Date: Wed, 22 Sep 2004 18:19:53 -0700
From: Julian Elischer <julian@elischer.org>
To: miha@ghuug.org
Cc: freebsd-net@freebsd.org
Subject: Re: question on tunnels (VPN)
Message-ID: <415224B9.6070603@elischer.org>
In-Reply-To: <200409222304.18427.miha@ghuug.org>
References: <200409221617.59860.miha@ghuug.org> <4151EE16.1020100@elischer.org> <200409222304.18427.miha@ghuug.org>
Mikhail P. wrote:
>On Wednesday 22 September 2004 21:26, Julian Elischer wrote:
>
>>I use MPD using the "UDP" transport.
>>
>>in other words packets get sent as udp packets.
>>
>>I then set up IPSEC to encrypt the UDP packets..
>>
>>when I had a NAT in the way I did further encapsulate the GRE packets in
>>UDP again :-)
>>
>
>Julian,
>
>Thank you for your quick response.
>Do you have any pointers on how to implement such a setup to send traffic as UDP
>in MPD?
>

look under 'link commands' in the mpd docs.

here are my (obfuscated) config files..

# cat mpd.conf
default:
        set login ConsoleLogin
        log -console
        load vpn-lax
        load vpn-chi

# bundle-level settings shared by both sites
vpn_standard:
        set iface disable on-demand
        set iface idle 0
        set iface mtu 1500
        set ipcp yes vjcomp
        set bundle enable multilink
#       set bundle enable round-robin

# link-level settings shared by all four links
tun_standard:
        set link yes acfcomp protocomp
        set link no pap
        set link no chap
        set link keep-alive 2 15
        set link mru 900
        set link mtu 900
#       set link bandwidth 1440000

############### per-link settings #################

vpn-lax:
        new -i ng0 vpn-lax lax-ISP-B lax-ISP-A
        set iface addrs 10.x.x.x 10.z.z.z
        set iface route 192.168.aa.0/24
        set ipcp ranges 10.x.x.x/32 10.z.z.z/32
        load vpn_standard
        link lax-ISP-B
        load tun_standard
        link lax-ISP-A
        load tun_standard
        open

vpn-chi:
        new -i ng1 vpn-chi chi-ISP-B chi-ISP-A
        set iface addrs 10.x.x.x 10.y.y.y
        set iface route 192.168.bb.0/24
        set ipcp ranges 10.x.x.x/32 10.y.y.y/32
        load vpn_standard
        link chi-ISP-B
        load tun_standard
        link chi-ISP-A
        load tun_standard
        open

# cat mpd.links
# one UDP link per ISP pair; "self" is our address, "peer" is the remote site's
lax-ISP-B:
        set link type udp
        set udp self bb.bb.bb.bb 4029
        set udp peer aa.aa.aa.aa 4029

lax-ISP-A:
        set link type udp
        set udp self dd.dd.dd.dd 4029
        set udp peer cc.cc.cc.cc 4029

chi-ISP-B:
        set link type udp
        set udp self bb.bb.bb.bb 4028
        set udp peer ee.ee.ee.ee 4028

chi-ISP-A:
        set link type udp
        set udp self dd.dd.dd.dd 4028
        set udp peer ff.ff.ff.ff 4028

these are the config files for a machine on the internet that is connected to 2 other sites,
in LA and Chicago for example. Each site has a network behind it in the 192.168 range.
The links themselves are in the 10.xx.xx.xx range.
There are two LINKs for each bundle as we connect to the internet via 2 ISPs at each site
and use MPD's bonding to provide failover and soft degradation.
probably you don't have 2 ISPs..

In addition to this we have ipsec set up as follows:

# cat /etc/ipsec.conf
flush;
spdflush;
# LAX: one in/out policy pair per UDP link endpoint pair, transport mode ESP required
spdadd aa.aa.aa.aa bb.bb.bb.bb any -P in ipsec esp/transport//require;
spdadd bb.bb.bb.bb aa.aa.aa.aa any -P out ipsec esp/transport//require;
spdadd cc.cc.cc.cc dd.dd.dd.dd any -P in ipsec esp/transport//require;
spdadd dd.dd.dd.dd cc.cc.cc.cc any -P out ipsec esp/transport//require;
# Chicago
spdadd bb.bb.bb.bb ee.ee.ee.ee any -P out ipsec esp/transport//require;
spdadd ee.ee.ee.ee bb.bb.bb.bb any -P in ipsec esp/transport//require;
spdadd dd.dd.dd.dd ff.ff.ff.ff any -P out ipsec esp/transport//require;
spdadd ff.ff.ff.ff dd.dd.dd.dd any -P in ipsec esp/transport//require;

and we run racoon for key serving..
this is the simplest config file we sometimes use:
(when we have just pre-shared secrets to start off the sequence)
normally we use certs but it gets trickier..

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
log notify;

padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomized length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen {
        isakmp bb.bb.bb.bb [500];
        isakmp dd.dd.dd.dd [500];
        strict_address;         # required: all addresses must be bound.
}

timer {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous {
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        initial_contact on;
        support_mip6 off;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous {
        pfs_group 1;
        lifetime time 10 min;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

don't forget to set..
sysctl net.key.prefered_oldsa=0

I'll leave the firewalls and routing to you :-)

>regards,
>M.
>
>
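The setup above only encrypts the MPD traffic if every UDP link in mpd.links has a matching inbound and outbound "require" policy in ipsec.conf; a link whose endpoint pair is missing from the SPD, or whose policy uses level "use" instead of "require", silently carries the GRE-over-UDP frames in the clear. The following checker is an added example, not code from Julian's message or from the mpd or racoon projects: it parses the two files in the formats shown above, derives the SPD entries each UDP link needs, and reports the ones that are absent. The sample configs embedded in it are constructed for the example, use RFC 5737 documentation addresses in place of the obfuscated ones, and deliberately omit one outbound policy.

```python
"""Cross-check mpd.links UDP link endpoints against ipsec.conf SPD entries.

Added example; the regexes cover the mpd.links / setkey syntax shown in the
message, not the full grammar of either tool.
"""
import re

# Constructed sample mpd.links (documentation addresses, not real endpoints).
MPD_LINKS = """\
lax-ISP-B:
        set link type udp
        set udp self 192.0.2.10 4029
        set udp peer 198.51.100.20 4029

lax-ISP-A:
        set link type udp
        set udp self 192.0.2.11 4029
        set udp peer 198.51.100.21 4029
"""

# Constructed sample ipsec.conf: the lax-ISP-A outbound policy is missing on
# purpose, so that link would send its UDP payload unencrypted.
IPSEC_CONF = """\
flush;
spdflush;
spdadd 198.51.100.20 192.0.2.10 any -P in ipsec esp/transport//require;
spdadd 192.0.2.10 198.51.100.20 any -P out ipsec esp/transport//require;
spdadd 198.51.100.21 192.0.2.11 any -P in ipsec esp/transport//require;
"""

LINK_RE = re.compile(r"^(\S+):\s*$")
TYPE_RE = re.compile(r"^\s*set\s+link\s+type\s+(\S+)\s*$")
UDP_RE = re.compile(r"^\s*set\s+udp\s+(self|peer)\s+(\S+)\s+(\d+)\s*$")
SPD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+?)\s*;\s*$"
)


def parse_mpd_links(text):
    """Return {name: {'self': (ip, port), 'peer': (ip, port)}} for UDP links only."""
    links, cur = {}, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            cur = m.group(1)
            links[cur] = {}
            continue
        if cur is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            links[cur]["type"] = m.group(1)
            continue
        m = UDP_RE.match(line)
        if m:
            links[cur][m.group(1)] = (m.group(2), int(m.group(3)))
    return {n: d for n, d in links.items()
            if d.get("type") == "udp" and "self" in d and "peer" in d}


def required_policies(links):
    """Each UDP link needs peer->self 'in' and self->peer 'out' ESP policies."""
    req = set()
    for d in links.values():
        me, peer = d["self"][0], d["peer"][0]
        req.add((peer, me, "in"))
        req.add((me, peer, "out"))
    return req


def parse_ipsec_conf(text):
    """Collect (src, dst, dir) for policies that *require* transport-mode ESP.

    A level of 'use' (or a tunnel-mode policy) is not counted, since it would
    not guarantee the MPD packets are encrypted.
    """
    found = set()
    for line in text.splitlines():
        m = SPD_RE.match(line)
        if not m:
            continue
        parts = m.group(5).split("/")      # e.g. esp/transport//require
        if parts[0] == "esp" and parts[1] == "transport" and parts[-1] == "require":
            found.add((m.group(1), m.group(2), m.group(4)))
    return found


def missing_policies(links_text, ipsec_text):
    """Sorted list of (src, dst, dir) the SPD lacks for the configured UDP links."""
    need = required_policies(parse_mpd_links(links_text))
    return sorted(need - parse_ipsec_conf(ipsec_text))


def setkey_lines(policies):
    """Render missing policies as setkey spdadd lines in the same form as above."""
    return ["spdadd %s %s any -P %s ipsec esp/transport//require;" % p
            for p in policies]


if __name__ == "__main__":
    for line in setkey_lines(missing_policies(MPD_LINKS, IPSEC_CONF)):
        print("MISSING:", line)
```

Run against real files, the script would read mpd.links and ipsec.conf instead of the embedded samples; the emitted spdadd lines can be appended to ipsec.conf and loaded with setkey -f. The check is deliberately strict about the level keyword: "require" is what makes plaintext fallback impossible.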