Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides https://forum.ivorde.com/ |
FreeBSD to FreeBSD - OSPF over GRE over Ipsec transport mode (racoon) - Part 1 https://forum.ivorde.com/freebsd-to-freebsd-ospf-over-gre-over-ipsec-transport-mode-racoon-part-1-t860.html |
Author: admin [ Sun Oct 16, 2011 5:36 pm ]
PART 1: FreeBSD to FreeBSD - OSPF over GRE over Ipsec (racoon)

How to run the OSPF routing protocol between two FreeBSD routers/servers. Since multicast is not supported by racoon (ipsec-tools) IPsec in tunnel mode, this ball needs to be played using IPsec transport mode and GRE tunnels.

A little IPsec background from IPsec Illustrated (http://www.unixwiz.net/techtips/iguide-ipsec.html).

Quote:
"Transport Mode provides a secure connection between two endpoints as it encapsulates IP's payload, while Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop" between two gateways. The latter is used to form a traditional VPN, where the tunnel generally creates a secure tunnel across an untrusted Internet."

So at first glance, in order to connect multiple remote subnets through IPsec, tunnel mode would be the obvious choice, but dynamic routing protocols (OSPF in this case) need multicast to exchange route information. An IPsec tunnel-mode policy is not a network interface, so OSPF has nothing to send its multicast hellos (224.0.0.5 and 224.0.0.6) through. A GRE tunnel is an interface, and the FreeBSD GRE implementation carries multicast traffic, so OSPF runs over gre0 and IPsec protects the GRE packets exchanged between the two hosts.

Why not use GRE over IPsec in tunnel mode? My reason was to avoid extra overhead (encapsulation starts with the GRE header instead of the original IP header).

Code:
MTU Note:
External interface MTU on both sides: 1500 bytes
Ipsec header: 58 bytes
GRE header: 24 bytes (outer IP header + GRE header)

With these figures the largest gre0 MTU that keeps a full-size GRE+ESP packet inside the 1500-byte outer MTU is 1500 - 58 - 24 = 1418 bytes; the configuration below uses 1400 for margin.

FreeBSD rc.conf settings for racoon/setkey, identical on both nodes:

Code:
ipsec_enable="YES"                                # required: rc.d/ipsec only loads ipsec_file when this is set
ipsec_file="/usr/local/etc/racoon/setkey.conf"   # loads the SPD policies at boot
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"

Networking configuration.
FreeBSD-A node
IPA: A1.A1.A1.A1 (external address, IPsec and GRE tunnel endpoint)
GreIPA: A2.A2.A2.A2 (address on gre0)

Code:
cloned_interfaces="gre0"
ifconfig_gre0="A2.A2.A2.A2 B2.B2.B2.B2 netmask 0xfffffffc link0 link1 tunnel A1.A1.A1.A1 B1.B1.B1.B1 up mtu 1400"   # MTU 1400 to be safe

FreeBSD-B node
IPB: B1.B1.B1.B1
GreIPB: B2.B2.B2.B2

Code:
cloned_interfaces="gre0"
ifconfig_gre0="B2.B2.B2.B2 A2.A2.A2.A2 netmask 0xfffffffc link0 link1 tunnel B1.B1.B1.B1 A1.A1.A1.A1 up mtu 1400"

Relevant racoon configuration in racoon.conf (the remote and sainfo sections; both nodes are identical apart from the peer address).

FreeBSD-A
Code:
remote B1.B1.B1.B1 [500] {
        ike_frag force;
        exchange_mode main;
        situation identity_only;
        dpd_delay 20;           # DPD poll every 20 seconds
        dpd_maxfail 2;
        passive off;
        initial_contact on;
        proposal_check obey;
        lifetime time 8 hour;   # sec,min,hour
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 4 hour;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

FreeBSD-B
Code:
remote A1.A1.A1.A1 [500] {
        ike_frag force;
        exchange_mode main;
        situation identity_only;
        dpd_delay 20;           # DPD poll every 20 seconds
        dpd_maxfail 2;
        passive off;
        initial_contact on;
        proposal_check obey;
        lifetime time 8 hour;   # sec,min,hour
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 4 hour;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

Two notes on these parameters. Main mode is the right exchange mode for pre-shared keys: aggressive mode sends the PSK-derived hash before the exchange is encrypted, which exposes the key to offline guessing. dh_group 2 (1024-bit MODP) and 3DES are below what is recommended today; if both ends support it use dh_group 14 (2048-bit) and drop 3des from the sainfo list, because as long as it is listed it can be negotiated.

Both PSK files (the file named by path pre_shared_key in racoon.conf) have to be edited with the IP of the remote device and a common key, one entry per line: the peer address, whitespace, the key. Watch the permission/ownership on this file!!!!! It must be owned by root with mode 0600; racoon refuses to use a key file that has group or other permission bits set.

Setkey configuration. Background info: besides the routing table (static and dynamic routes, shown by netstat -r) the kernel keeps a Security Policy Database (SPD) whose entries decide which packets get IPsec treatment, a kind of "tunnel route" that never shows up in netstat output. In this scenario every packet between the two FreeBSD nodes carrying GRE traffic is sent through the IPsec transport-mode SA pair between the two hosts.

"setkey" (tool to manipulate and dump the kernel Security Policy Database (SPD) and Security Association Database (SAD)) is the utility to manipulate these tunnel routes / IPsec policies.

Code:
FreeBSD-A# cat setkey.conf
flush;
spdflush;
spdadd A1.A1.A1.A1/32 B1.B1.B1.B1/32 gre -P out ipsec esp/transport//unique;
spdadd B1.B1.B1.B1/32 A1.A1.A1.A1/32 gre -P in ipsec esp/transport//unique;

Code:
FreeBSD-B# cat setkey.conf
flush;
spdflush;
spdadd B1.B1.B1.B1/32 A1.A1.A1.A1/32 gre -P out ipsec esp/transport//unique;
spdadd A1.A1.A1.A1/32 B1.B1.B1.B1/32 gre -P in ipsec esp/transport//unique;

Both nodes encrypt GRE packets (IP protocol 47) to the other FreeBSD node with IPsec ESP in transport mode. The policies match only GRE between the two external addresses: any other traffic between A1 and B1 is not covered and travels in the clear. Level unique means a GRE packet is never sent unprotected: if no SA exists yet, the kernel asks racoon to negotiate one and discards the packet until the SA is up. For more info, see "man setkey".

To check that the policies are loaded in the kernel, use:
Code:
setkey -DP

To load the IPsec policies into the kernel, use:
Code:
setkey -f /usr/local/etc/racoon/setkey.conf

Some vendors refer to the IPsec policies as "Proxy IDs".

After the above config is loaded, the first thing to check is the ISAKMP SA (Security Association) and the IPsec SA.

Code:
FreeBSD-A# /usr/local/sbin/racoonctl ss isakmp
send: Bad file descriptor
FreeBSD-A# alias racoonctl='racoonctl -s /var/run/racoon.sock'

This error appears because racoonctl is not talking to racoon's admin socket; pointing it at the socket with -s fixes it (the path has to match the adminsock directive in the listen section of racoon.conf).

Code:
FreeBSD-A# racoonctl -ll ss isakmp      # (double lowercase L)
Source           Destination      Cookies                            ST S V  E Created             Phase2
A1.A1.A1.A1.500  B1.B1.B1.B1.500  b518a208c0cdef51:18dd3d67744682b2  9  R 10 M 2011-10-16 17:09:35 1

The output shows the FreeBSD-A node's IKE cookies, that this node was the responder (S = R), ISAKMP version 1.0 (V = 10), that IKE main mode was used (E = M), the creation time (meaning the phase 1 SA is up) and the number of phase 2 SAs negotiated under it (Phase2 = 1).
Code:
FreeBSD-A# racoonctl ss esp
A1.A1.A1.A1 B1.B1.B1.B1
        esp mode=tunnel spi=3686516100(0xdbbbc584) reqid=16459(0x0000404b)
        E: 3des-cbc  6cb4c681 aed403d6 4ba678e6 dafc124e 840058ae 49c35166
        A: hmac-sha1 9347891b 87d8c8dd 101f0561 2e396a69 9cbddd11
        seq=0x000010b4 replay=4 flags=0x00000000 state=mature
        created: Oct 16 22:55:06 2011   current: Oct 16 23:36:17 2011
        diff: 2471(s)   hard: 3600(s)   soft: 2880(s)
        last: Oct 16 23:36:17 2011      hard: 0(s)      soft: 0(s)
        current: 686976(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 4276 hard: 0 soft: 0
        sadb_seq=5 pid=71441 refcnt=2
B1.B1.B1.B1 A1.A1.A1.A1
        esp mode=tunnel spi=116916671(0x06f801bf) reqid=16460(0x0000404c)
        E: 3des-cbc  feeca111 51043654 fe62327e ad2d2ca0 94a1e23d 13893210
        A: hmac-sha1 37f145cf b81574ff cd3f0f7c 510a9d3c 2c1bd74f
        seq=0x00001170 replay=4 flags=0x00000000 state=mature
        created: Oct 16 22:55:06 2011   current: Oct 16 23:36:17 2011
        diff: 2471(s)   hard: 3600(s)   soft: 2880(s)
        last: Oct 16 23:36:17 2011      hard: 0(s)      soft: 0(s)
        current: 414937(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 4464 hard: 0 soft: 0
        sadb_seq=3 pid=71441 refcnt=1

There is one IPsec Security Association for each direction and both are in "mature" state. Note the E: lines: the SAs were negotiated with 3des-cbc, the second algorithm in the sainfo list, not with AES. If AES is what you want, remove 3des from encryption_algorithm on both sides so it can no longer be selected.

Checking the IPsec Security Policy Database (SPD):

Code:
FreeBSD-A# setkey -DP
B1.B1.B1.B1 A1.A1.A1.A1 gre
        in ipsec
        esp/transport//unique#16457
        created: Oct 12 16:55:50 2011  lastused: Oct 16 23:42:13 2011
        lifetime: 0(s) validtime: 0(s)
        spid=16691 seq=5 pid=65746 refcnt=1
A1.A1.A1.A1 B1.B1.B1.B1 gre
        out ipsec
        esp/transport//unique#16457
        created: Oct 12 16:55:50 2011  lastused: Oct 16 23:42:13 2011
        lifetime: 0(s) validtime: 0(s)
        spid=16691 seq=5 pid=65746 refcnt=1

From man setkey (flushing/dumping the kernel IPsec SA/SP databases):

Quote:
SETKEY(8)                FreeBSD System Manager's Manual               SETKEY(8)

NAME
     setkey -- manually manipulate the IPsec SA/SP database

SYNOPSIS
     setkey [-v] -c
     setkey [-v] -f filename
     setkey [-aPlv] -D
     setkey [-Pv] -F
     setkey [-h] -x

DESCRIPTION
     The setkey utility adds, updates, dumps, or flushes Security Association
     Database (SAD) entries as well as Security Policy Database (SPD) entries
     in the kernel.

     The setkey utility takes a series of operations from the standard input
     (if invoked with -c) or the file named filename (if invoked with -f
     filename).

     -D    Dump the SAD entries.  If with -P, the SPD entries are dumped.
     -F    Flush the SAD entries.  If with -P, the SPD entries are flushed.
     ...

Now, to test that the GRE tunnel is up: from FreeBSD-A ping B2.B2.B2.B2 and vice versa. Because the policies are level unique, a reply over gre0 means the GRE packets really went through the ESP SAs. To confirm nothing leaks in the clear, watch the external interface for traffic to the peer that is neither ESP (IP protocol 50) nor ISAKMP (UDP 500); bare GRE (IP protocol 47) must never show up:

Code:
FreeBSD-A# tcpdump -ni <external-interface> host B1.B1.B1.B1 and not esp and not udp port 500

OSPF in Part 2.

PART 2: FreeBSD to FreeBSD - OSPF over GRE over Ipsec (racoon) - coming soon.
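As an added example, not part of the original post, the following POSIX sh script automates the checks above: it parses setkey -DP and setkey -D style dumps for the two GRE transport-mode policies and the two mature ESP SAs, flags SAs negotiated with legacy algorithms (the 3DES case seen in the post's own dump), verifies the PSK file permissions, and computes the largest gre0 MTU from the post's overhead figures. The addresses are the post's placeholders and the embedded dumps are constructed samples in the shape of the post's output (key material elided); on a real node you would feed the live output instead, e.g. `setkey -DP | check_spd` and `setkey -D | check_sad_pair`.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the GRE-over-IPsec
# transport setup, run against `setkey -DP` (SPD) and `setkey -D` (SAD) dumps.
# Addresses are the post's placeholders; the dumps are constructed samples.

LOCAL_IP="A1.A1.A1.A1"   # this node's external address
PEER_IP="B1.B1.B1.B1"    # peer's external address
ESP_OVERHEAD=58          # post's figure for the ESP header/trailer
GRE_OVERHEAD=24          # post's figure for outer IP header + GRE header

# Constructed sample of `setkey -DP` on FreeBSD-A: one inbound, one outbound policy.
SPD_SAMPLE='B1.B1.B1.B1/32[any] A1.A1.A1.A1/32[any] gre
    in ipsec
    esp/transport//unique#16457
    spid=16691 seq=5 pid=65746 refcnt=1
A1.A1.A1.A1/32[any] B1.B1.B1.B1/32[any] gre
    out ipsec
    esp/transport//unique#16457
    spid=16690 seq=4 pid=65746 refcnt=1'

# Constructed sample of `setkey -D` on FreeBSD-A: one ESP SA per direction (keys elided).
SAD_SAMPLE='A1.A1.A1.A1 B1.B1.B1.B1
    esp mode=tunnel spi=3686516100(0xdbbbc584) reqid=16459(0x0000404b)
    E: 3des-cbc (key elided)
    A: hmac-sha1 (key elided)
    seq=0x000010b4 replay=4 flags=0x00000000 state=mature
B1.B1.B1.B1 A1.A1.A1.A1
    esp mode=tunnel spi=116916671(0x06f801bf) reqid=16460(0x0000404c)
    E: 3des-cbc (key elided)
    A: hmac-sha1 (key elided)
    seq=0x00001170 replay=4 flags=0x00000000 state=mature'

# Largest gre0 MTU that keeps a full-size GRE+ESP packet inside the outer MTU.
gre_mtu_max() { echo $(( $1 - ESP_OVERHEAD - GRE_OVERHEAD )); }

# SPD dump on stdin -> one line per policy: "src dst proto direction mode".
spd_flatten() {
    awk '/^[^[:space:]]/ { sub(/\/32/, "", $1); sub(/\[any\]/, "", $1)
                           sub(/\/32/, "", $2); sub(/\[any\]/, "", $2)
                           src = $1; dst = $2; proto = ($3 ~ /gre/) ? "gre" : $3; next }
         $2 == "ipsec"   { dir = $1; next }
         $1 ~ /^esp\//   { split($1, f, "/"); print src, dst, proto, dir, f[2] }'
}

# Both GRE policies must exist and require ESP transport mode; 0 if so, else 1.
check_spd() {
    flat=$(spd_flatten)
    printf '%s\n' "$flat" | grep -qxF "$LOCAL_IP $PEER_IP gre out transport" ||
        { echo "SPD: outbound GRE transport policy to $PEER_IP missing"; return 1; }
    printf '%s\n' "$flat" | grep -qxF "$PEER_IP $LOCAL_IP gre in transport" ||
        { echo "SPD: inbound GRE transport policy from $PEER_IP missing"; return 1; }
}

# SAD dump on stdin -> one line per SA: "src dst mode cipher auth state".
sad_flatten() {
    awk '/^[^[:space:]]/ { src = $1; dst = $2; mode = cipher = auth = state = "?"; next }
         $1 == "esp"     { sub(/^mode=/, "", $2); mode = $2; next }
         $1 == "E:"      { cipher = $2; next }
         $1 == "A:"      { auth = $2; next }
         /state=/        { for (i = 1; i <= NF; i++) if (sub(/^state=/, "", $i)) state = $i
                           print src, dst, mode, cipher, auth, state }'
}

# A mature ESP SA must exist in each direction; 0 if so, else 1.
check_sad_pair() {
    flat=$(sad_flatten)
    for pair in "$LOCAL_IP $PEER_IP" "$PEER_IP $LOCAL_IP"; do
        printf '%s\n' "$flat" |
            awk -v p="$pair" '($1 " " $2) == p && $6 == "mature" { ok = 1 } END { exit !ok }' ||
            { echo "SAD: no mature ESP SA for $pair"; return 1; }
    done
}

# Report SAs negotiated with legacy algorithms (DES/3DES, MD5); 1 if any were found.
check_sad_algos() {
    sad_flatten | awk '$4 ~ /^(3des|des)-cbc$/ || $5 == "hmac-md5" {
                           print "SAD: legacy algorithm on " $1 " -> " $2 ": " $4 "/" $5; bad = 1 }
                       END { exit bad + 0 }'
}

# The PSK file must carry no group/other permission bits (racoon rejects it otherwise).
check_psk_perms() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      echo "$1: group/other bits set; chmod 600 and chown root it"; return 1 ;;
    esac
}

# Stand-alone run against the constructed samples.
echo "max safe gre0 MTU on a 1500-byte uplink: $(gre_mtu_max 1500)"
printf '%s\n' "$SPD_SAMPLE" | check_spd && echo "SPD: both GRE transport policies present"
printf '%s\n' "$SAD_SAMPLE" | check_sad_pair && echo "SAD: mature ESP SA in both directions"
printf '%s\n' "$SAD_SAMPLE" | check_sad_algos || echo "SAD: drop 3des from sainfo if AES is intended"
```

The SPD check is deliberately strict about direction and mode: a policy pair that is present but in tunnel mode, or an outbound policy without its inbound twin, is exactly the misconfiguration that lets GRE fall back to the clear or be dropped, so both are reported as failures rather than warnings. The parsers only look at the header line, the direction line, the esp/ line and the fields named E:, A: and state=, so the extra lifetime and counter lines that real dumps contain are ignored.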