Date:      Fri, 25 Feb 2000 16:26:22 +0900
From:      Yoshinobu Inoue <shin@nd.net.fujitsu.co.jp>
To:        kent@tfd.com
Cc:        freebsd-current@FreeBSD.ORG
Subject:   Re: IPSec/VPN Config
Message-ID:  <20000225162622L.shin@nd.net.fujitsu.co.jp>
In-Reply-To: <200002250653.BAA15415@rtp.tfd.com>
References:  <200002250653.BAA15415@rtp.tfd.com>

> Hi all,
> 
> Is there a howto/example guide for configuring IPSec for -current.

Hi, I prepared one and sent the patches to freebsd-doc yesterday.

I'll attach the IPsec part from the document to the end of this mail.
Also,
  http://www.kame.net/newsletter/19991007/
might have a better description of IPsec tunnel setup.

Thanks,
Yoshinobu Inoue

> Needless to say I've spent fruitless hours trying to convince "setkey"
> to send an IPSec packet to my network's internet gateway w/o success.
> My setup is typical: mobile/dynamic-assigned-ip-address freebsd box
> trying to contact fixed address/private address network/(net 10)/ network
> via an Ascend router with IPSec support. But according to "tcpdump" my
> IPSec packets never leave. Help would be appreciated.
> 
> Thanks a bunch.
> 
> Kent

-------------------------------------------------------------------
+<<<IPsec>>>
+
+The current KAME supports both transport mode and tunnel mode.
+However, tunnel mode comes with some restrictions.
+
+IPsec requires fairly complex configuration, so here we show transport
+mode only.  http://www.kame.net/newsletter/ has more comprehensive
+examples.
+
+Let's setup security association to deploy a secure channel between
+HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a little
+complicated example.  From HOST A to HOST B, only old AH is used.
+From HOST B to HOST A, new AH and new ESP are combined.
+
+Now we should choose algorithm to be used corresponding to "AH"/"new
+AH"/"ESP"/"new ESP".  Please refer to the "setkey" man page to know
+algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1 for new AH,
+and new-DES-expIV with 8 byte IV for new ESP.
+
+Key length highly depends on each algorithm.  For example, key
+length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
+and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
+"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.
+
+OK, let's assign SPI (Security Parameter Index) for each protocol.
+Please note that we need 3 SPIs for this secure channel since three
+security headers are produced (one for from HOST A to HOST B, two for
+from HOST B to HOST A).  Please also note that SPI MUST be greater
+than or equal to 256.  We choose, 1000, 2000, and 3000, respectively.
+
+
+	         (1)
+	HOST A ------> HOST B
+
+	(1)PROTO=AH
+		ALG=MD5(RFC1826)
+		KEY=MYSECRETMYSECRET
+		SPI=1000
+
+	         (2.1)
+	HOST A <------ HOST B
+	       <------
+	         (2.2)
+
+	(2.1)
+	PROTO=AH
+		ALG=new-HMAC-SHA1(new AH)
+		KEY=KAMEKAMEKAMEKAMEKAME
+		SPI=2000
+
+	(2.2)
+	PROTO=ESP
+		ALG=new-DES-expIV(new ESP)
+			IV length = 8
+		KEY=PASSWORD
+		SPI=3000
+
+Now, let's setup security association.  Execute "setkey" on both HOST
+A and B:
+
+# setkey -c
+add 10.2.3.4 10.6.7.8 ah  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
+add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
+add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
+^D
+
+Actually, IPsec communication doesn't process until security policy
+entries will be defined.  In this case, you must setup each host.
+
+At A:
+# setkey -c
+spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
+	ah/transport/10.2.3.4-10.6.7.8/require ;
+^D
+
+At B:
+spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
+	esp/transport/10.6.7.8-10.2.3.4/require ;
+spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
+	ah/transport/10.6.7.8-10.2.3.4/require ;
+^D
+
+To utilize the security associations installed into the kernel, you
+must set the socket security level by using setsockopt().
+This is per-application (or per-socket) security.  For example,
+the "ping" command has the -P option with parameter to enable AH and/or ESP.
+
+For example:
+% ping -P "out ipsec \
+	ah/transport/10.0.1.1-10.0.2.2/use \
+	esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2
+
+If there are proper SAs, this policy specification causes ICMP packet
+to be AH transport mode inner ESP tunnel mode like below.
+
+	   HOST C -----------> GATEWAY D ----------> HOST E
+	  10.0.1.1        10.0.1.2   10.0.2.1       10.0.2.2
+	    | |                 |                    |
+	    | ======= ESP =======                    |
+	    ==================== AH ==================
+
+							<end of USAGE>
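
Review bot: the "At B:" block is missing the "# setkey -c" invocation that the "At A:" block shows, and it issues two separate spdadd commands for the same selector (10.6.7.8 10.2.3.4 any -P out); setkey refuses to add a policy entry whose selector already exists, so the second entry (the AH policy) fails and HOST B ends up applying ESP only, which contradicts the stated intent of combining new AH and new ESP from B to A. Suggest a single entry carrying both specs, e.g. `spdadd 10.6.7.8 10.2.3.4 any -P out ipsec esp/transport/10.6.7.8-10.2.3.4/require ah/transport/10.6.7.8-10.2.3.4/require ;`. Two smaller points for the same hunk: every policy shown is "-P out", so neither host enforces anything on inbound traffic and will still accept cleartext from the peer; a matching "-P in ipsec .../require" entry on each side is needed if the channel is meant to be mandatory in both directions. And the keys "MYSECRETMYSECRET", "KAMEKAMEKAMEKAMEKAME" and "PASSWORD" should be called out as illustrative placeholders only; real keys should be random bytes of the required length, which setkey accepts in 0x hex form.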

