public:ipsec [2011/01/27 20:25] Nicopublic:ipsec [2012/03/09 22:43] (current) – [IPSec for FreeBSD's jails communication] typo Nico
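--- a/public:ipsec
+++ b/public:ipsec
@@ -1 +1 @@
 ====== IPSec for FreeBSD's jails communication ======
 
-**Abstract**: Here we assume we have two FreeBSD hosts, A using public IP 1.1.1.1 and internal virtual net 192.168.3.0 for jails, and B using public IP 2.2.2.2 and internal net 192.168.6.0 for jails.
+**Abstract**: Here we assume we have two FreeBSD hosts, **A** using public IP 1.1.1.1 and internal virtual net 192.168.3.0 for jails, and **B** using public IP 2.2.2.2 and internal net 192.168.6.0 for jails. We need hosts and jails to communicate together, preferably in a crypted way. 
+
+===== Preparation on both hosts =====
 
     * [[http://www.freebsd.org/doc/en/books/handbook/kernelconfig-building.html|Compile]] a custom kernel with the following additional options
@@ -18 +20 @@
 </code>
 
-    * On host A:
+===== Steps to follow on each host =====
-/etc/rc.conf
+
+==== On host A ====
+
+=== Configuration ===
+== /etc/rc.conf ==
 <code>
 cloned_interfaces="gif0"
 ifconfig_gif0="inet 192.168.3.1 192.168.6.1 tunnel 1.1.1.1 2.2.2.2"
+static_routes="internalnet2"
+route_internalnet2="-net 192.168.6.0/24 192.168.6.1"
+
+ipv6_ifconfig_gif0="2001:db8:ab01::1 2001:db8:ab02::1 prefixlen 128"
+ipv6_static_routes="b"
+ipv6_route_b="2001:db8:ab02::1 -interface gif0"
+
+ipsec_enable="YES"
+ipsec_program="/usr/local/sbin/setkey"
+ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
+racoon_flags="-l /var/log/racoon.log && echo -n 'racoon'"
+racoon_enable="yes"
+
+gateway_enable="YES"
+</code>
+
+== /usr/local/etc/racoon/setkey.conf ==
+
+<code>
+#!/sbin/setkey -f
+flush;
+spdflush;
+spdadd 192.168.3.0/24 192.168.6.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
+spdadd 192.168.6.0/24 192.168.3.0/24 any -P in  ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
+spdadd 2001:db8:ab01::/64 2001:db8:ab02::/64 any -P out ipsec esp/tunnel/2001:db8:ab01::1-2001:db8:ab02::1/require;
+spdadd 2001:db8:ab02::/64 2001:db8:ab01::/64 any -P out ipsec esp/tunnel/2001:db8:ab02::1-2001:db8:ab01::1/require;
+</code>
+
+== /usr/local/etc/racoon/psk.txt ==
+
+<code>
+# /usr/local/etc/racoon/psk.txt
+# IPv4/v6 addresses
+#
+2.2.2.2           myfookinunforgettablepassword
+2001:db8:ab02:: myfookinunforgettablepassword
+</code>
+
+== /usr/local/etc/racoon/racoon.conf ==
+
+<code>
+path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
+log     notify;  #log verbosity setting: set to 'notify' when testing and debugging is complete
+
+padding # options are not to be changed
+{
+        maximum_length  20;
+        randomize       off;
+        strict_check    off;
+        exclusive_tail  off;
+}
+
+timer   # timing options. change as needed
+{
+        counter         5;
+        interval        20 sec;
+        persend         1;
+#       natt_keepalive  15 sec;
+        phase1          30 sec;
+        phase2          15 sec;
+}
+
+listen  # address [port] that racoon will listening on
+{
+        isakmp          1.1.1.1 [500];
+        isakmp          2001:db8:ab01::1 [500];
+        
+}
+
+remote 2.2.2.2 [500]
+{
+        exchange_mode   main,aggressive;
+        doi             ipsec_doi;
+        situation       identity_only;
+        my_identifier   address 1.1.1.1;
+        peers_identifier        address 2.2.2.2;
+        lifetime        time 8 hour;
+        passive         off;
+        proposal_check  obey;
+       nat_traversal   off;
+        generate_policy off;
+
+                        proposal {
+                                encryption_algorithm    blowfish;
+                                hash_algorithm          md5;
+                                authentication_method   pre_shared_key;
+                                lifetime time           30 sec;
+                                dh_group                1;
+                        }
+}
+
+remote 2001:db8:ab02::1 [500]
+{
+        exchange_mode   main,aggressive;
+        doi             ipsec_doi;
+        situation       identity_only;
+        my_identifier   address 1.1.1.1;
+        peers_identifier        address 2.2.2.2;
+        lifetime        time 8 hour;
+        passive         off;
+        proposal_check  obey;
+       nat_traversal   off;
+        generate_policy off;
+
+                        proposal {
+                                encryption_algorithm    blowfish;
+                                hash_algorithm          md5;
+                                authentication_method   pre_shared_key;
+                                lifetime time           30 sec;
+                                dh_group                1;
+                        }
+}
+
+sainfo (address 192.168.3.0/24 any address 192.168.6.0/24 any)     # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+sainfo  (address 192.168.6.0/24 any address 192.168.3.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+
+sainfo  address 2001:db8:ab01::/64 any address 2001:db8:ab02::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+sainfo  address 2001:db8:ab02::/64 any address 2001:db8:ab01::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+</code>
+
+
+=== Start ===
+
+== Manual startup ==
+
+<code>
+# ifconfig gif0 create
+# ifconfig gif0 192.168.3.1 192.168.6.1
+# ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
+# ifconfig gif0 inet6 2001:db8:ab01::1 2001:db8:ab02::1 prefixlen 128
+# route add 192.168.6.0 192.168.6.1 255.255.255.0
+# route add -inet6 2001:db8:ab02:: -interface gif0
+# /etc/rc.d/ipsec start
+# /usr/local/etc/rc.d/racoon start
+</code>
+
+== Automatic startup ==
+
+<code>
+# reboot
+</code>
+:-)
+
+==== On host B ====
+
+== /etc/rc.conf ==
+
+<code>
+cloned_interfaces="gif0"
+ifconfig_gif0="inet 192.168.6.1 192.168.3.1 tunnel 2.2.2.2 1.1.1.1"
 static_routes="internalnet1"
-route_internalnet1="-net 192.168.6.0/24 192.168.6.1"
+route_internalnet1="-net 192.168.3.0/24 192.168.3.1
+
+ipv6_ifconfig_gif0="2001:db8:ab02::1 2001:db8:ab01::1 prefixlen 128" 
+ipv6_static_routes="a" 
+ipv6_route_a="2001:db8:ab01::1 -interface gif0"
 
 ipsec_enable="YES"
@@ -35 +224 @@
 </code>
 
+== /usr/local/etc/racoon/setkey.conf ==
+
+<code>
+#!/sbin/setkey -f
+flush;
+spdflush;
+spdadd 192.168.6.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
+spdadd 192.168.3.0/24 192.168.6.0/24 any -P in  ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
+spdadd 2001:db8:ab02::/64 2001:db8:ab01::/64 any -P out ipsec esp/tunnel/2001:db8:ab02::1-2001:db8:ab01::1/require;
+spdadd 2001:db8:ab01::/64 2001:db8:ab02::/64 any -P out ipsec esp/tunnel/2001:db8:ab01::1-2001:db8:ab02::1/require;
+</code>
+
+== /usr/local/etc/racoon/psk.txt ==
+
+<code>
+# /usr/local/etc/racoon/psk.txt
+# IPv4/v6 addresses
+#
+1.1.1.1           myfookinunforgettablepassword
+2001:db8:ab01:: myfookinunforgettablepassword
+</code>
+
+== /usr/local/etc/racoon/racoon.conf ==
+
+<code>
+path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
+log     notify;  #log verbosity setting: set to 'notify' when testing and debugging is complete
+
+padding # options are not to be changed
+{
+        maximum_length  20;
+        randomize       off;
+        strict_check    off;
+        exclusive_tail  off;
+}
+
+timer   # timing options. change as needed
+{
+        counter         5;
+        interval        20 sec;
+        persend         1;
+#       natt_keepalive  15 sec;
+        phase1          30 sec;
+        phase2          15 sec;
+}
+
+listen  # address [port] that racoon will listening on
+{
+        isakmp          2.2.2.2 [500];
+        isakmp          2001:db8:ab02::1 [500];
+}
+
+remote 1.1.1.1 [500]
+{
+        exchange_mode   main,aggressive;
+        doi             ipsec_doi;
+        situation       identity_only;
+        my_identifier   address 2.2.2.2;
+        peers_identifier        address 1.1.1.1;
+        lifetime        time 8 hour;
+        passive         off;
+        proposal_check  obey;
+       nat_traversal   off;
+        generate_policy off;
+
+                        proposal {
+                                encryption_algorithm    blowfish;
+                                hash_algorithm          md5;
+                                authentication_method   pre_shared_key;
+                                lifetime time           30 sec;
+                                dh_group                1;
+                        }
+}
+
+remote 2001:db8:ab01::1 [500]
+{
+        exchange_mode   main,aggressive;
+        doi             ipsec_doi;
+        situation       identity_only;
+        my_identifier   address 2.2.2.2;
+        peers_identifier        address 1.1.1.1;
+        lifetime        time 8 hour;
+        passive         off;
+        proposal_check  obey;
+       nat_traversal   off;
+        generate_policy off;
+
+                        proposal {
+                                encryption_algorithm    blowfish;
+                                hash_algorithm          md5;
+                                authentication_method   pre_shared_key;
+                                lifetime time           30 sec;
+                                dh_group                1;
+                        }
+}
+
+sainfo (address 192.168.3.0/24 any address 192.168.6.0/24 any)     # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+sainfo  (address 192.168.6.0/24 any address 192.168.3.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+
+sainfo  address 2001:db8:ab02::/64 any address 2001:db8:ab01::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+sainfo  address 2001:db8:ab01::/64 any address 2001:db8:ab02::/64 any    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{                               # $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}
+</code>
+
+=== Start ===
+
+== Manual startup ==
+
+<code>
+# ifconfig gif0 create
+# ifconfig gif0 192.168.6.1 192.168.3.1
+# ifconfig gif0 tunnel 2.2.2.2 1.1.1.1
+# ifconfig gif0 inet6 2001:db8:ab02::1 2001:db8:ab01::1 prefixlen 128
+# route add 192.168.3.0 192.168.3.1 255.255.255.0
+# route add -inet6 2001:db8:ab01:: -interface gif0
+# /etc/rc.d/ipsec start
+# /usr/local/etc/rc.d/racoon start
+</code>
+
+== Automatic startup ==
+
+<code>
+# reboot
+</code>
+:-)
+
+===== Testing =====
+
+on host A, run the following command:
+
+<code>
+# tcpdump -i re0 host 2.2.2.2 and dst 1.1.1.1
+</code>
+
+  * example of unencrypted traffic (ping) from B to A, on public IPs
+
+<code>
+23:24:42.762845 IP 2.2.2.2 > 1.1.1.1: ICMP echo request, id 37718, seq 1, length 64
+23:24:43.791147 IP 2.2.2.2 > 1.1.1.1: ICMP echo request, id 37718, seq 2, length 64
+</code>
+
+  * example of encrypted traffic (ping) from B to A, on private IPs
+
+<code>
+23:27:51.035045 IP 2.2.2.2 > 1.1.1.1: ESP(spi=0x0601db40,seq=0xaf3), length 116
+23:27:52.063482 IP 2.2.2.2 > 1.1.1.1: ESP(spi=0x0601db40,seq=0xaf4), length 116
+</code>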