IPSEC with NetBSD & KAME

tested with NetBSD 8 and 9 (tunnel mode)

     \_||_~
     (*||*)
  /-------\||/
 / |     ||
*  ||----||
   OO    }{

ARCHITECTURE

Do it on GNS3 if you wish; here we assume KVM with manually configured bridges.

node1     node2        node3          node4
bravo --> netbsd/ipsec --> ipsec2/netbsd2 --> netbsd3
     virbr0    dummybr0   dummybr1

Don't forget to create those bridges and bring them up

brctl addbr dummybr0
brctl addbr dummybr1
ifconfig dummybr0 up
ifconfig dummybr1 up

Optionally name the guests' virtual NICs as follows, so that you can tell the interfaces apart on the bridges

netbsd

    <interface type='bridge'>
      <source bridge='dummybr0'/>
      <target dev='ipsec'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='virbr0'/>
      <target dev='netbsd'/>
      <model type='virtio'/>
    </interface>

netbsd2

    <interface type='bridge'>
      <source bridge='dummybr0'/>
      <target dev='ipsec2'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='dummybr1'/>
      <target dev='netbsd2'/>
      <model type='virtio'/>
    </interface>

netbsd3

    <interface type='bridge'>
      <source bridge='dummybr1'/>
      <target dev='netbsd3'/>
      <model type='virtio'/>
    </interface>

On both IPSEC end-points, define the same static name resolution (and optionally push those entries to some internal node for further acceptance testing).

10.8.8.1    ipsec
192.168.122.11  netbsd
192.168.122.1   bravo

10.8.8.2    ipsec2
10.1.1.254  netbsd2
10.1.1.1    netbsd3

SETUP

IPSEC is enabled by default in the NetBSD/i386 and /amd64 GENERIC kernels; there is no need to recompile.

The private keys are set up manually with add (one security association per direction) and the ESP tunnel policy with spdadd. Obviously you have to change not only the IP address ranges but also the two secrets. And if you are considering this for production, you should also plan for some periodic re-keying (without IKE, if you wish).

bravo (linux)

route add -net 10.8.8.0/24 gw 192.168.122.11
route add -net 10.1.1.0/24 gw 192.168.122.11

netbsd – using default route instead of fine-grained routing

echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf

vi /etc/myname

netbsd

vi /etc/mygate

10.8.8.2

vi /etc/hosts
...

vi /etc/ifconfig.vioif0

inet 10.8.8.1/24 up

vi /etc/ifconfig.vioif1

inet 192.168.122.11/24 up
#!echo
#!/sbin/route add -net 10.1.1.0/24 192.168.122.11

vi /etc/ipsec.conf

add 10.8.8.1 10.8.8.2 esp 13245 -E blowfish-cbc "blowfishtest.001";
add 10.8.8.2 10.8.8.1 esp 13246 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd 192.168.122.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/10.8.8.1-10.8.8.2/require;
spdadd 10.1.1.0/24 192.168.122.0/24 any -P in ipsec esp/tunnel/10.8.8.2-10.8.8.1/require;

grep ipsec /etc/defaults/rc.conf
echo ipsec=yes >> /etc/rc.conf

shutdown -r now

netbsd2 – using default route instead of fine-grained routing

echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf

vi /etc/myname

netbsd2

vi /etc/mygate

10.8.8.1

vi /etc/hosts
...

vi /etc/ifconfig.vioif0

inet 10.8.8.2/24 up

vi /etc/ifconfig.vioif1

inet 10.1.1.254/24 up
#!echo
#!/sbin/route add -net 192.168.122.0/24 10.1.1.254

vi /etc/ipsec.conf

add 10.8.8.1 10.8.8.2 esp 13245 -E blowfish-cbc "blowfishtest.001";
add 10.8.8.2 10.8.8.1 esp 13246 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd 192.168.122.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/10.8.8.1-10.8.8.2/require;
spdadd 10.1.1.0/24 192.168.122.0/24 any -P out ipsec esp/tunnel/10.8.8.2-10.8.8.1/require;

grep ipsec /etc/defaults/rc.conf
echo ipsec=yes >> /etc/rc.conf

shutdown -r now

netbsd3

vi /etc/myname

netbsd3

vi /etc/hosts
...

vi /etc/ifconfig.vioif0

inet 10.1.1.1/24 up

vi /etc/mygate

10.1.1.254

shutdown -r now

Operations

start

setkey -f /etc/ipsec.conf

status

setkey -D
setkey -DP

stop

/sbin/setkey -F
/sbin/setkey -FP

flush

setkey

flush;
spdflush;

Acceptance

netbsd

ping ipsec2
ping netbsd2
ping netbsd3

bravo (linux)

ping netbsd
ping ipsec # works without ip4fwd??!
ping ipsec2
ping netbsd2
ping netbsd3
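A successful ping proves reachability, not that the tunnel is used. The following is an added wire check, not part of the original page: capture the transit bridge on the KVM host with tcpdump while the pings run and feed the text to check_capture, which passes only when everything between the gateways is ESP and no inner address appears in clear (the sample captures are constructed; /dev/stderr and awk are assumed to be available).

```shell
#!/bin/sh
# Added example (not from the original page): verify on the KVM host that
# the pings above really travel inside ESP on the transit bridge. Capture
# while pinging, then check:
#   tcpdump -nni dummybr0 -l > /tmp/dummybr0.txt
#   check_capture < /tmp/dummybr0.txt

# check_capture < tcpdump-text  -> exit 0 when the tunnel is used, 1 otherwise
check_capture() {
    awk '
        # expected: ESP between the tunnel end-points 10.8.8.1 / 10.8.8.2
        $2 == "IP" && $3 ~ /^10\.8\.8\./ && /ESP\(spi=/ { esp++; next }
        # any packet naming an inner host on the transit bridge is a leak
        /192\.168\.122\.|10\.1\.1\./ { leak++ }
        END { printf "esp=%d leak=%d\n", esp, leak; exit (leak > 0 || esp == 0) }
    '
}

# Constructed sample captures in "tcpdump -nn" text format (SPIs 13245/13246
# from the ipsec.conf above are 0x33bd/0x33be), used as a self-test.
sample_tunnel() {
    printf '%s\n' \
      '10:00:01.000001 IP 10.8.8.1 > 10.8.8.2: ESP(spi=0x000033bd,seq=0x1), length 116' \
      '10:00:01.000400 IP 10.8.8.2 > 10.8.8.1: ESP(spi=0x000033be,seq=0x1), length 116'
}
sample_clear() {
    printf '%s\n' \
      '10:00:01.000001 IP 192.168.122.1 > 10.1.1.1: ICMP echo request, id 1, seq 1, length 64' \
      '10:00:01.000400 IP 10.1.1.1 > 192.168.122.1: ICMP echo reply, id 1, seq 1, length 64'
}
```

If check_capture reports leak>0, the SPD on one gateway does not match the inner subnets, or the packets are bypassing the policy.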

Resources

KVM/qemu, libvirt, virt-manager – persistent names for virtual network interfaces of guest systems https://linux-blog.anracom.com/2016/02/07/kvmqemu-libvirt-virt-manager-persistent-names-for-the-virtual-network-interfaces-of-guest-systems/

setkey – manually manipulate the IPsec SA/SP database https://man.netbsd.org/setkey.8

NetBSD IPsec FAQ https://www.netbsd.org/docs/network/ipsec/

3. IPsec on OpenBSD http://www.kernel-panic.it/openbsd/vpn/vpn3.html

Linux Kernel 2.6 using KAME-tools http://www.ipsec-howto.org/x299.html

Linux Kernel 2.6 using KAME-tools http://www.ipsec-howto.org/x304.html

Details on the SPI:

Re: IPsec vs ssh https://mail-index.netbsd.org/tech-net/2013/11/12/msg004359.html

Setting Up and Using Secure IP (IPsec) http://osr600doc.sco.com/en/NET_ipsec/ipsec_top.html


Note that the second end-point's ipsec.conf differs from the first only in the policy direction of the two spdadd lines, so it can be generated from the first one kept as a template; either way, restrict the files, since they carry the keys in clear text.

sed -r '
    3s/-P out/-P in/;
    4s/-P in/-P out/;
    ' /etc/ipsec.conf.tpl > /etc/ipsec.conf
chmod 400 /etc/ipsec*
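As an added example, not code from the original page, the generator below renders both end-points' ipsec.conf from one parameter set, which covers both the "change the ranges and the two secrets" advice of the setup section and the template trick above: the add lines (SPIs and keys) come out identical on both sides, only -P out/-P in is flipped, and the keys are freshly drawn from /dev/urandom (assumed present) instead of the demo secrets.

```shell
#!/bin/sh
# Added example (not from the original page): render ipsec.conf for both
# tunnel end-points from one parameter set, so the SA lines (SPIs, keys)
# are byte-identical on both gateways and only the policy direction is
# flipped. Addresses and SPIs are the page's topology; the keys are fresh.

GW_A=10.8.8.1;  NET_A=192.168.122.0/24;  SPI_AB=13245
GW_B=10.8.8.2;  NET_B=10.1.1.0/24;       SPI_BA=13246

# 128-bit key as a setkey hex literal, read from /dev/urandom (assumed present)
new_key() { printf '0x%s' "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"; }
KEY_AB=${KEY_AB:-$(new_key)}    # one independent key per direction
KEY_BA=${KEY_BA:-$(new_key)}

# render_conf a|b  -> prints the config for end-point A (10.8.8.1) or B (10.8.8.2)
render_conf() {
    case $1 in
        a) dir_ab=out; dir_ba=in ;;
        b) dir_ab=in;  dir_ba=out ;;
        *) echo "usage: render_conf a|b" >&2; return 1 ;;
    esac
    cat <<EOF
add $GW_A $GW_B esp $SPI_AB -E blowfish-cbc $KEY_AB;
add $GW_B $GW_A esp $SPI_BA -E blowfish-cbc $KEY_BA;
spdadd $NET_A $NET_B any -P $dir_ab ipsec esp/tunnel/$GW_A-$GW_B/require;
spdadd $NET_B $NET_A any -P $dir_ba ipsec esp/tunnel/$GW_B-$GW_A/require;
EOF
}

# Typical use on a workstation, then copy each file to its gateway:
#   render_conf a > ipsec.conf.netbsd  && chmod 400 ipsec.conf.netbsd
#   render_conf b > ipsec.conf.netbsd2 && chmod 400 ipsec.conf.netbsd2
```

Re-keying then means re-running the generator and loading the new files with setkey -f on both gateways.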

Licensed under MIT