From: Greg Panula <greg.panula@dolaninformation.com>
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
Date: Fri, 15 Nov 2002 09:47:26 -0600
Message-ID: <3DD5170E.5C32DF02@dolaninformation.com>
To: David Kelly
Cc: FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
References: <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com> <20021115145342.GA4032@grumpy.dyndns.org>
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)

David Kelly wrote:
>
> On Fri, Nov 15, 2002 at 07:21:21AM -0600, Greg Panula wrote:
> >
> > If you are using gif tunnels for passing your ipsec traffic thru you
> > might want to try not using them. I ran into some similar funkiness a
> > while back. Packets traverse the gif tunnel, get decrypted and then get
> > rejected by the firewall rules for the external interface.
> >
> > If you would like a quickie example of ipsec tunnel setup between two
> > freebsd boxes, let me know.
>
> Have a suspicion I'm not really using gif although I've configured the
> interfaces. Earlier yesterday found I had not updated an IP address in
> the gif0 device which changed a month or two prior. Yet things were still
> working.
>
> So yes, please, I'd like to see your notes on how to IPsec tunnel
> without gif.

Quickie how-to for an ipsec tunnel between two freebsd gateways. Assumes
racoon is installed & the gateways use automatic key exchange. A usable
sample racoon.conf is included.

Network A: 10.1.1.0/24
Gateway A: int nic=10.1.1.1  ext nic=1.1.1.1

Network B: 10.2.2.0/24
Gateway B: int nic=10.2.2.1  ext nic=2.2.2.1

SPD setup on Gateway A:

setkey -c << EOF
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.1/unique;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;
EOF

SPD setup on Gateway B:

setkey -c << EOF
spdadd 10.1.1.0/24 10.2.2.0/24 any -P in ipsec esp/tunnel/1.1.1.1-2.2.2.1/unique;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;
EOF

**The above 'spdadd' commands are *one* line each.
Adding the spdadd lines to /etc/ipsec.conf will get the SPDs added at
boot-time.

Next is either adding a pre-shared secret to /usr/local/etc/racoon/psk.txt
or setting up certificates. Sorry, I haven't done certs yet. Format of
psk.txt is .

Here is a fairly generic /usr/local/etc/racoon/racoon.conf configuration.
It should be usable on both gateways. (works for me).

### begin ###
# "path" must be placed before it is used.
# You can override a path that was defined earlier, but doing so is
# confusing and should be avoided.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key entries with various ID keys.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate files in this directory
# if a certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies the logging level.
# It is followed by either "notify", "debug"
# or "debug2".
#log debug;
log notify;

# "padding" defines some parameters of padding.
# You should not touch these.
padding {
    maximum_length 20;      # maximum padding length.
    randomize on;           # enable randomized length.
    randomize_length on;
    strict_check off;       # enable strict check.
    exclusive_tail on;      # extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen {
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];          # administrative port used by kmpstat.
    #strict_address;        # require that all addresses be bound.
}

# Specification of the default timers.
timer {
    # These values can be changed per remote node.
    counter 5;              # maximum number of send attempts.
    interval 40 sec;        # maximum interval between resends.
    persend 1;              # the number of packets per send.

    # timers for waiting to complete each phase.
    phase1 300 sec;
    phase2 300 sec;
}

remote anonymous {
    #exchange_mode main,aggressive;
    exchange_mode main,aggressive,base;
    doi ipsec_doi;
    #situation identity_only;
    verify_identifier off;
    send_cert off;
    send_cr off;
    nonce_size 16;
    lifetime time 15 min;   # sec,min,hour
    #lifetime byte 5 MB;    # B,KB,GB
    initial_contact on;
    support_mip6 off;
    proposal_check claim;   # obey, strict or claim

    # If clients are connecting from dynamic addresses
    # set generate_policy to "on"
    generate_policy off;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous {
    #pfs_group 1;   # commented out pfs_group so that any pfs_group would be accepted
    lifetime time 3600 sec;
    #lifetime byte 50 MB;
    encryption_algorithm blowfish,3des,des,cast128 ;
    authentication_algorithm hmac_md5,hmac_sha1;
    compression_algorithm deflate;
}
### end ###

If connecting your freebsd ipsec gateway to other equipment, e.g. a linksys
vpn router, you might want to set net.key.preferred_oldsa to zero.

Let me know if you have questions or problems. I might be able to help.

greg
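The two SPD blocks in the how-to above have to mirror each other exactly: every `-P out` policy on one gateway needs an identical `-P in` policy on the peer, and each gateway's own external address must be the tunnel source of its `out` policies and the tunnel destination of its `in` policies. The following script is an added example, not part of Greg's post or of FreeBSD's tools: it generates the spdadd lines for both gateways from the addresses used in the how-to and then audits a pair of policy sets for the two mistakes above (a swapped endpoint pair, or an `out` policy with no matching `in` on the other side). The `Gateway` class, the function names and the deliberately broken sample policy set are constructed for this example.

```python
"""Generate and cross-check setkey(8) spdadd policies for a two-gateway
IPsec tunnel (added example; not code from the mailing-list post)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    internal_net: str   # LAN behind this gateway, e.g. "10.1.1.0/24"
    external_ip: str    # address the ESP tunnel terminates on, e.g. "1.1.1.1"


# Addresses from the how-to (hypothetical 1.1.1.1 / 2.2.2.1 endpoints).
GW_A = Gateway("A", "10.1.1.0/24", "1.1.1.1")
GW_B = Gateway("B", "10.2.2.0/24", "2.2.2.1")

SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([0-9.]+)-([0-9.]+)/(\w+);$"
)


def spd_policies(local, remote, level="unique"):
    """Return the two spdadd lines one gateway needs: an 'out' policy for
    traffic leaving the local LAN and an 'in' policy for traffic arriving
    from the remote LAN. Tunnel endpoints are always written src-dst."""
    out_line = (f"spdadd {local.internal_net} {remote.internal_net} any -P out ipsec "
                f"esp/tunnel/{local.external_ip}-{remote.external_ip}/{level};")
    in_line = (f"spdadd {remote.internal_net} {local.internal_net} any -P in ipsec "
               f"esp/tunnel/{remote.external_ip}-{local.external_ip}/{level};")
    return [out_line, in_line]


def parse_policy(line):
    """Parse one spdadd line into a dict; raises on anything unrecognised."""
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised spdadd line: {line!r}")
    src, dst, proto, direction, tun_src, tun_dst, level = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "dir": direction,
            "tun_src": tun_src, "tun_dst": tun_dst, "level": level}


def audit(gw_a, gw_b, lines_a, lines_b):
    """Return a list of problems found in the two gateways' policy sets
    (empty list means the SPDs mirror each other correctly)."""
    problems = []
    pa = [parse_policy(l) for l in lines_a]
    pb = [parse_policy(l) for l in lines_b]

    # 1. A gateway's own external address must be the tunnel source of its
    #    'out' policies and the tunnel destination of its 'in' policies.
    for gw, pols in ((gw_a, pa), (gw_b, pb)):
        for p in pols:
            own = p["tun_src"] if p["dir"] == "out" else p["tun_dst"]
            if own != gw.external_ip:
                problems.append(
                    f"{gw.name}: {p['dir']} policy {p['src']}->{p['dst']} names "
                    f"{own} as the local tunnel endpoint, expected {gw.external_ip}")

    # 2. Every 'out' policy needs an identical 'in' policy on the peer
    #    (same selectors, same tunnel endpoints, same level).
    def key(p):
        return (p["src"], p["dst"], p["proto"], p["tun_src"], p["tun_dst"], p["level"])

    for gw, mine, theirs in ((gw_a, pa, pb), (gw_b, pb, pa)):
        outs = {key(p) for p in mine if p["dir"] == "out"}
        ins = {key(p) for p in theirs if p["dir"] == "in"}
        for k in outs - ins:
            problems.append(
                f"{gw.name}: out policy {k[0]}->{k[1]} via {k[3]}-{k[4]} "
                f"has no matching in policy on the peer")
    return problems


# Constructed broken variant of Gateway B's SPD: the 'in' policy has its
# tunnel endpoints written the wrong way round.
BROKEN_B = [
    "spdadd 10.1.1.0/24 10.2.2.0/24 any -P in ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;",
    "spdadd 10.2.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;",
]

if __name__ == "__main__":
    for gw, peer in ((GW_A, GW_B), (GW_B, GW_A)):
        print(f"# SPD setup on Gateway {gw.name}")
        print("\n".join(spd_policies(gw, peer)))
    print("good pair:", audit(GW_A, GW_B, spd_policies(GW_A, GW_B), spd_policies(GW_B, GW_A)))
    print("broken pair:", audit(GW_A, GW_B, spd_policies(GW_A, GW_B), BROKEN_B))
```

The generated lines for Gateway A and B are the ones shown in the how-to; running `audit` over the broken variant reports both the wrong local endpoint on B's `in` policy and the resulting unmatched `out` policy on A, which is the kind of stale-address mistake that still "works" for a while because existing SAs keep flowing until they expire.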