IPSec for FreeBSD's jails communication
Abstract: We assume two FreeBSD hosts: A, with public IP 1.1.1.1 and the internal virtual network 192.168.3.0 for its jails, and B, with public IP 2.2.2.2 and the internal network 192.168.6.0 for its jails.
Preparation on both hosts
* [[http://www.freebsd.org/doc/en/books/handbook/kernelconfig-building.html|Compile]] a custom kernel with the following additional options:
# Kernel IPsec support (ESP/AH processing, SPD/SAD managed by setkey(8))
options IPSEC
# NOTE(review): lets the packet filter see traffic inside IPsec tunnels —
# confirm the exact semantics against the NOTES file of your kernel release
options IPSEC_FILTERTUNNEL
# In-kernel crypto framework that IPSEC relies on
device crypto
- Install racoon
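# cd /usr/ports/security/ipsec-tools/    # ipsec-tools lives in the security/ category of the ports tree
# make install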
Separate configuration
On host A
/etc/rc.conf
# --- gif(4) tunnel that carries the jail networks between the two hosts ---
cloned_interfaces="gif0"
# inner addresses: local 192.168.3.1, remote 192.168.6.1; outer endpoints 1.1.1.1 -> 2.2.2.2
ifconfig_gif0="inet 192.168.3.1 192.168.6.1 tunnel 1.1.1.1 2.2.2.2"

# --- reach host B's jail network through the far end of the tunnel ---
static_routes="internalnet1"
route_internalnet1="-net 192.168.6.0/24 192.168.6.1"

# --- IPsec: load the SPD policies from setkey.conf at boot ---
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot

# --- racoon, the IKE daemon that negotiates the ESP keys ---
racoon_enable="yes"
# NOTE(review): the trailing "&& echo -n 'racoon'" reaches racoon as extra
# arguments unless the rc script evaluates the flags; confirm it is still needed.
racoon_flags="-l /var/log/racoon.log && echo -n 'racoon'"

# forward packets between gif0 and the local jail network
gateway_enable="YES"
/usr/local/etc/racoon/setkey.conf
#!/sbin/setkey -f
# Start from an empty SAD and SPD so stale entries cannot linger
flush;
spdflush;

# Jail net on A -> jail net on B: ESP in tunnel mode between the public
# endpoints is mandatory (require); unprotected traffic is dropped.
spdadd 192.168.3.0/24 192.168.6.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
# Mirror policy for the inbound direction
spdadd 192.168.6.0/24 192.168.3.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
/usr/local/etc/racoon/psk.txt
# /usr/local/etc/racoon/psk.txt
# One "<peer identifier> <key>" pair per line; the identifier is the peer's
# IPv4/v6 address and must match peers_identifier in racoon.conf.
# Keep this file root-owned with mode 0600: racoon rejects a key file that
# group or others can read. The key below is only a sample — use a long,
# randomly generated secret on both hosts.
2.2.2.2 myfookinunforgettablepassword
/usr/local/etc/racoon/racoon.conf
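# Pre-shared key file: one "<peer address> <key>" line per peer (mode 0600, root-owned)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Log verbosity: raise it while testing, return to 'notify' once debugging is complete
log notify;

padding # options are not to be changed
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer # timing options. change as needed
{
    counter 5;
    interval 20 sec;
    persend 1;
    # natt_keepalive 15 sec;
    phase1 30 sec;
    phase2 15 sec;
}

listen # address [port] that racoon will listen on
{
    isakmp 1.1.1.1 [500];
}

remote 2.2.2.2 [500]
{
    # Main mode only. Aggressive mode sends the PSK-derived hash in the clear,
    # which exposes the shared key to offline guessing by anyone on the path.
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 1.1.1.1;
    peers_identifier address 2.2.2.2;
    lifetime time 8 hour;
    passive off;
    proposal_check obey;
    nat_traversal off;
    generate_policy off;

    # Preferred phase 1 proposal: AES with a 2048-bit MODP group (14).
    # No lifetime here, so it inherits the 8 hour value above.
    # Use "hash_algorithm sha256;" if your ipsec-tools release accepts it.
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;
    }
    # Legacy fallback so a peer still running the previous configuration can
    # connect. blowfish/MD5/768-bit DH (group 1) and the 30 second lifetime are
    # weak — delete this block as soon as both hosts carry the proposal above.
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        lifetime time 30 sec;
        dh_group 1;
    }
}

sainfo (address 192.168.3.0/24 any address 192.168.6.0/24 any)
    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{
    # $network must be the two internal networks you are joining.
    # pfs_group must agree with the peer (proposal_check obey lets the responder
    # accept the initiator's choice); raise it to 14 on both hosts together.
    pfs_group 1;
    lifetime time 36000 sec;
    # Strongest first. Single DES and hmac_md5 are dropped: a peer on the old
    # configuration still matches on blowfish/3des with hmac_sha1. Remove
    # blowfish and 3des once both hosts are updated.
    encryption_algorithm aes,blowfish,3des;
    authentication_algorithm hmac_sha256,hmac_sha1;
    compression_algorithm deflate;
}

sainfo (address 192.168.6.0/24 any address 192.168.3.0/24 any)
    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{
    # $network must be the two internal networks you are joining.
    # Same notes as the sainfo block above; keep both in sync.
    pfs_group 1;
    lifetime time 36000 sec;
    encryption_algorithm aes,blowfish,3des;
    authentication_algorithm hmac_sha256,hmac_sha1;
    compression_algorithm deflate;
}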
On host B
/etc/rc.conf
# --- gif(4) tunnel that carries the jail networks between the two hosts ---
cloned_interfaces="gif0"
# inner addresses: local 192.168.6.1, remote 192.168.3.1; outer endpoints 2.2.2.2 -> 1.1.1.1
ifconfig_gif0="inet 192.168.6.1 192.168.3.1 tunnel 2.2.2.2 1.1.1.1"

# --- reach host A's jail network through the far end of the tunnel ---
static_routes="internalnet1"
route_internalnet1="-net 192.168.3.0/24 192.168.3.1"

# --- IPsec: load the SPD policies from setkey.conf at boot ---
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot

# --- racoon, the IKE daemon that negotiates the ESP keys ---
racoon_enable="yes"
# NOTE(review): the trailing "&& echo -n 'racoon'" reaches racoon as extra
# arguments unless the rc script evaluates the flags; confirm it is still needed.
racoon_flags="-l /var/log/racoon.log && echo -n 'racoon'"

# forward packets between gif0 and the local jail network
gateway_enable="YES"
/usr/local/etc/racoon/setkey.conf
#!/sbin/setkey -f
# Start from an empty SAD and SPD so stale entries cannot linger
flush;
spdflush;

# Jail net on B -> jail net on A: ESP in tunnel mode between the public
# endpoints is mandatory (require); unprotected traffic is dropped.
spdadd 192.168.6.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
# Mirror policy for the inbound direction
spdadd 192.168.3.0/24 192.168.6.0/24 any -P in ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
/usr/local/etc/racoon/psk.txt
# /usr/local/etc/racoon/psk.txt
# One "<peer identifier> <key>" pair per line; the identifier is the peer's
# IPv4/v6 address and must match peers_identifier in racoon.conf.
# Keep this file root-owned with mode 0600: racoon rejects a key file that
# group or others can read. The key below is only a sample — use a long,
# randomly generated secret, identical to the one configured on host A.
1.1.1.1 myfookinunforgettablepassword
/usr/local/etc/racoon/racoon.conf
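# Pre-shared key file: one "<peer address> <key>" line per peer (mode 0600, root-owned)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Log verbosity: raise it while testing, return to 'notify' once debugging is complete
log notify;

padding # options are not to be changed
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer # timing options. change as needed
{
    counter 5;
    interval 20 sec;
    persend 1;
    # natt_keepalive 15 sec;
    phase1 30 sec;
    phase2 15 sec;
}

listen # address [port] that racoon will listen on
{
    isakmp 2.2.2.2 [500];
}

remote 1.1.1.1 [500]
{
    # Main mode only. Aggressive mode sends the PSK-derived hash in the clear,
    # which exposes the shared key to offline guessing by anyone on the path.
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 2.2.2.2;
    peers_identifier address 1.1.1.1;
    lifetime time 8 hour;
    passive off;
    proposal_check obey;
    nat_traversal off;
    generate_policy off;

    # Preferred phase 1 proposal: AES with a 2048-bit MODP group (14).
    # No lifetime here, so it inherits the 8 hour value above.
    # Use "hash_algorithm sha256;" if your ipsec-tools release accepts it.
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;
    }
    # Legacy fallback so a peer still running the previous configuration can
    # connect. blowfish/MD5/768-bit DH (group 1) and the 30 second lifetime are
    # weak — delete this block as soon as both hosts carry the proposal above.
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        lifetime time 30 sec;
        dh_group 1;
    }
}

sainfo (address 192.168.3.0/24 any address 192.168.6.0/24 any)
    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{
    # $network must be the two internal networks you are joining.
    # pfs_group must agree with the peer (proposal_check obey lets the responder
    # accept the initiator's choice); raise it to 14 on both hosts together.
    pfs_group 1;
    lifetime time 36000 sec;
    # Strongest first. Single DES and hmac_md5 are dropped: a peer on the old
    # configuration still matches on blowfish/3des with hmac_sha1. Remove
    # blowfish and 3des once both hosts are updated.
    encryption_algorithm aes,blowfish,3des;
    authentication_algorithm hmac_sha256,hmac_sha1;
    compression_algorithm deflate;
}

sainfo (address 192.168.6.0/24 any address 192.168.3.0/24 any)
    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{
    # $network must be the two internal networks you are joining.
    # Same notes as the sainfo block above; keep both in sync.
    pfs_group 1;
    lifetime time 36000 sec;
    encryption_algorithm aes,blowfish,3des;
    authentication_algorithm hmac_sha256,hmac_sha1;
    compression_algorithm deflate;
}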