Om3ga Handbook of Ipsec VPN All OS


7/30/2019 Om3ga Handbook of Ipsec VPN All OS

http://slidepdf.com/reader/full/om3ga-handbook-of-ipsec-vpn-all-os 1/21

FreeBSD Handbook

14.10 VPN over IPsec

Written by Nik Clayton.

Creating a VPN between two networks, separated by the Internet, using FreeBSD gateways.

14.10.1 Understanding IPsec

Written by Hiten M. Pandya.

This section will guide you through the process of setting up IPsec. In order to set up IPsec, it is necessary that you are familiar with the concepts of building a custom kernel (see Chapter 8).

IPsec is a suite of protocols that operate at the Internet Protocol (IP) layer. It allows two or more hosts to communicate in a secure manner (hence the name). The FreeBSD IPsec “network stack” is based on the KAME implementation, which has support for both protocol families, IPv4 and IPv6.

IPsec consists of two sub-protocols:

•  Encapsulating Security Payload (ESP) protects the IP packet payload from third-party interference by encrypting it with a symmetric cipher (the examples in this chapter use Blowfish and 3DES; AES is the current choice). When an authentication algorithm is configured as well, ESP also authenticates the encrypted payload.

•  Authentication Header (AH) protects the packet from modification and spoofing by computing a keyed hash (an HMAC) over the payload and the immutable fields of the IP header. The hash is carried in an additional header, so the receiver can verify that the packet was not altered in transit. AH provides integrity and origin authentication only, no confidentiality.

ESP and AH can either be used together or separately, depending on the environment. IPsec can either be used to directly encrypt the traffic between two hosts (known as Transport Mode); or to build “virtual tunnels” between two subnets, which could be used for secure communication between two corporate networks (known as Tunnel Mode). The latter is more commonly known as a Virtual Private Network (VPN). The ipsec(4) manual page should be consulted for detailed information on the IPsec subsystem in FreeBSD.

To add IPsec support to your kernel, add the following options to your kernel configuration file:


options   IPSEC        #IP security
device    crypto

If IPsec debugging support is desired, the following kernel option should also be added:

options IPSEC_DEBUG #debug for IP security 

14.10.2 The Problem

There is no standard for what constitutes a VPN. VPNs can be implemented using a number of different technologies, each of which has its own strengths and weaknesses. This section presents a scenario, and the strategies used for implementing a VPN for this scenario.

14.10.3 The Scenario: Two networks, one home based and one corporate based. Both are connected to the Internet, and expected, via this VPN, to behave as one.

The premise is as follows:

• You have at least two sites.

• Both sites are using IP internally.

• Both sites are connected to the Internet, through a gateway that is running FreeBSD.

• The gateway on each network has at least one public IP address.

• The internal addresses of the two networks can be public or private IP addresses, it does not matter. They just may not collide; e.g.: may not both use 192.168.1.x.

14.10.4 Configuring IPsec on FreeBSD

Written by Tom Rhodes. 

To begin, the security/ipsec-tools port must be installed from the Ports Collection. This third-party software package provides a number of applications which will help support the configuration.

The next requirement is to create two gif(4) pseudo-devices (one per gateway) which will be used to tunnel packets and allow both networks to communicate properly. As root, run the following commands, replacing the internal and external items with the real internal and external gateway addresses:

# ifconfig gif0 create
# ifconfig gif0 internal1 internal2
# ifconfig gif0 tunnel external1 external2

For example, the corporate LAN's public IP is 172.16.5.4, with a private IP of 10.246.38.1. The home LAN's public IP is 192.168.1.12, with an internal private IP of 10.0.0.5. (Both “public” addresses in this example fall inside RFC 1918 private ranges; on a real deployment substitute the gateways' routable addresses.)

This may seem confusing, so review the following example output from the ifconfig(8) command:

Gateway 1:

gif0: flags=8051 mtu 1280
        tunnel inet 172.16.5.4 --> 192.168.1.12
        inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
        inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00

Gateway 2:

gif0: flags=8051 mtu 1280
        tunnel inet 192.168.1.12 --> 172.16.5.4
        inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
        inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4

Once complete, both private IPs should be reachable using the ping(8) command, as the following output suggests. Note that at this stage the gif tunnel carries traffic in the clear; it is not protected until the IPsec policies and racoon below are in place.

priv-net# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms
--- 10.0.0.5 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms

corp-net# ping 10.246.38.1
PING 10.246.38.1 (10.246.38.1): 56 data bytes
64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms
64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms
64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms
64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms
64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms
--- 10.246.38.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms

As expected, both sides have the ability to send and receive ICMP packets from the privately configured addresses. Next, both gateways must be told how to route packets in order to correctly send traffic from either network. The following commands (shown with the output route(8) prints) will achieve this goal:

corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0
add net 10.0.0.0: gateway 10.0.0.5

priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0
add host 10.246.38.0: gateway 10.246.38.1

At this point, internal machines should be reachable from each gateway as well as from machines behind the gateways. This is easily determined from the following example:

corp-net# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes
64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms
64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms
--- 10.0.0.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms

priv-net# ping 10.246.38.107
PING 10.246.38.107 (10.246.38.107): 56 data bytes
64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms
64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms
64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms
64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms
64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms
--- 10.246.38.107 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms

Setting up the tunnels is the easy part. Configuring a secure link is a much more in-depth process. The following configuration uses pre-shared keys (PSK) for IKE authentication: each gateway holds the peer's address and the shared secret in /usr/local/etc/racoon/psk.txt, one “address secret” pair per line, and that file must be readable by root only (racoon refuses a key file that other users can read). Aside from the IP addresses, both /usr/local/etc/racoon/racoon.conf files will be identical and look similar to:

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log     debug;  #log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        isakmp          172.16.5.4 [500];
        isakmp_natt     172.16.5.4 [4500];
}

remote  192.168.1.12 [500]
{
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address 172.16.5.4;
        peers_identifier        address 192.168.1.12;
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;

                        proposal {
                                encryption_algorithm    blowfish;
                                hash_algorithm          md5;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                1;
                        }
}

sainfo  (address 10.246.38.0/24 any address 10.0.0.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{                                                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}

The algorithm choices above are the original example's and are weak by current standards: offering aggressive mode with a pre-shared key exposes the secret to offline dictionary attacks, dh_group 1 (768-bit MODP), MD5 and single DES should no longer be used, and a 30 second phase 1 lifetime causes constant renegotiation. With a current ipsec-tools racoon, use exchange_mode main, encryption_algorithm aes 256, hash_algorithm sha256, dh_group 14 (and pfs_group 14 in sainfo), and drop des from the sainfo list.

Explaining every available option, along with those listed in these examples, is beyond the scope of this document. There is plenty of relevant information in the racoon.conf(5) manual page.

The SPD policies need to be configured so that FreeBSD and racoon are able to encrypt and decrypt network traffic between hosts.

This task may be undertaken with a simple setkey(8) policy file similar to the following, which is on the corporate gateway. This file will be used during system initialization and should be saved as /usr/local/etc/racoon/setkey.conf.

flush;
spdflush;
# To the home network
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;

The policy level use means “protect the traffic if a security association exists, otherwise pass it anyway”: while racoon is down or negotiation fails, packets between the two networks leave the gateway unencrypted over the gif tunnel. For a VPN whose traffic must never be exposed, use require instead, which drops the traffic until an SA is available. The home gateway needs the mirror image of these two lines: the same selectors and tunnel endpoints, with the -P in and -P out directions swapped.

Once in place, racoon may be started on both gateways using the following command:

# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

The output should be similar to the following:

corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2006-01-30 01:35:47: INFO: begin Identity Protection mode.
2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon
2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]<=>192.168.1.12[0]
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)
2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]<=>192.168.1.12[0]
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)

To ensure the tunnel is working properly, switch to another console and use tcpdump(1) to view network traffic using the following command. Replace em0 with the network interface card as required.

# tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12

Data similar to the following should appear on the console. If not, there is an issue, and debugging the returned data will be required.

01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)

Seeing ESP here is the point of the check: if the gif traffic were leaving unprotected, tcpdump would instead show plain IP-in-IP packets with the inner 10.x addresses visible.

At this point, both networks should be available and seem to be part of the same network. Most likely both networks are protected by a firewall, as they should be. To allow traffic to flow between them, rules need to be added to pass packets back and forth. For the ipfw(8) firewall, add the following lines to the firewall configuration file:

ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
ipfw add 00203 allow log ipencap from any to any
ipfw add 00204 allow log udp from any 500 to any

Note: The rule numbers may need to be altered depending on the current host configuration. These rules accept ESP, AH and IP-in-IP from anywhere; on a gateway with a fixed peer, replace the source “any” with the peer's public address. If NAT traversal is enabled in racoon, UDP port 4500 must be passed as well.

For users of pf(4) or ipf(8), the following rules should do the trick:

pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any

Finally, to allow the machine to start support for the VPN during system initialization, add the following lines to /etc/rc.conf:

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
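The two gateways' files differ only in the addresses and must be exact mirrors of each other, which is where hand-edited copies usually go wrong. The following Python script is an added example, not Handbook code: it takes the scenario's addresses and emits, for each gateway, the IP-dependent blocks of racoon.conf, the psk.txt line for the peer, and setkey.conf, then checks that the two SPDs mirror each other and flags any policy that is not at level require. The cipher choices (aes 256, sha256, DH/PFS group 14), the psk.txt line format (peer address, whitespace, secret) and the check functions are this example's own assumptions, not the Handbook's.

```python
"""Mirrored racoon/setkey configuration for the two FreeBSD gateways above.

Added example (not Handbook code). Algorithms and the psk.txt format are
this example's assumptions; the addresses are the Handbook's.
"""
import ipaddress
import re
import secrets


class Gateway:
    def __init__(self, name, public, private_net):
        self.name = name
        self.public = str(ipaddress.ip_address(public))
        self.private_net = str(ipaddress.ip_network(private_net))


def racoon_conf(me, peer, psk_path="/usr/local/etc/racoon/psk.txt"):
    """Only the listen/remote/sainfo blocks differ between the two gateways."""
    return f"""path pre_shared_key "{psk_path}";
log notify;
listen {{
        isakmp {me.public} [500];
}}
remote {peer.public} [500] {{
        exchange_mode main;          # never aggressive with a PSK
        my_identifier address {me.public};
        peers_identifier address {peer.public};
        lifetime time 8 hour;
        proposal {{
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }}
}}
sainfo (address {me.private_net} any address {peer.private_net} any) {{
        pfs_group 14;
        lifetime time 1 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}}
"""


def psk_txt(peer, secret):
    """One line per peer: identifier (the peer's address here), whitespace, secret.
    Install with mode 0600; racoon refuses a key file readable by other users."""
    return f"{peer.public}\t{secret}\n"


def setkey_conf(me, peer, level="require"):
    """SPD for gateway `me`. 'use' (the Handbook's choice) lets traffic pass
    unprotected when no SA exists; 'require' drops it instead."""
    return (
        "flush;\nspdflush;\n"
        f"spdadd {me.private_net} {peer.private_net} any -P out ipsec "
        f"esp/tunnel/{me.public}-{peer.public}/{level};\n"
        f"spdadd {peer.private_net} {me.private_net} any -P in ipsec "
        f"esp/tunnel/{peer.public}-{me.public}/{level};\n"
    )


SPD_RE = re.compile(
    r"^spdadd (\S+) (\S+) any -P (in|out) ipsec esp/tunnel/(\S+)-(\S+)/(\w+);", re.M)


def spd_entries(conf):
    """{direction: {(src, dst, tunnel_src, tunnel_dst, level)}} from setkey.conf text."""
    entries = {"in": set(), "out": set()}
    for src, dst, direction, tsrc, tdst, level in SPD_RE.findall(conf):
        entries[direction].add((src, dst, tsrc, tdst, level))
    return entries


def spd_mirrors(conf_a, conf_b):
    """True when every outbound policy on A is B's inbound policy and vice versa."""
    a, b = spd_entries(conf_a), spd_entries(conf_b)
    return a["out"] == b["in"] and a["in"] == b["out"] and bool(a["out"])


def weak_policies(conf):
    """Policies whose level is not 'require', i.e. traffic may leave unprotected."""
    return sorted(e for d in spd_entries(conf).values() for e in d if e[4] != "require")


if __name__ == "__main__":
    corp = Gateway("corp-net", "172.16.5.4", "10.246.38.0/24")
    home = Gateway("priv-net", "192.168.1.12", "10.0.0.0/24")
    secret = secrets.token_urlsafe(32)   # the same secret goes into both psk.txt files
    for me, peer in ((corp, home), (home, corp)):
        print(f"==== {me.name}: racoon.conf\n{racoon_conf(me, peer)}")
        print(f"==== {me.name}: psk.txt\n{psk_txt(peer, secret)}")
        print(f"==== {me.name}: setkey.conf\n{setkey_conf(me, peer)}")
    assert spd_mirrors(setkey_conf(corp, home), setkey_conf(home, corp))
```

Run it on one machine, copy each gateway's three outputs into place, and keep psk.txt at mode 0600. The spd_mirrors check is the one to repeat after any manual edit: a policy that is present on one side and missing or reversed on the other shows up in racoon's log only as a failed phase 2, which is much harder to read than a diff of the two SPDs.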

UBUNTU

Matthew Caron 

This howto is primarily taken from IPSec - Linux Kernel 2.6 using KAME-tools; the native IPSec stack in the 2.6 kernel series.

This covers using manually-keyed connections, and is geared toward very small or primarily star-topology networks (an NIS server and all its clients, for example). Larger networks (if all the NIS clients want to talk to each other in an encrypted fashion) would benefit from the use of an automated keying agent, such as racoon. Discussion of such agents is outside the scope of this draft of this document (maybe later).

Keep in mind what manual keying gives up: the SAs never rekey, so one key protects all traffic until someone replaces it, and the sequence counters restart at zero on every reboot, so anti-replay protection cannot be relied on. Rotate the keys on a schedule, and move to IKE once the number of hosts grows.

1. Install the tools:

sudo apt-get install ipsec-tools

2. Edit the /etc/ipsec-tools.conf file. This file should be of the general form:

# Configuration for 192.168.1.100

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
        esp/transport//require
        ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
        esp/transport//require
        ah/transport//require;

It is important to understand this, so let me break it down:

# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

This section lists the 128 bit keys for the 192.168.2.100 and 192.168.1.100 connection. Each IP pair has 2 keys - one for each direction (in and out). Each pair of machines needs to know this information. So, this means that, for each pair of IPs, you need to generate a new key (hence why this works for small networks, but anything major probably wants a daemon to handle this. Maybe if I feel ambitious, I'll set mine up to use it and update this with that info).

Also, note the number right after the 'ah' for each of these keys. It is the Security Parameter Index (SPI), which identifies the SA on the wire, and it needs to be unique for each 'add' statement (SPI values 1-255 are reserved). These keys are generated as follows:

dd if=/dev/random count=16 bs=1 | xxd -ps

Don't forget to add the 0x in front of it.

Similarly, this section:

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

This works just like the AH keys, except that they are longer. Again, the number after 'esp' must be unique. These keys are generated as follows:

dd if=/dev/random count=24 bs=1 | xxd -ps

Again, don't forget to add the 0x in front of it.

So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section:

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
        esp/transport//require
        ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
        esp/transport//require
        ah/transport//require;

This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all outgoing communication to 192.168.2.100 and all incoming communication from 192.168.2.100 will be encrypted; with the level require, traffic that cannot be protected is dropped rather than sent in the clear. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows:

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P in ipsec
        esp/transport//require
        ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P out ipsec
        esp/transport//require
        ah/transport//require;

3. Make the conf file unreadable to everyone but root, since it contains the keys:

sudo chmod 600 /etc/ipsec-tools.conf

(The file is owned by root. Mode 600 leaves no group or world access; a mode such as 750 would still let members of the owning group read the keys.)

Okay, do both sides of the connection have an ipsec-tools.conf? Everyone set? Good, now it gets easy.

4. It will be started at boot by default on systems, so you don't have to worry about that.

5. Also, starting it wouldn't hurt either (make sure to do this on both sides of the connection before trying to have them talk to each other; you could also reboot):

sudo /etc/init.d/setkey start

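Writing the per-host files by hand is where the mistakes described above happen: a reused SPI, a key of the wrong length, or a spoke's file copied to the hub without flipping the policy directions. The following Python script is an added example, not part of the wiki text: it generates /etc/ipsec-tools.conf for a star of manually keyed hosts (one hub, several spokes) and then runs the checks a practitioner wants before shipping the files. The hosts 192.168.1.100 (hub), 192.168.2.100 and 192.168.3.100 (spokes) are constructed, SPIs are allocated uniquely from 0x200 upward, keys come from the OS CSPRNG, and the default algorithms (aes-cbc with a 256-bit key, hmac-sha1) are this example's choice; the wiki's hmac-md5 and 3des-cbc are kept in the table with their key lengths from setkey(8) for comparison.

```python
"""Per-host /etc/ipsec-tools.conf generator for a manually keyed star.

Added example, not wiki code. Host addresses are constructed; algorithm
names and key lengths follow setkey(8).
"""
import re
import secrets

KEY_BYTES = {          # algorithm -> key length in bytes, per setkey(8)
    "hmac-md5": 16,    # what the wiki uses; avoid for new deployments
    "hmac-sha1": 20,
    "hmac-sha256": 32,
    "3des-cbc": 24,    # 168 key bits + 24 parity bits, as the wiki notes
    "aes-cbc": 32,     # 256-bit AES
}


def hexkey(algo):
    """Random key of the right length, in the 0x... form setkey expects."""
    return "0x" + secrets.token_bytes(KEY_BYTES[algo]).hex()


class SpiAllocator:
    """Hands out a unique SPI per 'add' line; values 1-255 are reserved."""
    def __init__(self, start=0x200):
        self.next = start

    def __call__(self):
        spi, self.next = self.next, self.next + 1
        return spi


def pair_sas(a, b, spi, auth="hmac-sha1", enc="aes-cbc"):
    """AH and ESP SAs in both directions; identical on both ends of the pair."""
    lines = []
    for src, dst in ((a, b), (b, a)):
        lines.append(f"add {src} {dst} ah 0x{spi():x} -A {auth} {hexkey(auth)};")
        lines.append(f"add {src} {dst} esp 0x{spi():x} -E {enc} {hexkey(enc)};")
    return lines


def policies(me, peer):
    """Host-specific part: 'out' towards the peer, 'in' from it, both 'require'."""
    proto = "esp/transport//require ah/transport//require"
    return [f"spdadd {me} {peer} any -P out ipsec {proto};",
            f"spdadd {peer} {me} any -P in ipsec {proto};"]


def star_configs(hub, spokes):
    """{host: ipsec-tools.conf text}. Spokes talk only to the hub."""
    spi = SpiAllocator()
    sad = {s: pair_sas(hub, s, spi) for s in spokes}   # shared verbatim per pair
    hub_lines = ["flush;", "spdflush;"]
    for s in spokes:
        hub_lines += sad[s] + policies(hub, s)
    confs = {hub: "\n".join(hub_lines) + "\n"}
    for s in spokes:
        confs[s] = "\n".join(["flush;", "spdflush;"] + sad[s] + policies(s, hub)) + "\n"
    return confs


ADD_RE = re.compile(r"^add (\S+) (\S+) (ah|esp) (0x[0-9a-f]+) -[AE] (\S+) 0x([0-9a-f]+);$", re.M)
SPD_RE = re.compile(r"^spdadd (\S+) (\S+) any -P (in|out) ", re.M)


def check(confs):
    """Mistakes that silently break manual keying: duplicate SPIs, wrong key
    lengths, and a policy whose direction does not match the host it is on."""
    problems = []
    for host, text in confs.items():
        sas = ADD_RE.findall(text)
        spis = [sa[3] for sa in sas]
        if len(spis) != len(set(spis)):
            problems.append(f"{host}: duplicate SPI")
        for _src, _dst, _proto, _spi, algo, key in sas:
            if len(key) != 2 * KEY_BYTES.get(algo, -1):
                problems.append(f"{host}: bad key length for {algo}")
        for src, dst, direction in SPD_RE.findall(text):
            if (direction == "out") != (src == host):
                problems.append(f"{host}: {direction} policy {src}->{dst} is backwards")
    return problems


if __name__ == "__main__":
    confs = star_configs("192.168.1.100", ["192.168.2.100", "192.168.3.100"])
    assert check(confs) == []
    for host, text in confs.items():
        print(f"# ---- /etc/ipsec-tools.conf for {host} (install with chmod 600)\n{text}")
```

The hub's file contains every pair's SAs plus one policy pair per spoke; each spoke's file contains only its own pair's SAs, copied verbatim from the hub's file, with the policy directions reversed. Running check() on a file that was copied to the wrong host reports both of its policies as backwards, which is the failure mode the wiki's “flip the in and out directives” step guards against.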

Mikrotik

Mikrotik RouterOS

If you are using RouterOS v3.x or above, be sure to use the v3.x variant of each command, given after the block it modifies.

First, configure a tunnel interface:

/ interface ipip
add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.1.200 comment="" disabled=no

After all interfaces are configured, assign IP addresses to them:

/ ip address
add address=10.10.1.100/24 network=10.10.1.0 broadcast=10.10.1.255 interface=WAN comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN comment="" disabled=no
add address=172.16.0.1/30 network=172.16.0.0 broadcast=172.16.0.3 interface=Tunnel1 comment="" disabled=no

Enable routing on the Mikrotik router, in this case RIP:

/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \
    metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in="" prefix-list-out=""
/ routing rip neighbor
add address=172.16.0.2
/ routing rip network
add address=192.168.1.0/24
add address=172.16.0.0/30

In v3.x the "routing rip interface" line changes to:

/ routing rip interface
add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" in-prefix-list="" out-prefix-list=""

IPsec setup: define the IPsec policy, peer and proposal. Make sure the policy does not have the tunnel option enabled (tunnel=no), because transport mode, not tunnel mode, is used here: ESP protects the IPIP packets exchanged between the two public addresses, and the IPIP tunnel inside them carries the private networks.

/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip ipsec peer
add address=10.10.1.200 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
    proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
/ ip ipsec policy
add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=no sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 \
    proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

In v3.x the proposal, peer and policy commands change to:

/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
/ ip ipsec peer
add address=10.10.1.200/32:500 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
    proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
/ ip ipsec policy
add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=no sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 \
    proposal=IPSec manual-sa=none disabled=no

The secret "ipsec", MD5 and 3DES are placeholders from the original example. Use a long random secret (the same one on the Cisco side) and, where both ends support it, SHA-1 or SHA-256 with AES.

Cisco IOS

Cisco interfaces and addresses:

interface FastEthernet0/0
 description *** WAN ***
 ip address 10.10.1.200 255.255.255.0
 crypto map vpn
interface FastEthernet0/1
 description *** LAN ***
 ip address 192.168.2.1 255.255.255.0

Cisco tunnel interface:

interface Tunnel1
 description **Cisco Peer**
 ip address 172.16.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip rip v2-broadcast
 ip tcp adjust-mss 1400
 load-interval 30
 tunnel source 10.10.1.200
 tunnel destination 10.10.1.100
 tunnel mode ipip
 hold-queue 1024 in
 hold-queue 1024 out

Routing in Cisco:

router rip
 version 2
 timers basic 30 60 90 90
 redistribute connected metric 1 route-map connected-to-rip
 redistribute static metric 5 route-map static-to-rip
 network 172.16.0.2
 network 192.168.2.0
 distribute-list prefix LAN out
 no auto-summary

Set up the prefix-list to match the local subnet:

ip prefix-list LAN seq 10 permit 192.168.2.0/24

Set up route-maps to match the interfaces and routes to be advertised by RIP:

route-map connected-to-rip permit 10
 match interface FastEthernet0/0
!
route-map static-to-rip permit 10
 match ip address prefix-list LAN

IPsec and crypto setup in Cisco; here too the transport mode of IPsec must be configured:

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 1 ipsec-isakmp
 description **To Mikrotik Peer**
 set peer 10.10.1.100
 set transform-set vpn
 set pfs group2
 match address mikrotik_peer
!

The line "crypto isakmp key ipsec address 0.0.0.0 0.0.0.0" accepts the secret "ipsec" from any peer address. It must match the secret on the Mikrotik side, and on a router facing the Internet it should be bound to the peer instead: crypto isakmp key <secret> address 10.10.1.100.

Set up the access-list to match the IPsec peer (the IPIP traffic between the two tunnel endpoints):

ip access-list extended mikrotik_peer
 permit ipinip host 10.10.1.200 host 10.10.1.100

Type this in "enable" mode to view your routing table (after a successful RIP update):

sh ip route

or

sh ip rip database

This example can also be implemented with another routing protocol such as OSPF, and a failover connection can be added very simply. For failover, all that is needed is another set of tunnels via another ISP or gateway, terminating on the same remote router. Instead of the routing protocol, the second set of tunnels uses static routes, configured with a higher administrative distance than the dynamic protocol. The idea is that when the primary link goes down (RIP routes, distance 120) the backup link becomes active (static routes, distance 200), and as soon as the primary link comes back up, the failover link returns to inactive.


Cisco IOS VPN Configuration

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

      10.5.6.0/24                                           172.23.9.0/24
           |                                                      |
         --|   +-----------+      /-^-^-^-^-\      +-----------+  |--
           |---| Gateway A |======| Internet |======| Gateway B |---|
         --| AL+-----------+AW    \-v-v-v-v-/    BW+-----------+BL|--
           | 10.5.6.1   14.15.16.17          22.23.24.25   172.23.9.1 |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

* Main mode
* TripleDES
* SHA-1
* MODP group 2 (1024 bits)
* pre-shared secret of "hr5xb84l6aa9r6"
* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

* TripleDES
* SHA-1
* ESP tunnel mode
* MODP group 2 (1024 bits)
* Perfect forward secrecy for rekeying
* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
* Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

To set up Gateway A for this scenario, use the following steps:

Cisco IOS includes IPsec support beginning with early versions of IOS Version 12; however, the commands have changed during the evolution of IOS Version 12 point releases. The following example uses the release that was current when it was written, Cisco IOS Version 12.2(8)T4.


This example uses a Cisco 1700 series router, which has one ethernet port and one serial port. The ethernet port, FastEthernet0, will be the outside, or Internet-facing, interface. The serial port, Serial0, will be the inside interface. (This is just an example. Your interfaces may be different.)

All configuration changes are volatile and immediate until the "write" command (or "copy running-config startup-config") is executed, when the configuration is saved to flash and will be reloaded after a reboot. At any time, you may examine the running configuration with the command "show running-config", or view the saved configuration with the command "show startup-config". Most commands can be abbreviated. Use a ? at the prompt or in a command to see options.

Configure IP on the interfaces:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int fa0
Router(config-if)# ip address 14.15.16.17 255.255.255.0
Router(config-if)# speed auto
Router(config-if)# ^Z
Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int ser0
Router(config-if)# ip address 10.5.6.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# ^Z
Router#

Define the default route:

Router# config term
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit

IOS can hold several IKE (ISAKMP) policies; they are offered in order of their priority number, lowest first, and the two peers must agree on at least one. This example defines a single policy and gives it priority 5. Configure the IKE policy:

Router# config term
Router(config)# crypto isakmp policy 5
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit

Since multiple peers may share the same IKE policy, you must match each peer with its pre-shared secret. Binding the secret to the peer's address, as here, is preferable to a 0.0.0.0 0.0.0.0 wildcard, which would accept the same secret from any address:

Router# config term
Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
Router(config)# exit


The IPSEC transform will be combined later with the rest of the IPSEC policyin a crypto map command. In this command, "STRONG" is just a label. Labelsare CASE-SENSITIVE. Define the IPSEC transform:

Router# config term Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmacRouter(config-isakmp)# exit

Cisco IOS uses access lists for SPD entries. Many features of access lists(.e.g. TCP flag checking) don't work in IPSEC. This kind of access list

 MUST be labelled with a 3-digit number. The netmask in Cisco access listsare inverted. Nobody knows why, they just are. This list says "all trafficfrom 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP protocols". Create theIPSEC access list:

Router# config term Enter configuration commands, one per line. End with CNTL/Z.Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.00.0.0.255

Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1Router(config)# exit

Because IOS is a router first and an IPSEC gateway second, we have to tell IOS which interface to send packets on if the default route is not enough. In this scenario we don't need it, but in other situations you might need to define a route for the remote protected network:

Router# config term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.17
Router(config)# exit

A crypto map binds all the assorted crypto parameters with a specific remote gateway. Several crypto maps bound to different remote gateways can be grouped together in one crypto map SET which is then bound to an outgoing interface. The number following the crypto map set name is the ordering of the map in the set. Bind the policy together with a crypto map, and give it the label CISCO:

Router# config term
Router(config)# crypto map CISCO 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 22.23.24.25
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit

Because Ciscos could have many interfaces, you have to bind the SPD to the outgoing interface:

Router# config term
Router(config)# interface fa0
Router(config-if)# crypto map CISCO
Router(config-if)# ^Z

If you had multiple tunnels to multiple gateways, you would need to create a different access list for each tunnel, add an isakmp key entry for each gateway, and possibly create a different ipsec transform if your security policy is different. For example, let's say you have another remote peer at 23.23.24.25, for which you have created access-list 102. You could then add a crypto map to the set created above:

Router# config term
Router(config)# crypto map CISCO 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 23.23.24.25
Router(config-crypto-map)# match address 102
Router(config-crypto-map)# exit

Now the outgoing interface FastEthernet0 has both crypto maps, and it will compare traffic to each map in order to determine if the traffic requires encryption.

Save the configuration:

Router# write
Building configuration...
[OK]

Here is the completed IPSEC part of the Cisco configuration:

Router# show config
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 speed auto
 crypto map CISCO
!
interface Serial0
 ip address 10.5.6.1 255.255.255.0
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
!
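The completed configuration above is only a working SPD if every piece it names actually resolves: the crypto map's transform-set label must match the definition character for character (labels are case-sensitive, as noted earlier), the matched access-list must exist, the peer must have an ISAKMP key, the map set must be applied to an interface, and the access-list masks must be inverted wildcards rather than ordinary netmasks. The following Python script is an added example, not part of the handbook and not a Cisco tool; it runs these checks over a constructed sample configuration modelled on the `show config` output (the sample deliberately defines the transform-set as `strong` while the map references `STRONG`, so the checker reports a label mismatch).

```python
"""Cross-check the bindings in the IPsec part of an IOS-style configuration.

Added example, not part of the handbook and not a Cisco tool. It checks that
each crypto map entry references a transform-set with exactly the same
(case-sensitive) label, an existing access-list, an ISAKMP key for its peer,
an interface the map set is applied to, and that ACL masks are wildcards.
"""
import re

# Constructed sample modelled on the handbook's completed configuration.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 crypto map CISCO
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
"""

ACL_RE = re.compile(r"access-list (\d+) (?:permit|deny) ip (\S+) (\S+) (\S+) (\S+)")


def parse_config(text):
    """Collect the objects a crypto map entry can reference."""
    cfg = {"transform_sets": set(), "keys": set(), "acls": set(),
           "acl_masks": [], "maps": [], "applied": set()}
    entry = None  # crypto map entry whose sub-commands we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            cfg["transform_sets"].add(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            cfg["acls"].add(m.group(1))
            if a := ACL_RE.match(line):          # explicit src/dst form only
                cfg["acl_masks"].append((a.group(1), a.group(3), a.group(5)))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entry = {"set": m.group(1), "seq": int(m.group(2)),
                     "peer": None, "transform": None, "acl": None}
            cfg["maps"].append(entry)
        elif m := re.match(r"crypto map (\S+)$", line):
            cfg["applied"].add(m.group(1))       # interface-mode binding
        elif line.startswith("interface ") or line == "!":
            entry = None                         # left crypto-map mode
        elif entry is not None:
            if m := re.match(r"set peer (\S+)", line):
                entry["peer"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)", line):
                entry["transform"] = m.group(1)
            elif m := re.match(r"match address (\S+)", line):
                entry["acl"] = m.group(1)
    return cfg


def is_wildcard(mask):
    """True for a valid IOS wildcard: an inverted netmask, 1 bits only at the low end."""
    bits = int.from_bytes(bytes(int(o) for o in mask.split(".")), "big")
    return bits & (bits + 1) == 0


def check_config(text):
    """Return a list of problems; an empty list means every binding resolves."""
    cfg = parse_config(text)
    problems = []
    for e in cfg["maps"]:
        where = f"crypto map {e['set']} {e['seq']}"
        if e["transform"] not in cfg["transform_sets"]:
            # Labels are case-sensitive: call out a near miss explicitly.
            near = any(t.lower() == str(e["transform"]).lower() for t in cfg["transform_sets"])
            hint = " (labels are case-sensitive)" if near else ""
            problems.append(f"{where}: transform-set {e['transform']} not defined{hint}")
        if e["acl"] not in cfg["acls"]:
            problems.append(f"{where}: access-list {e['acl']} not defined")
        if e["peer"] not in cfg["keys"]:
            problems.append(f"{where}: no isakmp key for peer {e['peer']}")
        if e["set"] not in cfg["applied"]:
            problems.append(f"{where}: map set {e['set']} not applied to any interface")
    for number, src_w, dst_w in cfg["acl_masks"]:
        for w in (src_w, dst_w):
            if not is_wildcard(w):
                problems.append(f"access-list {number}: {w} is not an inverted (wildcard) mask")
    return problems


if __name__ == "__main__":
    for p in check_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(p)
```

The wildcard test assumes a prefix-based SPD, where a mask that is not a contiguous run of low bits (for example 255.255.255.0 typed where 0.0.0.255 was meant) almost always means the inverted-mask rule was forgotten; IOS itself accepts such masks silently, and the resulting selector matches a very different set of hosts than intended.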

Now, bring up a tunnel! The IOS ping command extensions will allow you to select the source interface, and hence IP address, of the ping:

Router# ping
Protocol [ip]:
Target IP address: 172.23.9.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: serial0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hmmmm ... what could be wrong? Let's check some basics:

Router# show ip int brief
Interface      IP-Address    OK? Method Status  Protocol
FastEthernet0  14.15.16.17   YES manual up      up
Serial0        10.5.6.1      YES manual down    down

Ah, the serial interface is down. I have to actually connect it up to something to bring the interface up. Now, the ping works and brings up the SAs.

Show the SAs with these commands:

Router# show crypto isakmp sa
dst          src          state    conn-id  slot
14.15.16.17  22.23.24.25  QM_IDLE  1        0

Router# show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17

   local ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
   current_peer: 22.23.24.25
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
     path mtu 1500, media mtu 1500
     current outbound spi: 3C39A800

     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
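The `show crypto ipsec sa` output above is what an operator reads to confirm that the tunnel is really up in both directions, that the SAs use the intended transform and tunnel mode with replay detection enabled, and that packets are flowing both ways rather than only being encapsulated. The following Python script is an added example, not part of the handbook and not a Cisco tool; it parses a constructed, abridged sample laid out like that output and turns the fields into the findings a defender would act on (missing direction, replay detection off, transport instead of tunnel mode, key about to expire, one-way traffic, send/receive errors).

```python
"""Parse `show crypto ipsec sa` output and judge whether a tunnel is healthy.

Added example, not part of the handbook and not a Cisco tool. It extracts the
peer, the packet counters and each ESP SA (direction, SPI, transform, mode,
remaining lifetime, replay detection) and turns them into findings: a missing
direction, replay detection off, transport instead of tunnel mode, a key about
to expire, one-way traffic, or send/receive errors.
"""
import re

# Constructed sample laid out like the handbook's output (abridged).
SAMPLE_SA_OUTPUT = """\
interface: FastEthernet0
   current_peer: 22.23.24.25
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # send errors 0, # recv errors 0

     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        replay detection support: Y
"""


def parse_ipsec_sa(text):
    """Return a dict with peer, counters and a list of per-SA dicts."""
    info = {"peer": None, "encaps": 0, "decaps": 0,
            "send_errors": 0, "recv_errors": 0, "sas": []}
    direction = proto = sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer:\s*(\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.search(r"#\s*pkts encaps:\s*(\d+)", line):
            info["encaps"] = int(m.group(1))
        elif m := re.search(r"#\s*pkts decaps:\s*(\d+)", line):
            info["decaps"] = int(m.group(1))
        elif m := re.search(r"#\s*send errors\s*(\d+),\s*#\s*recv errors\s*(\d+)", line):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction, proto, sa = m.group(1), m.group(2), None   # new SA section
        elif m := re.match(r"spi:\s*(0x[0-9A-Fa-f]+)", line):
            sa = {"direction": direction, "proto": proto, "spi": int(m.group(1), 16)}
            info["sas"].append(sa)
        elif sa is not None:                                     # SA attributes
            if m := re.match(r"transform:\s*([^,]+)", line):
                sa["transform"] = m.group(1).strip()
            elif m := re.search(r"settings\s*=\s*\{(\w+)", line):
                sa["mode"] = m.group(1)
            elif m := re.search(r"\((\d+)/(\d+)\)\s*$", line):
                sa["kb_left"], sa["sec_left"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"replay detection support:\s*(\w)", line):
                sa["replay"] = m.group(1)
    return info


def assess_tunnel(info, min_sec_left=300):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    esp = [s for s in info["sas"] if s["proto"] == "esp"]
    if not esp:
        return ["no ESP SAs present: tunnel not established"]
    findings = [f"no {d} ESP SA" for d in ("inbound", "outbound")
                if not any(s["direction"] == d for s in esp)]
    for s in esp:
        tag = f"{s['direction']} spi 0x{s['spi']:08X}"
        if s.get("replay") != "Y":
            findings.append(f"{tag}: replay detection not enabled")
        if s.get("mode") != "Tunnel":
            findings.append(f"{tag}: not in tunnel mode")
        if s.get("sec_left", 0) < min_sec_left:
            findings.append(f"{tag}: key expires in {s.get('sec_left', 0)}s")
    if info["encaps"] and not info["decaps"]:
        findings.append("packets encapsulated but none decapsulated: "
                        "check the remote SPD/ACL and the return route")
    if info["send_errors"] or info["recv_errors"]:
        findings.append(f"send errors {info['send_errors']}, recv errors {info['recv_errors']}")
    return findings


if __name__ == "__main__":
    for f in assess_tunnel(parse_ipsec_sa(SAMPLE_SA_OUTPUT)) or ["tunnel looks healthy"]:
        print(f)
```

The one-way check mirrors the troubleshooting step in the text: an outbound SA with a growing encaps counter and a decaps counter stuck at zero means the local side is sending into the tunnel but nothing comes back, which points at the remote side's selector or routing rather than at IKE.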

The easiest way to clear SAs from a Cisco IOS system varies with version, but one of these two will generally work:

Router# clear crypto isakmp
Router# clear crypto sa

To enable debugging in IOS, you must turn on the debug as well as turn on the debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

To disable debugging:

Router# no debug all
Router# term no monitor