Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Wed Aug 23, 2017 8:57 am


VPN tunnels / IPSEC / GRE / iP-in-IP

Author Message
admin
Post  Post subject: FreeBSD to FreeBSD - OSPF over GRE over Ipsec transport mode (racoon) - Part 1  |  Posted: Sun Oct 16, 2011 5:36 pm
Site Admin

Joined: Mon Aug 03, 2009 8:43 am
Posts: 95

Offline
 

FreeBSD to FreeBSD - OSPF over GRE over Ipsec transport mode (racoon) - Part 1

PART 1: FreeBSD to FreeBSD - OSPF over GRE over Ipsec (racoon)


How to run OSPF routing protocol between two FreeBSD routers/servers.

Since multicasting is not supported by racoon (ipsec-tools) IPSEC in tunel mode, this ball needs to be played using Ipsec transport mode and GRE tunnels.

A little ipsec background from Ipsec illustrated (http://www.unixwiz.net/techtips/iguide-ipsec.html). Quote:
Quote:
"Transport Mode provides a secure connection between two endpoints as it encapsulates IP's payload, while Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop" between two gateways. The latter is used to form a traditional VPN, where the tunnel generally creates a secure tunnel across an untrusted Internet. "


So at first glance, in order to connect multiple remote subnets through ipsec, using tunnel mode would be an obvious choice, but dynamic routing protocols (ospf in this case) need multicast to exchange route information. Ipsec tunnel mode doesn't support this, but it supports GRE tunnels and FreeBSD GRE implementation supports multicast traffic.

Why not used GRE over IPSEC in tunnel mode ? My reason was to avoid extra overhead (encapsulation starts with GRE header instead of original IP header).

Code:
MTU Note:
External interface MTU on both sides: 1500 bytes
Ipsec header: 58 bytes
GRE header: 24 bytes



FreeBSD RC config for racoon/setkey for both nodes.
Code:
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"


Networking configuration.
FreeBSD-A node
IPA: A1.A1.A1.A1
GreIPA: A2.A2.A2.A2
cloned_interfaces="gre0"
Code:
ifconfig_gre0="A2.A2.A2.A2 B2.B2.B2.B2 netmask 0xfffffffc link0 link1 tunnel A1.A1.A1.A1 B1.B1.B1.B1 up mtu 1400" #MTU 1400 to be safe


FreeBSD-B node
IPB: B1.B1.B1.B1
GreIPB B2.B2.B2.B2
cloned_interfaces="gre0"
Code:
ifconfig_gre0="B2.B2.B2.B2 A2.A2.A2.A2 netmask 0xfffffffc link0 link1 tunnel B1.B1.B1.B1 A1.A1.A1.A1 up mtu 1400"


Racoon relevant configuration in racoon.conf
FreeBSD-A
Code:
remote B1.B1.B1.B1 [500] {
    ike_frag force;
   exchange_mode main;
   situation identity_only;
   dpd_delay 20;        # DPD poll every 20 seconds
   dpd_maxfail 2;
   passive off;
   
   initial_contact on;
   proposal_check obey;
   lifetime time 8 hour;   # sec,min,hour

   proposal {
      encryption_algorithm aes;
      hash_algorithm sha1;
      authentication_method pre_shared_key;
      dh_group 2;
   }
}

sainfo anonymous
{
   pfs_group 2;
   lifetime time 4 hour;
   encryption_algorithm aes, 3des;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

FreeBSD-B
Code:
remote A1.A1.A1.A1 [500] {
    ike_frag force;
   exchange_mode main;
   situation identity_only;
   dpd_delay 20;        # DPD poll every 20 seconds
   dpd_maxfail 2;
   passive off;
   
   initial_contact on;
   proposal_check obey;
   lifetime time 8 hour;   # sec,min,hour

   proposal {
      encryption_algorithm aes;
      hash_algorithm sha1;
      authentication_method pre_shared_key;
      dh_group 2;
   }
}

sainfo anonymous
{
   pfs_group 2;
   lifetime time 4 hour;
   encryption_algorithm aes, 3des;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}



Both PSK files have to be edited with the IP of the remote device and a common key (watch the permission/ownership on this file !!!!! ).

Setkey configuration.
Background info: Unix kernel supports static routes, dynamic routes and also tunnel routes (IPSEC security policies) which don't show up in netstat output.
In this scenario, all packets between FreeBSD nodes carying GRE traffic will be routed through the IPSEC transport tunnel (transport mode) between the two hosts. "setkey" (Tool to manipulate and dump the kernel Security Policy Database (SPD) and Security Association Database (SAD).
) is the utility to manipulate these tunnel routes / ipsec policies.

Code:
FreeBSD-A# cat setkey.conf
flush;
spdflush;
spdadd A1.A1.A1.A1/32 B1.B1.B1.B1/32 gre -P out ipsec esp/transport//unique;
spdadd B1.B1.B1.B1/32 A1.A1.A1.A1/32 gre -P in ipsec esp/transport//unique;


Code:
FreeBSD-B# cat setkey.conf
flush;
spdflush;
spdadd B1.B1.B1.B1/32 A1.A1.A1.A1/32 gre -P out ipsec esp/transport//unique;
spdadd A1.A1.A1.A1/32 B1.B1.B1.B1/32 gre -P in ipsec esp/transport//unique;


Both nodes are encrypting GRE packets to the other FreeBSD node with Ipsec transport mode ESP protocol. For more info, see "man setkey".
To check if the policies are loaded in the kernel, use "
Code:
setkey -DP
". To load the ipsec policies in kernel, use "
Code:
setkey -f /usr/local/etc/racoon/setkey.conf
".
Some vendors refer to the ipsec policies as “Proxy IDs”.

After above config is loaded, first thing to check is the ISAKMP SA (Security Association) and Ipsec SA.

Code:
FreeBSD-A# /usr/local/sbin/racoonctl  ss isakmp
send: Bad file descriptor
FreeBSD-A# alias racoonctl
alias racoonctl='racoonctl -s /var/run/racoon.sock'

This error appears because racoonctl utility doesn't use the racoon sock file.
Code:
FreeBSD-A# racoonctl -ll ss isakmp # (double lowercase L)
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
A1.A1.A1.A1.500                              B1.B1.B1.B1.500                            b518a208c0cdef51:18dd3d67744682b2  9 R 10 M 2011-10-16 17:09:35      1

The output shows FreeBSD-A node IKE cookies, receiver side, IKE Main mode is used and date created (meaning it is UP).
Code:
FreeBSD-A# racoonctl ss esp
A1.A1.A1.A1 B1.B1.B1.B1
        esp mode=tunnel spi=3686516100(0xdbbbc584) reqid=16459(0x0000404b)
        E: 3des-cbc  6cb4c681 aed403d6 4ba678e6 dafc124e 840058ae 49c35166
        A: hmac-sha1  9347891b 87d8c8dd 101f0561 2e396a69 9cbddd11
        seq=0x000010b4 replay=4 flags=0x00000000 state=mature
        created: Oct 16 22:55:06 2011   current: Oct 16 23:36:17 2011
        diff: 2471(s)   hard: 3600(s)   soft: 2880(s)
        last: Oct 16 23:36:17 2011      hard: 0(s)      soft: 0(s)
        current: 686976(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 4276 hard: 0 soft: 0
        sadb_seq=5 pid=71441 refcnt=2
B1.B1.B1.B1 A1.A1.A1.A1
        esp mode=tunnel spi=116916671(0x06f801bf) reqid=16460(0x0000404c)
        E: 3des-cbc  feeca111 51043654 fe62327e ad2d2ca0 94a1e23d 13893210
        A: hmac-sha1  37f145cf b81574ff cd3f0f7c 510a9d3c 2c1bd74f
        seq=0x00001170 replay=4 flags=0x00000000 state=mature
        created: Oct 16 22:55:06 2011   current: Oct 16 23:36:17 2011
        diff: 2471(s)   hard: 3600(s)   soft: 2880(s)
        last: Oct 16 23:36:17 2011      hard: 0(s)      soft: 0(s)
        current: 414937(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 4464 hard: 0 soft: 0
        sadb_seq=3 pid=71441 refcnt=1


There is one Ipsec Security Association for each direction and both are in "mature" state.

Checking Ipsec Security Policy Database (SPD):
Code:
FreeBSD-A# setkey -DP
B1.B1.B1.B1 A1.A1.A1.A1 gre
        in ipsec
        esp/transport//unique#16457
        created: Oct 12 16:55:50 2011  lastused: Oct 16 23:42:13 2011
        lifetime: 0(s) validtime: 0(s)
        spid=16691 seq=5 pid=65746
        refcnt=1
A1.A1.A1.A1 B1.B1.B1.B1 gre
        out ipsec
        esp/transport//unique#16457
        created: Oct 12 16:55:50 2011  lastused: Oct 16 23:42:13 2011
        lifetime: 0(s) validtime: 0(s)
        spid=16691 seq=5 pid=65746
        refcnt=1

man setkey: flushing/dumping racoon ipsec security database
Quote:
SETKEY(8) FreeBSD System Manager's Manual SETKEY(8)

NAME
setkey -- manually manipulate the IPsec SA/SP database

SYNOPSIS
setkey [-v] -c
setkey [-v] -f filename
setkey [-aPlv] -D
setkey [-Pv] -F
setkey [-h] -x

DESCRIPTION
The setkey utility adds, updates, dumps, or flushes Security Association
Database (SAD) entries as well as Security Policy Database (SPD) entries
in the kernel.

The setkey utility takes a series of operations from the standard input
(if invoked with -c) or the file named filename (if invoked with -f
filename).

-D Dump the SAD entries. If with -P, the SPD entries are dumped.

-F Flush the SAD entries. If with -P, the SPD entries are flushed.
...



Now, to test GRE tunnel is up: From FreeBSD-A ping B2.B2.B2.B2 IP address and vice versa.

OSPF in Part2.

PART 2: FreeBSD to FreeBSD - OSPF over GRE over Ipsec (racoon) - coming soon.

_________________
VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX
https://vpsie.com





Top
Display posts from previous:  Sort by  
Print view

Topics related to - "FreeBSD to FreeBSD - OSPF over GRE over Ipsec transport mode (racoon) - Part 1"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. FreeBSD to FreeBSD - OSPF over GRE over Ipsec transport mode (racoon) - Part 2

admin

0

1167

Sun Oct 30, 2011 7:36 am

admin View the latest post

There are no new unread posts for this topic. IPSEC vpn between IPHONE and Linux/FreeBSD racoon daemon

mandrei99

0

4435

Thu Feb 20, 2014 7:36 am

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 0 guests
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO