From owner-freebsd-current Thu Feb 24 23:25:53 2000
Delivered-To: freebsd-current@freebsd.org
Received: from fgwmail5.fujitsu.co.jp (fgwmail5.fujitsu.co.jp [192.51.44.35]) by hub.freebsd.org (Postfix) with ESMTP id C98B637BE44 for ; Thu, 24 Feb 2000 23:25:48 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp)
Received: from m5.gw.fujitsu.co.jp by fgwmail5.fujitsu.co.jp (8.9.3/3.7W-MX0002-Fujitsu Gateway) id QAA07644; Fri, 25 Feb 2000 16:25:33 +0900 (JST) (envelope-from shin@nd.net.fujitsu.co.jp)
Received: from chisato.nd.net.fujitsu.co.jp by m5.gw.fujitsu.co.jp (8.9.3/3.7W-0002-Fujitsu Domain Master) id QAA06496; Fri, 25 Feb 2000 16:25:32 +0900 (JST)
Received: from localhost (dhcp25.pkt.ts.fujitsu.co.jp [10.36.204.25]) by chisato.nd.net.fujitsu.co.jp (8.8.5+2.7Wbeta5/3.3W8chisato-970826) with ESMTP id QAA28786; Fri, 25 Feb 2000 16:25:31 +0900 (JST)
In-Reply-To: <200002250653.BAA15415@rtp.tfd.com>
References: <200002250653.BAA15415@rtp.tfd.com>
X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew)
Subject: Re: IPSec/VPN Config
To: kent@tfd.com
Cc: freebsd-current@FreeBSD.ORG
X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20000225162622L.shin@nd.net.fujitsu.co.jp>
Date: Fri, 25 Feb 2000 16:26:22 +0900
From: Yoshinobu Inoue
X-Dispatcher: imput version 990905(IM130)
Lines: 128
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Hi all,
>
> Is there a howto/example guide for configuring IPSec for -current.

Hi,

I prepared one and sent the patches to freebsd-doc yesterday.
I'll attach the IPsec part from the document to the end of this mail.
Also, http://www.kame.net/newsletter/19991007/ might have a better
description of IPsec tunnel setup.

Thanks,
Yoshinobu Inoue

> Needless to say I've spent fruitless hours trying to convince "setkey"
> to send an IPSec packet to my network's internet gateway w/o success.
> My setup is typical: mobile/dynamic-assigned-ip-address freebsd box > trying to contact fixed address/private address network/(net 10)/ network > via an Ascend router with IPSec support. But according to "tcpdump" my > IPSec packets never leave. Help would be appreciated. > > Thanks a bunch. > > Kent ------------------------------------------------------------------- +<<>> + +The current KAME supports both transport mode and tunnel mode. +However, tunnel mode comes with some restrictions. + +IPsec requires fairly complex configuration, so here we show transport +mode only. http://www.kame.net/newsletter/ has more comprehensive +examples. + +Let's setup security association to deploy a secure channel between +HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little +complicated example. From HOST A to HOST B, only old AH is used. +From HOST B to HOST A, new AH and new ESP are combined. + +Now we should choose algorithm to be used corresponding to "AH"/"new +AH"/"ESP"/"new ESP". Please refer to the "setkey" man page to know +algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, +and new-DES-expIV with 8 byte IV for new ESP. + +Key length highly depends on each algorithm. For example, key +length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, +and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", +"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. + +OK, let's assign SPI (Security Parameter Index) for each protocol. +Please note that we need 3 SPIs for this secure channel since three +security headers are produced (one for from HOST A to HOST B, two for +from HOST B to HOST A). Please also note that SPI MUST be greater +than or equal to 256. We choose, 1000, 2000, and 3000, respectively. 
+ + + (1) + HOST A ------> HOST B + + (1)PROTO=AH + ALG=MD5(RFC1826) + KEY=MYSECRETMYSECRET + SPI=1000 + + (2.1) + HOST A <------ HOST B + <------ + (2.2) + + (2.1) + PROTO=AH + ALG=new-HMAC-SHA1(new AH) + KEY=KAMEKAMEKAMEKAMEKAME + SPI=2000 + + (2.2) + PROTO=ESP + ALG=new-DES-expIV(new ESP) + IV length = 8 + KEY=PASSWORD + SPI=3000 + +Now, let's setup security association. Execute "setkey" on both HOST +A and B: + +# setkey -c +add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ; +add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ; +add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ; +^D + +Actually, IPsec communication doesn't process until security policy +entries will be defined. In this case, you must setup each host. + +At A: +# setkey -c +spdadd 10.2.3.4 10.6.7.8 any -P out ipsec + ah/transport/10.2.3.4-10.6.7.8/require ; +^D + +At B: +spdadd 10.6.7.8 10.2.3.4 any -P out ipsec + esp/transport/10.6.7.8-10.2.3.4/require ; +spdadd 10.6.7.8 10.2.3.4 any -P out ipsec + ah/transport/10.6.7.8-10.2.3.4/require ; +^D + +To utilize the security associations installed into the kernel, you +must set the socket security level by using setsockopt(). +This is per-application (or per-socket) security. For example, +the "ping" command has the -P option with parameter to enable AH and/or ESP. + +For example: +% ping -P "out ipsec \ + ah/transport/10.0.1.1-10.0.2.2/use \ + esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2 + +If there are proper SAs, this policy specification causes ICMP packet +to be AH transport mode inner ESP tunnel mode like below. + + HOST C -----------> GATEWAY D ----------> HOST E + 10.0.1.1 10.0.1.2 10.0.2.1 10.0.2.2 + | | | | + | ======= ESP ======= | + ==================== AH ================== + + To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
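Review bot: the algorithm names used in the prose of this hunk ("MD5", "new-HMAC-SHA1", "new-DES-expIV" with an 8 byte IV) are not the names the `add` lines a few lines later actually pass to setkey (`keyed-md5`, `hmac-sha1`, `des-cbc`), so a reader sent to the setkey man page to "know algorithm names" will not find "new-DES-expIV" there; either use the setkey names in the prose or state explicitly that "new AH" and "new ESP" correspond to `-A hmac-sha1` and `-E des-cbc` in the commands. Three smaller points in the same hunk: (1) the "At B:" policy block omits the `# setkey -c` prompt that "At A:" has, leaving its trailing `^D` dangling; (2) "To utilize the security associations installed into the kernel, you must set the socket security level by using setsockopt()" reads as contradicting the spdadd step just above it, since the spdadd policies already apply to every packet matching their selectors without any per-socket call; describe setsockopt() and the ping -P policy as the per-socket alternative or override rather than a requirement; (3) the ping -P example switches to tunnel mode and to hosts 10.0.1.1/10.0.1.2/10.0.2.2 for which no SAs were shown, right after the text says only transport mode is covered, so say that those SAs are assumed to exist. Finally, because this is handbook text people will paste verbatim, the ASCII keys ("MYSECRETMYSECRET", "KAMEKAMEKAMEKAMEKAME", "PASSWORD") and the choice of RFC1826 keyed-md5 and single DES deserve one sentence telling readers to generate random keys of the required length (setkey also accepts hex keys written as 0x...) and to prefer `hmac-sha1` and `3des-cbc`, which the same setkey supports, over the "old AH" and single-DES options shown.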