Re: ipsec openbsd 3.4 <-> freebsd 4.9

From: Henrik Lund Kramshøj (none@hlk--kramse.dk.lh.bsd-dk.dk)
Date: Tue 23 Dec 2003 - 18:02:30 CET


Date: Tue, 23 Dec 2003 18:02:30 +0100
Subject: Re: ipsec openbsd 3.4 <-> freebsd 4.9
From: Henrik Lund Kramshøj <none@hlk--kramse.dk.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk


On Tuesday, December 23, 2003, at 05:07 PM, jkv wrote:

> Hi...
>
> I'm sitting here trying to set up a "vpn" between an openbsd and
> freebsd.
> The openbsd side I have under control, but I'm in doubt when it comes to
> freebsd and setkey.
>
> Is it enough to run the relevant 2 spdadd, 1 for out and one for in,
> or does it have to go through a gif interface before it works?
Well, I'm not trying to be lazy, but here is an example with manual
keying that I have used for courses.
NB: nowadays the secret should stay in a file and just be referenced from
the "command line",
so that others can't ps it ...

This is done with ipsecadm -keyfile:
  -keyfile        Read the key from a file. May be used instead of the -key
                  flag, and has the same syntax considerations.

Hope it helps a bit; as I said, it's an example used in a course.

rc.ipsec.client - can be used on "FreeBSD" - tested on Mac OS X:
#!/bin/sh
#
# Henrik Lund Kramshøj
# /etc/rc.ipsec - IPsec client configuration
# built from http://rt.fm/~jcs/ipsec_wep.phtml
# NetBSD syntax! - used on Mac OS X

# IPv4
#SECSERVER=10.0.2.1
#SECCLIENT=10.0.2.53

# IPv6
SECSERVER=2001:bla:bla:101::1
SECCLIENT=2001:bla:bla:101::153

ESPKEY=`cat ipsec.esp.key`
AHKEY=`cat ipsec.ah.key`

# Flush IPsec SAs in case we get called more than once
setkey -F
setkey -F -P

#flush;

# Establish Security Associations
#
# 1000 is from the server ($SECSERVER) to the client ($SECCLIENT)
# 1001 is from the client ($SECCLIENT) to the server ($SECSERVER)
setkey -c <<EOF
add $SECSERVER $SECCLIENT esp 0x1000 \
-m tunnel -E blowfish-cbc 0x$ESPKEY -A hmac-sha1 0x$AHKEY;
add $SECCLIENT $SECSERVER esp 0x1001 \
-m tunnel -E blowfish-cbc 0x$ESPKEY -A hmac-sha1 0x$AHKEY;
spdadd $SECCLIENT $SECSERVER any -P out \
ipsec esp/tunnel/$SECCLIENT-$SECSERVER/default;
spdadd $SECSERVER $SECCLIENT any -P in \
ipsec esp/tunnel/$SECSERVER-$SECCLIENT/default;
EOF

rc.ipsec.server - can be used on OpenBSD - tested on 3.3 or so:
#!/bin/sh
#
# Henrik Lund Kramshøj
# /etc/rc.ipsec - IPsec server configuration
# built from http://rt.fm/~jcs/ipsec_wep.phtml
# OpenBSD syntax!

SECSERVER=10.0.2.1
SECCLIENT=10.0.2.53

ESPKEY=`cat ipsec.esp.key`
AHKEY=`cat ipsec.ah.key`

# Flush IPsec SAs in case we get called more than once
ipsecadm flush

# Establish Security Associations
#
# 1000 is from the server ($SECSERVER) to the client ($SECCLIENT)
ipsecadm new esp -spi 1000 -src $SECSERVER -dst $SECCLIENT \
-forcetunnel -enc blf -key $ESPKEY \
-auth sha1 -authkey $AHKEY

# 1001 is from the client ($SECCLIENT) to the server ($SECSERVER)
ipsecadm new esp -spi 1001 -src $SECCLIENT -dst $SECSERVER \
-forcetunnel -enc blf -key $ESPKEY \
-auth sha1 -authkey $AHKEY

# Create flows
#
# Data going from the outside to the client
ipsecadm flow -out -src $SECSERVER -dst $SECCLIENT -proto esp \
-addr 0.0.0.0 0.0.0.0 $SECCLIENT 255.255.255.255 -dontacq

# Data going from the client to the outside
ipsecadm flow -in -src $SECSERVER -dst $SECCLIENT -proto esp \
-addr $SECCLIENT 255.255.255.255 0.0.0.0 0.0.0.0 -dontacq

$ cat generate-keys.sh
#! /bin/sh

IPSEC_HOME=/etc
# Key files must be readable by the owner only
umask 077
# To generate a random 160-bit key, run the following command:
openssl rand 20 | hexdump -e '20/1 "%02x"' > $IPSEC_HOME/ipsec.esp.key
openssl rand 20 | hexdump -e '20/1 "%02x"' > $IPSEC_HOME/ipsec.ah.key

Merry Christmas :-)

Regards

--
Henrik Lund Kramshøj, cand.scient, CISSP
e-mail: hlk@security6.net, tlf: 2026 6000
www.security6.net - IPv6, security, networking and UNIX
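Added example, not part of Henrik's mail or of the rt.fm script it was built from: a small POSIX sh script that follows the advice in the mail about keeping the secret in a file. It creates the two key files with owner-only permissions, checks that each holds exactly 160 bits of hex before it is used (hmac-sha1 needs a 160-bit key, and the SAs in the mail give blowfish-cbc the same 160-bit key), and prints the setkey(8) lines from rc.ipsec.client so they can be piped into setkey -c; read from stdin, the keys never show up in ps, which is the same exposure -keyfile avoids for ipsecadm, where the key would otherwise sit in argv. The addresses and the temporary directory are constructed for the demonstration, and the function names (gen_key, check_key, setkey_conf) are my own.

```shell
#!/bin/sh
# Added example, not from the original mail: generate the two manual-keying key
# files with owner-only permissions, validate them before use, and build the
# setkey(8) input so the keys travel over stdin rather than argv.
# Assumptions: POSIX sh, /dev/urandom, od(1), mktemp(1); all paths are parameters.

# gen_key FILE NBYTES: write NBYTES random bytes as lowercase hex into FILE (mode 0600).
gen_key() {
    ( umask 077                      # subshell so the caller's umask is untouched
      head -c "$2" /dev/urandom | od -An -v -tx1 | tr -d ' \n' > "$1" )
}

# check_key FILE NBITS: succeed only if FILE holds exactly NBITS bits of hex digits.
# hmac-sha1 wants 160 bits; the mail's blowfish-cbc SA uses the same 160-bit key.
check_key() {
    want=$(($2 / 4))
    key=$(cat "$1") || return 1
    [ "${#key}" -eq "$want" ] || return 1
    case "$key" in
        *[!0-9a-f]*) return 1 ;;      # anything but lowercase hex is rejected
    esac
    return 0
}

# setkey_conf SERVER CLIENT ESPKEY AHKEY: print the SAD/SPD entries from the mail.
# Feed the output to 'setkey -c'; the keys then never appear in ps(1) output.
setkey_conf() {
    cat <<EOF
add $1 $2 esp 0x1000 -m tunnel -E blowfish-cbc 0x$3 -A hmac-sha1 0x$4;
add $2 $1 esp 0x1001 -m tunnel -E blowfish-cbc 0x$3 -A hmac-sha1 0x$4;
spdadd $2 $1 any -P out ipsec esp/tunnel/$2-$1/default;
spdadd $1 $2 any -P in ipsec esp/tunnel/$1-$2/default;
EOF
}

# Demonstration with constructed addresses and a throw-away key directory.
main() {
    dir=$(mktemp -d) || return 1
    gen_key "$dir/ipsec.esp.key" 20
    gen_key "$dir/ipsec.ah.key" 20
    check_key "$dir/ipsec.esp.key" 160 || { echo "bad ESP key" >&2; return 1; }
    check_key "$dir/ipsec.ah.key" 160  || { echo "bad AH key" >&2;  return 1; }
    setkey_conf 10.0.2.1 10.0.2.53 "$(cat "$dir/ipsec.esp.key")" "$(cat "$dir/ipsec.ah.key")"
    rm -rf "$dir"
}

main
```

On a real host you would point gen_key at /etc/ipsec.esp.key and /etc/ipsec.ah.key, run check_key on them from rc.ipsec before touching the SAD, and replace the final print with "setkey_conf ... | setkey -c". The length check also catches a truncated or hand-edited key file, which setkey would otherwise reject only at load time with a less helpful error.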



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:34 CET