Bridge IPSec-VPN-Tunnel

How do you connect two networks with a secure tunnel? It's simple: follow these steps.

Use OpenBSD to create an encrypted layer-2 (Ethernet over IPSec) tunnel between two machines.

Terminology: placeholders used in the examples:

<IP_NEAR> - IP of the current router, alias near_end
<IP_FAR> - IP of the far router, alias far_end
both - execute the command on both routers
<NETMASK> - network mask

All examples are based on OpenBSD 3.7.

Configuration tips:

  1. Configure 2 NICs with the following parameters
    /etc/hostname.if0 #NIC connected to the public network
    near_end#> echo "inet <IP_NEAR> <NETMASK> NONE" > /etc/hostname.if0
    far_end#> echo "inet <IP_FAR> <NETMASK> NONE" > /etc/hostname.if0
    /etc/hostname.if1 #NIC that will be bridged (see step 4)
    both#> echo "up" > /etc/hostname.if1
    • Configure the default gateway
      /etc/mygate #system gateway configuration

Check for common connectivity problems

  1. Let's configure the kernel options in /etc/sysctl.conf
    net.inet.etherip.allow=1 # Accept EtherIP packets that arrive without IPSec protection; needed only for an unencrypted tunnel, NOT a must for IPSec
    net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
    net.inet.esp.enable=1 # ESP IPsec protocol
    net.inet.ah.enable=1 # AH IPsec protocol
  2. Configure the tunnel between the routers far_end <-> near_end
    /etc/hostname.gif0 #generic tunnel interface config
    near_end#> echo "up giftunnel <IP_NEAR> <IP_FAR>" > /etc/hostname.gif0
    far_end#> echo "up giftunnel <IP_FAR> <IP_NEAR>" > /etc/hostname.gif0
  3. IPSec configuration
    Flush the current IPSec security associations (SAs)
    both#>ipsecadm flush
    Set up the new SAs; these MUST be identical on both routers
    both#>ipsecadm new esp -spi 2000 -dst <IP_NEAR> -src <IP_FAR> -enc 3des \
    -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
    406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
    both#>ipsecadm new esp -spi 2001 -dst <IP_FAR> -src <IP_NEAR> -enc 3des \
    -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
    406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
    Set up the outbound flow for the appropriate source and destination; on far_end swap the <IP_NEAR> and <IP_FAR> values
    near_end#>ipsecadm flow -dst <IP_FAR> -out -transport etherip -require -addr \
    <IP_NEAR> 255.255.255.255 <IP_FAR> 255.255.255.255
  4. Configure Ethernet bridging
    /etc/bridgename.bridge0 #bridge configuration
    The additional IPSec configuration is performed during bridge setup: lines starting with ! are executed as commands when the bridge is brought up
    • near_end#>vi /etc/bridgename.bridge0
      add gif0
      add if1
      #ipsec config
      !ipsecadm flush
      !ipsecadm new esp -spi 2000 -dst <IP_NEAR> -src <IP_FAR> -enc 3des \
      -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
      406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
      !ipsecadm new esp -spi 2001 -dst <IP_FAR> -src <IP_NEAR> -enc 3des \
      -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
      406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
      !ipsecadm flow -dst <IP_FAR> -out -transport etherip -require -addr \
      <IP_NEAR> 255.255.255.255 <IP_FAR> 255.255.255.255
      up
    • far_end#>vi /etc/bridgename.bridge0
      add gif0
      add if1
      #ipsec config
      !ipsecadm flush
      !ipsecadm new esp -spi 2000 -dst <IP_NEAR> -src <IP_FAR> -enc 3des \
      -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
      406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
      !ipsecadm new esp -spi 2001 -dst <IP_FAR> -src <IP_NEAR> -enc 3des \
      -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
      406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
      !ipsecadm flow -dst <IP_NEAR> -out -transport etherip -require -addr \
      <IP_FAR> 255.255.255.255 <IP_NEAR> 255.255.255.255
      up
    • At this point each router bridges its tunnel pseudo-interface gif0 with the real if1, so
      near_end->if1 <-> far_end->if1
      form one Ethernet segment and IPSec Ethernet bridging is active
  5. We are ready to reboot our system!
  6. For key generation use the following command:
    hostx#> openssl rand 24 | hexdump -e '24/1 "%02x"' && echo ""
    This will generate a hexadecimal representation of a 24 bit key. If a different key size is desired, replace the occurrences of '24' with the new size in bits.
  7. Additional info: http://www.csh.rit.edu/~jon/text/papers/tunneling/
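The steps 3, 4 and 6 above are easy to get subtly wrong by hand: the SA lines must be byte-for-byte identical on both routers, only the flow line is mirrored, and the 3DES key must be exactly 24 bytes (openssl rand 24 gives 24 bytes, i.e. 192 bits). The script below is an added example, not part of the original post, that generates the /etc/bridgename.bridge0 for either router from a few variables and refuses a wrongly sized key; the IP addresses and keys in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit the per-router
# /etc/bridgename.bridge0 from steps 3, 4 and 6 so both ends get
# identical SAs and correctly mirrored flows. IPs/keys are placeholders.

is_hex() {
    # true if $1 is a non-empty string of hex digits
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_key NBYTES: NBYTES random bytes as hex, from the kernel RNG
# (od-based stand-in for the openssl rand pipeline in step 6).
gen_key() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# gen_bridge_conf END IP_NEAR IP_FAR ENCKEY AUTHKEY
# END is "near" or "far"; prints the bridge config for that router.
gen_bridge_conf() {
    end=$1; near=$2; far=$3; enckey=$4; authkey=$5
    # 3DES needs a 24-byte key (48 hex digits); catch it here rather
    # than from a failed ipsecadm line at boot.
    if ! is_hex "$enckey" || [ "${#enckey}" -ne 48 ]; then
        echo "enc key must be 48 hex digits (24 bytes)" >&2; return 1
    fi
    if ! is_hex "$authkey"; then
        echo "auth key must be hex" >&2; return 1
    fi
    # Only the flow line differs per router: each end protects the
    # EtherIP traffic it sends toward the other gateway.
    case "$end" in
        near) flow_dst=$far;  flow_src=$near ;;
        far)  flow_dst=$near; flow_src=$far ;;
        *) echo "end must be near or far" >&2; return 1 ;;
    esac
    cat <<EOF
add gif0
add if1
#ipsec config
!ipsecadm flush
!ipsecadm new esp -spi 2000 -dst $near -src $far -enc 3des -auth sha1 -key $enckey -authkey $authkey
!ipsecadm new esp -spi 2001 -dst $far -src $near -enc 3des -auth sha1 -key $enckey -authkey $authkey
!ipsecadm flow -dst $flow_dst -out -transport etherip -require -addr $flow_src 255.255.255.255 $flow_dst 255.255.255.255
up
EOF
}
```

Run it once per router, e.g. `gen_bridge_conf near 192.0.2.1 198.51.100.1 "$(gen_key 24)" "$(gen_key 24)" > /etc/bridgename.bridge0`, reusing the same two keys on the far end.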

!!!!!!!!!!! PERFORMANCE NOTES !!!!!!!!!!!!!!!
Example configuration using 3des 24bit key

Hardware 1
  CPU: P4 1.6GHz
  RAM: 256MB
  NIC: em + fxp
TCP throughput
  Packets per second: ~3Kpps
  MAX bandwidth (CPU load 98%): 22Mb

Far better results with an AMD Athlon64 3200:

Hardware 2
  CPU: Athlon64 3200
  RAM: 256MB
  NIC: em + fxp
TCP throughput
  Packets per second: ~3Kpps
  MAX bandwidth (CPU load 36%): 22Mb