question regarding IPSEC Setup
rascal
rascal1981 at gmail.com
Wed Jul 15 01:43:59 UTC 2009
Thanks very much David, I really appreciate it!
I have the racoon2 package; does this make a big difference or do these
configs work close to the same?
On Tue, Jul 14, 2009 at 8:15 PM, David DeSimone <fox at verio.net> wrote:
> rascal <rascal1981 at gmail.com> wrote:
> >
> > Thanks for the input on this everyone! Eugene, I'll take you up on
> > your offer of examples! I have a good idea of how to do this, I
> > just want to make sure I get it right and if I have some examples to
> > compare to that would be great! Thanks much!
>
> Here is an example IPSEC config that we use, that interoperates with
> Cisco, Checkpoint, and probably other standard IPSEC implementations.
>
> We're using PF for firewalling.
>
> Example config:
>
> Here: 11.22.33.44 (FreeBSD machine)
>
> Networks behind:
> 10.10.30.40/24
> 10.10.30.50/24
>
> There: 55.66.77.88 (Some other IPSEC)
>
> Networks behind:
> 10.20.50.60/24
> 10.20.50.70/24
>
> Parameters:
> IKE:
> Phase 1:
> Pre-shared Secret
> AES + SHA1
> DH Group 2
> Lifetime 24 hours
> Phase 2:
> One SPI per subnet pair
> No PFS
> Lifetime 1 hour
> ESP:
> AES + SHA1
>
> Kernel build options:
>
> options IPSEC
> options IPSEC_ESP
> options IPSEC_DEBUG
>
> /etc/rc.conf:
>
> gateway_enable="YES"
>
> pf_enable="YES"
> pf_rules="/usr/local/etc/pf.conf"
>
> racoon_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/usr/local/etc/ipsec.conf"
>
> Partial /usr/local/etc/pf.conf:
>
> EXT="dc0" # Interface for external traffic
> EXTIP="(dc0)" # External virtual IP
>
> table <IPSEC_PEERS> file "/usr/local/etc/ipsec.peers"
>
> pass in log quick on $EXT proto udp from <IPSEC_PEERS> to $EXTIP port 500 keep state
> pass in quick on $EXT proto esp from <IPSEC_PEERS> to $EXTIP keep state
>
> /usr/local/etc/ipsec.peers:
>
> 55.66.77.88
>
> /usr/local/etc/ipsec.conf:
>
> spdflush;
>
> spdadd 10.20.50.60/24 10.10.30.40/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.40/24 10.20.50.60/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> spdadd 10.20.50.60/24 10.10.30.50/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.50/24 10.20.50.60/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> spdadd 10.20.50.70/24 10.10.30.40/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.40/24 10.20.50.70/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> spdadd 10.20.50.70/24 10.10.30.50/24 any \
> -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
> spdadd 10.10.30.50/24 10.20.50.70/24 any \
> -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> /usr/local/etc/racoon/racoon.conf:
>
> log debug; # notify(*), debug, debug2
>
> path pre_shared_key "/usr/local/etc/ipsec.keys";
> path pidfile "/var/run/racoon.pid";
>
> listen
> {
> isakmp 11.22.33.44;
> strict_address; # Needed?
> }
>
> remote 55.66.77.88
> {
> exchange_mode aggressive,main,base;
>
> my_identifier address 11.22.33.44;
> peers_identifier address 55.66.77.88;
>
> verify_identifier off;
>
> proposal_check claim; # obey, strict, claim(*), exact(*)
>
> proposal
> {
> encryption_algorithm aes;
> hash_algorithm sha1;
> authentication_method pre_shared_key;
> dh_group 2;
> lifetime time 24 hours;
> }
> }
>
>
> sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any
> {
> lifetime time 1 hour;
>
> encryption_algorithm aes;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate;
> }
>
> /usr/local/etc/ipsec.keys: (chmod 600!)
>
> # Keys for IPSEC
> # Remote IP, shared key
>
> 55.66.77.88 SecretKey!!
>
>
> The main difficulty is making sure you've got every different direction
> of source and destination subnet cross-referenced in your SPD config and
> the exact same entries configured in your racoon config.
>
> In our setup, we auto-generate these files from a master config file,
> but regrettably I cannot release the code for this...
>
>
> Anyway, I hope this gives you some idea how to set up IPSEC. Debugging
> is of course the next step. Never assume that your peer has configured
> everything right. :)
>
> Make sure your ipsec.keys file is not readable by anyone but root, or
> racoon will silently ignore it.
>
> --
> David DeSimone == Network Admin == fox at verio.net
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
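David says the hard part is keeping every direction of every subnet pair cross-referenced between the SPD file and racoon.conf, and that his own generator is not releasable. The following is an added example written for this thread (not David's tool): it renders both files from the subnet lists in his config and cross-checks two existing files for SPD pairs that lack a sainfo block. Gateway and subnet addresses are the example values from his posting.

```python
import itertools
import re

# Example addresses taken from the config posted in the thread.
LOCAL_GW, REMOTE_GW = "11.22.33.44", "55.66.77.88"
LOCAL_NETS = ["10.10.30.40/24", "10.10.30.50/24"]
REMOTE_NETS = ["10.20.50.60/24", "10.20.50.70/24"]


def spd_entries(local_nets, remote_nets):
    """One inbound and one outbound policy per subnet pair, as
    (src, dst, direction) tuples in the same order as the posted ipsec.conf."""
    entries = []
    for rn, ln in itertools.product(remote_nets, local_nets):
        entries.append((rn, ln, "in"))
        entries.append((ln, rn, "out"))
    return entries


def render_ipsec_conf(local_gw, remote_gw, local_nets, remote_nets):
    """Render setkey(8) SPD lines; the tunnel endpoints follow the direction."""
    lines = ["spdflush;", ""]
    for src, dst, direction in spd_entries(local_nets, remote_nets):
        tunnel = f"{remote_gw}-{local_gw}" if direction == "in" else f"{local_gw}-{remote_gw}"
        lines.append(f"spdadd {src} {dst} any \\")
        lines.append(f"    -P {direction} ipsec esp/tunnel/{tunnel}/unique;")
    return "\n".join(lines) + "\n"


def render_sainfo_blocks(local_nets, remote_nets):
    """Render one racoon.conf sainfo block per SPD entry
    (Phase 2: AES + HMAC-SHA1, 1 hour lifetime, as in the thread)."""
    blocks = []
    for src, dst, _ in spd_entries(local_nets, remote_nets):
        blocks.append(
            f"sainfo address {src} any address {dst} any\n{{\n"
            "\tlifetime time 1 hour;\n\n"
            "\tencryption_algorithm aes;\n"
            "\tauthentication_algorithm hmac_sha1;\n"
            "\tcompression_algorithm deflate;\n}\n")
    return "\n".join(blocks)


def missing_sainfo(ipsec_conf, racoon_conf):
    """Cross-check existing files: return the SPD (src, dst) pairs that have
    no matching sainfo block, i.e. the mismatch the thread warns about."""
    spd = set(re.findall(r"^spdadd (\S+) (\S+) any", ipsec_conf, re.M))
    sainfo = set(re.findall(r"^sainfo address (\S+) any address (\S+) any", racoon_conf, re.M))
    return spd - sainfo
```

Run missing_sainfo() over your hand-edited ipsec.conf and racoon.conf before debugging the peer side; an empty set means every SPD direction has its Phase 2 proposal.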