How to connect two networks together with a secure tunnel? Follow these steps.
They use OpenBSD to build an encrypted layer-2 tunnel between two routers: Ethernet frames from the LAN are bridged into an EtherIP tunnel (a gif interface), and the EtherIP packets are protected with IPsec ESP between the two public addresses.
Terminology (macros used below):
<IP_NEAR> - current router ip, alias near_end
<IP_FAR> - far router ip, alias far_end
both – execute command on both routers
<NETMASK> - network mask
All examples are based on OpenBSD 3.7. They use ipsecadm(8), the manual keying tool of that release; later releases replaced it with ipsecctl(8), so the ipsecadm commands will not transfer unchanged to a current OpenBSD.
Configuration tips:
-
Configure 2 NICs with the following parameters
/etc/hostname.if0 #NIC connected to the public network (the EtherIP/ESP traffic goes over it)
near_end#> echo "inet <IP_NEAR> <NETMASK> NONE" > /etc/hostname.if0
far_end#> echo "inet <IP_FAR> <NETMASK> NONE" > /etc/hostname.if0
/etc/hostname.if1 #NIC connected to the LAN that will be bridged; it gets no address, only "up"
both#> echo "up" > /etc/hostname.if1
-
Configure the default gateway
/etc/mygate #system gateway configuration: one line with the IP address of the default router on the public network
Before touching IPsec, check basic connectivity: each router must be able to reach the other's public address (ping <IP_FAR> from near_end, ping <IP_NEAR> from far_end).
-
Configure the kernel options in /etc/sysctl.conf
net.inet.etherip.allow=1 # Only needed for an EtherIP tunnel WITHOUT IPsec; NOT a must for this setup. With the default 0 the kernel drops EtherIP packets that did not arrive inside IPsec. Set to 1, anyone who can deliver IP protocol 97 packets to the router can inject frames into gif0 and onto the bridge, so leave it at 0 unless you really run unencrypted
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
net.inet.esp.enable=1 # ESP IPsec protocol (used by the SAs below: 3DES encryption with SHA-1 HMAC)
net.inet.ah.enable=1 # AH IPsec protocol (not used by this configuration; harmless)
-
Configure the tunnel between the routers far_end <-> near_end
/etc/hostname.gif0 #generic tunnel interface config: local endpoint first, then remote endpoint
near_end#> echo "up giftunnel <IP_NEAR> <IP_FAR>" > /etc/hostname.gif0
far_end#> echo "up giftunnel <IP_FAR> <IP_NEAR>" > /etc/hostname.gif0
-
IPsec configuration
Flush the current IPsec security associations (SAs)
both#> ipsecadm flush
Set up the new SAs. They MUST be identical on both routers: the same SPIs, the same
src/dst pairs and the same keys, because this is manual keying with no negotiation.
The keys are 24-byte (48 hex digit) values. The ones shown are examples only:
generate your own (see key generation below) and never reuse these. Nothing requires
both directions to share a key; giving SPI 2001 its own -key and -authkey is better practice.
both#> ipsecadm new esp -spi 2000 -dst <IP_NEAR> -src <IP_FAR> -enc 3des \
       -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
       406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
both#> ipsecadm new esp -spi 2001 -dst <IP_FAR> -src <IP_NEAR> -enc 3des \
       -auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
       406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
Set up the flow that forces outgoing EtherIP towards the peer into ESP (-require).
The flow differs per router: the NEAR and FAR values are swapped on far_end.
near_end#> ipsecadm flow -dst <IP_FAR> -out -transport etherip -require -addr \
           <IP_NEAR> 255.255.255.255 <IP_FAR> 255.255.255.255
far_end#> ipsecadm flow -dst <IP_NEAR> -out -transport etherip -require -addr \
          <IP_FAR> 255.255.255.255 <IP_NEAR> 255.255.255.255
-
Configure Ethernet bridging
/etc/bridgename.bridge0 #bridge configuration
The ipsecadm commands are repeated in the bridge configuration file: lines starting with "!" are executed as shell commands when the bridge is configured, so the SAs and the flow are re-created at every boot, after gif0 exists and before traffic can cross the bridge.
-
near_end#>vi /etc/bridgename.bridge0
add gif0
add if1
#ipsec config
!ipsecadm flush
!ipsecadm new esp -spi 2000 -dst <IP_NEAR> -src <IP_FAR> -enc 3des \
-auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
!ipsecadm new esp -spi 2001 -dst <IP_FAR> -src <IP_NEAR> -enc 3des \
-auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
!ipsecadm flow -dst <IP_FAR> -out -transport etherip -require -addr \
<IP_NEAR> 255.255.255.255 <IP_FAR> 255.255.255.255
up
-
far_end#>vi /etc/bridgename.bridge0
add gif0
add if1
#ipsec config
!ipsecadm flush
!ipsecadm new esp -spi 2000 -dst <IP_NEAR> -src <IP_FAR> -enc 3des \
-auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
!ipsecadm new esp -spi 2001 -dst <IP_FAR> -src <IP_NEAR> -enc 3des \
-auth sha1 -key cddc2fd56cb2f328430d1ce264707cff1721df24dd229ed5 -authkey \
406ac58d1176608484cbaf8ce430773a1c0f2ab6f9cebc3b
!ipsecadm flow -dst <IP_NEAR> -out -transport etherip -require -addr \
<IP_FAR> 255.255.255.255 <IP_NEAR> 255.255.255.255
up
-
At this point each router bridges the tunnel pseudo-interface gif0 with the real LAN NIC if1, so the two LANs form one Ethernet segment:
near_end->if1 <-> gif0 == EtherIP inside ESP == gif0 <-> far_end->if1
IPsec-protected Ethernet bridging is activated.
-
We are ready to reboot our system (or run sh /etc/netstart to apply the new files without a reboot)!
-
For key generation use the following command:
It prints the hexadecimal representation of a 24-byte (192-bit) key, the size used for both -key and -authkey above. If a different key size is desired, replace both occurrences of '24' with the new size in bytes. Generate a fresh key for every value; do not copy the example keys from this page.
hostx#> openssl rand 24 | hexdump -e '24/1 "%02x"' && echo ""
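Because the SAs must match byte for byte on both routers while only the flow is mirrored, hand-editing the two bridgename.bridge0 files is where typos creep in. The script below is an added example, not part of the original page: it renders /etc/hostname.gif0 and /etc/bridgename.bridge0 for both ends from the two public addresses, generates fresh 24-byte keys, rejects wrong-length keys, and checks that the two rendered files agree on the SAs and point their flows at each other. The interface name, the documentation addresses used in the usage line and the key handling are assumptions for this illustration; review the output before copying it to a router.

```shell
#!/bin/sh
# Added example (not from the original page): render the per-router files of
# the procedure above for BOTH ends from the two public addresses, so the
# manually keyed SAs are guaranteed identical on both routers and only the
# outbound flow is mirrored. Interface names, addresses and key handling are
# assumptions made for this illustration; review the output before installing.

ENC_BYTES=24    # 3DES key: 24 bytes = 48 hex digits (the length of the page's keys)
AUTH_BYTES=24   # HMAC-SHA1 key length the page uses: 24 bytes = 48 hex digits

# gen_key BYTES: BYTES random bytes as lowercase hex from /dev/urandom via od
# (POSIX tools only, so it also works where openssl is missing).
gen_key() {
    od -A n -t x1 -N "$1" /dev/urandom | tr -d ' \n'
}

# check_key HEX BYTES: succeed only if HEX is exactly BYTES*2 lowercase hex
# digits, so ipsecadm is never fed a wrong-length or non-hex key.
check_key() {
    [ "${#1}" -eq $(( $2 * 2 )) ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# render_sas NEAR FAR ENCKEY AUTHKEY PREFIX: the two manual SAs of the page.
# They are the same on both routers (same SPIs, keys and directions); PREFIX
# is "!" inside /etc/bridgename.bridge0 and "" on an interactive shell.
render_sas() {
    near=$1 far=$2 enc=$3 auth=$4 p=$5
    printf '%sipsecadm flush\n' "$p"
    printf '%sipsecadm new esp -spi 2000 -dst %s -src %s -enc 3des -auth sha1 -key %s -authkey %s\n' \
        "$p" "$near" "$far" "$enc" "$auth"
    printf '%sipsecadm new esp -spi 2001 -dst %s -src %s -enc 3des -auth sha1 -key %s -authkey %s\n' \
        "$p" "$far" "$near" "$enc" "$auth"
}

# render_flow ME PEER PREFIX: the outbound flow that makes ESP mandatory for
# EtherIP from ME to PEER. This is the only line that differs between ends.
render_flow() {
    printf '%sipsecadm flow -dst %s -out -transport etherip -require -addr %s 255.255.255.255 %s 255.255.255.255\n' \
        "$3" "$2" "$1" "$2"
}

# render_gif ME PEER: contents of /etc/hostname.gif0 on that router.
render_gif() {
    printf 'up giftunnel %s %s\n' "$1" "$2"
}

# render_bridge SIDE NEAR FAR ENCKEY AUTHKEY LANIF: contents of
# /etc/bridgename.bridge0 for SIDE ("near" or "far"); LANIF is the LAN-facing
# NIC that gets bridged (the page's if1). Each command is emitted on one line
# so the file does not depend on backslash continuation handling at boot.
render_bridge() {
    side=$1 near=$2 far=$3 enc=$4 auth=$5 lanif=$6
    check_key "$enc" "$ENC_BYTES"   || { echo "3DES key must be $ENC_BYTES bytes of hex" >&2; return 1; }
    check_key "$auth" "$AUTH_BYTES" || { echo "auth key must be $AUTH_BYTES bytes of hex" >&2; return 1; }
    case "$side" in
        near) me=$near peer=$far ;;
        far)  me=$far  peer=$near ;;
        *)    echo "side must be near or far" >&2; return 1 ;;
    esac
    printf 'add gif0\nadd %s\n#ipsec config\n' "$lanif"
    render_sas "$near" "$far" "$enc" "$auth" '!'
    render_flow "$me" "$peer" '!'
    printf 'up\n'
}

# mirror_check NEAR FAR ENCKEY AUTHKEY LANIF: run before installing. Succeeds
# only if the SA lines are identical on both ends and each flow targets the peer.
mirror_check() {
    a=$(render_bridge near "$@") || return 1
    b=$(render_bridge far "$@")  || return 1
    [ "$(printf '%s\n' "$a" | grep 'ipsecadm new')" = \
      "$(printf '%s\n' "$b" | grep 'ipsecadm new')" ] || return 1
    printf '%s\n' "$a" | grep -q -- "flow -dst $2 -out" || return 1
    printf '%s\n' "$b" | grep -q -- "flow -dst $1 -out" || return 1
}

# Usage: sh gentunnel.sh render <IP_NEAR> <IP_FAR> <lan_if>
# e.g.   sh gentunnel.sh render 192.0.2.1 198.51.100.1 em1   (addresses are assumed)
if [ "${1-}" = render ]; then
    ENC=$(gen_key "$ENC_BYTES"); AUTH=$(gen_key "$AUTH_BYTES")
    mirror_check "$2" "$3" "$ENC" "$AUTH" "$4" || exit 1
    for side in near far; do
        if [ "$side" = near ]; then me=$2 peer=$3; else me=$3 peer=$2; fi
        echo "### $side: /etc/hostname.gif0";      render_gif "$me" "$peer"
        echo "### $side: /etc/bridgename.bridge0"; render_bridge "$side" "$2" "$3" "$ENC" "$AUTH" "$4"
    done
fi
```

The generator keeps the page's layout (SPI 2000 is always dst NEAR / src FAR, SPI 2001 the reverse) and only swaps the flow per side, which is exactly the rule the manual procedure asks you to apply by hand. Treat the printed files as secrets: they contain the keys, so move them to the routers over an already-trusted channel and delete the copies.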
-
Additional info: http://www.csh.rit.edu/~jon/text/papers/tunneling/
!!!!!!!!!!! PERFORMANCE NOTES !!!!!!!!!!!!!!!
Example configuration using 3DES with a 24-byte key
Hardware
CPU: P4 1.6GHz
RAM: 256MB
NIC: em + fxp
TCP throughput
Packets per second: ~3Kpps
Max bandwidth (CPU load 98%): 22 Mbit/s
Far better results (the same throughput at roughly a third of the CPU load) with an AMD Athlon64 3200:
CPU: Athlon64 3200
RAM: 256MB
NIC: em + fxp
TCP throughput
Packets per second: ~3Kpps
Max bandwidth (CPU load 36%): 22 Mbit/s