Date: Tue, 14 Jul 2009 21:43:56 -0400 From: rascal <rascal1981@gmail.com> To: rascal <rascal1981@gmail.com>, freebsd-net@freebsd.org Subject: Re: question regarding IPSEC Setup Message-ID: <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com> In-Reply-To: <20090715001514.GU6896@verio.net> References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com> <20090715001514.GU6896@verio.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks very much David, I really appreciate it!
I have the racoon2 package; does this make a big difference or do these
configs work close to the same?
On Tue, Jul 14, 2009 at 8:15 PM, David DeSimone <fox@verio.net> wrote:
> rascal <rascal1981@gmail.com> wrote:
> >
> > Thanks for the input on this everyone! Eugene, I'll take you up on
> > your offer of examples! I have a good idea of how to do this, I
> > just want to make sure I get it right and if I have some examples to
> > compare to that would be great! Thanks much!
>
> Here is an example IPSEC config that we use, that interoperates with
> Cisco, Checkpoint, and probably other standard IPSEC implementations.
>
> We're using PF for firewalling.
>
> Example config:
>
> Here: 11.22.33.44 (FreeBSD machine)
>
> Networks behind:
> 10.10.30.40/24
> 10.10.30.50/24
>
> There: 55.66.77.88 (Some other IPSEC)
>
> Networks behind:
> 10.20.50.60/24
> 10.20.50.70/24
>
> Parameters:
> IKE:
> Phase 1:
> Pre-shared Secret
> AES + SHA1
> DH Group 2
> Lifetime 24 hours
> Phase 2:
> One SPI per subnet pair
> No PFS
> Lifetime 1 hour
> ESP:
> AES + SHA1
>
> Kernel build options:
>
> options IPSEC
> options IPSEC_ESP
> options IPSEC_DEBUG
>
> /etc/rc.conf:
>
> gateway_enable="YES"
>
> pf_enable="YES"
> pf_rules="/usr/local/etc/pf.conf"
>
> racoon_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/usr/local/etc/ipsec.conf"
>
> Partial /usr/local/etc/pf.conf:
>
> EXT="dc0" # Interface for external traffic
> EXTIP="(dc0)" # External virtual IP
>
> table <IPSEC_PEERS> file "/usr/local/etc/ipsec.peers"
>
> pass in log quick on $EXT proto udp from <IPSEC_PEERS> to $EXTIP port
> 500 keep state
> pass in quick on $EXT proto esp from <IPSEC_PEERS> to $EXTIP
> keep state
>
> /usr/local/etc/ipsec.peers:
>
> 55.66.77.88
>
> /usr/local/etc/ipsec.conf:
>
> spdflush;
>
> spdadd 10.20.50.60/24 10.10.30.40/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.40/24 10.20.50.60/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> spdadd 10.20.50.60/24 10.10.30.50/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.50/24 10.20.50.60/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> spdadd 10.20.50.70/24 10.10.30.40/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.40/24 10.20.50.70/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> spdadd 10.20.50.70/24 10.10.30.50/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.50/24 10.20.50.70/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> /usr/local/etc/racoon/racoon.conf:
>
> log debug; # notify(*), debug, debug2
>
> path pre_shared_key "/usr/local/etc/ipsec.keys";
> path pidfile "/var/run/racoon.pid";
>
> listen
> {
> isakmp 11.22.33.44;
> strict_address; # Needed?
> }
>
> remote 55.66.77.88
> {
> exchange_mode aggressive,main,base;
>
> my_identifier address 11.22.33.44;
> peers_identifier address 55.66.77.88;
>
> verify_identifier off;
>
> proposal_check claim; # obey, strict, claim(*), exact(*)
>
> proposal
> {
> encryption_algorithm aes;
> hash_algorithm sha1;
> authentication_method pre_shared_key;
> dh_group 2;
> lifetime time 24 hours;
> }
> }
>
>
> sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> /usr/local/etc/ipsec.keys: (chmod 600!)
>
> # Keys for IPSEC
> # Remote IP, shared key
>
> 55.66.77.88 SecretKey!!
>
>
> The main difficulty is making sure you've got every different direction
> of source and destination subnet cross-referenced in your SPD config and
> the exact same entries configured in your racoon config.
>
> In our setup, we auto-generate these files from a master config file,
> but regretably I cannot release the code for this...
>
>
> Anyway, I hope this gives you some idea how to setup IPSEC. Debugging
> is of course the next step. Never assume that your peer has configured
> everything right. :)
>
> Make sure your ipsec.keys file is not readable by anyone but root, or
> raccoon will silently ignore it.
>
> --
> David DeSimone == Network Admin == fox@verio.net
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
>
> This email message is intended for the use of the person to whom it has
> been sent, and may contain information that is confidential or legally
> protected. If you are not the intended recipient or have received this
> message in error, you are not authorized to copy, distribute, or otherwise
> use this message or its attachments. Please notify the sender immediately by
> return e-mail and permanently delete this message and any attachments.
> Verio, Inc. makes no warranty that this email is error or virus free. Thank
> you.
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3228ef7c0907141843s30df148eu2c6c64acd7748029>