FreeBSD to FreeBSD - OSPF over GRE over Ipsec transport mode (racoon) - Part 1
PART 1: FreeBSD to FreeBSD - OSPF over GRE over Ipsec (racoon)
How to run the OSPF routing protocol between two FreeBSD routers/servers. Since multicast is not supported by racoon (ipsec-tools) IPSEC in tunnel mode, this ball needs to be played using Ipsec transport mode and GRE tunnels.
A little ipsec background from IPsec Illustrated (http://www.unixwiz.net/techtips/iguide-ipsec.html). Quote:
"Transport Mode provides a secure connection between two endpoints as it encapsulates IP's payload, while Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop" between two gateways. The latter is used to form a traditional VPN, where the tunnel generally creates a secure tunnel across an untrusted Internet. "
So at first glance, in order to connect multiple remote subnets through ipsec, tunnel mode would be the obvious choice, but dynamic routing protocols (ospf in this case) need multicast to exchange route information. Ipsec tunnel mode doesn't support this; Ipsec can, however, protect GRE tunnels, and the FreeBSD GRE implementation supports multicast traffic.
Why not use GRE over IPSEC in tunnel mode? My reason was to avoid extra overhead (encapsulation starts with the GRE header instead of the original IP header).
Code:
MTU Note:
External interface MTU on both sides: 1500 bytes
Ipsec header: 58 bytes
GRE header: 24 bytes
That leaves 1500 - 58 - 24 = 1418 bytes for the GRE payload, so the gre0 MTU of 1400 used below keeps some margin.
FreeBSD RC config for racoon/setkey for both nodes.
Code:
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
Networking configuration.
FreeBSD-A node
IPA: A1.A1.A1.A1
GreIPA: A2.A2.A2.A2
Code:
cloned_interfaces="gre0"
ifconfig_gre0="A2.A2.A2.A2 B2.B2.B2.B2 netmask 0xfffffffc link0 link1 tunnel A1.A1.A1.A1 B1.B1.B1.B1 up mtu 1400" #MTU 1400 to be safe
FreeBSD-B node
IPB: B1.B1.B1.B1
GreIPB: B2.B2.B2.B2
Code:
cloned_interfaces="gre0"
ifconfig_gre0="B2.B2.B2.B2 A2.A2.A2.A2 netmask 0xfffffffc link0 link1 tunnel B1.B1.B1.B1 A1.A1.A1.A1 up mtu 1400"
Racoon relevant configuration in racoon.conf
FreeBSD-A
Code:
remote B1.B1.B1.B1 [500] {
ike_frag force;
exchange_mode main;
situation identity_only;
dpd_delay 20; # DPD poll every 20 seconds
dpd_maxfail 2;
passive off;
initial_contact on;
proposal_check obey;
lifetime time 8 hour; # sec,min,hour
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 4 hour;
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
FreeBSD-B
Code:
remote A1.A1.A1.A1 [500] {
ike_frag force;
exchange_mode main;
situation identity_only;
dpd_delay 20; # DPD poll every 20 seconds
dpd_maxfail 2;
passive off;
initial_contact on;
proposal_check obey;
lifetime time 8 hour; # sec,min,hour
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 4 hour;
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Both PSK files have to be edited with the IP of the remote device and a common key (watch the permission/ownership on this file!!!!!).
Setkey configuration.
Background info: the Unix kernel supports static routes, dynamic routes and also "tunnel routes" (IPSEC security policies), which don't show up in netstat output.
In this scenario, all packets between the FreeBSD nodes carrying GRE traffic will be routed through the IPSEC transport-mode "tunnel" between the two hosts. setkey (the tool to manipulate and dump the kernel Security Policy Database (SPD) and Security Association Database (SAD)) is the utility used to manipulate these tunnel routes / ipsec policies.
Code:
FreeBSD-A# cat setkey.conf
flush;
spdflush;
spdadd A1.A1.A1.A1/32 B1.B1.B1.B1/32 gre -P out ipsec esp/transport//unique;
spdadd B1.B1.B1.B1/32 A1.A1.A1.A1/32 gre -P in ipsec esp/transport//unique;
Code:
FreeBSD-B# cat setkey.conf
flush;
spdflush;
spdadd B1.B1.B1.B1/32 A1.A1.A1.A1/32 gre -P out ipsec esp/transport//unique;
spdadd A1.A1.A1.A1/32 B1.B1.B1.B1/32 gre -P in ipsec esp/transport//unique;
Both nodes are encrypting GRE packets to the other FreeBSD node with Ipsec transport mode ESP protocol. For more info, see "man setkey".
To check if the policies are loaded in the kernel, use:
Code:
setkey -DP
To load the ipsec policies in the kernel, use:
Code:
setkey -f /usr/local/etc/racoon/setkey.conf
Some vendors refer to the ipsec policies as "Proxy IDs".
After above config is loaded, first thing to check is the ISAKMP SA (Security Association) and Ipsec SA.
Code:
FreeBSD-A# /usr/local/sbin/racoonctl ss isakmp
send: Bad file descriptor
FreeBSD-A# alias racoonctl
alias racoonctl='racoonctl -s /var/run/racoon.sock'
This error appears because racoonctl, invoked by its full path, bypasses the alias and so is not pointed at the racoon socket file (-s /var/run/racoon.sock).
Code:
FreeBSD-A# racoonctl -ll ss isakmp # (double lowercase L)
Source Destination Cookies ST S V E Created Phase2
A1.A1.A1.A1.500 B1.B1.B1.B1.500 b518a208c0cdef51:18dd3d67744682b2 9 R 10 M 2011-10-16 17:09:35 1
The output shows the FreeBSD-A node's IKE cookies, that this side is the responder (R), that IKE Main mode (M) is used, and the creation date (meaning the ISAKMP SA is UP).
Code:
FreeBSD-A# racoonctl ss esp
A1.A1.A1.A1 B1.B1.B1.B1
esp mode=tunnel spi=3686516100(0xdbbbc584) reqid=16459(0x0000404b)
E: 3des-cbc 6cb4c681 aed403d6 4ba678e6 dafc124e 840058ae 49c35166
A: hmac-sha1 9347891b 87d8c8dd 101f0561 2e396a69 9cbddd11
seq=0x000010b4 replay=4 flags=0x00000000 state=mature
created: Oct 16 22:55:06 2011 current: Oct 16 23:36:17 2011
diff: 2471(s) hard: 3600(s) soft: 2880(s)
last: Oct 16 23:36:17 2011 hard: 0(s) soft: 0(s)
current: 686976(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4276 hard: 0 soft: 0
sadb_seq=5 pid=71441 refcnt=2
B1.B1.B1.B1 A1.A1.A1.A1
esp mode=tunnel spi=116916671(0x06f801bf) reqid=16460(0x0000404c)
E: 3des-cbc feeca111 51043654 fe62327e ad2d2ca0 94a1e23d 13893210
A: hmac-sha1 37f145cf b81574ff cd3f0f7c 510a9d3c 2c1bd74f
seq=0x00001170 replay=4 flags=0x00000000 state=mature
created: Oct 16 22:55:06 2011 current: Oct 16 23:36:17 2011
diff: 2471(s) hard: 3600(s) soft: 2880(s)
last: Oct 16 23:36:17 2011 hard: 0(s) soft: 0(s)
current: 414937(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4464 hard: 0 soft: 0
sadb_seq=3 pid=71441 refcnt=1
There is one Ipsec Security Association for each direction and both are in "mature" state.
Checking Ipsec Security Policy Database (SPD):
Code:
FreeBSD-A# setkey -DP
B1.B1.B1.B1 A1.A1.A1.A1 gre
in ipsec
esp/transport//unique#16457
created: Oct 12 16:55:50 2011 lastused: Oct 16 23:42:13 2011
lifetime: 0(s) validtime: 0(s)
spid=16691 seq=5 pid=65746
refcnt=1
A1.A1.A1.A1 B1.B1.B1.B1 gre
out ipsec
esp/transport//unique#16457
created: Oct 12 16:55:50 2011 lastused: Oct 16 23:42:13 2011
lifetime: 0(s) validtime: 0(s)
spid=16691 seq=5 pid=65746
refcnt=1
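The two checks above (one mature ESP SA per direction, and an in and an out gre policy using esp/transport) can be scripted. The following is an added example, not code from the original post; it parses the output shapes shown above and the sample output it embeds is constructed with documentation addresses (192.0.2.1 as the local node, 198.51.100.1 as the remote node).

```shell
#!/bin/sh
# Added example, not code from the original post: parse "racoonctl ss esp"
# and "setkey -DP" output to confirm one mature ESP SA per direction and a
# gre/esp-transport policy in each direction. Samples below are constructed.

# Count ESP SAs in state "mature" from $1 to $2 (stdin: racoonctl ss esp).
# A pair header line has exactly two fields and no "key=value" token.
mature_sa_count() {
    awk -v src="$1" -v dst="$2" '
        NF == 2 && $0 !~ /=/ { cur = ($1 == src && $2 == dst); next }
        cur && /state=mature/ { n++ }
        END { print n + 0 }'
}

# Print 1 if the SPD (stdin: setkey -DP) has a gre policy from $1 to $2 in
# direction $3 ("in" or "out") using esp/transport, otherwise 0.
gre_transport_policy_present() {
    awk -v src="$1" -v dst="$2" -v dir="$3" '
        NF == 3 && $3 == "gre" { pair = ($1 == src && $2 == dst); d = 0; next }
        pair && $2 == "ipsec"  { d = ($1 == dir); next }
        pair && d && $1 ~ /^esp\/transport\/\// { found = 1 }
        END { print found + 0 }'
}

# Constructed sample output (192.0.2.1 is "this" node, 198.51.100.1 the peer).
SAMPLE_ESP='192.0.2.1 198.51.100.1
esp mode=transport spi=12345(0x00003039) reqid=100(0x00000064)
seq=0x00000010 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
esp mode=transport spi=54321(0x0000d431) reqid=101(0x00000065)
seq=0x00000011 replay=4 flags=0x00000000 state=mature'
SAMPLE_SPD='198.51.100.1 192.0.2.1 gre
    in ipsec
    esp/transport//unique#100
    spid=1 seq=1 pid=100
192.0.2.1 198.51.100.1 gre
    out ipsec
    esp/transport//unique#100
    spid=2 seq=0 pid=100'

# 0 when both SA directions are mature and both gre policies exist.
# $1 local IP, $2 remote IP, $3 racoonctl ss esp output, $4 setkey -DP output
tunnel_state_ok() {
    [ "$(printf '%s\n' "$3" | mature_sa_count "$1" "$2")" -ge 1 ] &&
    [ "$(printf '%s\n' "$3" | mature_sa_count "$2" "$1")" -ge 1 ] &&
    [ "$(printf '%s\n' "$4" | gre_transport_policy_present "$1" "$2" out)" = 1 ] &&
    [ "$(printf '%s\n' "$4" | gre_transport_policy_present "$2" "$1" in)" = 1 ]
}

if tunnel_state_ok 192.0.2.1 198.51.100.1 "$SAMPLE_ESP" "$SAMPLE_SPD"; then
    echo "ESP SAs mature in both directions; gre transport policies loaded"
fi
```

On a live node, replace the two sample strings with "$(racoonctl -s /var/run/racoon.sock ss esp)" and "$(setkey -DP)".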
man setkey: flushing/dumping the racoon ipsec security database
Quote:
SETKEY(8) FreeBSD System Manager's Manual SETKEY(8)
NAME
setkey -- manually manipulate the IPsec SA/SP database
SYNOPSIS
setkey [-v] -c
setkey [-v] -f filename
setkey [-aPlv] -D
setkey [-Pv] -F
setkey [-h] -x
DESCRIPTION
The setkey utility adds, updates, dumps, or flushes Security Association
Database (SAD) entries as well as Security Policy Database (SPD) entries
in the kernel.
The setkey utility takes a series of operations from the standard input
(if invoked with -c) or the file named filename (if invoked with -f
filename).
-D Dump the SAD entries. If with -P, the SPD entries are dumped.
-F Flush the SAD entries. If with -P, the SPD entries are flushed.
...
Now, to test that the GRE tunnel is up: from FreeBSD-A ping the B2.B2.B2.B2 IP address, and vice versa.
OSPF in Part2.
PART 2: FreeBSD to FreeBSD - OSPF over GRE over Ipsec (racoon) - coming soon.