Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 14 Jul 2009 19:15:14 -0500
From:      "David DeSimone" <fox@verio.net>
To:        "rascal" <rascal1981@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: question regarding IPSEC Setup
Message-ID:  <20090715001514.GU6896@verio.net>
In-Reply-To: <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
References:  <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
rascal <rascal1981@gmail.com> wrote:
>
> Thanks for the input on this everyone!  Eugene, I'll take you up on
> your offer of examples!  I have a good idea of how to do this, I
> just want to make sure I get it right and if I have some examples to
> compare to that would be great!  Thanks much!

Here is an example IPSEC config that we use, that interoperates with
Cisco, Checkpoint, and probably other standard IPSEC implementations.

We're using PF for firewalling.

Example config:

    Here:  11.22.33.44	(FreeBSD machine)

	Networks behind:
	    10.10.30.40/24
	    10.10.30.50/24

    There:  55.66.77.88  (Some other IPSEC)

	Networks behind:
	    10.20.50.60/24
	    10.20.50.70/24

    Parameters:
	IKE:
	    Phase 1:
		Pre-shared Secret
		AES + SHA1
		DH Group 2
		Lifetime 24 hours
	    Phase 2:
		One SPI per subnet pair
		No PFS
		Lifetime 1 hour
	ESP:
	    AES + SHA1

Kernel build options:

    options  IPSEC
    options  IPSEC_ESP
    options  IPSEC_DEBUG

/etc/rc.conf:

    gateway_enable="YES"

    pf_enable="YES"
    pf_rules="/usr/local/etc/pf.conf"

    racoon_enable="YES"
    ipsec_enable="YES"
    ipsec_file="/usr/local/etc/ipsec.conf"

Partial /usr/local/etc/pf.conf:

    EXT="dc0"                       # Interface for external traffic
    EXTIP="(dc0)"                   # External virtual IP

    table <IPSEC_PEERS> file "/usr/local/etc/ipsec.peers"

    pass in log quick on $EXT proto udp from <IPSEC_PEERS> to $EXTIP port 500 keep state
    pass in     quick on $EXT proto esp from <IPSEC_PEERS> to $EXTIP          keep state

/usr/local/etc/ipsec.peers:

    55.66.77.88

/usr/local/etc/ipsec.conf:

    spdflush;

    spdadd 10.20.50.60/24  10.10.30.40/24  any \
	-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.40/24  10.20.50.60/24  any \
	-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.60/24  10.10.30.50/24  any \
	-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.50/24  10.20.50.60/24  any \
	-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.70/24  10.10.30.40/24  any \
	-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.40/24  10.20.50.70/24  any \
	-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.70/24  10.10.30.50/24  any \
	-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.50/24  10.20.50.70/24  any \
	-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

/usr/local/etc/racoon/racoon.conf:

    log  debug;             # notify(*), debug, debug2

    path  pre_shared_key  "/usr/local/etc/ipsec.keys";
    path  pidfile         "/var/run/racoon.pid";

    listen
    {
	isakmp  11.22.33.44;
	strict_address;             # Needed?
    }

    remote  55.66.77.88
    {
	exchange_mode  aggressive,main,base;

	my_identifier     address  11.22.33.44;
	peers_identifier  address  55.66.77.88;

	verify_identifier  off;

	proposal_check  claim;      # obey, strict, claim(*), exact(*)

	proposal
	{
	    encryption_algorithm    aes;
	    hash_algorithm          sha1;
	    authentication_method   pre_shared_key;
	    dh_group                2;
	    lifetime        time    24 hours;
	}
    }


    sainfo  address  10.20.50.60/24 any   address  10.10.30.40/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

    sainfo  address  10.10.30.40/24 any   address  10.20.50.60/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

    sainfo  address  10.20.50.60/24 any   address  10.10.30.50/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

    sainfo  address  10.10.30.50/24 any   address  10.20.50.60/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

    sainfo  address  10.20.50.70/24 any   address  10.10.30.40/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

    sainfo  address  10.10.30.40/24 any   address  10.20.50.70/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

    sainfo  address  10.20.50.70/24 any   address  10.10.30.50/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

    sainfo  address  10.10.30.50/24 any   address  10.20.50.70/24 any
    {
	lifetime            time    1 hour;

	encryption_algorithm        aes;
	authentication_algorithm    hmac_sha1;
	compression_algorithm       deflate;
    }

/usr/local/etc/ipsec.keys:   (chmod 600!)

    # Keys for IPSEC
    # Remote IP, shared key

    55.66.77.88    SecretKey!!


The main difficulty is making sure you've got every different direction
of source and destination subnet cross-referenced in your SPD config and
the exact same entries configured in your racoon config.

In our setup, we auto-generate these files from a master config file,
but regretably I cannot release the code for this...


Anyway, I hope this gives you some idea how to setup IPSEC.  Debugging
is of course the next step.  Never assume that your peer has configured
everything right.  :)

Make sure your ipsec.keys file is not readable by anyone but root, or
raccoon will silently ignore it.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow


This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free.  Thank you.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090715001514.GU6896>