Difference between revisions of "IPSEC-Racoon"
Jump to navigation
Jump to search
(initial commit of the ipsec/racoon howto) |
m (2 revisions) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 11: | Line 11: | ||
Once the tunnel is up, we can begin securing it before we use it. | Once the tunnel is up, we can begin securing it before we use it. | ||
| + | |||
| + | |||
| + | Follow the configuration for Host A and B at about the same pace. | ||
| + | |||
| + | For example, when you setup the unencrypted tunnel on A, do it on B, then continue to the next step for each. | ||
| + | |||
| + | |||
| + | What this document assumes is that 'Host A' is the "client", and 'Host B' is the "server". | ||
| + | |||
| + | |||
| + | YMMV, but if it doesn't work try setting B up first. | ||
| Line 24: | Line 35: | ||
* For clarity, this is a FreeBSD 6.1-STABLE machine. | * For clarity, this is a FreeBSD 6.1-STABLE machine. | ||
* External Address/Mask: 1.2.3.4/32 | * External Address/Mask: 1.2.3.4/32 | ||
| − | * Internal Address/Mask: 10.10.10.0/24 | + | * Internal Address/Mask: 10.10.10.1/24 |
| + | |||
| + | * Now lets bring up one end of the [http://www.freebsd.org/cgi/man.cgi?query=gif&apropos=0&sektion=4&manpath=FreeBSD+6.1-RELEASE&format=html gif(4)] tunnel: | ||
| + | |||
| + | <code> | ||
| + | # ifconfig gif0 create | ||
| + | # ifconfig gif0 inet 10.10.10.1 192.168.20.1 netmask 0xffffffff | ||
| + | # ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up | ||
| + | </code> | ||
| + | |||
| + | * To access the entire remote network instead of just the endpoint (192.168.20.1): | ||
| + | |||
| + | # route add 192.168.20.0/24 192.168.20.1 | ||
| + | |||
| + | * Create 'ipsec.conf' (which I place in /usr/local/etc/racoon): | ||
| + | |||
| + | <code> | ||
| + | spdadd 1.2.3.4/32 5.6.7.8/32 ipencap -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require; | ||
| + | spdadd 5.6.7.8/32 1.2.3.4/32 ipencap -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require; | ||
| + | </code> | ||
| + | |||
| + | * Create 'psk.txt' (which I also place in /usr/local/etc/racoon): | ||
| + | |||
| + | <code> | ||
| + | 5.6.7.8 MYpreSHAREDkey | ||
| + | </code> | ||
| + | |||
| + | * Create 'racoon.conf' (again in /usr/local/etc/racoon): | ||
| + | |||
| + | <code> | ||
| + | path pre_shared_key "/usr/local/etc/racoon/psk.txt"; | ||
| + | log debug2; | ||
| + | |||
| + | padding | ||
| + | { | ||
| + | maximum_length 20; # maximum padding length. | ||
| + | randomize off; # enable randomize length. | ||
| + | strict_check off; # enable strict check. | ||
| + | exclusive_tail off; # extract last one octet. | ||
| + | } | ||
| + | |||
| + | listen | ||
| + | { | ||
| + | isakmp 1.2.3.4 [500]; | ||
| + | } | ||
| + | |||
| + | timer | ||
| + | { | ||
| + | # These value can be changed per remote node. | ||
| + | counter 5; # maximum trying count to send. | ||
| + | interval 20 sec; # maximum interval to resend. | ||
| + | persend 1; # the number of packets per send. | ||
| + | |||
| + | # maximum time to wait for completing each phase. | ||
| + | phase1 30 sec; | ||
| + | phase2 15 sec; | ||
| + | } | ||
| + | |||
| + | remote 5.6.7.8 | ||
| + | { | ||
| + | exchange_mode main,aggressive; | ||
| + | doi ipsec_doi; | ||
| + | situation identity_only; | ||
| + | nonce_size 16; | ||
| + | initial_contact on; | ||
| + | passive off; | ||
| + | proposal_check obey; # obey, strict, or claim | ||
| + | |||
| + | proposal { | ||
| + | encryption_algorithm 3des; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method pre_shared_key ; | ||
| + | dh_group 2; | ||
| + | } | ||
| + | } | ||
| + | |||
| + | sainfo anonymous | ||
| + | { | ||
| + | pfs_group 2; | ||
| + | encryption_algorithm 3des; | ||
| + | authentication_algorithm hmac_sha1; | ||
| + | compression_algorithm deflate; | ||
| + | } | ||
| + | </code> | ||
| + | |||
| + | * Add the following to '/etc/rc.conf': | ||
| + | |||
| + | racoon_enable="YES" | ||
| + | |||
| + | * Add the following to '/etc/rc.local': | ||
| + | |||
| + | if [ -f /usr/local/etc/racoon/ipsec.conf ]; then | ||
| + | /sbin/ifconfig gif0 create | ||
| + | /sbin/ifconfig gif0 inet 10.10.10.1 192.168.20.1 netmask 0xffffffff | ||
| + | /sbin/ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up | ||
| + | /sbin/route add 192.168.20.0/24 192.168.20.1 | ||
| + | /sbin/setkey -f /usr/local/etc/racoon/ipsec.conf | ||
| + | fi | ||
| + | |||
| + | * At this point, its testing time. You'll want more than one terminal open for debugging purposes. | ||
| + | |||
| + | * In terminal 1: | ||
| + | |||
| + | # tail -f /var/log/messages | ||
| + | |||
| + | * In terminal 2: | ||
| + | |||
| + | # /sbin/setkey -f /etc/racoon/ipsec.conf | ||
| + | # /usr/local/etc/rc.d/racoon start | ||
| + | |||
| + | * Continue at the end of 'Host B' for more info. | ||
| Line 31: | Line 152: | ||
* For clarity, this is a NetBSD 2.1_STABLE machine. | * For clarity, this is a NetBSD 2.1_STABLE machine. | ||
* External Address/Mask: 5.6.7.8/32 | * External Address/Mask: 5.6.7.8/32 | ||
| − | * Internal Address/Mask: 192.168.20.0/24 | + | * Internal Address/Mask: 192.168.20.1/24 |
| + | |||
| + | * Time to bring up the other end of the tunnel: | ||
| + | |||
| + | <code> | ||
| + | # ifconfig gif0 create | ||
| + | # ifconfig gif0 inet 192.168.20.1 10.10.10.1 netmask 0xffffffff | ||
| + | # ifconfig gif0 tunnel 5.6.7.8 1.2.3.4 up | ||
| + | </code> | ||
| + | |||
| + | * To access the entire remote network instead of just the endpoint (10.10.10.1): | ||
| + | |||
| + | # route add 10.10.10.0/24 10.10.10.1 | ||
| + | |||
| + | * After this point on both ends of the tunnel; you can begin doing some basic link tests--ping some remote hosts, etc. Just remember that the link is unencrypted as of yet, so don't send much more than ping across it for now. | ||
| + | |||
| + | * Create 'ipsec.conf' (which on NetBSD I place in the default location of /etc/racoon): | ||
| + | |||
| + | <code> | ||
| + | spdadd 5.6.7.8/32 1.2.3.4/32 ipencap -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require; | ||
| + | spdadd 1.2.3.4/32 5.6.7.8/32 ipencap -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require; | ||
| + | </code> | ||
| + | |||
| + | * Create 'psk.txt' (which I also place in /etc/racoon): | ||
| + | |||
| + | <code> | ||
| + | 1.2.3.4 MYpreSHAREDkey | ||
| + | </code> | ||
| + | |||
| + | * Now create 'racoon.conf' (which again goes in /etc/racoon): | ||
| + | |||
| + | <code> | ||
| + | path pre_shared_key "/etc/racoon/psk.txt" ; | ||
| + | path certificate "/etc/openssl/certs" ; | ||
| + | log debug2; | ||
| + | |||
| + | listen | ||
| + | { | ||
| + | isakmp 5.6.7.8 [500]; | ||
| + | } | ||
| + | |||
| + | remote 1.2.3.4 | ||
| + | { | ||
| + | exchange_mode main,base; | ||
| + | |||
| + | certificate_type x509 "vpngw.crt" "vpngw.key" ; | ||
| + | |||
| + | lifetime time 24 hour ; # sec,min,hour | ||
| + | |||
| + | initial_contact off ; | ||
| + | passive on ; | ||
| + | |||
| + | proposal { | ||
| + | encryption_algorithm 3des; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method pre_shared_key ; | ||
| + | dh_group 2 ; | ||
| + | } | ||
| + | |||
| + | proposal_check obey; | ||
| + | |||
| + | generate_policy on; | ||
| + | } | ||
| + | |||
| + | sainfo anonymous | ||
| + | { | ||
| + | pfs_group 2; | ||
| + | lifetime time 12 hour ; | ||
| + | encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ; | ||
| + | authentication_algorithm hmac_sha1, hmac_md5 ; | ||
| + | compression_algorithm deflate ; | ||
| + | } | ||
| + | </code> | ||
| + | |||
| + | * Now, if you were paying attention, you'd notice that Host B has a couple of differences in the way racoon.conf is setup. Specifically, this one has OpenSSL nonsense in it. Yeah.. time to generate a certificate. | ||
| + | |||
| + | * I chose to use a self-signed certificate; it was cheaper and this is for my own personal use. | ||
| + | |||
| + | * Follow [http://www.netbsd.org/Documentation/network/ipsec/rasvpn.html#cert netbsd.org's documentation] on that, so that I don't need to reproduce it here. | ||
| + | |||
| + | * After the certificate generation step, add the following to '/etc/rc.conf': | ||
| + | |||
| + | racoon=YES | ||
| + | |||
| + | * After that, add the following to '/etc/rc.local': | ||
| + | |||
| + | if [ -f /etc/racoon/ipsec.conf ]; then | ||
| + | /sbin/ifconfig gif0 create | ||
| + | /sbin/ifconfig gif0 inet 192.168.20.1 10.10.10.1 netmask 0xffffffff | ||
| + | /sbin/ifconfig gif0 tunnel 5.6.7.8 1.2.3.4 up | ||
| + | /sbin/route add 10.10.10.0/24 10.10.10.1 | ||
| + | /sbin/setkey -f /etc/racoon/ipsec.conf | ||
| + | fi | ||
| + | |||
| + | * At this point, its testing time. You'll want more than one terminal open for debugging purposes. | ||
| + | |||
| + | * In terminal 1: | ||
| + | |||
| + | # tail -f /var/log/messages | ||
| + | |||
| + | * In terminal 2: | ||
| + | |||
| + | # /sbin/setkey -f /etc/racoon/ipsec.conf | ||
| + | # /etc/rc.d/racoon start | ||
| + | |||
| + | * Start the other end of the tunnel and watch the logs. | ||
| + | * Now ping from one end to the other and the tunnel should come up. Using tcpdump on the external interfaces should confirm that it is an encrypted tunnel now. Congratulations. | ||
== Reference Material == | == Reference Material == | ||
Latest revision as of 22:44, 4 January 2013
Theory
To set this up, we're going to use gif(4) to setup a regular [unencrypted] IPv4-IPv4 tunnel from
one host to another; nothing that special but still quite neat. This way we don't have to worry
about IP negotiations etc, its less interoperable but MUCH nicer to deal with if both of your
endpoints support gif(4).
Once the tunnel is up, we can begin securing it before we use it.
Follow the configuration for Host A and B at about the same pace.
For example, when you setup the unencrypted tunnel on A, do it on B, then continue to the next step for each.
What this document assumes is that 'Host A' is the "client", and 'Host B' is the "server".
YMMV, but if it doesn't work try setting B up first.
Requirements
- On both FreeBSD and NetBSD, you'll probably have to rebuild your kernel to include a few options: "IPSEC", "IPSEC_ESP", "IPSEC_DEBUG", and "IPSEC_FILTERGIF" would be helpful. I'd also add some firewalling abilities, and don't forget "device gif".
- On FreeBSD, you'll probably have to install 'ipsec-tools' from 'ports/security/ipsec-tools'.
Host A
- For clarity, this is a FreeBSD 6.1-STABLE machine.
- External Address/Mask: 1.2.3.4/32
- Internal Address/Mask: 10.10.10.1/24
- Now lets bring up one end of the gif(4) tunnel:
# ifconfig gif0 create
# ifconfig gif0 inet 10.10.10.1 192.168.20.1 netmask 0xffffffff
# ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
- To access the entire remote network instead of just the endpoint (192.168.20.1):
# route add 192.168.20.0/24 192.168.20.1
- Create 'ipsec.conf' (which I place in /usr/local/etc/racoon):
spdadd 1.2.3.4/32 5.6.7.8/32 ipencap -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8/32 1.2.3.4/32 ipencap -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
- Create 'psk.txt' (which I also place in /usr/local/etc/racoon):
5.6.7.8 MYpreSHAREDkey
- Create 'racoon.conf' (again in /usr/local/etc/racoon):
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 1.2.3.4 [500];
}
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote 5.6.7.8
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
nonce_size 16;
initial_contact on;
passive off;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
- Add the following to '/etc/rc.conf':
racoon_enable="YES"
- Add the following to '/etc/rc.local':
if [ -f /usr/local/etc/racoon/ipsec.conf ]; then
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 inet 10.10.10.1 192.168.20.1 netmask 0xffffffff
/sbin/ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
/sbin/route add 192.168.20.0/24 192.168.20.1
/sbin/setkey -f /usr/local/etc/racoon/ipsec.conf
fi
- At this point, its testing time. You'll want more than one terminal open for debugging purposes.
- In terminal 1:
# tail -f /var/log/messages
- In terminal 2:
# /sbin/setkey -f /etc/racoon/ipsec.conf # /usr/local/etc/rc.d/racoon start
- Continue at the end of 'Host B' for more info.
Host B
- For clarity, this is a NetBSD 2.1_STABLE machine.
- External Address/Mask: 5.6.7.8/32
- Internal Address/Mask: 192.168.20.1/24
- Time to bring up the other end of the tunnel:
# ifconfig gif0 create
# ifconfig gif0 inet 192.168.20.1 10.10.10.1 netmask 0xffffffff
# ifconfig gif0 tunnel 5.6.7.8 1.2.3.4 up
- To access the entire remote network instead of just the endpoint (10.10.10.1):
# route add 10.10.10.0/24 10.10.10.1
- After this point on both ends of the tunnel; you can begin doing some basic link tests--ping some remote hosts, etc. Just remember that the link is unencrypted as of yet, so don't send much more than ping across it for now.
- Create 'ipsec.conf' (which on NetBSD I place in the default location of /etc/racoon):
spdadd 5.6.7.8/32 1.2.3.4/32 ipencap -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4/32 5.6.7.8/32 ipencap -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
- Create 'psk.txt' (which I also place in /etc/racoon):
1.2.3.4 MYpreSHAREDkey
- Now create 'racoon.conf' (which again goes in /etc/racoon):
path pre_shared_key "/etc/racoon/psk.txt" ;
path certificate "/etc/openssl/certs" ;
log debug2;
listen
{
isakmp 5.6.7.8 [500];
}
remote 1.2.3.4
{
exchange_mode main,base;
certificate_type x509 "vpngw.crt" "vpngw.key" ;
lifetime time 24 hour ; # sec,min,hour
initial_contact off ;
passive on ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
proposal_check obey;
generate_policy on;
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
- Now, if you were paying attention, you'd notice that Host B has a couple of differences in the way racoon.conf is setup. Specifically, this one has OpenSSL nonsense in it. Yeah.. time to generate a certificate.
- I chose to use a self-signed certificate; it was cheaper and this is for my own personal use.
- Follow netbsd.org's documentation on that, so that I don't need to reproduce it here.
- After the certificate generation step, add the following to '/etc/rc.conf':
racoon=YES
- After that, add the following to '/etc/rc.local':
if [ -f /etc/racoon/ipsec.conf ]; then
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 inet 192.168.20.1 10.10.10.1 netmask 0xffffffff
/sbin/ifconfig gif0 tunnel 5.6.7.8 1.2.3.4 up
/sbin/route add 10.10.10.0/24 10.10.10.1
/sbin/setkey -f /etc/racoon/ipsec.conf
fi
- At this point, its testing time. You'll want more than one terminal open for debugging purposes.
- In terminal 1:
# tail -f /var/log/messages
- In terminal 2:
# /sbin/setkey -f /etc/racoon/ipsec.conf # /etc/rc.d/racoon start
- Start the other end of the tunnel and watch the logs.
- Now ping from one end to the other and the tunnel should come up. Using tcpdump on the external interfaces should confirm that it is an encrypted tunnel now. Congratulations.
Reference Material
A few resources I used to learn this the first time.