This document describes the setup of an IPsec tunnel between an OpenBSD machine running OpenBSD 3.5 and FreeS/WAN (IPCop).
This document can be seen as an extension of a previously written document in which I describe a normal tunnel setup between those two machines. That document can be found here.
In another document I described the setup of Linux FreeS/WAN with NAT-T. This document uses the same situation, but with OpenBSD instead of Linux.
I'm using an IPCop with Super FreeS/WAN 1.99kb2 and OpenBSD 3.5, which uses isakmpd for the IPsec key management.
This is my setup:
Corporate Networks (192.168.1.0/24; 192.168.168.0/24)
  -- IPCop (100.0.0.243)
  -- Corporate Router (100.0.0.241)
  -- [INTERNET]
  -- Home (ADSL) Router (200.0.0.1)
  -- Home OpenBSD gateway (200.0.0.17; 192.168.10.110)
  -- Home Network (192.168.20.0/24)
For security reasons, the public IPs have been changed.
Because there are multiple networks on the corporate side, you need to configure multiple SAs (one per corporate subnet) on the FreeS/WAN side as well as on the OpenBSD machine.
FreeS/Wan IPCop
The FreeS/WAN setup is pretty similar to the ones I described in earlier setups.
/etc/ipsec.conf
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0

# one conn per corporate subnet; "left" is the OpenBSD side, "right" is IPCop
conn wouter
        left=200.0.0.17
        compress=no
        leftsubnet=192.168.20.0/24
        leftnexthop=%defaultroute
        right=100.0.0.243
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        leftid=
        rightid=
        auto=start

conn woutertwee
        left=200.0.0.17
        compress=no
        leftsubnet=192.168.20.0/24
        leftnexthop=%defaultroute
        right=100.0.0.243
        rightsubnet=192.168.168.0/24
        rightnexthop=%defaultroute
        leftid=
        rightid=
        auto=start
/etc/ipsec.secrets
200.0.0.17 100.0.0.243 : PSK "anicepassphrase"
OpenBSD
/etc/isakmpd/isakmpd.policy
This policy file is pretty open and you should tighten it down once everything works, but use it as-is while setting things up. It only requires that ESP is used with a real (non-null) cipher.
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
/etc/isakmpd/isakmpd.conf
[General]
Retransmits=5
Exchange-max-time=120
Listen-on=200.0.0.17
Shared-SADB=Defined
[Phase 1]
100.0.0.243=corporate
Default=corporate
# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections=home-corporate,home-corporate2
[corporate]
Phase=1
Transport=udp
Local-address= 200.0.0.17
Address=100.0.0.243
Configuration=Default-main-mode
Authentication= anicepassphrase
#Flags=
[corporate-aggressive]
Phase= 1
Transport= udp
Local-address= 200.0.0.17
Address= 100.0.0.243
Configuration= Default-aggressive-mode
Authentication= anicepassphrase
[home-corporate]
Phase=2
ISAKMP-peer=corporate
Configuration=Default-quick-mode
Local-ID=Net-home
Remote-ID=Net-corporate
[home-corporate2]
Phase=2
ISAKMP-peer=corporate
Configuration=Default-quick-mode
Local-ID=Net-home
Remote-ID=Net-corporate2
# Certificates stored in PEM format
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
[Net-corporate]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.1.0
Netmask=255.255.255.0
[Net-corporate2]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.168.0
Netmask=255.255.255.0
[Net-home]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.20.0
Netmask=255.255.255.0
[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA,3DES-MD5
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA,3DES-MD5
# Main mode transforms
########################
# 3DES
[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_180_SECS
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_180_SECS
# Quick mode description
########################
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
# Quick mode protection suites
##############################
# 3DES
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-SHA-SUITE]
Protocols= QM-ESP-3DES-SHA
[QM-ESP-3DES-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5
# Quick mode protocols
#############################
# 3DES
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF
[QM-ESP-3DES-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-XF
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF
# Quick mode transforms
#############################
# 3DES
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[LIFE_8_HOURS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 28800,25200:32400
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
[LIFE_180_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 180,120:240
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
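With two corporate subnets it is easy to add a conn on the FreeS/WAN side and forget the matching Phase 2 connection in isakmpd.conf. The following is an added example (not part of the original page): it parses an excerpt of the isakmpd.conf above, resolves each listed Phase 2 connection to its (local, remote) network pair, and reports any ipsec.conf conn that has no counterpart. The excerpt and the FREESWAN_CONNS table are constructed from the configs on this page.

```python
from ipaddress import ip_network
# Constructed excerpt of the isakmpd.conf above: just the Phase 2 and Net-* sections.
ISAKMPD_CONF = """\
[Phase 2]
Connections=home-corporate,home-corporate2
[home-corporate]
Local-ID=Net-home
Remote-ID=Net-corporate
[home-corporate2]
Local-ID=Net-home
Remote-ID=Net-corporate2
[Net-corporate]
Network=192.168.1.0
Netmask=255.255.255.0
[Net-corporate2]
Network=192.168.168.0
Netmask=255.255.255.0
[Net-home]
Network=192.168.20.0
Netmask=255.255.255.0
"""
# (leftsubnet, rightsubnet) of each FreeS/WAN conn above; "left" is the OpenBSD side.
FREESWAN_CONNS = {"wouter": ("192.168.20.0/24", "192.168.1.0/24"),
                  "woutertwee": ("192.168.20.0/24", "192.168.168.0/24")}

def parse_isakmpd(text):
    # isakmpd.conf is "[Section]" headers followed by "Key=Value" lines; "#" starts a comment.
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return sections

def phase2_pairs(sections):
    # Resolve every listed Phase 2 connection to its (local net, remote net) in CIDR form.
    pairs = {}
    for name in sections["Phase 2"]["Connections"].split(","):
        conn = sections[name.strip()]
        nets = [sections[conn[side]] for side in ("Local-ID", "Remote-ID")]
        pairs[name.strip()] = tuple(str(ip_network(n["Network"] + "/" + n["Netmask"])) for n in nets)
    return pairs

def missing_on_openbsd(sections, freeswan_conns):
    # FreeS/WAN conns (left=OpenBSD subnet, right=corporate subnet) with no isakmpd counterpart.
    have = set(phase2_pairs(sections).values())
    return sorted(name for name, pair in freeswan_conns.items() if pair not in have)
```

Run missing_on_openbsd(parse_isakmpd(open("/etc/isakmpd/isakmpd.conf").read()), FREESWAN_CONNS) on the real file; an empty list means every corporate subnet has its SA on both ends.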
Although we set up a PSK here, you should still create some keys. Replace 200.0.0.17 with whatever you want, but your own public IP address is the best choice.
This part is borrowed from Skyper.
# openssl genrsa -out /etc/ssl/private/ca.key 1024
# openssl req -new -key /etc/ssl/private/ca.key \
    -out /etc/ssl/private/ca.csr
# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \
    -signkey /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
# openssl genrsa -out /etc/isakmpd/private/local.key 1024
# openssl req -new -key /etc/isakmpd/private/local.key \
    -out /etc/isakmpd/private/200.0.0.17.csr
# openssl x509 -req -days 365 -in /etc/isakmpd/private/200.0.0.17.csr \
    -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
    -CAcreateserial -out 200.0.0.17.crt
# certpatch -i 200.0.0.17 -k /etc/ssl/private/ca.key 200.0.0.17.crt 200.0.0.17.crt
# cp 200.0.0.17.crt /etc/isakmpd/certs
# cp /etc/ssl/ca.crt /etc/isakmpd/ca
The certpatch step adds the IP address as a subjectAltName extension, which is what isakmpd uses to match the certificate to the peer; the key and CSR were already written to /etc/isakmpd/private by the openssl commands above.
Now make sure the kernel parameters are correct (ESP and AH enabled, and the default algorithms set):
# sysctl -w net.inet.esp.enable=1
# sysctl -w net.inet.ah.enable=1
# sysctl -w net.inet.ip.ipsec-enc-alg=3des
# sysctl -w net.inet.ip.ipsec-auth-alg=hmac-md5
Or set them in /etc/sysctl.conf so they survive a reboot.
Finally, make sure that your packet filter doesn't reject the IPsec (ESP) and ISAKMP (UDP 500) packets. Edit your /etc/pf.conf to something like this ($ext_if and $int_if are assumed to be macros for your external and internal interfaces, defined earlier in the file):
# Let all packets travel freely between the two networks
ipsec_if="enc0"
pass quick on { lo $int_if $ipsec_if }
# Accept all ESP packets on the external interface
pass in on $ext_if proto esp to ($ext_if)
# Accept all ISAKMP packets on the external interface
pass in on $ext_if proto udp to ($ext_if) port 500 keep state
Now run isakmpd -d (debug mode; it stays in the foreground and logs to the terminal) to see if everything is OK.
If you have any questions, mail them to freeswan at xinit.cx