Date:      Fri, 6 Jul 2012 18:12:06 -0400
From:      "xenophon\\+freebsd" <xenophon+freebsd@irtnog.org>
To:        <freebsd-net@freebsd.org>
Subject:   RE: IPSec woes coming from OpenBSD to Free
Message-ID:  <BABF8C57A778F04791343E5601659908236C45@cinip100ntsbs.irtnog.net>
In-Reply-To: <CAPKwmM1heXCRviB5nQ-YCDYsTTLMa2UNDG4sAfj1xeeft63RNQ@mail.gmail.com>
References:  <CAPKwmM1heXCRviB5nQ-YCDYsTTLMa2UNDG4sAfj1xeeft63RNQ@mail.gmail.com>

Chris Benesch writes:

> Looking at the manual, it says to create a gif interface with the
> other end.

Are you referring to chapter 15.9 in the FreeBSD Handbook?  I don't
know why it starts with tunneling over a GIF (IP-in-IP) interface.
Why don't you try a pure IPsec tunnel, instead?  I assume you already
have security/ipsec-tools installed.

Let's say you have two endpoints and two networks:

    Left router -   1.1.1.1
    Left network -  10.10.10.0/24

    Right router -  2.2.2.2
    Right network - 20.20.20.0/24

You can start with the security policy, because it's easy.  Here's the
policy for the left side:

    # Left to Right
    spdadd 10.10.10.0/24 20.20.20.0/24 any -P out ipsec
      esp/tunnel/1.1.1.1-2.2.2.2/require;

    # Right to Left
    spdadd 20.20.20.0/24 10.10.10.0/24 any -P in ipsec
      esp/tunnel/2.2.2.2-1.1.1.1/require;

The policy for the right side is the same, with the directions
swapped:

    # Right to Left
    spdadd 20.20.20.0/24 10.10.10.0/24 any -P out ipsec
      esp/tunnel/2.2.2.2-1.1.1.1/require;

    # Left to Right
    spdadd 10.10.10.0/24 20.20.20.0/24 any -P in ipsec
      esp/tunnel/1.1.1.1-2.2.2.2/require;

(On FreeBSD, save these to /etc/ipsec.conf, not setkey.conf.)

The next part is setting up IKE.  I use AES-SHA1 with DH group 2 for
the IKE SAs, and I use AES128-HMAC-SHA1 with PFS enabled (also DH
group 2) for the IPsec SAs.  Here's the left side:

    remote 2.2.2.2
    {
      exchange_mode main, aggressive, base;
      ike_frag on;
      dpd_delay 20;
      proposal
      {
	encryption_algorithm aes;
	hash_algorithm sha1;
	authentication_method pre_shared_key;
	dh_group 2;
	lifetime time 86400 seconds;
      }
    }

    sainfo address 1.1.1.1 any address 2.2.2.2 any
    {
      pfs_group 2;
      lifetime time 3600 seconds;
      encryption_algorithm aes 128;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
    }

The right side is the same, just with the addresses reversed:

    remote 1.1.1.1
    {
      exchange_mode main, aggressive, base;
      ike_frag on;
      dpd_delay 20;
      proposal
      {
	encryption_algorithm aes;
	hash_algorithm sha1;
	authentication_method pre_shared_key;
	dh_group 2;
	lifetime time 86400 seconds;
      }
    }

    sainfo address 2.2.2.2 any address 1.1.1.1 any
    {
      pfs_group 2;
      lifetime time 3600 seconds;
      encryption_algorithm aes 128;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
    }

Lastly, make sure that your firewall software is configured properly.
You can cheat and disable filtering on the tunnel entirely by setting
the following sysctl variables (see also enc(4) and ipsec(4)):

    net.inet.ipsec.filtertunnel=0
    net.inet6.ipsec6.filtertunnel=0

(I'm assuming that you already have UDP port 500 and IP protocol 50
allowed through the left and right routers' public interfaces.)

Make sure the IPsec SPD gets loaded properly:

    service ipsec onestop
    service ipsec onestart
    setkey -P -D

The last command should show something like the following on the left
router:

    20.20.20.0/24[any] 10.10.10.0/24[any] any
            in ipsec
            esp/tunnel/2.2.2.2-1.1.1.1/require
            spid=4 seq=2 pid=79044
            refcnt=1
    10.10.10.0/24[any] 20.20.20.0/24[any] any
            out ipsec
            esp/tunnel/1.1.1.1-2.2.2.2/require
            spid=3 seq=0 pid=79044
            refcnt=1

The right router will be similar:

    10.10.10.0/24[any] 20.20.20.0/24[any] any
            in ipsec
            esp/tunnel/1.1.1.1-2.2.2.2/require
            spid=8 seq=2 pid=79068
            refcnt=1
    20.20.20.0/24[any] 10.10.10.0/24[any] any
            out ipsec
            esp/tunnel/2.2.2.2-1.1.1.1/require
            spid=7 seq=0 pid=79068
            refcnt=1

When you start racoon, it should automatically turn up the tunnel.
You can test it by pinging through the tunnel.  You'll have to
override ping's default source address to get it to work.  On the
router on the left:

    ping -S 10.10.10.1 20.20.20.1

And on the router on the right:

    ping -S 20.20.20.1 10.10.10.1

This is my configuration nearly verbatim, only in my case the right
side is a Cisco router.  Let me know if you can't get it working.

Best wishes,
Matthew
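
An added example, not part of Matthew's message: a small POSIX shell script that emits one router's /etc/ipsec.conf rules from the four addresses above (the other side is the same call with the argument pairs swapped) and checks a `setkey -P -D` listing for both tunnel policies with the expected endpoints. The sample listing is constructed from the output quoted above, not captured from a live router.

```shell
#!/bin/sh
# Added example (not from the original post): build one router's ipsec.conf
# policy from the four addresses above and check `setkey -P -D` output for it.

LEFT_RTR=1.1.1.1;  LEFT_NET=10.10.10.0/24
RIGHT_RTR=2.2.2.2; RIGHT_NET=20.20.20.0/24

# spd_conf LOCAL_NET LOCAL_RTR REMOTE_NET REMOTE_RTR
# Prints the two spdadd rules for one router: out toward the peer, in from it.
# The right side is the same call with the two argument pairs swapped.
spd_conf() {
    printf 'spdadd %s %s any -P out ipsec\n  esp/tunnel/%s-%s/require;\n' "$1" "$3" "$2" "$4"
    printf 'spdadd %s %s any -P in ipsec\n  esp/tunnel/%s-%s/require;\n' "$3" "$1" "$4" "$2"
}

# spd_check LOCAL_NET LOCAL_RTR REMOTE_NET REMOTE_RTR  (setkey -P -D on stdin)
# Returns 0 only when both the outbound and the inbound tunnel policies are
# present and point at the expected tunnel endpoints; anything else is 1.
spd_check() {
    awk -v ln="$1" -v lr="$2" -v rn="$3" -v rr="$4" '
        NF == 3 && $3 == "any"   { src = $1; dst = $2; dir = ""; next }  # selector line
        NF == 2 && $2 == "ipsec" { dir = $1; next }                     # "in ipsec" / "out ipsec"
        dir == "out" && src == (ln "[any]") && dst == (rn "[any]") &&
            $1 == ("esp/tunnel/" lr "-" rr "/require") { have_out = 1 }
        dir == "in"  && src == (rn "[any]") && dst == (ln "[any]") &&
            $1 == ("esp/tunnel/" rr "-" lr "/require") { have_in = 1 }
        END { exit (have_out && have_in) ? 0 : 1 }'
}

# Constructed sample of `setkey -P -D` on the left router, modelled on the
# output quoted above rather than captured from a live system.
LEFT_SPD='20.20.20.0/24[any] 10.10.10.0/24[any] any
        in ipsec
        esp/tunnel/2.2.2.2-1.1.1.1/require
        spid=4 seq=2 pid=79044
        refcnt=1
10.10.10.0/24[any] 20.20.20.0/24[any] any
        out ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        spid=3 seq=0 pid=79044
        refcnt=1'

# check_left_spd: run the check on the sample from the left router's point of view.
check_left_spd() {
    printf '%s\n' "$LEFT_SPD" | spd_check "$LEFT_NET" "$LEFT_RTR" "$RIGHT_NET" "$RIGHT_RTR"
}

spd_conf "$LEFT_NET" "$LEFT_RTR" "$RIGHT_NET" "$RIGHT_RTR"   # left /etc/ipsec.conf
check_left_spd && echo "left SPD ok" || echo "left SPD incomplete" >&2
```

On a real router, replace the sample with `setkey -P -D | spd_check ...` after `service ipsec onestart`; a missing or misdirected policy (wrong peer, wrong direction) makes the check fail.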
