Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
public:ipsec [2011/01/27 23:31] Nicopublic:ipsec [2012/03/09 22:43] (current) – [IPSec for FreeBSD's jails communication] typo Nico
Line 1: Line 1:
 ====== IPSec for FreeBSD's jails communication ====== ====== IPSec for FreeBSD's jails communication ======
  
-**Abstract**: Here we assume we have two FreeBSD hosts, A using public IP 1.1.1.1 and internal virtual net 192.168.3.0 for jails, and B using public IP 2.2.2.2 and internal net 192.168.6.0 for jails. We need hosts and jails to communicate together, preferably in a encrypted way.+**Abstract**: Here we assume we have two FreeBSD hosts, **A** using public IP 1.1.1.1 and internal virtual net 192.168.3.0 for jails, and **B** using public IP 2.2.2.2 and internal net 192.168.6.0 for jails. We need hosts and jails to communicate together, preferably in a crypted way.
  
 ===== Preparation on both hosts ===== ===== Preparation on both hosts =====
Line 30: Line 30:
 cloned_interfaces="gif0" cloned_interfaces="gif0"
 ifconfig_gif0="inet 192.168.3.1 192.168.6.1 tunnel 1.1.1.1 2.2.2.2" ifconfig_gif0="inet 192.168.3.1 192.168.6.1 tunnel 1.1.1.1 2.2.2.2"
-static_routes="internalnet1+static_routes="internalnet2
-route_internalnet1="-net 192.168.6.0/24 192.168.6.1"+route_internalnet2="-net 192.168.6.0/24 192.168.6.1
 + 
 +ipv6_ifconfig_gif0="2001:db8:ab01::1 2001:db8:ab02::1 prefixlen 128" 
 +ipv6_static_routes="b" 
 +ipv6_route_b="2001:db8:ab02::1 -interface gif0"
  
 ipsec_enable="YES" ipsec_enable="YES"
Line 50: Line 54:
 spdadd 192.168.3.0/24 192.168.6.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require; spdadd 192.168.3.0/24 192.168.6.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
 spdadd 192.168.6.0/24 192.168.3.0/24 any -P in  ipsec esp/tunnel/2.2.2.2-1.1.1.1/require; spdadd 192.168.6.0/24 192.168.3.0/24 any -P in  ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
 +spdadd 2001:db8:ab01::/64 2001:db8:ab02::/64 any -P out ipsec esp/tunnel/2001:db8:ab01::1-2001:db8:ab02::1/require;
 +spdadd 2001:db8:ab02::/64 2001:db8:ab01::/64 any -P out ipsec esp/tunnel/2001:db8:ab02::1-2001:db8:ab01::1/require;
 </code> </code>
  
Line 58: Line 64:
 # IPv4/v6 addresses # IPv4/v6 addresses
 # #
-2.2.2.2     myfookinunforgettablepassword+2.2.2.2           myfookinunforgettablepassword 
 +2001:db8:ab02::1  myfookinunforgettablepassword
 </code> </code>
  
Line 88: Line 95:
 { {
         isakmp          1.1.1.1 [500];         isakmp          1.1.1.1 [500];
 +        isakmp          2001:db8:ab01::1 [500];
 +        
 } }
  
 remote 2.2.2.2 [500] remote 2.2.2.2 [500]
 +{
 +        exchange_mode   main,aggressive;
 +        doi             ipsec_doi;
 +        situation       identity_only;
 +        my_identifier   address 1.1.1.1;
 +        peers_identifier        address 2.2.2.2;
 +        lifetime        time 8 hour;
 +        passive         off;
 +        proposal_check  obey;
 +       nat_traversal   off;
 +        generate_policy off;
 +
 +                        proposal {
 +                                encryption_algorithm    blowfish;
 +                                hash_algorithm          md5;
 +                                authentication_method   pre_shared_key;
 +                                lifetime time           30 sec;
 +                                dh_group                1;
 +                        }
 +}
 +
 +remote 2001:db8:ab02::1 [500]
 { {
         exchange_mode   main,aggressive;         exchange_mode   main,aggressive;
Line 129: Line 160:
 } }
  
 +sainfo  address 2001:db8:ab01::/64 any address 2001:db8:ab02::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
 +{                               # $network must be the two internal networks you are joining.
 +        pfs_group       1;
 +        lifetime        time    36000 sec;
 +        encryption_algorithm    blowfish,3des,des;
 +        authentication_algorithm        hmac_md5,hmac_sha1;
 +        compression_algorithm   deflate;
 +}
 +sainfo  address 2001:db8:ab02::/64 any address 2001:db8:ab01::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
 +{                               # $network must be the two internal networks you are joining.
 +        pfs_group       1;
 +        lifetime        time    36000 sec;
 +        encryption_algorithm    blowfish,3des,des;
 +        authentication_algorithm        hmac_md5,hmac_sha1;
 +        compression_algorithm   deflate;
 +}
 </code> </code>
 +
  
 === Start === === Start ===
Line 139: Line 187:
 # ifconfig gif0 192.168.3.1 192.168.6.1 # ifconfig gif0 192.168.3.1 192.168.6.1
 # ifconfig gif0 tunnel 1.1.1.1 2.2.2.2 # ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
 +# ifconfig gif0 inet6 2001:db8:ab01::1 2001:db8:ab02::1 prefixlen 128
 # route add 192.168.6.0 192.168.6.1 255.255.255.0 # route add 192.168.6.0 192.168.6.1 255.255.255.0
 +# route add -inet6 2001:db8:ab02:: -interface gif0
 # /etc/rc.d/ipsec start # /etc/rc.d/ipsec start
 # /usr/local/etc/rc.d/racoon start # /usr/local/etc/rc.d/racoon start
Line 160: Line 210:
 static_routes="internalnet1" static_routes="internalnet1"
 route_internalnet1="-net 192.168.3.0/24 192.168.3.1" route_internalnet1="-net 192.168.3.0/24 192.168.3.1"
 +
 +ipv6_ifconfig_gif0="2001:db8:ab02::1 2001:db8:ab01::1 prefixlen 128"
 +ipv6_static_routes="a"
 +ipv6_route_a="2001:db8:ab01::1 -interface gif0"
  
 ipsec_enable="YES" ipsec_enable="YES"
Line 178: Line 232:
 spdadd 192.168.6.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/2.2.2.2-1.1.1.1/require; spdadd 192.168.6.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
 spdadd 192.168.3.0/24 192.168.6.0/24 any -P in  ipsec esp/tunnel/1.1.1.1-2.2.2.2/require; spdadd 192.168.3.0/24 192.168.6.0/24 any -P in  ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
 +spdadd 2001:db8:ab02::/64 2001:db8:ab01::/64 any -P out ipsec esp/tunnel/2001:db8:ab02::1-2001:db8:ab01::1/require;
 +spdadd 2001:db8:ab01::/64 2001:db8:ab02::/64 any -P out ipsec esp/tunnel/2001:db8:ab01::1-2001:db8:ab02::1/require;
 </code> </code>
  
Line 186: Line 242:
 # IPv4/v6 addresses # IPv4/v6 addresses
 # #
-1.1.1.1     myfookinunforgettablepassword+1.1.1.1           myfookinunforgettablepassword 
 +2001:db8:ab01::1  myfookinunforgettablepassword
 </code> </code>
  
Line 216: Line 273:
 { {
         isakmp          2.2.2.2 [500];         isakmp          2.2.2.2 [500];
 +        isakmp          2001:db8:ab02::1 [500];
 } }
  
 remote 1.1.1.1 [500] remote 1.1.1.1 [500]
 +{
 +        exchange_mode   main,aggressive;
 +        doi             ipsec_doi;
 +        situation       identity_only;
 +        my_identifier   address 2.2.2.2;
 +        peers_identifier        address 1.1.1.1;
 +        lifetime        time 8 hour;
 +        passive         off;
 +        proposal_check  obey;
 +       nat_traversal   off;
 +        generate_policy off;
 +
 +                        proposal {
 +                                encryption_algorithm    blowfish;
 +                                hash_algorithm          md5;
 +                                authentication_method   pre_shared_key;
 +                                lifetime time           30 sec;
 +                                dh_group                1;
 +                        }
 +}
 +
 +remote 2001:db8:ab01::1 [500]
 { {
         exchange_mode   main,aggressive;         exchange_mode   main,aggressive;
Line 257: Line 337:
 } }
  
 +sainfo  address 2001:db8:ab02::/64 any address 2001:db8:ab01::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
 +{                               # $network must be the two internal networks you are joining.
 +        pfs_group       1;
 +        lifetime        time    36000 sec;
 +        encryption_algorithm    blowfish,3des,des;
 +        authentication_algorithm        hmac_md5,hmac_sha1;
 +        compression_algorithm   deflate;
 +}
 +sainfo  address 2001:db8:ab01::/64 any address 2001:db8:ab02::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
 +{                               # $network must be the two internal networks you are joining.
 +        pfs_group       1;
 +        lifetime        time    36000 sec;
 +        encryption_algorithm    blowfish,3des,des;
 +        authentication_algorithm        hmac_md5,hmac_sha1;
 +        compression_algorithm   deflate;
 +}
 </code> </code>
  
Line 267: Line 363:
 # ifconfig gif0 192.168.6.1 192.168.3.1 # ifconfig gif0 192.168.6.1 192.168.3.1
 # ifconfig gif0 tunnel 2.2.2.2 1.1.1.1 # ifconfig gif0 tunnel 2.2.2.2 1.1.1.1
 +# ifconfig gif0 inet6 2001:db8:ab02::1 2001:db8:ab01::1 prefixlen 128
 # route add 192.168.3.0 192.168.3.1 255.255.255.0 # route add 192.168.3.0 192.168.3.1 255.255.255.0
 +# route add -inet6 2001:db8:ab01:: -interface gif0
 # /etc/rc.d/ipsec start # /etc/rc.d/ipsec start
 # /usr/local/etc/rc.d/racoon start # /usr/local/etc/rc.d/racoon start