public:ipsec [2011/01/27 20:25] – Nico | public:ipsec [2012/03/09 22:43] (current) – [IPSec for FreeBSD's jails communication] typo Nico | ||
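--- a/public:ipsec
+++ b/public:ipsec
@@ -1 +1 @@
 ====== IPSec for FreeBSD'
-**Abstract**:
+**Abstract**:
+
+===== Preparation on both hosts =====
 * [[http://
@@ -18 +20 @@
 </
-* On host A:
-/
+===== Steps to follow on each host =====
+
+==== On host A ====
+
+=== Configuration ===
+== /
 <
 cloned_interfaces="
 ifconfig_gif0="
+static_routes="
+route_internalnet2="
+
+ipv6_ifconfig_gif0="
+ipv6_static_routes="
+ipv6_route_b="
+
+ipsec_enable="
+ipsec_program="/
+ipsec_file="/
+racoon_flags="
+racoon_enable="
+
+gateway_enable="
+</
+
+== /
+
+<
+#
+flush;
+spdflush;
+spdadd 192.168.3.0/
+spdadd 192.168.6.0/
+spdadd 2001:
+spdadd 2001:
+</
+
+== /
+
+<
+# /
+# IPv4/v6 addresses
+#
+2.2.2.2
+2001:
+</
+
+== /
+
+<
+path pre_shared_key
+log
+
+padding # options are not to be changed
+{
+maximum_length
+randomize
+strict_check
+exclusive_tail
+}
+
+timer # timing options. change as needed
+{
+counter
+interval
+persend
+#
+phase1
+phase2
+}
+
+listen
+{
+isakmp
+isakmp
+
+}
+
+remote 2.2.2.2 [500]
+{
+exchange_mode
+doi
+situation
+my_identifier
+peers_identifier
+lifetime
+passive
+proposal_check
+
+generate_policy off;
+
+proposal {
+encryption_algorithm
+hash_algorithm
+authentication_method
+lifetime time 30 sec;
+dh_group
+}
+}
+
+remote 2001:
+{
+exchange_mode
+doi
+situation
+my_identifier
+peers_identifier
+lifetime
+passive
+proposal_check
+
+generate_policy off;
+
+proposal {
+encryption_algorithm
+hash_algorithm
+authentication_method
+lifetime time 30 sec;
+dh_group
+}
+}
+
+sainfo (address 192.168.3.0/
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+sainfo
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+
+sainfo
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+sainfo
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+</
+
+
+=== Start ===
+
+== Manual startup ==
+
+<
+# ifconfig gif0 create
+# ifconfig gif0 192.168.3.1 192.168.6.1
+# ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
+# ifconfig gif0 inet6 2001:
+# route add 192.168.6.0 192.168.6.1 255.255.255.0
+# route add -inet6 2001:
+# /
+# /
+</
+
+== Automatic startup ==
+
+<
+# reboot
+</
+:-)
+
+==== On host B ====
+
+== /
+
+<
+cloned_interfaces="
+ifconfig_gif0="
 static_routes="
-route_internalnet1="
+route_internalnet1="
+
+ipv6_ifconfig_gif0="
+ipv6_static_routes="
+ipv6_route_a="
 ipsec_enable="
@@ -35 +224 @@
 </
+== /
+
+<
+#
+flush;
+spdflush;
+spdadd 192.168.6.0/
+spdadd 192.168.3.0/
+spdadd 2001:
+spdadd 2001:
+</
+
+== /
+
+<
+# /
+# IPv4/v6 addresses
+#
+1.1.1.1
+2001:
+</
+
+== /
+
+<
+path pre_shared_key
+log
+
+padding # options are not to be changed
+{
+maximum_length
+randomize
+strict_check
+exclusive_tail
+}
+
+timer # timing options. change as needed
+{
+counter
+interval
+persend
+#
+phase1
+phase2
+}
+
+listen
+{
+isakmp
+isakmp
+}
+
+remote 1.1.1.1 [500]
+{
+exchange_mode
+doi
+situation
+my_identifier
+peers_identifier
+lifetime
+passive
+proposal_check
+
+generate_policy off;
+
+proposal {
+encryption_algorithm
+hash_algorithm
+authentication_method
+lifetime time 30 sec;
+dh_group
+}
+}
+
+remote 2001:
+{
+exchange_mode
+doi
+situation
+my_identifier
+peers_identifier
+lifetime
+passive
+proposal_check
+
+generate_policy off;
+
+proposal {
+encryption_algorithm
+hash_algorithm
+authentication_method
+lifetime time 30 sec;
+dh_group
+}
+}
+
+sainfo (address 192.168.3.0/
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+sainfo
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+
+sainfo
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+sainfo
+{ # $network must be the two internal networks you are joining.
+pfs_group
+lifetime
+encryption_algorithm
+authentication_algorithm
+compression_algorithm
+}
+</
+
+=== Start ===
+
+== Manual startup ==
+
+<
+# ifconfig gif0 create
+# ifconfig gif0 192.168.6.1 192.168.3.1
+# ifconfig gif0 tunnel 2.2.2.2 1.1.1.1
+# ifconfig gif0 inet6 2001:
+# route add 192.168.3.0 192.168.3.1 255.255.255.0
+# route add -inet6 2001:
+# /
+# /
+</
+
+== Automatic startup ==
+
+<
+# reboot
+</
+:-)
+
+===== Testing =====
+
+on host A, run the following command:
+
+<
+# tcpdump -i re0 host 2.2.2.2 and dst 1.1.1.1
+</
+
+* example of unencrypted traffic (ping) from B to A, on public IPs
+
+<
+23:
+23:
+</
+
+* example of encrypted traffic (ping) from B to A, on private IPs
+
+<
+23:
+23:
+</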
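Review bot: The pre-shared-key file that `path pre_shared_key` points to (the listing with the `2.2.2.2` / `2001:` entries on host A and the `1.1.1.1` / `2001:` entries on host B) is shown without any ownership or mode, and as far as I recall racoon refuses to load a key file that is group- or world-readable, so the page should say so next to each listing, e.g. `This file must be owned by root and mode 0600, otherwise racoon will not read it.` Separately, `lifetime time 30 sec;` inside every `remote { proposal { … } }` block appears to be the phase-1 IKE SA lifetime; if that is intentional it forces a full IKE renegotiation every 30 seconds, which is unusual enough (typical values are hours) that a one-line comment explaining the choice would help the next reader. The `spdadd` lines and most option values are truncated in this rendering, so whether the policies use `require` and which cipher/hash/DH group are proposed cannot be checked from here.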