IPSEC with NetBSD & KAME

tested with netbsd8,9 (tunnel mode)

         \_||_~
         (*||*)
  /-------\||/
 / |     ||
*  ||----||
   OO    }{

ARCHITECTURE

Do it on gns3 if you wish, we are here assuming KVM with manually configured bridges.

node1     node2        node3          node4
bravo --> netbsd/ipsec --> ipsec2/netbsd2 --> netbsd3
     virbr0           dummybr0          dummybr1

Don’t forget to bring those up

brctl addbr dummybr0
brctl addbr dummybr1
ifconfig dummybr0 up
ifconfig dummybr1 up

Eventually tune the virtual NIC names as such, so you can see clear on the bridges

netbsd

    <interface type='bridge'>
      <source bridge='dummybr0'/>
      <target dev='ipsec'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='virbr0'/>
      <target dev='netbsd'/>
      <model type='virtio'/>
    </interface>

netbsd2

    <interface type='bridge'>
      <source bridge='dummybr0'/>
      <target dev='ipsec2'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='dummybr1'/>
      <target dev='netbsd2'/>
      <model type='virtio'/>
    </interface>

netbsd3

    <interface type='bridge'>
      <source bridge='dummybr1'/>
      <target dev='netbsd3'/>
      <model type='virtio'/>
    </interface>

On both IPSEC end-points, define shared static name resolution (and eventually push those to some internal node for further acceptance testing).

10.8.8.1    ipsec
192.168.122.11  netbsd
192.168.122.1   bravo

10.8.8.2    ipsec2
10.1.1.254  netbsd2
10.1.1.1    netbsd3

SETUP

IPSEC is enabled by default in the NetBSD/i386 and /amd64 GENERIC kernels, no need to recompile it.

Setting up the private keys manually with ^add and the ESP tunnel with ^spdadd. You obviously not only have to change the IP address ranges but also the two secrets here. And in case you’re considering this for production, you should also plan for some key scheduling (w/o IKE if you wish).

bravo (linux)

route add -net 10.8.8.0/24 gw 192.168.122.11
route add -net 10.1.1.0/24 gw 192.168.122.11

netbsd – using default route instead of fine-grained routing

echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf

vi /etc/myname

netbsd

vi /etc/mygate

10.8.8.2

vi /etc/hosts
...

vi /etc/ifconfig.vioif0

inet 10.8.8.1/24 up

    vi /etc/ifconfig.vioif1

inet 192.168.122.11/24 up
#!echo
#!/sbin/route add -net 10.1.1.0/24 192.168.122.11

vi /etc/ipsec.conf

add 10.8.8.1 10.8.8.2 esp 13245 -E blowfish-cbc "blowfishtest.001";
add 10.8.8.2 10.8.8.1 esp 13246 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd 192.168.122.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/10.8.8.1-10.8.8.2/require;
spdadd 10.1.1.0/24 192.168.122.0/24 any -P in ipsec esp/tunnel/10.8.8.2-10.8.8.1/require;

grep ipsec /etc/defaults/rc.conf
    echo ipsec=yes >> /etc/rc.conf

shutdown -r now

netbsd2 – using default route instead of fine-grained routing

echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf

vi /etc/myname

netbsd2

vi /etc/mygate

10.8.8.1

vi /etc/hosts
...

vi /etc/ifconfig.vioif0

inet 10.8.8.2/24 up

vi /etc/ifconfig.vioif1

inet 10.1.1.254/24 up
#!echo
#!/sbin/route add -net 192.168.122.0/24 10.1.1.254

vi /etc/ipsec.conf

add 10.8.8.1 10.8.8.2 esp 13245 -E blowfish-cbc "blowfishtest.001";
add 10.8.8.2 10.8.8.1 esp 13246 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd 192.168.122.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/10.8.8.1-10.8.8.2/require;
spdadd 10.1.1.0/24 192.168.122.0/24 any -P out ipsec esp/tunnel/10.8.8.2-10.8.8.1/require;

grep ipsec /etc/defaults/rc.conf
    echo ipsec=yes >> /etc/rc.conf

shutdown -r now

netbsd3

vi /etc/myname

netbsd3

vi /etc/hosts
...

vi /etc/ifconfig.vioif0

inet 10.1.1.1/24 up

vi /etc/mygate

10.1.1.254

shutdown -r now

Operations

start

setkey -f /etc/ipsec.conf

status

setkey -D
setkey -DP

stop

    /sbin/setkey -F
    /sbin/setkey -FP

flush

setkey

flush;
spdflush;

Acceptance

netbsd

ping ipsec2
ping netbsd2
ping netbsd3

bravo (linux)

ping netbsd
ping ipsec # works without ip4fwd??!
ping ipsec2
ping netbsd2
ping netbsd3

Resources

KVM/qemu, libvirt, virt-manager – persistent names for virtual network interfaces of guest systems https://linux-blog.anracom.com/2016/02/07/kvmqemu-libvirt-virt-manager-persistent-names-for-the-virtual-network-interfaces-of-guest-systems/

setkey – manually manipulate the IPsec SA/SP database https://netbsd.gw.com/cgi-bin/man-cgi?setkey++NetBSD-current

NetBSD IPsec FAQ https://www.netbsd.org/docs/network/ipsec/

\3. IPsec on OpenBSD http://www.kernel-panic.it/openbsd/vpn/vpn3.html

Linux Kernel 2.6 using KAME-tools http://www.ipsec-howto.org/x299.html

Linux Kernel 2.6 using KAME-tools http://www.ipsec-howto.org/x304.html

spi

Re: IPsec vs ssh https://mail-index.netbsd.org/tech-net/2013/11/12/msg004359.html

Setting Up and Using Secure IP (IPsec) http://osr600doc.sco.com/en/NET_ipsec/ipsec_top.html


GUIDES | LECTURES | BENCHMARKS | SMTP HEALTH