IPSEC with NetBSD & KAME (tunnel mode)



IPSEC is enabled by default in the NetBSD/i386 and /amd64 GENERIC kernels, no need to recompile it.

On both IPSEC end-points, here ipsec and nbsd, define shared static name resolution (and optionally push it to some internal nodes for later acceptance testing, here ssdhb and slack9)

vi /etc/hosts

#Nethence office ipsec.nethence.com ipsec     ipsecgw     ipsechb     ssdhb

#OS3 office nbsd.os3.su nbsd nbsdgw     nbsdhb     slack9

First, make sure every IPSEC peer can reach its own public gateway

ping ipsecgw
traceroute ipsecgw

ping nbsdgw
traceroute nbsdgw

and also make sure they can reach their peer(s) through the public network

ping nbsd
traceroute nbsd

ping ipsec
traceroute ipsec

Then make sure every IPSEC peer also has a valid internal network link with some host or station

ping ssdhb

ping slack9

Set up the SA keys manually with add and the ESP tunnel policy with spdadd. If you are considering this for production, you obviously have to change not only the IP address ranges but also the two secrets used here.

cat > /etc/ipsec.conf.ipsec <<-EOF
add esp 13245 -E blowfish-cbc "blowfishtest.001" ;
add esp 13246 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd any -P out ipsec esp/tunnel/;
spdadd any -P in ipsec esp/tunnel/;
EOF
sed -r '3s/-P out/-P in/; 4s/-P in/-P out/' /etc/ipsec.conf.ipsec > /etc/ipsec.conf.nbsd
chmod 400 /etc/ipsec*
ls -lF /etc/ipsec*
diff -bu /etc/ipsec.conf.ipsec /etc/ipsec.conf.nbsd
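An alternative to editing two copies of the file by hand, as an added example (not part of the original note): a small sh script that emits the setkey(8) file for one peer of the manually keyed ESP tunnel, and checks the key material first. The addresses, SPIs and keys in the usage comment are constructed placeholders from RFC 5737 space, and the "/require" policy level is an assumption, since the note above elides it.

```shell
#!/bin/sh
# Added example: generate the setkey(8) configuration for ONE peer of a
# manually keyed ESP tunnel. Gateways, networks, SPIs and keys are passed
# as arguments; the peer's file is the same call with the local and remote
# arguments swapped, so no sed editing of a copied file is needed.
# The "/require" level is an assumption (the note above elides it).

# key_ok KEY: accept a setkey key given as 0x-hex or as a "quoted" ASCII
# string, and require 5..56 bytes, the 40..448-bit range blowfish-cbc takes.
key_ok() {
    case $1 in
        0x*) k=${1#0x}
             case $k in ''|*[!0-9a-fA-F]*) return 1 ;; esac
             [ $(( ${#k} % 2 )) -eq 0 ] || return 1
             n=$(( ${#k} / 2 )) ;;
        \"*\") k=${1#?}; k=${k%?}; n=${#k} ;;
        *) return 1 ;;
    esac
    [ "$n" -ge 5 ] && [ "$n" -le 56 ]
}

# ipsec_conf LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET SPI_OUT SPI_IN KEY_OUT KEY_IN
# The two SAs are the same on both peers; only the policy directions flip.
ipsec_conf() {
    key_ok "$7" && key_ok "$8" || { echo "ipsec_conf: bad key" >&2; return 1; }
    printf 'add %s %s esp %s -E blowfish-cbc %s;\n' "$1" "$2" "$5" "$7"
    printf 'add %s %s esp %s -E blowfish-cbc %s;\n' "$2" "$1" "$6" "$8"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$4" "$3" "$2" "$1"
}

# Usage on the ipsec.nethence.com side (constructed placeholder values):
#   ipsec_conf 192.0.2.1 198.51.100.1 10.0.0.0/24 10.1.0.0/24 13245 13246 \
#       0xdeadbeefdeadbeefdeadbeefdeadbeef 0xcafebabecafebabecafebabecafebabe \
#       > /etc/ipsec.conf.ipsec
# On the nbsd.os3.su side swap the two gateways, networks, SPIs and keys.
```

Generate real keys with something like openssl rand -hex 16 rather than the test strings used in this note.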

only on ipsec.nethence.com

ln -sf ipsec.conf.ipsec /etc/ipsec.conf

only on nbsd.os3.su

ln -sf ipsec.conf.nbsd /etc/ipsec.conf

back to both

We want to route traffic coming from the peer's network into ours. Note this is only required if you have a network of your own to share; it is not needed for a single server or a lone tap0 interface.

sysctl net.inet.ip.forwarding
sysctl -w net.inet.ip.forwarding=1
#sysctl -w net.inet.ipsec.debug=1

cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
cat >> /etc/sysctl.conf <<-EOF
net.inet.ip.forwarding=1
EOF
cat /etc/sysctl.conf

And the other way around, we need to reach our peer’s network


route -n add -net -netmask
netstat -rn -f inet
vi /etc/ifconfig.xennet1

inet up
!/sbin/route -n add -net -netmask


route -n add -net -netmask
netstat -rn -f inet
vi /etc/ifconfig.xennet1

inet up
!/sbin/route -n add -net -netmask


enable & start

grep ipsec /etc/defaults/rc.conf
echo ipsec=yes >> /etc/rc.conf
/etc/rc.d/ipsec start
#setkey -f /etc/ipsec.conf


setkey -D
setkey -DP




NAT vs PoC

In case this is a PoC and the internal nodes do not use their IPSEC end-point as their default route, add a static route towards the peer network

on ssd (gnu/linux)

route add -net gw

on slack9 (gnu/linux)

route add -net gw

Otherwise you’re in a more realistic setup, and it does not even interfere with NAT.

Acceptance Testing

From the Nethence office, sniff the end-point's network interface and watch the cleartext outgoing and incoming traffic

tcpdump -n -vvv -i xennet0 host nbsd or host nbsdgw

ping -c1 nbsdgw
ping -c1 nbsd

now this should be encrypted (watch for ESP packets)

ping -c1 nbsdhb
ping -c1 slack9

further test from ssdhb

ping -c1 nbsdhb
ping -c1 slack9

From the OS3 office, sniff the other end-point's network interface and watch the cleartext outgoing and incoming traffic

tcpdump -n -vvv -i xennet0 host ipsec or host ipsecgw

ping -c1 ipsecgw
ping -c1 ipsec

now this should be encrypted (watch for ESP packets)

ping -c1 ipsechb
ping -c1 ssdhb

further test from slack9

ping -c1 ipsechb
ping -c1 ssdhb

On both sides the statistics should show ESP packets being handled

netstat -sn | sed -rn '/^ipsec:/,/^ip6:/p'


setkey(8) – manually manipulate the IPsec SA/SP database https://netbsd.gw.com/cgi-bin/man-cgi?setkey++NetBSD-current

NetBSD IPsec FAQ https://www.netbsd.org/docs/network/ipsec/

IPsec on OpenBSD http://www.kernel-panic.it/openbsd/vpn/vpn3.html

IPsec in Linux http://xgu.ru/wiki/IPsec_%D0%B2_Linux
