
14-11-11

VPN over IPsec


FreeBSD Handbook, Chapter 15: Security


15.9 VPN over IPsec

Written by Nik Clayton. Creating a VPN between two networks, separated by the Internet, using FreeBSD gateways.

15.9.1 Understanding IPsec

Written by Hiten M. Pandya.

This section will guide you through the process of setting up IPsec. In order to set up IPsec, it is necessary that you are familiar with the concepts of building a custom kernel (see Chapter 9).

IPsec is a protocol which sits on top of the Internet Protocol (IP) layer. It allows two or more hosts to communicate in a secure manner (hence the name). The FreeBSD IPsec network stack is based on the KAME implementation, which has support for both protocol families, IPv4 and IPv6.

IPsec consists of two sub-protocols:

- Encapsulated Security Payload (ESP), protects the IP packet data from third party interference, by encrypting the contents using symmetric cryptography algorithms (like Blowfish, 3DES).
- Authentication Header (AH), protects the IP packet header from third party interference and spoofing, by computing a cryptographic checksum and hashing the IP packet header fields with a secure hashing function. This is then followed by an additional header that contains the hash, to allow the information in the packet to be authenticated.

ESP and AH can either be used together or separately, depending on the environment.

IPsec can either be used to directly encrypt the traffic between two hosts (known as Transport Mode); or to build virtual tunnels between two subnets, which could be used for secure communication between two corporate networks (known as Tunnel Mode). The latter is more commonly known as a Virtual Private Network (VPN). The ipsec(4) manual page should be consulted for detailed information on the IPsec subsystem in FreeBSD.

To add IPsec support to your kernel, add the following options to your kernel configuration file:
options   IPSEC        #IP security
device    crypto

If IPsec debugging support is desired, the following kernel option should also be added:
options   IPSEC_DEBUG  #debug for IP security

15.9.2 The Problem


There is no standard for what constitutes a VPN. VPNs can be implemented using a number of different technologies, each of which has its own strengths and weaknesses. This section presents a scenario, and the strategies used for implementing a VPN for this scenario.

15.9.3 The Scenario: Two networks, one home based and one corporate based. Both are connected to the Internet, and expected, via this VPN, to behave as one.
The premise is as follows:

- You have at least two sites.
- Both sites are using IP internally.
- Both sites are connected to the Internet, through a gateway that is running FreeBSD.
- The gateway on each network has at least one public IP address.
- The internal addresses of the two networks can be public or private IP addresses, it does not matter. They just may not collide; e.g.: may not both use 192.168.1.x.

15.9.4 Configuring IPsec on FreeBSD

Written by Tom Rhodes.

To begin, the security/ipsec-tools port must be installed from the Ports Collection. This third party software package provides a number of applications which will help support the configuration.

The next requirement is to create two gif(4) pseudo-devices which will be used to tunnel packets and allow both networks to communicate properly. As root, run the following commands, replacing the internal and external items with the real internal and external gateways:

.freebsd.org/doc/handbook/ipsec.html

# ifconfig gif0 create
# ifconfig gif0 internal1 internal2


# ifconfig gif0 tunnel external1 external2

For example, the corporate LAN's public IP is 172.16.5.4, having a private IP of 10.246.38.1. The home LAN's public IP is 192.168.1.12 with an internal private IP of 10.0.0.5. This may seem confusing, so review the following example output from the ifconfig(8) command:

Gateway 1:

gif0: flags=8051 mtu 1280
tunnel inet 172.16.5.4 --> 192.168.1.12
inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00

Gateway 2:

gif0: flags=8051 mtu 1280
tunnel inet 192.168.1.12 --> 172.16.5.4
inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
inet6 fe80::250:bfff:fe3a:cd1f%gif0 prefixlen 64 scopeid 0x4

Once complete, both private IPs should be reachable using the ping(8) command, as the following output suggests:

priv-net# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms
--- 10.0.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms

corp-net# ping 10.246.38.1
PING 10.246.38.1 (10.246.38.1): 56 data bytes
64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms
64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms
64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms
64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms
64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms
--- 10.246.38.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms

As expected, both sides have the ability to send and receive ICMP packets from the privately configured addresses. Next, both gateways must be told how to route packets in order to correctly send traffic from either network. The following commands will achieve this goal (the lines without a prompt are the responses printed by route(8)):

corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0
add net 10.0.0.0: gateway 10.0.0.5
priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0
add host 10.246.38.0: gateway 10.246.38.1

At this point, internal machines should be reachable from each gateway as well as from machines behind the gateways. This is easily determined from the following example:

corp-net# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes
64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms
64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms
--- 10.0.0.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms

priv-net# ping 10.246.38.107
PING 10.246.38.1 (10.246.38.107): 56 data bytes
64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms
64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms
64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms
64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms
64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms
--- 10.246.38.107 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms

Setting up the tunnel is the easy part. Configuring a secure link is a much more in-depth process. The following configuration uses pre-shared (PSK) RSA keys. Aside from the IP addresses, both /usr/local/etc/racoon/racoon.conf files will be identical and look similar to:
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug;   #log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
    maximum_length  20;
    randomize       off;
    strict_check    off;
    exclusive_tail  off;
}

timer   # timing options. change as needed
{
    counter         5;
    interval        20 sec;
    persend         1;
    natt_keepalive  15 sec;
    phase1          30 sec;
    phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
    isakmp          172.16.5.4 [500];
    isakmp_natt     172.16.5.4 [4500];
}

remote  192.168.1.12 [500]
{
    exchange_mode       main,aggressive;
    doi                 ipsec_doi;
    situation           identity_only;
    my_identifier       address 172.16.5.4;
    peers_identifier    address 192.168.1.12;
    lifetime            time 8 hour;
    passive             off;
    proposal_check      obey;
    # nat_traversal     off;
    generate_policy     off;

    proposal {
        encryption_algorithm    blowfish;
        hash_algorithm          md5;
        authentication_method   pre_shared_key;
        lifetime                time 30 sec;
        dh_group                1;
    }
}

sainfo  (address 10.246.38.0/24 any address 10.0.0.0/24 any)  # address $network/$netmask $type address $network/$netmask $type
{                                                               # $network must be the two internal networks you are joining.
    pfs_group                   1;
    lifetime                    time 36000 sec;
    encryption_algorithm        blowfish,3des,des;
    authentication_algorithm    hmac_md5,hmac_sha1;
    compression_algorithm       deflate;
}

Explaining every available option, along with those listed in the sainfo options, goes beyond the scope of this document. There is plenty of relevant information in the racoon configuration manual page.

The SPD policies need to be configured so that FreeBSD and racoon are able to encrypt and decrypt network traffic between the hosts.

This may be done with a simple shell script similar to the following, which is placed on the corporate gateway. This file will be used during the system initialization and should be saved at /usr/local/etc/racoon/setkey.conf.

flush;
spdflush;
# To the home network
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;
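The "may not collide" premise from the scenario and the setkey.conf just shown can be tied together in a small POSIX sh helper. This is an added example, not part of the Handbook or of ipsec-tools: it refuses to emit a policy when the two internal networks overlap, and otherwise prints the spdadd lines for one gateway, so running it with the arguments swapped produces the other gateway's file. The helper names ip2int, cidr_overlap and spd_policy are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Handbook or ipsec-tools): derive one gateway's
# setkey.conf from the addresses in this section, refusing to do so when the
# two internal networks overlap. Helper names are hypothetical.

# ip2int 10.0.0.5 -> 167772165 (dotted quad as a 32-bit integer)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap 10.246.38.0/24 10.0.0.0/24 -> exit 0 if the two networks share
# any address, 1 otherwise. The shorter prefix decides: two networks collide
# exactly when they agree on every bit covered by that prefix.
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); l1=${1#*/}
    n2=$(ip2int "${2%/*}"); l2=${2#*/}
    l=$l1
    if [ "$l2" -lt "$l1" ]; then l=$l2; fi
    mask=$(( (0xffffffff << (32 - l)) & 0xffffffff ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# spd_policy <local public IP> <remote public IP> <local net> <remote net>
# prints the SPD for the local gateway; run it with the arguments swapped on
# the other gateway to get the mirror image.
spd_policy() {
    if cidr_overlap "$3" "$4"; then
        echo "error: internal networks $3 and $4 collide" >&2
        return 1
    fi
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/use;\n' "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/use;\n' "$4" "$3" "$2" "$1"
}

# Corporate gateway from the scenario above; redirect the output into
# /usr/local/etc/racoon/setkey.conf once it matches what you expect.
spd_policy 172.16.5.4 192.168.1.12 10.246.38.0/24 10.0.0.0/24
```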

Once in place, racoon may be started on both gateways using the following command:

# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

The output should be similar to the following:

corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2006-01-30 01:35:47: INFO: begin Identity Protection mode.
2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]<=>192.168.1.12[0]
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)
2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]<=>192.168.1.12[0]
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)
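A tunnel is only usable when racoon has established an IPsec-SA in each direction, and the log above shows exactly one "IPsec-SA established" line per direction, written as src[port]->dst[port]. The following added example (not from the Handbook or racoon) reads such a log on stdin and reports whether both directions are present; the sample log is constructed after the lines shown above and the function name tunnel_state is hypothetical.

```shell
#!/bin/sh
# Added example (not from the Handbook or racoon): decide from racoon's log
# whether the ESP tunnel between two gateways came up in both directions.
# A single "IPsec-SA established" line means traffic can flow one way at most.

# Constructed sample, modelled on the racoon output shown in this section.
RACOON_LOG='2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]<=>192.168.1.12[0]
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)'

# tunnel_state <local public IP> <remote public IP>   (racoon log on stdin)
# prints "up" when an inbound and an outbound ESP/Tunnel SA exist between the
# two gateways, "half" when only one direction exists, "down" when neither does.
tunnel_state() {
    awk -v l="$1" -v r="$2" '
        /IPsec-SA established: ESP\/Tunnel/ {
            split($7, ep, "->")                  # ep[1]=src[port], ep[2]=dst[port]
            sub(/\[.*/, "", ep[1]); sub(/\[.*/, "", ep[2])
            if (ep[1] == r && ep[2] == l) inbound++
            if (ep[1] == l && ep[2] == r) outbound++
        }
        END {
            if (inbound && outbound)      print "up"
            else if (inbound || outbound) print "half"
            else                          print "down"
        }'
}

# Seen from the corporate gateway in the scenario above.
printf '%s\n' "$RACOON_LOG" | tunnel_state 172.16.5.4 192.168.1.12
```

On a live system, feed it the file named with racoon's -l option instead of the constructed sample.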

To ensure the tunnel is working properly, switch to another console and use tcpdump(1) to view network traffic using the following command. Replace em0 with the network interface card as required:

# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12

Data similar to the following should appear on the console. If not, there is an issue, and debugging the returned data will be required.

01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)

At this point, both networks should be available and seem to be part of the same network. Most likely both networks are protected by a firewall, as they should be. To allow traffic to flow between them, rules need to be added to pass packets back and forth. For the ipfw(8) firewall, add the following lines to the firewall configuration file:
ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any

Note: The rule numbers may need to be altered depending on the current host configuration.

For users of pf(4) or ipf(8), the following rules should do the trick:

pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any

Finally, to allow the machine to start support for the VPN during system initialization, add the following lines to /etc/rc.conf:

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
