IPSEC-Racoon

From WTFwiki
Revision as of 21:44, 4 January 2013 by Jontow (talk | contribs) (2 revisions)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Theory

To set this up, we're going to use gif(4) to setup a regular [unencrypted] IPv4-IPv4 tunnel from

one host to another; nothing that special but still quite neat. This way we don't have to worry

about IP negotiations etc, its less interoperable but MUCH nicer to deal with if both of your

endpoints support gif(4).


Once the tunnel is up, we can begin securing it before we use it.


Follow the configuration for Host A and B at about the same pace.

For example, when you setup the unencrypted tunnel on A, do it on B, then continue to the next step for each.


What this document assumes is that 'Host A' is the "client", and 'Host B' is the "server".


YMMV, but if it doesn't work try setting B up first.


Requirements

  • On both FreeBSD and NetBSD, you'll probably have to rebuild your kernel to include a few options: "IPSEC", "IPSEC_ESP", "IPSEC_DEBUG", and "IPSEC_FILTERGIF" would be helpful. I'd also add some firewalling abilities, and don't forget "device gif".
  • On FreeBSD, you'll probably have to install 'ipsec-tools' from 'ports/security/ipsec-tools'.


Host A

  • For clarity, this is a FreeBSD 6.1-STABLE machine.
  • External Address/Mask: 1.2.3.4/32
  • Internal Address/Mask: 10.10.10.1/24
  • Now lets bring up one end of the gif(4) tunnel:

 # ifconfig gif0 create
 # ifconfig gif0 inet 10.10.10.1 192.168.20.1 netmask 0xffffffff
 # ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up

  • To access the entire remote network instead of just the endpoint (192.168.20.1):
 # route add 192.168.20.0/24 192.168.20.1
  • Create 'ipsec.conf' (which I place in /usr/local/etc/racoon):

 spdadd 1.2.3.4/32 5.6.7.8/32 ipencap -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
 spdadd 5.6.7.8/32 1.2.3.4/32 ipencap -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;

  • Create 'psk.txt' (which I also place in /usr/local/etc/racoon):

 5.6.7.8      MYpreSHAREDkey

  • Create 'racoon.conf' (again in /usr/local/etc/racoon):

 path pre_shared_key "/usr/local/etc/racoon/psk.txt";
 log debug2;

 padding
 {
       maximum_length 20;      # maximum padding length.
       randomize off;          # enable randomize length.
       strict_check off;       # enable strict check.
       exclusive_tail off;     # extract last one octet.
 }

 listen
 {
       isakmp 1.2.3.4 [500];
 }

 timer
 {
       # These value can be changed per remote node.
       counter 5;              # maximum trying count to send.
       interval 20 sec;        # maximum interval to resend.
       persend 1;              # the number of packets per send.

       # maximum time to wait for completing each phase.
       phase1 30 sec;
       phase2 15 sec;
 }

 remote 5.6.7.8
 {
       exchange_mode main,aggressive;
       doi ipsec_doi;
       situation identity_only;
       nonce_size 16;
       initial_contact on;
       passive off;
       proposal_check obey;    # obey, strict, or claim

       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key ;
               dh_group 2;
       }
 }

 sainfo anonymous
 {
       pfs_group 2;
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
 }

  • Add the following to '/etc/rc.conf':
 racoon_enable="YES"
  • Add the following to '/etc/rc.local':
 if [ -f /usr/local/etc/racoon/ipsec.conf ]; then
       /sbin/ifconfig gif0 create
       /sbin/ifconfig gif0 inet 10.10.10.1 192.168.20.1 netmask 0xffffffff
       /sbin/ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
       /sbin/route add 192.168.20.0/24 192.168.20.1
       /sbin/setkey -f /usr/local/etc/racoon/ipsec.conf
 fi
  • At this point, its testing time. You'll want more than one terminal open for debugging purposes.
  • In terminal 1:
 # tail -f /var/log/messages
  • In terminal 2:
 # /sbin/setkey -f /etc/racoon/ipsec.conf
 # /usr/local/etc/rc.d/racoon start
  • Continue at the end of 'Host B' for more info.


Host B

  • For clarity, this is a NetBSD 2.1_STABLE machine.
  • External Address/Mask: 5.6.7.8/32
  • Internal Address/Mask: 192.168.20.1/24
  • Time to bring up the other end of the tunnel:

 # ifconfig gif0 create
 # ifconfig gif0 inet 192.168.20.1 10.10.10.1 netmask 0xffffffff
 # ifconfig gif0 tunnel 5.6.7.8 1.2.3.4 up

  • To access the entire remote network instead of just the endpoint (10.10.10.1):
 # route add 10.10.10.0/24 10.10.10.1
  • After this point on both ends of the tunnel; you can begin doing some basic link tests--ping some remote hosts, etc. Just remember that the link is unencrypted as of yet, so don't send much more than ping across it for now.
  • Create 'ipsec.conf' (which on NetBSD I place in the default location of /etc/racoon):

 spdadd 5.6.7.8/32 1.2.3.4/32 ipencap -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
 spdadd 1.2.3.4/32 5.6.7.8/32 ipencap -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;

  • Create 'psk.txt' (which I also place in /etc/racoon):

 1.2.3.4      MYpreSHAREDkey

  • Now create 'racoon.conf' (which again goes in /etc/racoon):

 path pre_shared_key "/etc/racoon/psk.txt" ;
 path certificate "/etc/openssl/certs" ;
 log debug2;

 listen
 {
       isakmp 5.6.7.8 [500];
 }

 remote 1.2.3.4
 {
       exchange_mode main,base;

       certificate_type x509 "vpngw.crt" "vpngw.key" ;

       lifetime time 24 hour ; # sec,min,hour

       initial_contact off ;
       passive on ;

       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key ;
               dh_group 2 ;
       }

       proposal_check obey;

       generate_policy on;
 }

 sainfo anonymous
 {
       pfs_group 2;
       lifetime time 12 hour ;
       encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
       authentication_algorithm hmac_sha1, hmac_md5 ;
       compression_algorithm deflate ;
 }

  • Now, if you were paying attention, you'd notice that Host B has a couple of differences in the way racoon.conf is setup. Specifically, this one has OpenSSL nonsense in it. Yeah.. time to generate a certificate.
  • I chose to use a self-signed certificate; it was cheaper and this is for my own personal use.
  • After the certificate generation step, add the following to '/etc/rc.conf':
 racoon=YES
  • After that, add the following to '/etc/rc.local':
 if [ -f /etc/racoon/ipsec.conf ]; then
       /sbin/ifconfig gif0 create
       /sbin/ifconfig gif0 inet 192.168.20.1 10.10.10.1 netmask 0xffffffff
       /sbin/ifconfig gif0 tunnel 5.6.7.8 1.2.3.4 up
       /sbin/route add 10.10.10.0/24 10.10.10.1
       /sbin/setkey -f /etc/racoon/ipsec.conf
 fi
  • At this point, its testing time. You'll want more than one terminal open for debugging purposes.
  • In terminal 1:
 # tail -f /var/log/messages
  • In terminal 2:
 # /sbin/setkey -f /etc/racoon/ipsec.conf
 # /etc/rc.d/racoon start
  • Start the other end of the tunnel and watch the logs.
  • Now ping from one end to the other and the tunnel should come up. Using tcpdump on the external interfaces should confirm that it is an encrypted tunnel now. Congratulations.

Reference Material

 A few resources I used to learn this the first time.