Date: Tue, 14 Jul 2009 21:43:56 -0400
From: rascal <rascal1981@gmail.com>
To: rascal <rascal1981@gmail.com>, freebsd-net@freebsd.org
Subject: Re: question regarding IPSEC Setup
Message-ID: <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com>
In-Reply-To: <20090715001514.GU6896@verio.net>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com> <20090715001514.GU6896@verio.net>
Thanks very much David, I really appreciate it! I have the racoon2 package; does this make a big difference or do these configs work close to the same?

On Tue, Jul 14, 2009 at 8:15 PM, David DeSimone <fox@verio.net> wrote:
> rascal <rascal1981@gmail.com> wrote:
> >
> > Thanks for the input on this everyone! Eugene, I'll take you up on
> > your offer of examples! I have a good idea of how to do this, I
> > just want to make sure I get it right and if I have some examples to
> > compare to that would be great! Thanks much!
>
> Here is an example IPSEC config that we use, that interoperates with
> Cisco, Checkpoint, and probably other standard IPSEC implementations.
>
> We're using PF for firewalling.
>
> Example config:
>
> Here: 11.22.33.44 (FreeBSD machine)
>
> Networks behind:
>   10.10.30.40/24
>   10.10.30.50/24
>
> There: 55.66.77.88 (Some other IPSEC)
>
> Networks behind:
>   10.20.50.60/24
>   10.20.50.70/24
>
> Parameters:
>   IKE:
>     Phase 1:
>       Pre-shared Secret
>       AES + SHA1
>       DH Group 2
>       Lifetime 24 hours
>     Phase 2:
>       One SPI per subnet pair
>       No PFS
>       Lifetime 1 hour
>   ESP:
>     AES + SHA1
>
> Kernel build options:
>
>   options IPSEC
>   options IPSEC_ESP
>   options IPSEC_DEBUG
>
> /etc/rc.conf:
>
>   gateway_enable="YES"
>
>   pf_enable="YES"
>   pf_rules="/usr/local/etc/pf.conf"
>
>   racoon_enable="YES"
>   ipsec_enable="YES"
>   ipsec_file="/usr/local/etc/ipsec.conf"
>
> Partial /usr/local/etc/pf.conf:
>
>   EXT="dc0"       # Interface for external traffic
>   EXTIP="(dc0)"   # External virtual IP
>
>   table <IPSEC_PEERS> file "/usr/local/etc/ipsec.peers"
>
>   pass in log quick on $EXT proto udp from <IPSEC_PEERS> to $EXTIP port 500 keep state
>   pass in quick on $EXT proto esp from <IPSEC_PEERS> to $EXTIP keep state
>
> /usr/local/etc/ipsec.peers:
>
>   55.66.77.88
>
> /usr/local/etc/ipsec.conf:
>
>   spdflush;
>
>   spdadd 10.20.50.60/24 10.10.30.40/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.40/24 10.20.50.60/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>   spdadd 10.20.50.60/24 10.10.30.50/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.50/24 10.20.50.60/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>   spdadd 10.20.50.70/24 10.10.30.40/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.40/24 10.20.50.70/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>   spdadd 10.20.50.70/24 10.10.30.50/24 any \
>       -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>   spdadd 10.10.30.50/24 10.20.50.70/24 any \
>       -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> /usr/local/etc/racoon/racoon.conf:
>
>   log debug;   # notify(*), debug, debug2
>
>   path pre_shared_key "/usr/local/etc/ipsec.keys";
>   path pidfile "/var/run/racoon.pid";
>
>   listen
>   {
>       isakmp 11.22.33.44;
>       strict_address;   # Needed?
>   }
>
>   remote 55.66.77.88
>   {
>       exchange_mode aggressive,main,base;
>
>       my_identifier address 11.22.33.44;
>       peers_identifier address 55.66.77.88;
>
>       verify_identifier off;
>
>       proposal_check claim;   # obey, strict, claim(*), exact(*)
>
>       proposal
>       {
>           encryption_algorithm aes;
>           hash_algorithm sha1;
>           authentication_method pre_shared_key;
>           dh_group 2;
>           lifetime time 24 hours;
>       }
>   }
>
>   sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
>   sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any
>   {
>       lifetime time 1 hour;
>
>       encryption_algorithm aes;
>       authentication_algorithm hmac_sha1;
>       compression_algorithm deflate;
>   }
>
> /usr/local/etc/ipsec.keys: (chmod 600!)
>
>   # Keys for IPSEC
>   # Remote IP, shared key
>
>   55.66.77.88 SecretKey!!
>
>
> The main difficulty is making sure you've got every different direction
> of source and destination subnet cross-referenced in your SPD config and
> the exact same entries configured in your racoon config.
>
> In our setup, we auto-generate these files from a master config file,
> but regrettably I cannot release the code for this...
>
>
> Anyway, I hope this gives you some idea how to set up IPSEC. Debugging
> is of course the next step. Never assume that your peer has configured
> everything right. :)
>
> Make sure your ipsec.keys file is not readable by anyone but root, or
> racoon will silently ignore it.
>
> --
> David DeSimone == Network Admin == fox@verio.net
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
>
> This email message is intended for the use of the person to whom it has
> been sent, and may contain information that is confidential or legally
> protected. If you are not the intended recipient or have received this
> message in error, you are not authorized to copy, distribute, or otherwise
> use this message or its attachments. Please notify the sender immediately by
> return e-mail and permanently delete this message and any attachments.
> Verio, Inc. makes no warranty that this email is error or virus free. Thank
> you.
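The generator David mentions but could not release, reconstructed here as an added example (not his code, not part of the thread): it expands a master table into the per-direction spdadd lines for ipsec.conf and the matching sainfo blocks for racoon.conf, then cross-checks that both name exactly the same directed subnet pairs. The gateway and subnet values are a constructed sample mirroring the thread's example addresses.

```python
"""Emit setkey SPD lines and racoon sainfo blocks from one master table, then
check that every directed subnet pair appears in both (the mistake David warns about)."""
from itertools import product

# Constructed master table mirroring the addresses in the thread's example.
LOCAL_GW = "11.22.33.44"
REMOTE_GW = "55.66.77.88"
LOCAL_NETS = ["10.10.30.40/24", "10.10.30.50/24"]
REMOTE_NETS = ["10.20.50.60/24", "10.20.50.70/24"]

SAINFO_BODY = (
    "{\n    lifetime time 1 hour;\n    encryption_algorithm aes;\n"
    "    authentication_algorithm hmac_sha1;\n    compression_algorithm deflate;\n}"
)


def spd_entries(local_gw, remote_gw, local_nets, remote_nets):
    """ipsec.conf: an inbound and an outbound spdadd for every subnet pair."""
    lines = ["spdflush;"]
    for rnet, lnet in product(remote_nets, local_nets):
        lines.append(f"spdadd {rnet} {lnet} any -P in ipsec esp/tunnel/{remote_gw}-{local_gw}/unique;")
        lines.append(f"spdadd {lnet} {rnet} any -P out ipsec esp/tunnel/{local_gw}-{remote_gw}/unique;")
    return lines


def sainfo_blocks(local_nets, remote_nets):
    """racoon.conf: one sainfo per direction of every subnet pair, same order as the SPD."""
    blocks = []
    for rnet, lnet in product(remote_nets, local_nets):
        blocks.append(f"sainfo address {rnet} any address {lnet} any\n{SAINFO_BODY}")
        blocks.append(f"sainfo address {lnet} any address {rnet} any\n{SAINFO_BODY}")
    return blocks


def spd_pairs(lines):
    """Directed (src, dst) subnet pairs named by the spdadd lines."""
    return {(l.split()[1], l.split()[2]) for l in lines if l.startswith("spdadd ")}


def sainfo_pairs(blocks):
    """Directed (src, dst) subnet pairs named by the sainfo headers."""
    return {(b.split()[2], b.split()[5]) for b in blocks}


def consistent(spd_lines, blocks):
    """True only when the SPD and racoon cover exactly the same directed pairs."""
    return spd_pairs(spd_lines) == sainfo_pairs(blocks)


if __name__ == "__main__":
    spd = spd_entries(LOCAL_GW, REMOTE_GW, LOCAL_NETS, REMOTE_NETS)
    sa = sainfo_blocks(LOCAL_NETS, REMOTE_NETS)
    print("\n".join(spd), "\n\n".join(sa), f"consistent: {consistent(spd, sa)}", sep="\n\n")
```

With the sample table this reproduces the eight spdadd lines and eight sainfo blocks shown in the quoted config; dropping any one entry from either file makes `consistent` return False.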