question on tunnels (VPN)
Julian Elischer
julian at elischer.org
Wed Sep 22 18:19:54 PDT 2004
Mikhail P. wrote:
>On Wednesday 22 September 2004 21:26, Julian Elischer wrote:
>
>
>>I use MPD using the "UDP" transport.
>>
>>in other words packets get sent as udp packets.
>>
>>I then set up IPSEC to encrypt the UDP packets..
>>
>>when I had a NAT in the way I did further encapsulate the GRE packets in
>>UDP again :-)
>>
>>
>
>Julian,
>
>Thank you for your quick response.
>Do you have any pointers on how to implement such setup to send traffic as UDP
>in MPD?
>
>
Look under 'link commands' in the mpd docs.
Here are my (obfuscated) config files:
# cat mpd.conf
default:
    set login ConsoleLogin
    log -console
    load vpn-lax
    load vpn-chi

vpn_standard:
    set iface disable on-demand
    set iface idle 0
    set iface mtu 1500
    set ipcp yes vjcomp
    set bundle enable multilink
    # set bundle enable round-robin

tun_standard:
    set link yes acfcomp protocomp
    set link no pap
    set link no chap
    set link keep-alive 2 15
    set link mru 900
    set link mtu 900
    # set link bandwidth 1440000

############### per-link settings #################
vpn-lax:
    new -i ng0 vpn-lax lax-ISP-B lax-ISP-A
    set iface addrs 10.x.x.x 10.z.z.z
    set iface route 192.168.aa.0/24
    set ipcp ranges 10.x.x.x/32 10.z.z.z/32
    load vpn_standard
    link lax-ISP-B
    load tun_standard
    link lax-ISP-A
    load tun_standard
    open

vpn-chi:
    new -i ng1 vpn-chi chi-ISP-B chi-ISP-A
    set iface addrs 10.x.x.x 10.y.y.y
    set iface route 192.168.bb.0/24
    set ipcp ranges 10.x.x.x/32 10.y.y.y/32
    load vpn_standard
    link chi-ISP-B
    load tun_standard
    link chi-ISP-A
    load tun_standard
    open
# cat mpd.links
lax-ISP-B:
    set link type udp
    set udp self bb.bb.bb.bb 4029
    set udp peer aa.aa.aa.aa 4029

lax-ISP-A:
    set link type udp
    set udp self dd.dd.dd.dd 4029
    set udp peer cc.cc.cc.cc 4029

chi-ISP-B:
    set link type udp
    set udp self bb.bb.bb.bb 4028
    set udp peer ee.ee.ee.ee 4028

chi-ISP-A:
    set link type udp
    set udp self dd.dd.dd.dd 4028
    set udp peer ff.ff.ff.ff 4028
These are the config files for a machine on the Internet that is connected to
2 other sites, in LA and Chicago for example.
Each site has a network behind it in the 192.168 range.
The links themselves are in the 10.xx.xx.xx range.
There are two LINKs for each bundle as we connect to the Internet via 2 ISPs
at each site and use MPD's bonding to provide failover and soft degradation.
Probably you don't have 2 ISPs..
In addition to this we have ipsec set up as follows:
# cat /etc/ipsec.conf
flush;
spdflush;
# LAX
spdadd aa.aa.aa.aa bb.bb.bb.bb any -P in ipsec esp/transport//require;
spdadd bb.bb.bb.bb aa.aa.aa.aa any -P out ipsec esp/transport//require;
spdadd cc.cc.cc.cc dd.dd.dd.dd any -P in ipsec esp/transport//require;
spdadd dd.dd.dd.dd cc.cc.cc.cc any -P out ipsec esp/transport//require;
# Chicago
spdadd bb.bb.bb.bb ee.ee.ee.ee any -P out ipsec esp/transport//require;
spdadd ee.ee.ee.ee bb.bb.bb.bb any -P in ipsec esp/transport//require;
spdadd dd.dd.dd.dd ff.ff.ff.ff any -P out ipsec esp/transport//require;
spdadd ff.ff.ff.ff dd.dd.dd.dd any -P in ipsec esp/transport//require;
And we run racoon for key serving..
This is the simplest config file we sometimes use
(when we have just pre-shared secrets to start off the sequence);
normally we use certs but it gets trickier..
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;

log notify;

padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}

listen
{
    isakmp bb.bb.bb.bb [500];
    isakmp dd.dd.dd.dd [500];
    strict_address;       # required all addresses must be bound.
}

timer
{
    # These values can be changed per remote node.
    counter 5;            # maximum trying count to send.
    interval 20 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    nonce_size 16;
    lifetime time 10 min; # sec,min,hour
    initial_contact on;
    support_mip6 off;
    proposal_check obey;  # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 10 min;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
Don't forget to set:
sysctl net.key.prefered_oldsa=0
I'll leave the firewalls and routing to you :-)
>regards,
>M.
>
>
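A cross-check of the two configs in the setup above, as an added example that is not part of the original post: it parses the `set udp self/peer` pairs from mpd.links and the `spdadd` lines from ipsec.conf, and reports any UDP link whose endpoints lack a mandatory ESP policy in either direction (traffic on such a link would cross the Internet in the clear). The sample inputs are constructed to resemble the posted files; the function names are my own.

```python
import re

# Constructed sample inputs (assumed), shaped like the posted mpd.links and
# ipsec.conf: one link covered both ways, one with only an 'out' policy.
MPD_LINKS = """\
lax-ISP-B:
    set link type udp
    set udp self bb.bb.bb.bb 4029
    set udp peer aa.aa.aa.aa 4029
chi-ISP-A:
    set link type udp
    set udp self dd.dd.dd.dd 4028
    set udp peer ff.ff.ff.ff 4028
"""
IPSEC_CONF = """\
flush;
spdflush;
spdadd aa.aa.aa.aa bb.bb.bb.bb any -P in ipsec esp/transport//require;
spdadd bb.bb.bb.bb aa.aa.aa.aa any -P out ipsec esp/transport//require;
spdadd dd.dd.dd.dd ff.ff.ff.ff any -P out ipsec esp/transport//require;
"""
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+);")

def parse_udp_links(text):
    """Map each mpd link label to its (self_addr, peer_addr) from 'set udp' lines."""
    links, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":"):                      # label line starts a new link
            cur = links.setdefault(s[:-1], {})
        elif cur is not None and s.startswith("set udp "):
            _, _, side, addr, _port = s.split()  # 'set udp self|peer ADDR PORT'
            cur[side] = addr
    return {n: (d["self"], d["peer"]) for n, d in links.items()
            if "self" in d and "peer" in d}

def parse_spd(text):
    """Set of (src, dst, direction) triples covered by a 'require' ESP policy."""
    spd = set()
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if m and m.group(4).startswith("esp/") and m.group(4).endswith("/require"):
            spd.add((m.group(1), m.group(2), m.group(3)))
    return spd

def unprotected_links(mpd_links, ipsec_conf):
    """Link names lacking the 'out' (self->peer) or 'in' (peer->self) ESP policy."""
    spd = parse_spd(ipsec_conf)
    return sorted(name for name, (me, peer) in parse_udp_links(mpd_links).items()
                  if (me, peer, "out") not in spd or (peer, me, "in") not in spd)
```

Run `unprotected_links(MPD_LINKS, IPSEC_CONF)` on the sample: it returns `['chi-ISP-A']`, since that link has no `-P in` policy for ff.ff.ff.ff -> dd.dd.dd.dd.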
More information about the freebsd-net mailing list