Date: Tue, 14 Jul 2009 19:15:14 -0500
From: "David DeSimone" <fox@verio.net>
To: "rascal" <rascal1981@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: question regarding IPSEC Setup
Message-ID: <20090715001514.GU6896@verio.net>
In-Reply-To: <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
rascal <rascal1981@gmail.com> wrote:
>
> Thanks for the input on this everyone! Eugene, I'll take you up on
> your offer of examples! I have a good idea of how to do this, I
> just want to make sure I get it right and if I have some examples to
> compare to that would be great! Thanks much!

Here is an example IPSEC config that we use, that interoperates with
Cisco, Checkpoint, and probably other standard IPSEC implementations.
We're using PF for firewalling.

Example config:

Here:   11.22.33.44 (FreeBSD machine)
        Networks behind:  10.10.30.40/24
                          10.10.30.50/24

There:  55.66.77.88 (Some other IPSEC)
        Networks behind:  10.20.50.60/24
                          10.20.50.70/24

Parameters:
    IKE:
        Phase 1:  Pre-shared Secret
                  AES + SHA1
                  DH Group 2
                  Lifetime 24 hours
        Phase 2:  One SPI per subnet pair
                  No PFS
                  Lifetime 1 hour
    ESP:  AES + SHA1

Kernel build options:

    options IPSEC
    options IPSEC_ESP
    options IPSEC_DEBUG

/etc/rc.conf:

    gateway_enable="YES"
    pf_enable="YES"
    pf_rules="/usr/local/etc/pf.conf"
    racoon_enable="YES"
    ipsec_enable="YES"
    ipsec_file="/usr/local/etc/ipsec.conf"

Partial /usr/local/etc/pf.conf:

    EXT="dc0"           # Interface for external traffic
    EXTIP="(dc0)"       # External virtual IP

    table <IPSEC_PEERS> file "/usr/local/etc/ipsec.peers"

    pass in log quick on $EXT proto udp from <IPSEC_PEERS> to $EXTIP port 500 keep state
    pass in quick on $EXT proto esp from <IPSEC_PEERS> to $EXTIP keep state

/usr/local/etc/ipsec.peers:

    55.66.77.88

/usr/local/etc/ipsec.conf:

    spdflush;

    spdadd 10.20.50.60/24 10.10.30.40/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.40/24 10.20.50.60/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.60/24 10.10.30.50/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.50/24 10.20.50.60/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.70/24 10.10.30.40/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.40/24 10.20.50.70/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.70/24 10.10.30.50/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.50/24 10.20.50.70/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

/usr/local/etc/racoon/racoon.conf:

    log debug;                  # notify(*), debug, debug2
    path pre_shared_key "/usr/local/etc/ipsec.keys";
    path pidfile "/var/run/racoon.pid";

    listen {
        isakmp 11.22.33.44;
        strict_address;         # Needed?
    }

    remote 55.66.77.88 {
        exchange_mode aggressive,main,base;
        my_identifier address 11.22.33.44;
        peers_identifier address 55.66.77.88;
        verify_identifier off;
        proposal_check claim;   # obey, strict, claim(*), exact(*)
        proposal {
            encryption_algorithm aes;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
            lifetime time 24 hours;
        }
    }

    sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
    sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
    sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
    sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
    sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

/usr/local/etc/ipsec.keys: (chmod 600!)

    # Keys for IPSEC
    # Remote IP, shared key
    55.66.77.88     SecretKey!!

The main difficulty is making sure you've got every different direction
of source and destination subnet cross-referenced in your SPD config and
the exact same entries configured in your racoon config. In our setup,
we auto-generate these files from a master config file, but regrettably
I cannot release the code for this...

Anyway, I hope this gives you some idea how to set up IPSEC. Debugging
is of course the next step. Never assume that your peer has configured
everything right. :)

Make sure your ipsec.keys file is not readable by anyone but root, or
racoon will silently ignore it.

-- 
David DeSimone == Network Admin == fox@verio.net
"I don't like spinach, and I'm glad I don't, because if I liked it I'd
 eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has
been sent, and may contain information that is confidential or legally
protected. If you are not the intended recipient or have received this
message in error, you are not authorized to copy, distribute, or
otherwise use this message or its attachments. Please notify the sender
immediately by return e-mail and permanently delete this message and any
attachments. Verio, Inc. makes no warranty that this email is error or
virus free. Thank you.
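David's message says the hard part is keeping every direction of every subnet pair in step between the setkey SPD file and the racoon sainfo blocks, that his site generates both from a master file with code he cannot publish, and that a world-readable ipsec.keys file is silently ignored. The script below is an added example written for this archive page, not David's generator and not part of FreeBSD or racoon. It takes the two gateway addresses and the two subnet lists from his post, emits the spdadd lines and sainfo blocks in the same order and with the same parameters (AES, HMAC-SHA1, 1 hour phase-2 lifetime, one unique SPI per pair), cross-checks the two outputs so a pair missing from either side is reported, and checks that a pre_shared_key file's mode and owner satisfy the "root, chmod 600" rule. The key-file path is the one from the post; everything else is plain Python with no assumptions about the target host.

```python
#!/usr/bin/env python3
"""Generate matching setkey(8) SPD entries and racoon sainfo blocks for a
site-to-site tunnel, then cross-check the two against each other.

Added example for the freebsd-net post above; it is not David DeSimone's
own generator. It assumes the parameters and addresses from his message
(AES + HMAC-SHA1, 1 hour phase-2 lifetime, one unique SPI per subnet pair).
"""
import stat
from itertools import product


def spd_entries(local_ip, remote_ip, local_nets, remote_nets):
    """Return setkey 'spdadd' lines: an 'in' and an 'out' policy for every
    (remote subnet, local subnet) pair, in the same order as the post."""
    lines = ["spdflush;"]
    for rnet, lnet in product(remote_nets, local_nets):
        lines.append(f"spdadd {rnet} {lnet} any -P in ipsec "
                     f"esp/tunnel/{remote_ip}-{local_ip}/unique;")
        lines.append(f"spdadd {lnet} {rnet} any -P out ipsec "
                     f"esp/tunnel/{local_ip}-{remote_ip}/unique;")
    return lines


def sainfo_blocks(local_nets, remote_nets, lifetime="1 hour"):
    """Return one racoon 'sainfo' block per direction of every subnet pair."""
    blocks = []
    for rnet, lnet in product(remote_nets, local_nets):
        for src, dst in ((rnet, lnet), (lnet, rnet)):
            blocks.append(
                f"sainfo address {src} any address {dst} any {{\n"
                f"\tlifetime time {lifetime};\n"
                "\tencryption_algorithm aes;\n"
                "\tauthentication_algorithm hmac_sha1;\n"
                "\tcompression_algorithm deflate;\n"
                "}")
    return blocks


def spd_pairs(spd_lines):
    """(src, dst) subnet pairs named by the spdadd lines; spdflush is skipped."""
    return {(p[1], p[2]) for p in (line.split() for line in spd_lines)
            if p and p[0] == "spdadd"}


def sainfo_pairs(blocks):
    """(src, dst) subnet pairs named by the sainfo block headers."""
    pairs = set()
    for block in blocks:
        p = block.split()          # sainfo address SRC any address DST any {
        pairs.add((p[2], p[5]))
    return pairs


def cross_check(spd_lines, blocks):
    """Pairs present in one config but missing from the other; empty means consistent."""
    return spd_pairs(spd_lines) ^ sainfo_pairs(blocks)


def keyfile_mode_ok(mode, uid=0):
    """True if a pre_shared_key file's st_mode and st_uid satisfy 'root, chmod 600':
    owned by uid 0 with no group or other permission bits set."""
    return uid == 0 and (stat.S_IMODE(mode) & 0o077) == 0


if __name__ == "__main__":
    import os
    LOCAL_IP, REMOTE_IP = "11.22.33.44", "55.66.77.88"       # addresses from the post
    LOCAL_NETS = ["10.10.30.40/24", "10.10.30.50/24"]
    REMOTE_NETS = ["10.20.50.60/24", "10.20.50.70/24"]
    spd = spd_entries(LOCAL_IP, REMOTE_IP, LOCAL_NETS, REMOTE_NETS)
    sa = sainfo_blocks(LOCAL_NETS, REMOTE_NETS)
    print("\n".join(spd))
    print()
    print("\n\n".join(sa))
    print("\nmismatched pairs:", cross_check(spd, sa) or "none")
    keyfile = "/usr/local/etc/ipsec.keys"                    # path from the post
    if os.path.exists(keyfile):
        st = os.stat(keyfile)
        print(keyfile, "permissions ok:", keyfile_mode_ok(st.st_mode, st.st_uid))
```

Run it as root on the gateway and redirect the two sections into ipsec.conf and the tail of racoon.conf; cross_check is the part worth keeping in a deploy script, since a sainfo block that has no matching SPD entry (or the reverse) produces exactly the "peer negotiates, nothing flows" symptom that is otherwise slow to debug.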