Date: Tue, 24 Apr 2001 23:52:26 -0700
From: steve@Watt.COM (Steve Watt)
To: questions@freebsd.org
Subject: Re: VPN / VLAN configuration
Message-ID: <200104250652.f3P6qQg06374@wattres.Watt.COM>
In-Reply-To: <988031064-m2n-gw@Watt.COM>
dougy@bryden.apana.org.au wrote:
>I'd appreciate suggestions from anyone who has setup VPN / VLAN.
>The only HOWTO I've found to date is the freebsddiary.org one (using
>pipsecd) that appears to be quite straightforward. Whilst there is no
>mention of compiling options IPSEC into the kernel, several postings I found
>in the mailing list archives appear to suggest this is required.
>Is this the case & are there other ways of creating VPN / VLAN that I should
>consider ??

VPN and VLAN are, as several folks have pointed out, two different things.
Since you also said IPsec, I'll assume you meant VPN.

If you're dealing with systems that do not have NAT boxes in front of
them, it's surprisingly straightforward:

1. Add options IPSEC to the kernel, rebuild, install, reboot
2. Install racoon from the ports (/usr/ports/security/racoon)
3. Add security policies to /etc/ipsec.conf, enable ipsec in rc.conf
4. Configure and start racoon
5. Add routes to the destination network

The expanded versions:

1. Add options IPSEC to the kernel, rebuild, install, reboot

This has been covered many times in many places. Try the Handbook for a
good start.

2. Install racoon from the ports

# cd /usr/ports/security/racoon
# make install

If you don't have the ports collection installed, you really should.

3. Add security policies to /etc/ipsec.conf

Let's assume you've got two networks, 10.local and 10.remote, that you
wish to join together via a VPN connection. The machine that is to be
gateway for 10.local/24 has internal IP address 10.local.1, and an
Internet-connected IP address of 192.0.2.2. The machine that is to be
gateway for 10.remote/24 has internal IP address 10.remote.1, and an
Internet-connected IP address of 192.0.3.3.

To allow traffic to pass both ways, you'll need the following two rules
in /etc/ipsec.conf on the 10.local gateway:

- - - 8< - - - /etc/ipsec.conf@10.local gateway - - -
spdadd 10.local.0/24 10.remote.0/24 any -P out ipsec esp/tunnel/192.0.2.2-192.0.3.3/require;
spdadd 10.remote.0/24 10.local.0/24 any -P in ipsec esp/tunnel/192.0.3.3-192.0.2.2/require;
- - - >8 - - - /etc/ipsec.conf@10.local gateway - - -

And this is what the 10.remote machine'll look like:

- - - 8< - - - /etc/ipsec.conf@10.remote gateway - - -
spdadd 10.remote.0/24 10.local.0/24 any -P out ipsec esp/tunnel/192.0.3.3-192.0.2.2/require;
spdadd 10.local.0/24 10.remote.0/24 any -P in ipsec esp/tunnel/192.0.2.2-192.0.3.3/require;
- - - >8 - - - /etc/ipsec.conf@10.remote gateway - - -

You can stuff these into the kernel at whim by using the setkey(8)
command, or by adding ipsec_enable="YES" to rc.conf and rebooting.

4. Configure and start racoon

I'm using the following racoon.conf on all machines:

- - - 8< - - - /usr/local/etc/racoon/racoon.conf - - -
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

log notify;

# "padding" defines some parameter of padding. You should not touch these.
padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# Specification of default various timer.
timer {
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous {
    exchange_mode main,aggressive;
    #exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;

    # Identifier stuff here?
    # Naw, this is for w2k guys.

    nonce_size 16;
    lifetime time 8 hour;   # sec,min,hour
    lifetime byte 500 MB;   # B,KB,GB
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    lifetime byte 50 MB;
    encryption_algorithm 3des,des,cast128,blowfish ;
    authentication_algorithm hmac_md5,hmac_sha1;
    compression_algorithm deflate ;
}
- - - >8 - - - /usr/local/etc/racoon/racoon.conf - - -

You'll also need to add "pre-shared keys" to both machines. Those go in
/usr/local/etc/racoon/psk.txt, and are in the format

ipaddress key

So, for example, you could use the same pre-shared key file on all
machines you admin, and it could contain something like:

- - - 8< - - - /usr/local/etc/racoon/psk.txt - - -
192.0.2.2 ALousySecretKey-192.0.2.2
192.0.3.3 ALousySecretKey-192.0.3.3
- - - >8 - - - /usr/local/etc/racoon/psk.txt - - -

Note that the preshared key doesn't need to be cryptographically
interesting, because it is never used directly as a key, nor exposed to
the 'net. You do need to protect it a fair amount, though, and racoon
won't talk to the pre-shared key file if it's not mode 600.

Starting racoon is easy, though to be fancy you might want to create a
script in /usr/local/etc/rc.d/racoon.sh. I'll leave that little bit of
code as an exercise.

5. Add routes to the destination network

This is actually the most subtle piece, or at least the one that took me
the longest to figure out: you must add a route to the remote network
that points at the *inside address* of the local machine, otherwise you
won't be able to talk between the gateways themselves over the IPsec
link.

local-gw# route add 10.remote.0/24 10.local.1
remote-gw# route add 10.local.0/24 10.remote.1

Or, in /etc/rc.conf, add

- - - 8< - - - /etc/rc.conf snippet @ local gateway - - -
static_routes="remote_net"    # just a name used to find the route string
route_remote_net="10.remote.0/24 10.local.1"
- - - >8 - - - /etc/rc.conf snippet @ local gateway - - -

Debugging tips:

1. Use tcpdump; it is your friend. Remember to give it a long-enough
snaplen (-s) to capture the full isakmp exchange. The command I've been
using is:

# tcpdump -s 512 -i xl0 esp or port 500

Port 500 is the key exchange protocol port. esp is the tunnel protocol.

2. Turn on all.log in syslog.conf and watch racoon's noise. Racoon has a
fairly verbose level of logging built in, and it's a good thing.

Hope that helps!

--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
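The two ipsec.conf files in step 3 are mirror images of each other, and the psk.txt in step 4 is only accepted by racoon when it is mode 600. The script below is an added example, not part of Steve's mail or of the racoon project: it derives both gateways' spdadd lines from one set of parameters (so the "out" rule on one side and the "in" rule on the other cannot drift apart), creates a psk.txt under umask 077 so it is born mode 600, and checks the mode the way racoon's refusal implies. The inside networks 10.1.0.0/24 and 10.2.0.0/24 and the key strings are constructed placeholders standing in for the mail's 10.local, 10.remote and ALousySecretKey values; the outside addresses 192.0.2.2 and 192.0.3.3 are the ones from the mail. Nothing here touches the kernel SPD; feed the printed lines to setkey(8) yourself once they look right.

```shell
#!/bin/sh
# Added example (not from the original mail): generate mirrored SPD entries
# for both IPsec gateways and verify psk.txt is mode 600 before trusting it.

# Constructed values standing in for the mail's 10.local / 10.remote networks.
LOCAL_NET="10.1.0.0/24"    # constructed
REMOTE_NET="10.2.0.0/24"   # constructed
LOCAL_GW="192.0.2.2"       # outside address of the local gateway (from the mail)
REMOTE_GW="192.0.3.3"      # outside address of the remote gateway (from the mail)

# gen_spd NEAR_NET FAR_NET NEAR_GW FAR_GW
# Prints the two spdadd lines for the gateway that fronts NEAR_NET: an "out"
# policy for NEAR_NET -> FAR_NET tunnelled NEAR_GW -> FAR_GW and the reverse
# "in" policy. Calling it with the arguments swapped yields the other
# gateway's file, so both sides are derived from the same four values.
gen_spd() {
    near_net=$1; far_net=$2; near_gw=$3; far_gw=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$near_net" "$far_net" "$near_gw" "$far_gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$far_net" "$near_net" "$far_gw" "$near_gw"
}

# psk_mode_ok FILE
# Returns 0 only for a regular file whose permission bits are exactly
# rw------- (0600). Reads the bits from ls -l so it behaves the same on
# FreeBSD and Linux, where stat(1) takes different flags.
psk_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -l "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# write_psk FILE
# Writes a psk.txt in the mail's "ipaddress key" layout. The subshell sets
# umask 077 so a newly created file gets mode 600 at creation time instead
# of being loosened first and tightened later. Keys are constructed placeholders.
write_psk() {
    ( umask 077
      printf '%s %s\n' "$LOCAL_GW"  "placeholder-key-for-$LOCAL_GW"  >  "$1"
      printf '%s %s\n' "$REMOTE_GW" "placeholder-key-for-$REMOTE_GW" >> "$1" )
    psk_mode_ok "$1"
}

# demo: print both gateways' ipsec.conf bodies, then show the psk.txt check
# passing on a fresh file and failing after a careless chmod.
demo() {
    echo "# /etc/ipsec.conf on the local gateway ($LOCAL_GW)"
    gen_spd "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW"
    echo "# /etc/ipsec.conf on the remote gateway ($REMOTE_GW)"
    gen_spd "$REMOTE_NET" "$LOCAL_NET" "$REMOTE_GW" "$LOCAL_GW"

    tmp=$(mktemp) || return 1
    if write_psk "$tmp"; then
        echo "psk.txt written with mode 600: racoon would accept it"
    fi
    chmod 644 "$tmp"
    if psk_mode_ok "$tmp"; then
        echo "unexpected: mode check passed on a 644 file"
    else
        echo "psk.txt now mode 644: racoon would refuse it"
    fi
    rm -f "$tmp"
}

demo
```

Running it prints the local and remote ipsec.conf bodies for the constructed networks, followed by the two mode-check results. The demo writes only to a mktemp file; point write_psk at /usr/local/etc/racoon/psk.txt on a real gateway and keep the umask 077 subshell, since it is the cheapest way to make sure the file never exists in a readable state.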