IPSEC with NetBSD & KAME (tunnel mode)

         \_||_~
         (*||*)
  /-------\||/
 / |     ||
*  ||----||
   OO    }{

Deployment

IPSEC is enabled by default in the NetBSD/i386 and /amd64 GENERIC kernels, so there is no need to recompile the kernel.

On both IPSEC end-points, here ipsec and nbsd, define the same static name resolution (and possibly push it to some internal nodes for further acceptance testing, here ssdhb and slack9)

vi /etc/hosts

#Nethence office
212.83.171.255 ipsec.nethence.com ipsec
62.210.0.1     ipsecgw
10.6.6.254     ipsechb
10.6.6.253     ssdhb

#OS3 office
188.130.155.57 nbsd.os3.su nbsd
188.130.155.33 nbsdgw
10.1.1.252     nbsdhb
10.1.1.253     slack9

First, make sure every IPSEC peer can reach its own public gateway

ping ipsecgw
traceroute ipsecgw

ping nbsdgw
traceroute nbsdgw

and also make sure they can reach their peer(s) through the public network

ping nbsd
traceroute nbsd

ping ipsec
traceroute ipsec

Then make sure every IPSEC peer also has a valid internal network link with some host or station

ping ssdhb

ping slack9

Set up the security associations and their keys manually with add, and the ESP tunnel policies with spdadd. If you are considering this for production, you obviously have to change not only the IP address ranges but also the two secrets used here.

cat > /etc/ipsec.conf.ipsec <<-EOF
add 212.83.171.255 188.130.155.57 esp 13245 -E blowfish-cbc "blowfishtest.001" ;
add 188.130.155.57 212.83.171.255 esp 13246 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd 10.6.6.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/212.83.171.255-188.130.155.57/require;
spdadd 10.1.1.0/24 10.6.6.0/24 any -P in ipsec esp/tunnel/188.130.155.57-212.83.171.255/require;
EOF
sed -r '3s/-P out/-P in/; 4s/-P in/-P out/' /etc/ipsec.conf.ipsec > /etc/ipsec.conf.nbsd
chmod 400 /etc/ipsec*
ls -lF /etc/ipsec*
diff -bu /etc/ipsec.conf.ipsec /etc/ipsec.conf.nbsd
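The same two-file recipe as a script, as an added example that is not part of the original page: it keeps the page's addresses, networks and SPIs but draws the two secrets from /dev/urandom instead of typing them, uses rijndael-cbc (setkey's name for AES-CBC) in place of blowfish-cbc, and adds an -A hmac-sha256 authenticator so that ESP provides integrity and not only confidentiality. OUTDIR, hexkey, write_conf, policy_dir and generate_all are this example's own names; on the peers OUTDIR would be /etc.

```shell
#!/bin/sh
# Added example, not from the original page: generate fresh random secrets
# and write both peer-specific setkey configurations in one go.
# Assumptions: OUTDIR (defaults to .), the function names below, and the
# choice of rijndael-cbc + hmac-sha256 instead of the page's blowfish-cbc only.
set -eu

OUTDIR="${OUTDIR:-.}"
IPSEC_PUB=212.83.171.255   # ipsec.nethence.com
NBSD_PUB=188.130.155.57    # nbsd.os3.su
IPSEC_NET=10.6.6.0/24      # Nethence office
NBSD_NET=10.1.1.0/24       # OS3 office

# hexkey BYTES: print BYTES random bytes as 0x-prefixed hex, the key form
# setkey accepts for -E and -A (dd/od rather than head -c, which is not portable).
hexkey() {
    printf '0x%s' "$(dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')"
}

# write_conf SIDE FILE ENC_A ENC_B AUTH_A AUTH_B
# The two SAs (add) are identical on both peers; only the SP directions
# differ, which is what the page's sed on lines 3 and 4 swaps.
write_conf() {
    side=$1 file=$2 ek_a=$3 ek_b=$4 ak_a=$5 ak_b=$6
    if [ "$side" = ipsec ]; then dir_a=out dir_b=in; else dir_a=in dir_b=out; fi
    cat > "$file" <<EOF
add $IPSEC_PUB $NBSD_PUB esp 13245 -E rijndael-cbc $ek_a -A hmac-sha256 $ak_a;
add $NBSD_PUB $IPSEC_PUB esp 13246 -E rijndael-cbc $ek_b -A hmac-sha256 $ak_b;
spdadd $IPSEC_NET $NBSD_NET any -P $dir_a ipsec esp/tunnel/$IPSEC_PUB-$NBSD_PUB/require;
spdadd $NBSD_NET $IPSEC_NET any -P $dir_b ipsec esp/tunnel/$NBSD_PUB-$IPSEC_PUB/require;
EOF
    chmod 400 "$file"
}

# policy_dir FILE SRCNET: print the -P direction of the spdadd whose source is SRCNET,
# a quick check that each side got the right in/out orientation.
policy_dir() {
    awk -v net="$2" '$1 == "spdadd" && $2 == net { for (i = 1; i <= NF; i++) if ($i == "-P") print $(i+1) }' "$1"
}

# generate_all: one key set, two files; the same secrets must land on both peers.
generate_all() {
    ek_a=$(hexkey 16) ek_b=$(hexkey 16)   # 128-bit AES keys
    ak_a=$(hexkey 32) ak_b=$(hexkey 32)   # 256-bit HMAC-SHA256 keys
    write_conf ipsec "$OUTDIR/ipsec.conf.ipsec" "$ek_a" "$ek_b" "$ak_a" "$ak_b"
    write_conf nbsd  "$OUTDIR/ipsec.conf.nbsd"  "$ek_a" "$ek_b" "$ak_a" "$ak_b"
}

# usage: OUTDIR=/etc sh genconf.sh run   (then copy the other file to the peer)
if [ "${1:-}" = run ]; then
    generate_all
    diff -u "$OUTDIR/ipsec.conf.ipsec" "$OUTDIR/ipsec.conf.nbsd" || true
fi
```

The diff at the end should show nothing but the two swapped -P directions, exactly as the page's diff -bu does; the files are created mode 400 because they carry the shared secrets.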

only on ipsec.nethence.com

ln -sf ipsec.conf.ipsec /etc/ipsec.conf

only on nbsd.os3.su

ln -sf ipsec.conf.nbsd /etc/ipsec.conf

back to both

We want to route traffic from the other network into ours. Note this is only required if you have a network of your own to share; it is not needed if there is only a tap0 interface or a single server.

sysctl net.inet.ip.forwarding
sysctl -w net.inet.ip.forwarding=1
#sysctl -w net.inet.ipsec.debug=1

cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
cat >> /etc/sysctl.conf <<-EOF
net.inet.ip.forwarding=1
#net.inet.ipsec.debug=1
EOF
cat /etc/sysctl.conf

And the other way around, we need to reach our peer’s network

ipsec.nethence.com

route -n add -net 10.1.1.0 -netmask 255.255.255.0 10.6.6.254
netstat -rn -f inet
vi /etc/ifconfig.xennet1

inet 10.6.6.254/24 up
!/sbin/route -n add -net 10.1.1.0 -netmask 255.255.255.0 10.6.6.254

nbsd.os3.su

route -n add -net 10.6.6.0 -netmask 255.255.255.0 10.1.1.252
netstat -rn -f inet
vi /etc/ifconfig.xennet1

inet 10.1.1.252/24 up
!/sbin/route -n add -net 10.6.6.0 -netmask 255.255.255.0 10.1.1.252

Operations

enable & start

grep ipsec /etc/defaults/rc.conf
echo ipsec=yes >> /etc/rc.conf
/etc/rc.d/ipsec start
#setkey -f /etc/ipsec.conf

status

setkey -D
setkey -DP

flush

setkey

flush;
spdflush;

NAT vs PoC

In case this is a PoC and the internal nodes do not use their IPSEC end-point as their default route, add a route to the remote network on them

on ssd (gnu/linux)

route add -net 10.1.1.0/24 gw 10.6.6.254

on slack9 (gnu/linux)

route add -net 10.6.6.0/24 gw 10.1.1.252

Otherwise, with the end-point as default route, you are in a more realistic setup, and this does not even interfere with NAT.

Acceptance Testing

From the Nethence office, sniff the end-point network interface and watch the unencrypted outgoing and incoming traffic to the peer and its gateway

tcpdump -n -vvv -i xennet0 host nbsd or host nbsdgw

ping -c1 nbsdgw
ping -c1 nbsd

now these should be encrypted (watch for ESP packets)

ping -c1 nbsdhb
ping -c1 slack9

further test from ssdhb

ping -c1 nbsdhb
ping -c1 slack9

From the OS3 office, sniff the other end-point network interface and watch the unencrypted outgoing and incoming traffic to the peer and its gateway

tcpdump -n -vvv -i xennet0 host ipsec or host ipsecgw

ping -c1 ipsecgw
ping -c1 ipsec

now these should be encrypted (watch for ESP packets)

ping -c1 ipsechb
ping -c1 ssdhb

further test from slack9

ping -c1 ipsechb
ping -c1 ssdhb

On both sides, the statistics should show ESP packets being handled

netstat -sn | sed -rn '/^ipsec:/,/^ip6:/p'
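Reading those counters by eye works once; a before/after delta around the ping tests is the check that tells you the pings really went through the tunnel rather than in clear. The following is an added example, not part of the original page: esp_processed, esp_delta and demo_delta are this example's names, and the two snapshots are constructed and only assumed to resemble the layout of NetBSD's netstat -s output.

```shell
#!/bin/sh
# Added example, not from the original page: count ESP packets processed
# according to netstat -s and compare two snapshots taken around a ping.
# Assumption: the esp: section of netstat -s contains lines of the form
# "<count> inbound/outbound packets processed successfully".
set -eu

# esp_processed: read "netstat -sn" output on stdin and print the sum of the
# "... packets processed successfully" counters found in the esp: section.
esp_processed() {
    awk '
        /^[a-z0-9]+:$/ { in_esp = ($1 == "esp:"); next }
        in_esp && /packets? processed successfully/ { n += $1 }
        END { print n + 0 }'
}

# esp_delta BEFORE_FILE AFTER_FILE: ESP packets handled between two snapshots.
# A ping -c1 to the remote inside host should give at least 2 (request + reply).
esp_delta() {
    before=$(esp_processed < "$1")
    after=$(esp_processed < "$2")
    echo $((after - before))
}

# Constructed snapshots (not real output); the ipsec: and ip6: lines are
# there to show that counters outside the esp: section are ignored.
SNAP_BEFORE='ipsec:
	5 inbound packets processed successfully
esp:
	6 inbound packets processed successfully
	6 outbound packets processed successfully
ip6:
	100 total packets received'
SNAP_AFTER='ipsec:
	7 inbound packets processed successfully
esp:
	7 inbound packets processed successfully
	7 outbound packets processed successfully
ip6:
	100 total packets received'

# demo_delta: run the check on the constructed snapshots. A live run on a peer:
#   netstat -sn > /tmp/esp.before; ping -c1 slack9; netstat -sn > /tmp/esp.after
#   esp_delta /tmp/esp.before /tmp/esp.after
demo_delta() {
    b=$(mktemp) a=$(mktemp)
    printf '%s\n' "$SNAP_BEFORE" > "$b"
    printf '%s\n' "$SNAP_AFTER" > "$a"
    esp_delta "$b" "$a"
    rm -f "$b" "$a"
}
```

A delta of zero while the ping succeeded means the traffic took a path outside the tunnel (missing route or policy), which is exactly the failure the tcpdump above would show as plain ICMP instead of ESP.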

Resources

setkey – manually manipulate the IPsec SA/SP database https://netbsd.gw.com/cgi-bin/man-cgi?setkey++NetBSD-current

NetBSD IPsec FAQ https://www.netbsd.org/docs/network/ipsec/

3. IPsec on OpenBSD http://www.kernel-panic.it/openbsd/vpn/vpn3.html

IPsec in Linux http://xgu.ru/wiki/IPsec_%D0%B2_Linux
