IPSec kasutamine FreeBSD'ga
Kõige esimesena on vaja konfigureerida FreeBSD kernelisse ipseci tugi
options IPSEC #IP security options IPSEC_NAT_T device crypto
Mõlemal tulemüüril on välised ipv4 aadressid, millede vahel moodustatakse ühendus (gif0 seade). Selle ühenduse sisse moodustatakse omakorda tunnel, kus antakse selle sisemistele otspunkidele sisevõrgu aadressid, et nende vahel moodustuks tilluke LAN. Need peaksid olema suvalised aadressid, mis vaja omavahel kokkuleppida Nt 192.168.1.1 ja 192.168.2.1.
gif_interfaces="gif0" gifconfig_gif0="<esimese masina aadress> <teise aadress>" ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 255.255.255.0"
Hiljem tuleb seadistada paika ka võrguruutingud aga selleni veel jõuame.
Lugedes dokumentatsioon tundub, et teise otsa sisemist ip-d vajab ta tegevuseks, mida ta nimetab Encapsulation (ehk siis tekitab sisuliselt nende kahe sisemise aadressi vahele point-to-point ühenduse. Pakette suunatase sinna ühendusse aga ruuting tabeli abil.
Seejärel on vaja paika seadistada policyd
ipsec_enable="YES" ipsec_program="/usr/local/sbin/setkey" ipsec_file="/usr/local/etc/racoon/setkey.conf"
setkey.conf ise
flush; spdflush; spdadd 192.168.0.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.0.1-192.168.2.1/use; spdadd 192.168.2.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/192.168.2.1-192.168.0.1/use;
Kontrollida saame laetud seadistust setkey käsuga
# setkey -DP
Seejärel on vaja keyring daemonit (racoon paketist ipsec-tools). Tegemist on KAME nimelise projektiga - algselt IPv6 protokolli jaoks tehtud ja IPv4 jaoks backporditud lahendus.
# cp /usr/local/share/examples/ipsec-tools/racoon.conf.sample /usr/local/etc/racoon/racoon.conf # touch /usr/local/etc/racoon/psk.txt # chown root:wheel /usr/local/etc/racoon/psk.txt # chmod 600 /usr/local/etc/racoon/psk.txt
racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path include "/usr/local/etc/racoon";
# "log" specifies logging level. It is followed by either "notify", "debug"
#log debug;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer
{
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}
listen
{
isakmp <meie ruuteri väline IP> [500];
}
remote <teise ruuteri väline IP>
{
exchange_mode main,aggressive;
my_identifier address "meie väline IP";
peers_identifier address "teise ruuteri väline ip";
doi ipsec_doi;
passive off;
generate_policy off;
lifetime time 24 hour ; # sec,min,hour
verify_identifier off;
generate_policy on;
initial_contact on;
proposal_check obey;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
lifetime time 30 sec;
dh_group 5 ;
}
}
# phase 2 proposal (for IPsec SA).
sainfo (address 192.168.2.0/24 any address 192.168.1.0/24 any)
{
lifetime time 36000 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
rc.conf seadistada
racoon_enable=”yes” racoon_flags=”-l /var/log/racoon.log”
paroolifail /usr/local/etc/racoon/psk.txt
192.168.2.1 mingiparool
Käivitada käsuga
# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
Ja teeme ruutingu kas siis käsuga
# route add 192.168.0.0/24 -iface gif0
static_routes="vpn" route_vpn="192.168.0.0/24 -iface gif0"
Packet filter tulemüür
The FreeBSD's ipf(5) configuration should be quite similar. All there's to do is pass 500/UDP, ESP and -- additionally -- IPENCAP traffic.
pass in quick on $if proto esp from any to $my_server pass in quick on $if proto ipencap from any to $my_server pass in quick on $if proto udp from any to $my_server port isakmp pass in quick on $if proto udp from any to $my_server port 500
