmod 600!)
# Keys for IPSEC
# Remote IP, shared key
55.66.77.88 SecretKey!!
The main difficulty is making sure you've got every different direction
of source and destination subnet cross-referenced in your SPD config and
the exact same entries configured in your racoon config.
In our setup, we auto-generate these files from a master config file,
but regretably I cannot release the code for this...
Anyway, I hope this gives you some idea how to setup IPSEC. Debugging
is of course the next step. Never assume that your peer has configured
everything right. :)
Make sure your ipsec.keys file is not readable by anyone but root, or
raccoon will silently ignore it.
--
David DeSimone == Network Admin == fox@verio.net
"I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it." -- Clarence Darrow
This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090715001514.GU6896>