Configuring FreeBSD IPSEC
=========================

Shanker Balan
http://shankerbalan.com/

Overview
========

(FreeBSD 5.1 -CURRENT) Godzilla <---------> Buffy (OpenBSD 3.2)
                   192.168.1.21 <---------> 192.168.1.95

This Host:      192.168.1.24
Peer:           192.168.1.95
Encryption:     3DES
Hashing Algo:   HMAC-SHA1
PFS:            YES

The CIPHER SUITE is: "QM-ESP-3DES-SHA-PFS-SUITE"

Install Racoon: The KAME racoon IKE daemon
==========================================

[godzilla] ~# portinstall security/racoon

Config Files
============

[godzilla] /usr/local/etc/racoon# chmod 600 racoon.conf psk.txt

###
### racoon/racoon.conf
###

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
    isakmp 192.168.1.24 [500];
}

# Buffy
remote 192.168.1.95 {
    exchange_mode aggressive;
    my_identifier address 192.168.1.24;
    peers_identifier address 192.168.1.95;
    nonce_size 16;
    lifetime time 1 hour;       # sec,min,hour
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.1.24 any address 192.168.1.95 any {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

###
### racoon/psk.conf
###

# buffy
192.168.1.95    mekmitasdigoat

###
### /etc/ipsec.conf
###

spdadd 192.168.1.24/32 192.168.1.95/32 any -P out ipsec esp/tunnel/192.168.1.24-192.168.1.95/require;
spdadd 192.168.1.95/32 192.168.1.24/32 any -P in ipsec esp/tunnel/192.168.1.95-192.168.1.24/require;

Start IKE and Security Association
==================================

[godzilla] ~# /usr/local/etc/rc.d/racoon.sh start
[godzilla] ~# setkey -f /etc/ipsec.conf

View Current Policies: See setkey(8) for details.

[godzilla] ~# setkey -D
192.168.1.24 192.168.1.95
        esp mode=tunnel spi=2529261240(0x96c176b8) reqid=0(0x00000000)
        E: 3des-cbc  95c369f4 77a27bfb 598f1da8 2a925a92 1f28b22c b1a79c21
        A: hmac-sha1  ab2c4511 9fd3d487 ee180297 e5740830 a68971b2
        seq=0x000001d6 replay=4 flags=0x00000000 state=mature
        created: Sep 12 14:44:33 2003   current: Sep 12 15:27:34 2003
        diff: 2581(s)   hard: 3600(s)   soft: 2880(s)
        last: Sep 12 15:22:14 2003      hard: 0(s)      soft: 0(s)
        current: 68344(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 470  hard: 0 soft: 0
        sadb_seq=1 pid=33156 refcnt=1
192.168.1.95 192.168.1.24
        esp mode=tunnel spi=81140534(0x04d61b36) reqid=0(0x00000000)
        E: 3des-cbc  57ffcfda 0717acfd 58e8acc1 58f8889f a4d5bb4b e7ed59b9
        A: hmac-sha1  dd041adb 20494be2 c7eb7b6a d001fa88 06460773
        seq=0x00000174 replay=4 flags=0x00000000 state=mature
        created: Sep 12 14:44:33 2003   current: Sep 12 15:27:34 2003
        diff: 2581(s)   hard: 3600(s)   soft: 2880(s)
        last: Sep 12 15:22:14 2003      hard: 0(s)      soft: 0(s)
        current: 107583(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 372  hard: 0 soft: 0
        sadb_seq=0 pid=33156 refcnt=1

Testing
=======

[godzilla] ~> ping -c 3 buffy
PING buffy.exocore.com (192.168.1.95): 56 data bytes
64 bytes from 192.168.1.95: icmp_seq=0 ttl=255 time=1.714 ms
64 bytes from 192.168.1.95: icmp_seq=1 ttl=255 time=1.701 ms
64 bytes from 192.168.1.95: icmp_seq=2 ttl=255 time=1.686 ms

--- buffy.exocore.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.686/1.700/1.714/0.011 ms

[godzilla] ~# tcpdump esp
tcpdump: listening on rl0
15:29:06.425086 godzilla.exocore.com > buffy.exocore.com: ESP(spi=0x96c176b8,seq=0x1d9)
15:29:06.426424 buffy.exocore.com > godzilla.exocore.com: ESP(spi=0x04d61b36,seq=0x179)
15:29:12.562413 godzilla.exocore.com > buffy.exocore.com: ESP(spi=0x96c176b8,seq=0x1da)
15:29:12.563787 buffy.exocore.com > godzilla.exocore.com: ESP(spi=0x04d61b36,seq=0x17a)
15:29:13.564737 godzilla.exocore.com > buffy.exocore.com: ESP(spi=0x96c176b8,seq=0x1db)
15:29:13.566104 buffy.exocore.com > godzilla.exocore.com: ESP(spi=0x04d61b36,seq=0x17c)
^C
154 packets received by filter
0 packets dropped by kernel

Debugging
=========

- Set "log debug;" in racoon.conf and tail -f /var/log/debug. The log file
  gets rotated by newsyslog every 100kb, so watch out for it.

** NOTE **

- Peer configuration is mentioned elsewhere on the page.
- The FreeBSD GENERIC kernel does not have IPSEC. Rebuild the kernel with the
  following options:

    options IPSEC
    options IPSEC_ESP

Changelog:

* Fri Sep 12 15:11:19 IST 2003
  - I will not forget to document... I will not forget to document...
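The `setkey -D` dump above is the only place to confirm that the kernel actually negotiated what racoon.conf asked for (`setkey -D` prints the SA database; `setkey -DP` prints the policies loaded from ipsec.conf). Reading it by eye is error-prone once there are more than two SAs, so the following added example (not code from the original page or from the KAME/racoon project) parses a dump and checks every SA against the page's suite: ESP, tunnel mode, 3des-cbc, hmac-sha1, state mature, anti-replay on, inside its lifetimes, and with an endpoint pair that matches one of the `spdadd` tunnel policies. The embedded dump and spdadd lines are trimmed copies of the page's own output; the `EXPECTED` table and the set of checks are this example's assumptions about what a sanity check should verify.

```python
"""Audit a `setkey -D` SA dump against the intended IPsec policy (added example)."""
import re

# Suite the page configures: ESP tunnel with 3DES and HMAC-SHA1 (assumed target).
EXPECTED = {"proto": "esp", "mode": "tunnel", "enc": "3des-cbc", "auth": "hmac-sha1"}

# spdadd lines copied from the page's /etc/ipsec.conf (constructed sample).
IPSEC_CONF = """
spdadd 192.168.1.24/32 192.168.1.95/32 any -P out ipsec esp/tunnel/192.168.1.24-192.168.1.95/require;
spdadd 192.168.1.95/32 192.168.1.24/32 any -P in ipsec esp/tunnel/192.168.1.95-192.168.1.24/require;
"""

# Trimmed copy of the page's `setkey -D` output (constructed sample).
SETKEY_D = """\
192.168.1.24 192.168.1.95
    esp mode=tunnel spi=2529261240(0x96c176b8) reqid=0(0x00000000)
    E: 3des-cbc  95c369f4 77a27bfb 598f1da8 2a925a92 1f28b22c b1a79c21
    A: hmac-sha1  ab2c4511 9fd3d487 ee180297 e5740830 a68971b2
    seq=0x000001d6 replay=4 flags=0x00000000 state=mature
    created: Sep 12 14:44:33 2003   current: Sep 12 15:27:34 2003
    diff: 2581(s)   hard: 3600(s)   soft: 2880(s)
192.168.1.95 192.168.1.24
    esp mode=tunnel spi=81140534(0x04d61b36) reqid=0(0x00000000)
    E: 3des-cbc  57ffcfda 0717acfd 58e8acc1 58f8889f a4d5bb4b e7ed59b9
    A: hmac-sha1  dd041adb 20494be2 c7eb7b6a d001fa88 06460773
    seq=0x00000174 replay=4 flags=0x00000000 state=mature
    created: Sep 12 14:44:33 2003   current: Sep 12 15:27:34 2003
    diff: 2581(s)   hard: 3600(s)   soft: 2880(s)
"""

TUNNEL = re.compile(r"(?:esp|ah)/tunnel/([\d.]+)-([\d.]+)/")


def parse_spd_tunnels(conf):
    """Return the set of (src, dst) tunnel endpoint pairs named in spdadd lines."""
    return {(m.group(1), m.group(2)) for m in TUNNEL.finditer(conf)}


def parse_setkey_dump(text):
    """Parse `setkey -D` output into one dict per SA.

    An unindented line "src dst" starts a new SA; indented lines carry its
    attributes.  Only the fields the audit needs are extracted.
    """
    sas = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            src, dst = line.split()
            sas.append({"src": src, "dst": dst})
            continue
        sa, body = sas[-1], line.strip()
        if body.startswith(("esp ", "ah ")):
            sa["proto"] = body.split()[0]
            kv = dict(re.findall(r"(\w+)=([^\s(]+)", body))
            sa["mode"], sa["spi"] = kv["mode"], int(kv["spi"])
        elif body.startswith("E: "):
            sa["enc"] = body.split()[1]
        elif body.startswith("A: "):
            sa["auth"] = body.split()[1]
        elif "state=" in body:
            kv = dict(re.findall(r"(\w+)=(\S+)", body))
            sa["state"], sa["replay"] = kv["state"], int(kv["replay"])
        elif body.startswith("diff:"):
            kv = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)\(s\)", body)}
            sa.update(age=kv["diff"], hard=kv["hard"], soft=kv["soft"])
    return sas


def check_sa(sa, tunnels):
    """Return a list of problems for one SA; an empty list means it passes."""
    problems = []
    if (sa["src"], sa["dst"]) not in tunnels:
        problems.append("endpoints not covered by any spdadd tunnel policy")
    for key in ("proto", "mode", "enc", "auth"):
        if sa.get(key) != EXPECTED[key]:
            problems.append(f"{key}={sa.get(key)} (expected {EXPECTED[key]})")
    if sa.get("state") != "mature":
        problems.append(f"state={sa.get('state')}")
    if sa.get("replay", 0) == 0:
        problems.append("anti-replay window disabled")
    if sa.get("age", 0) >= sa.get("hard", 1):
        problems.append("past hard lifetime")
    elif sa.get("age", 0) >= sa.get("soft", 1):
        problems.append("past soft lifetime; racoon should be rekeying")
    return problems


def audit(dump=SETKEY_D, conf=IPSEC_CONF):
    """Map each (src, dst) pair to its problem list; policies with no SA are flagged."""
    tunnels = parse_spd_tunnels(conf)
    report = {(sa["src"], sa["dst"]): check_sa(sa, tunnels) for sa in parse_setkey_dump(dump)}
    for pair in tunnels:
        report.setdefault(pair, ["no SA for this policy"])
    return report


if __name__ == "__main__":
    for pair, problems in sorted(audit().items()):
        print(f"{pair[0]} -> {pair[1]}: {'OK' if not problems else '; '.join(problems)}")
```

On a live host, feed the real output in with `audit(subprocess.check_output(["setkey", "-D"], text=True))`; the `diff`/`hard` fields also give the seconds left before the kernel expires the SA, which is the number to watch when racoon's rekey has silently stopped.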