Subject: Re: ipsec help? trying to tunnel to freeswan
To: Ken Raeburn <raeburn@raeburn.org>
From: Wayne Knowles <wdk@netbsd.org>
List: tech-net
Date: 11/10/2001 23:05:09
On Fri, 9 Nov 2001, Ken Raeburn wrote:

> I'd like to use IPsec for at least some of the tunnels I'm using at
> home, but haven't managed to figure out how to get it working yet.

Earlier this year I managed to get FreeS/WAN talking in tunnel mode.
I don't have the configs handy, but I do have the configs I used for the
proof-of-concept testing using transport mode.  Have tested against
FreeS/WAN 1.8 and 1.9

The main problems that I discovered when attempting to interop with
FreeS/WAN were:

 1)  FreeS/WAN does not support aggressive mode.  You MUST configure
     racoon to use main mode.  At the time there was no capability to fall
     back to a 2nd phase1 protocol.
 2)  FreeS/WAN does not support DES encryption because it is too weak.
     However, 3DES is supported
 3)  "situation identity_only; identifier address;" was needed in racoon
     this was not the default.
 4)  Key renegotiation is a little quirky.  Quick mode to renegotiate keys
     fails, and it has to fall back to main mode.

Config files for you to try follow.   It shouldn't take much effort to get
tunnel mode working after you have tested transport mode.

Preshared keys are text strings (if you put HEX in there they will be
treated as the text they represent :-)   Replace the word PreSharedKey in
the examples below, retaining the quotes (FreeS/WAN wants quotes, racoon
doesn't).

Certificates add an extra level of complication (there is some info and
examples at the KAME site that may help) - my suggestion is to start with
PSKs and work upward in small steps.

Cannot assist with the NAT/IPF issue, except to say that NAT breaks
authentication in IPsec (because the packet is re-written).  Avoid setting
up an authentication header (AH) in the IPsec payload, as it won't work
with NAT unless you NAT before you encapsulate in IPsec.


#-----------------------------------------------------------------------------
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
# basic configuration
#
# FreeS/WAN side of the transport-mode interop test; the racoon side
# (racoon.conf / psk.txt) and the setkey script are further down.
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # plutodebug=all is the most verbose IKE logging; it was turned on to
        # trace the interop problems -- turn it back down once things work.
        klipsdebug=none
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # keyingtries=0: keep retrying the negotiation indefinitely
        # (NOTE(review): per the FreeS/WAN docs -- confirm for your version)
        keyingtries=0
        # PSK authentication; the secret lives in ipsec.secrets below.
        authby=secret
        # 30 minutes, the same as the 1800 sec phase 2 lifetime in
        # racoon's "sainfo anonymous" block.
        keylife=30m

# sample connection
conn REMOTE1
        authby=secret
        keylife=30m
        # Transport mode only (the proof-of-concept setup); switch to tunnel
        # and fill in the *subnet= lines once this works.
        type=transport
        # Left security gateway, subnet behind it, next hop toward right.
        left=%defaultroute
        #leftsubnet=
        #leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, next hop toward left.
        # 192.168.10.1 is the racoon (KAME) host.
        right=192.168.10.1
        #rightsubnet=
        #rightnexthop=
        # Bring the connection up at pluto startup rather than on demand.
        auto=start

#-----------------------------------------------------------------------------
# /etc/ipsec.secrets for FreeS/Wan
#
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
#
# Keep it readable by root only, as with racoon's psk.txt: anyone who can
# read the PSK can authenticate as either endpoint.

# Shared secret (an arbitrary character string, which should be both long
# and hard to guess, enclosed in quotes) for a pair of negotiating hosts.
# Must be same on both; generate on one and copy to the other.
#
# Indexed by both endpoint addresses (FreeS/WAN host, racoon host).  The
# text inside the quotes must be byte-for-byte what racoon has in psk.txt,
# which takes the same string without quotes.

192.168.10.94  192.168.10.1 : PSK "PreSharedKey"



#-----------------------------------------------------------------------------
# /usr/local/etc/racoon/racoon.conf
#
# racoon (KAME) side of the interop test.  The FreeS/WAN peer is
# 192.168.10.94; the settings FreeS/WAN insisted on (main mode, 3DES,
# identity_only/address) are in the "remote 192.168.10.94" block.

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
# The file is shown further down; racoon wants it mode 0600.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
# Not exercised by these PSK-only tests (certificate_type below is commented out).
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
# debug2 is the most verbose of the three and was used to trace the interop
# problems; presumably the later directive wins, so "log notify" has no
# effect here -- drop debug2 once the exchange works.
log notify;
log debug2;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
# Left empty for the tests; uncomment an isakmp line to bind a single
# address instead of every interface.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative's port by kmpstat.
	#strict_address; 	# required all addresses must be bound.
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 40 sec;
	phase2 15 sec;
}


#
#  IKE exchange with FreeS/WAN PLUTO client
#
# Phase 1 for the FreeS/WAN host.  Main mode is listed first because
# FreeS/WAN rejects aggressive mode, and "situation identity_only" plus
# "identifier address" were needed before it would accept the exchange
# (neither was the racoon default at the time).
remote 192.168.10.94
{
	exchange_mode main,aggressive;
	#exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;
	identifier address;	# IDs are IP addresses, which is what psk.txt is keyed on

	nonce_size 16;
	lifetime time 30 min;	# sec,min,hour
	lifetime byte 50 MB;	# B,KB,GB
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim
				# NOTE(review): obey accepts the peer's proposed
				# lifetimes rather than enforcing ours -- confirm

	proposal {
		encryption_algorithm 3des;	# FreeS/WAN refuses single DES as too weak
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

# Catch-all for any peer not matched above.  Aggressive mode is tried first
# here, so this block is not what the FreeS/WAN peer hits (it rejects
# aggressive mode); the commented-out lines are the FQDN and certificate
# variants that were not exercised in these tests.
remote anonymous
{
	#exchange_mode main,aggressive;
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	#my_identifier address;
	#my_identifier user_fqdn "wdk@netbsd.org";
	#peers_identifier user_fqdn "wdk@netbsd.org";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 30 min;	# sec,min,hour
	lifetime byte 50 MB;	# B,KB,GB
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

# Phase 2 (IPsec SA) parameters offered to any peer.
sainfo anonymous
{
	pfs_group 1;		# NOTE(review): weaker than the phase 1 dh_group 2; consider 2
	lifetime time 1800 sec;	# 30 min, same as keylife=30m on the FreeS/WAN side
	lifetime byte 5000 KB;
	# Presumably an offer list, not a requirement: FreeS/WAN will not pick
	# des (it rejects it as too weak), but another peer could, so drop des
	# once interop is confirmed.
	encryption_algorithm 3des,des,cast128,blowfish ;
	authentication_algorithm hmac_md5,hmac_sha1 ;
	compression_algorithm deflate ;
}

#-----------------------------------------------------------------------------
# /usr/local/etc/racoon/psk.txt
#
# Ensure permissions are 0600 for Racoon to trust this file
#
# One line per peer: the peer's identifier (its address here, matching
# "remote 192.168.10.94" / "identifier address" in racoon.conf) and the
# secret, unquoted.  The secret must equal the quoted string in FreeS/WAN's
# ipsec.secrets.
192.168.10.94	PreSharedKey


#-----------------------------------------------------------------------------
#!/bin/sh
#
# Load keys for interop tests between KAME and FreeS/WAN
#
# Installs the SPD entries for the transport-mode ESP test on the racoon
# host: inbound from the FreeS/WAN peer and outbound to it, both marked
# "require".  Only policies are installed here (no "add" lines); the SAs
# themselves are expected to come from racoon's negotiation.
#
# 192.168.10.94 is the FreeS/WAN end (the "remote" in racoon.conf);
# 192.168.10.1 is this host (FreeS/WAN's right=).
fswan=192.168.10.94
kame=192.168.10.1

# flush; empties the SAD, spdflush; the SPD, before the policies go in.
setkey -c <<EOF_SETKEY
flush;
spdflush;
spdadd ${fswan} ${kame} any -P in ipsec esp/transport/${fswan}-${kame}/require;
spdadd ${kame} ${fswan} any -P out ipsec esp/transport/${kame}-${fswan}/require;
EOF_SETKEY



-- 
Wayne Knowles			NetBSD/mipsco port maintainer
wdk@netbsd.org			http://www.netbsd.org