From: rascal <rascal1981@gmail.com>
To: rascal, freebsd-net@freebsd.org
Date: Tue, 14 Jul 2009 21:43:56 -0400
Subject: Re: question regarding IPSEC Setup
Message-ID: <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com>
In-Reply-To: <20090715001514.GU6896@verio.net>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

Thanks very much David, I really appreciate it! I have the racoon2 package; does this make a big difference, or do these configs work close to the same?

On Tue, Jul 14, 2009 at 8:15 PM, David DeSimone wrote:
> rascal wrote:
> >
> > Thanks for the input on this everyone! Eugene, I'll take you up on
> > your offer of examples! I have a good idea of how to do this, I
> > just want to make sure I get it right and if I have some examples to
> > compare to that would be great! Thanks much!
>
> Here is an example IPSEC config that we use, that interoperates with
> Cisco, Checkpoint, and probably other standard IPSEC implementations.
>
> We're using PF for firewalling.
>
> Example config:
>
> Here: 11.22.33.44 (FreeBSD machine)
>
> Networks behind:
>   10.10.30.40/24
>   10.10.30.50/24
>
> There: 55.66.77.88 (Some other IPSEC)
>
> Networks behind:
>   10.20.50.60/24
>   10.20.50.70/24
>
> Parameters:
>   IKE:
>     Phase 1:
>       Pre-shared Secret
>       AES + SHA1
>       DH Group 2
>       Lifetime 24 hours
>     Phase 2:
>       One SPI per subnet pair
>       No PFS
>       Lifetime 1 hour
>   ESP:
>     AES + SHA1
>
> Kernel build options:
>
>   options IPSEC
>   options IPSEC_ESP
>   options IPSEC_DEBUG
>
> /etc/rc.conf:
>
>   gateway_enable="YES"
>
>   pf_enable="YES"
>   pf_rules="/usr/local/etc/pf.conf"
>
>   racoon_enable="YES"
>   ipsec_enable="YES"
>   ipsec_file="/usr/local/etc/ipsec.conf"
>
> Partial /usr/local/etc/pf.conf:
>
>   EXT="dc0"        # Interface for external traffic
>   EXTIP="(dc0)"    # External virtual IP
>
>   # <ipsec_peers> is an assumed table name; the angle-bracketed name
>   # did not survive archiving, but PF table syntax requires one
>   table <ipsec_peers> file "/usr/local/etc/ipsec.peers"
>
>   pass in log quick on $EXT proto udp from <ipsec_peers> to $EXTIP port 500 keep state
>   pass in quick on $EXT proto esp from <ipsec_peers> to $EXTIP keep state
>
> /usr/local/etc/ipsec.peers:
>
>   55.66.77.88
>
> /usr/local/etc/ipsec.conf:
>
>   spdflush;
>
>   spdadd 10.20.50.60/24 10.10.30.40/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.40/24 10.20.50.60/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>   spdadd 10.20.50.60/24 10.10.30.50/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.50/24 10.20.50.60/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>   spdadd 10.20.50.70/24 10.10.30.40/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.40/24 10.20.50.70/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>   spdadd 10.20.50.70/24 10.10.30.50/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.50/24 10.20.50.70/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> /usr/local/etc/racoon/racoon.conf:
>
>   log debug;    # notify(*), debug, debug2
>
>   path pre_shared_key "/usr/local/etc/ipsec.keys";
>   path pidfile "/var/run/racoon.pid";
>
>   listen
>   {
>       isakmp 11.22.33.44;
>       strict_address;    # Needed?
>   }
>
>   remote 55.66.77.88
>   {
>       exchange_mode aggressive,main,base;
>
>       my_identifier address 11.22.33.44;
>       peers_identifier address 55.66.77.88;
>
>       verify_identifier off;
>
>       proposal_check claim;    # obey, strict, claim(*), exact(*)
>
>       proposal
>       {
>           encryption_algorithm aes;
>           hash_algorithm sha1;
>           authentication_method pre_shared_key;
>           dh_group 2;
>           lifetime time 24 hours;
>       }
>   }
>
>   sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
> /usr/local/etc/ipsec.keys: (chmod 600!)
>
>   # Keys for IPSEC
>   # Remote IP, shared key
>
>   55.66.77.88   SecretKey!!
>
>
> The main difficulty is making sure you've got every different direction
> of source and destination subnet cross-referenced in your SPD config and
> the exact same entries configured in your racoon config.
>
> In our setup, we auto-generate these files from a master config file,
> but regrettably I cannot release the code for this...
>
>
> Anyway, I hope this gives you some idea how to set up IPSEC. Debugging
> is of course the next step. Never assume that your peer has configured
> everything right. :)
>
> Make sure your ipsec.keys file is not readable by anyone but root, or
> racoon will silently ignore it.
>
> --
> David DeSimone == Network Admin == fox@verio.net
> "I don't like spinach, and I'm glad I don't, because if I
>  liked it I'd eat it, and I just hate it." -- Clarence Darrow
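The cross-referencing David describes (one in and one out SPD entry for every source/destination subnet pair, with an identical sainfo entry in racoon.conf) is mechanical enough to generate and to verify. The script below is an added example, not David's generator (which he says he cannot release) and not part of this thread: it builds both files from a small master description using the addresses from the quoted config, parses them back to confirm every SPD pair has a matching sainfo and vice versa, and includes the pre-shared-key permission check he mentions. The function names, the MASTER layout and the regexes are my own assumptions; the generated syntax follows the quoted setkey and racoon files.

```python
"""Added example (not David DeSimone's generator, which he says he cannot
release): build the setkey SPD entries and the matching racoon sainfo blocks
from one master description, then cross-check the two. Addresses are the ones
from the quoted message; function names and the MASTER layout are assumptions."""
import itertools
import re
import stat

# Master description of the tunnel, constructed from the quoted config.
MASTER = {
    "here": "11.22.33.44",                        # this FreeBSD gateway
    "there": "55.66.77.88",                       # the remote IPsec peer
    "here_nets": ["10.10.30.40/24", "10.10.30.50/24"],
    "there_nets": ["10.20.50.60/24", "10.20.50.70/24"],
}

# Phase 2 parameters from the quoted racoon.conf (AES + HMAC-SHA1, 1 hour).
SAINFO_TEMPLATE = """sainfo address {src} any address {dst} any
{{
\tlifetime time 1 hour;

\tencryption_algorithm aes;
\tauthentication_algorithm hmac_sha1;
\tcompression_algorithm deflate;
}}
"""


def subnet_pairs(master):
    """Every (remote, local) subnet combination; each needs an in and an out entry."""
    return list(itertools.product(master["there_nets"], master["here_nets"]))


def gen_ipsec_conf(master):
    """setkey policy file: one 'in' and one 'out' spdadd per subnet pair."""
    here, there = master["here"], master["there"]
    lines = ["spdflush;", ""]
    for remote, local in subnet_pairs(master):
        lines += [
            f"spdadd {remote} {local} any \\",
            f"\t-P in ipsec esp/tunnel/{there}-{here}/unique;",
            f"spdadd {local} {remote} any \\",
            f"\t-P out ipsec esp/tunnel/{here}-{there}/unique;",
            "",
        ]
    return "\n".join(lines)


def gen_sainfo(master):
    """racoon sainfo blocks, one per (src, dst) direction, mirroring the SPD."""
    blocks = []
    for remote, local in subnet_pairs(master):
        blocks.append(SAINFO_TEMPLATE.format(src=remote, dst=local))
        blocks.append(SAINFO_TEMPLATE.format(src=local, dst=remote))
    return "\n".join(blocks)


# Parsers for the cross-check; they accept generated or hand-written files.
SPDADD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+any", re.M)
SAINFO_RE = re.compile(r"^sainfo address (\S+) any address (\S+) any", re.M)


def spd_pairs(ipsec_conf):
    """Set of (src, dst) selectors declared with spdadd."""
    return set(SPDADD_RE.findall(ipsec_conf))


def sainfo_pairs(racoon_conf):
    """Set of (src, dst) selectors that have a sainfo block."""
    return set(SAINFO_RE.findall(racoon_conf))


def cross_check(ipsec_conf, racoon_conf):
    """Return (SPD pairs with no sainfo, sainfo pairs with no SPD), both sorted.
    A pair in the first list has a policy but racoon will not negotiate an SA
    for it; a pair in the second is dead configuration."""
    spd, sa = spd_pairs(ipsec_conf), sainfo_pairs(racoon_conf)
    return sorted(spd - sa), sorted(sa - spd)


def psk_mode_ok(st_mode):
    """True if the pre-shared key file has no group/other permission bits,
    the condition David notes racoon enforces (otherwise it ignores the file)."""
    return stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    ipsec_conf = gen_ipsec_conf(MASTER)
    racoon_sainfo = gen_sainfo(MASTER)
    print(ipsec_conf)
    print(racoon_sainfo)
    missing_sainfo, missing_spd = cross_check(ipsec_conf, racoon_sainfo)
    print("SPD pairs without sainfo:", missing_sainfo)
    print("sainfo pairs without SPD:", missing_spd)
```

Run stand-alone it prints the two generated fragments and two empty lists; feed `cross_check` the text of an existing ipsec.conf and racoon.conf to find the pair that was edited in one file but not the other. For the key file, `psk_mode_ok(os.stat("/usr/local/etc/ipsec.keys").st_mode)` reproduces the chmod 600 check before racoon starts and silently drops the key.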