Date: Fri, 15 Nov 2002 09:47:26 -0600
From: Greg Panula <greg.panula@dolaninformation.com>
To: David Kelly <dkelly@hiwaay.net>
Cc: FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <3DD5170E.5C32DF02@dolaninformation.com>
References: <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com> <20021115145342.GA4032@grumpy.dyndns.org>
David Kelly wrote:
>
> On Fri, Nov 15, 2002 at 07:21:21AM -0600, Greg Panula wrote:
>
> > If you are using gif tunnels for passing your ipsec traffic through you
> > might want to try not using them. I ran into some similar funkiness a
> > while back. Packets traverse the gif tunnel, get decrypted and then get
> > rejected by the firewall rules for the external interface.
> >
> > If you would like a quickie example of ipsec tunnel setup between two
> > freebsd boxes, let me know.
>
> Have a suspicion I'm not really using gif although I've configured the
> interfaces. Earlier yesterday found I had not updated an IP address in
> the gif0 device which changed a month or two prior. Yet things were still
> working.
>
> So yes, please, I'd like to see your notes on how to IPsec tunnel
> without gif.
>
Quickie how-to for ipsec tunnel between two freebsd gateways. Assumes
racoon is installed & gateways use automatic key exchange. Usable
sample racoon.conf included.
Network A: 10.1.1.0/24
Gateway A: int nic=10.1.1.1 ext nic=1.1.1.1
Network B: 10.2.2.0/24
Gateway B: int nic=10.2.2.1 ext nic=2.2.2.1
SPD setup on Gateway A:
setkey -c << EOF
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.1/unique;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;
EOF
SPD setup on Gateway B:
setkey -c << EOF
spdadd 10.1.1.0/24 10.2.2.0/24 any -P in ipsec esp/tunnel/1.1.1.1-2.2.2.1/unique;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;
EOF
**The above 'spdadd' commands are *one* line each. Adding the spdadd
lines to /etc/ipsec.conf will get the spds added in at boot-time.
Next is either adding a pre-shared secret to
/usr/local/etc/racoon/psk.txt or setting up certificates. Sorry, haven't
done certs yet. Format of psk.txt is
<hostname/ip address><tab><pre-shared secret>.
Here is a fairly generic /usr/local/etc/racoon/racoon.conf
configuration. It should be usable on both gateways. (works for
me<grin>).
### begin ###
# "path" must be placed before it is used.
# You can override a path you have already defined, but that is confusing
# and not recommended.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;
# "log" specifies logging level.
# It is followed by either "notify", "debug"
# or "debug2".
#log debug;
log notify;
# "padding" defines some parameter of padding.
# You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize on; # enable randomize length.
randomize_length on;
strict_check off; # enable strict check.
exclusive_tail on; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 40 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 300 sec;
phase2 300 sec;
}
remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode main,aggressive,base;
doi ipsec_doi;
#situation identity_only;
verify_identifier off;
send_cert off;
send_cr off;
nonce_size 16;
lifetime time 15 min; # sec,min,hour
#lifetime byte 5 MB; # B,KB,GB
initial_contact on;
support_mip6 off;
proposal_check claim; # obey, strict or claim
# If clients are connecting from dynamic addresses
# set generate_policy to "on"
generate_policy off;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
#pfs_group 1;
# commented out pfs_group so that any pfs_group would be accepted
lifetime time 3600 sec;
#lifetime byte 50 MB;
encryption_algorithm blowfish,3des,des,cast128 ;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
### end ###
If connecting your freebsd ipsec gateway to other equipment, e.g.
linksys vpn router, you might want to set net.key.prefered_oldsa to
zero.
Let me know if you have questions or problems. I might be able to help.
greg
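Added example, not code from Greg's message or from the racoon/KAME project: a small POSIX shell script that derives the two one-line spdadd policies for each gateway from the addressing in the how-to above, checks that the two gateways' SPDs mirror each other (A's "out" policy must be B's "in" policy with the same selectors and tunnel endpoints), builds a psk.txt entry with the required TAB separator, and checks that psk.txt is readable only by its owner. The function names (gen_spd, spd_mirrors, psk_line, psk_file_private) and the addresses are assumptions taken from or invented for this example; the script prints setkey input but never runs setkey or racoon.

```sh
#!/bin/sh
# Added example (not from the original message): generate and cross-check
# the SPD entries for the two-gateway tunnel described in the how-to.
# Nothing here loads policy; review the output, then feed it to setkey.

# Topology from the how-to (constructed example addresses)
NET_A=10.1.1.0/24; GW_A=1.1.1.1
NET_B=10.2.2.0/24; GW_B=2.2.2.1

# gen_spd LOCAL_NET LOCAL_GW REMOTE_NET REMOTE_GW
# Prints the outbound policy, then the inbound one, each on ONE line as
# setkey(8) expects.
gen_spd() {
    lnet=$1; lgw=$2; rnet=$3; rgw=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw"
}

# spd_mirrors SPD_A SPD_B
# Returns 0 when A's "out" policy equals B's "in" policy (and vice versa)
# apart from the direction keyword, i.e. selectors and tunnel endpoints
# agree on both gateways. A mismatch here is the usual cause of a tunnel
# that negotiates but drops traffic.
spd_mirrors() {
    a_out=$(printf '%s\n' "$1" | grep -e '-P out ')
    a_in=$(printf '%s\n' "$1" | grep -e '-P in ')
    b_out=$(printf '%s\n' "$2" | grep -e '-P out ')
    b_in=$(printf '%s\n' "$2" | grep -e '-P in ')
    [ "$(printf '%s' "$a_out" | sed 's/-P out /-P in /')" = "$b_in" ] &&
    [ "$(printf '%s' "$b_out" | sed 's/-P out /-P in /')" = "$a_in" ]
}

# psk_line PEER SECRET
# psk.txt format is <hostname or IP><TAB><secret>; spaces do not work,
# so the separator is emitted as a literal tab character.
psk_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# psk_file_private FILE
# psk.txt holds the shared secret, so it should be mode 0600. Uses ls(1)
# rather than stat(1) because the stat flags differ between BSD and GNU.
psk_file_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo: print the setkey input for both gateways and confirm they match.
SPD_A=$(gen_spd "$NET_A" "$GW_A" "$NET_B" "$GW_B")
SPD_B=$(gen_spd "$NET_B" "$GW_B" "$NET_A" "$GW_A")
echo "# Gateway A: setkey -c << EOF"; echo "$SPD_A"; echo "EOF"
echo "# Gateway B: setkey -c << EOF"; echo "$SPD_B"; echo "EOF"
if spd_mirrors "$SPD_A" "$SPD_B"; then
    echo "# SPDs on A and B mirror each other"
else
    echo "# SPD mismatch between gateways" >&2
fi
echo "# psk.txt entry on Gateway A (constructed secret):"
psk_line "$GW_B" "replace-with-a-real-secret"
```

Run it on either gateway after editing the four variables; the printed block for that gateway can be pasted into /etc/ipsec.conf so the policies come up at boot, as the message notes.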