no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+====== VPN with GRE, GIF, IPSec and OpenVPN ======
+This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based).
+===== Presentation =====
+==== Network diagram ====
+Lab build following [[documentation:examples:How to build a BSDRP router lab]]: 5 routers with full-meshed link.
+Here is the logical and physical view:
+{{:documentation:examples:labs.vpn.tunnels.png}}
+==== Download Lab scripts =====
+More information on these BSDRP lab scripts available on [[documentation:examples:How to build a BSDRP router lab]].
+Start the lab with full-meshed 5 routers.
+An example with bhyve under FreeBSD:
+<code>
+root@host:~ # /tools/BSDRP-lab-bhyve.sh -i BSDRP-1.8-full-amd64-serial.img.xz -n 5
+vmm module not loaded. Loading it...
+nmdm module not loaded. Loading it...
+if_tap module not loaded. Loading it...
+BSD Router Project (http://bsdrp.net) - bhyve full-meshed lab script
+Setting-up a virtual lab with 5 VM(s):
+- Working directory: /tmp/BSDRP
+- Each VM have 1 core(s) and 256M RAM
+- Emulated NIC: virtio-net
+- Switch mode: bridge + tap
+- 0 LAN(s) between all VM
+- Full mesh Ethernet links between each VM
+VM 1 have the following NIC:
+- vtnet0 connected to VM 2
+- vtnet1 connected to VM 3
+- vtnet2 connected to VM 4
+- vtnet3 connected to VM 5
+VM 2 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 3
+- vtnet2 connected to VM 4
+- vtnet3 connected to VM 5
+VM 3 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 2
+- vtnet2 connected to VM 4
+- vtnet3 connected to VM 5
+VM 4 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 2
+- vtnet2 connected to VM 3
+- vtnet3 connected to VM 5
+VM 5 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 2
+- vtnet2 connected to VM 3
+- vtnet3 connected to VM 4
+For connecting to VM'serial console, you can use:
+- VM 1 : cu -l /dev/nmdm1B
+- VM 2 : cu -l /dev/nmdm2B
+- VM 3 : cu -l /dev/nmdm3B
+- VM 4 : cu -l /dev/nmdm4B
+- VM 5 : cu -l /dev/nmdm5B
+</code>
+===== Base routers configuration =====
+Router 1 and Router 5 as a simple workstation, Router 3 as a simple router.
+All these routers can be pre-configured with labconfig tool (use it only on a lab, because it will replace your current running configuration):
+<code>
+labconfig vpn_vm[VM-NUMBER]
+</code>
+==== Router 1 ====
+Router 1 is configured as a simple workstation.
+<code>
+sysrc hostname=R1
+sysrc gateway_enable=NO
+sysrc ipv6_gateway_enable=NO
+sysrc ifconfig_em0="inet 10.0.12.1/24"
+sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::1 prefixlen 64"
+sysrc defaultrouter=10.0.12.2
+sysrc ipv6_defaultrouter=2001:db8:12::2
+ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
+hostname R1
+service netif restart
+service routing restart
+config save
+</code>
+==== Router 2 ====
+Router 2 base configuration: A simple connected-network router with a default route pointing to R3.
+<code>
+sysrc hostname=R2
+sysrc ifconfig_em0="inet 10.0.12.2/24"
+sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
+sysrc ifconfig_em1="inet 10.0.23.2/24"
+sysrc ifconfig_em1_ipv6="inet6 2001:db8:23::2 prefixlen 64"
+sysrc defaultrouter="10.0.23.3"
+sysrc ipv6_defaultrouter="2001:db8:23::3"
+ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
+hostname R2
+service netif restart
+service routing restart
+config save
+</code>
+==== Router 3 ====
+Router 3 is configured as simple connected-only-interface router.
+<code>
+sysrc hostname=R3
+sysrc ifconfig_em1="inet 10.0.23.3/24"
+sysrc ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64"
+sysrc ifconfig_em2="inet 10.0.34.3/24"
+sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
+ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
+hostname R3
+service netif restart
+config save
+</code>
+==== Router 4 ====
+Router 4 base configuration, like R2: A simple connected-network router with a default route pointing to R3.
+<code>
+sysrc hostname=R4
+sysrc ifconfig_em2="inet 10.0.34.4/24"
+sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64"
+sysrc ifconfig_em3="inet 10.0.45.4/24"
+sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64"
+sysrc defaultrouter="10.0.34.3"
+sysrc ipv6_defaultrouter="2001:db8:34::3"
+ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
+hostname R4
+service netif restart
+service routing restart
+config save
+</code>
+==== Router 5 ====
+Router 5 has the same workstation mode configuration as R1.
+<code>
+sysrc hostname=R5
+sysrc gateway_enable=NO
+sysrc ipv6_gateway_enable=NO
+sysrc ifconfig_em3="inet 10.0.45.5/24"
+sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64"
+sysrc defaultrouter="10.0.45.4"
+sysrc ipv6_defaultrouter="2001:db8:45::4"
+ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
+hostname R5
+service netif restart
+service routing restart
+config save
+</code>
+===== GRE Tunnel =====
+First example with a simple GRE tunnel.
+FreeBSD [[http://www.freebsd.org/cgi/man.cgi?query=gre|GRE]] support have a limitation: We can't use IPv6 as end-point (this limitation is removed by the use of [[http://www.freebsd.org/cgi/man.cgi?query=gif|gif]] tunnel).
+==== Router 2 ====
+Create 1 GRE tunnels with IPv4 end-points.
+=== Modify configuration ===
+Here is the parameters to add:
+<code>
+sysrc cloned_interfaces=gre0
+sysrc ifconfig_gre0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up"
+sysrc ifconfig_gre0_ipv6="inet6 2001:db8:24::2 prefixlen 64"
+sysrc static_routes="tunnel4"
+sysrc route_tunnel4="10.0.45.0/24 10.0.24.4"
+sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4"
+sysrc ipv6_static_routes="tunnel6"
+service netif restart
+service routing restart
+config save
+</code>
+==== Router 4 ====
+Configure the GRE tunnel using R2 IPv4 as end-point.
+=== Modify configuration ===
+Here is the parameters to add:
+<code>
+sysrc cloned_interfaces=gre0
+sysrc ifconfig_gre0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up"
+sysrc ifconfig_gre0_ipv6="inet6 2001:db8:24::4 prefixlen 64"
+sysrc static_routes="tunnel4"
+sysrc route_tunnel4="10.0.12.0/24 10.0.24.2"
+sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2"
+sysrc ipv6_static_routes="tunnel6"
+service netif restart
+service routing restart
+config save
+</code>
+==== Testing ====
+<code>
+[root@R1]~# ping -c 3 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.019 ms
+bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.357 ms
+--- 10.0.45.5 ping statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
+[root@R1]~# ping6 -c3 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=2.761 ms
+bytes from 2001:db8:45::5, icmp_seq=2 hlim=62 time=2.290 ms
+--- 2001:db8:45::5 ping6 statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/std-dev = 1.142/2.064/2.761/0.680 ms
+</code>
+===== GIF tunnels =====
+This example will be a little different as the gre example: Because gif support ipv6 end-point, we will set-up 2 gif tunnels:
+  * a first with IPv4 end-point that will tunnel IPv4 traffic;
+  * a second with IPv6 end-point that will tunnel IPv6 traffic.
+==== Router 2 ====
+Create the gif tunnels.
+If you have previous gre configuration from the gre example: remove them.
+Here is the line to ADD to /etc/rc.conf file:
+<code>
+sysrc cloned_interfaces="gif0 gif1"
+sysrc ifconfig_gif0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up"
+sysrc ifconfig_gif1_ipv6="inet6 2001:db8:24::2 prefixlen 64 tunnel 2001:db8:23::2 2001:db8:34::4 up"
+sysrc static_routes="tunnel4"
+sysrc route_tunnel4="10.0.45.0/24 10.0.24.4"
+sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4"
+sysrc ipv6_static_routes="tunnel6"
+service netif restart
+service routing restart
+config save
+</code>
+==== Router 4 ====
+Configure the 2 gif tunnel using R2 addresses as end-point.
+Here are the changes to apply to rc file:
+<code>
+sysrc cloned_interfaces="gif0 gif1"
+sysrc ifconfig_gif0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up"
+sysrc ifconfig_gif1_ipv6="inet6 2001:db8:24::4 prefixlen 64 tunnel 2001:db8:34::4 2001:db8:23::2 up"
+sysrc static_routes="tunnel4"
+sysrc route_tunnel4="10.0.12.0/24 10.0.24.2"
+sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2"
+sysrc ipv6_static_routes="tunnel6"
+service netif restart
+service routing restart
+config save
+</code>
+==== Testing ====
+<code>
+[root@R1]~# ping -c 3 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.019 ms
+bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.357 ms
+--- 10.0.45.5 ping statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
+[root@R1]~# ping6 -c3 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=2.761 ms
+bytes from 2001:db8:45::5, icmp_seq=2 hlim=62 time=2.290 ms
+--- 2001:db8:45::5 ping6 statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/std-dev = 1.142/2.064/2.761/0.680 ms
+</code>
+===== IPSec =====
+If you have previous gre/gif configuration part from previous examples, remove them.
+These two examples will use native IPSec tunnel mode: If you need to enable some routing protocol over the IPSec tunnels, you should use IPSec VTI interface.
+==== Tunnel without IKE ====
+A first simple example with manually configured Security Policy Database (SPD) and Security Association Database (SAD).
+=== Router 2 ===
+Create a file /etc/ipsec.conf with these lines:
+<code>
+cat > /etc/ipsec.conf <<EOF
+flush;
+spdflush;
+spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec esp/tunnel/10.0.23.2-10.0.34.4/require;
+spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec esp/tunnel/10.0.34.4-10.0.23.2/require;
+add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 "12345678901234567890";
+add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 "12345678901234567890";
+spdadd 2001:db8:12::/64 2001:db8:45::/64 any -P out ipsec esp/tunnel/2001:db8:23::2-2001:db8:34::4/require;
+spdadd 2001:db8:45::/64 2001:db8:12::/64 any -P in ipsec esp/tunnel/2001:db8:34::4-2001:db8:23::2/require;
+add 2001:db8:23::2 2001:db8:34::4 esp 0x1002 -E aes-gcm-16 "12345678901234567890";
+add 2001:db8:34::4 2001:db8:23::2 esp 0x1003 -E aes-gcm-16 "12345678901234567890";
+EOF
+</code>
+Enable and reload IPsec SA/SP:
+<code>
+sysrc ipsec_enable=YES
+service ipsec restart
+</code>
+And check it:
+<code>
+[root@R2]~# setkey -DP
+.0.45.0/24[any] 10.0.12.0/24[any] any
+        in ipsec
+        esp/tunnel/10.0.34.4-10.0.23.2/require
+        spid=2 seq=3 pid=66654 scope=global
+        refcnt=1
+:db8:45::/64[any] 2001:db8:12::/64[any] any
+        in ipsec
+        esp/tunnel/2001:db8:34::4-2001:db8:23::2/require
+        spid=4 seq=2 pid=66654 scope=global
+        refcnt=1
+.0.12.0/24[any] 10.0.45.0/24[any] any
+        out ipsec
+        esp/tunnel/10.0.23.2-10.0.34.4/require
+        spid=1 seq=1 pid=66654 scope=global
+        refcnt=1
+:db8:12::/64[any] 2001:db8:45::/64[any] any
+        out ipsec
+        esp/tunnel/2001:db8:23::2-2001:db8:34::4/require
+        spid=3 seq=0 pid=66654 scope=global
+        refcnt=1
+[root@R2]~# setkey -D
+:db8:34::4 2001:db8:23::2
+        esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)
+        E: aes-gcm-16  31323334 35363738 39303132 33343536 37383930
+        seq=0x00000000 replay=0 flags=0x00000040 state=mature
+        created: Oct 30 09:52:57 2017   current: Oct 30 09:54:17 2017
+        diff: 80(s)     hard: 0(s)      soft: 0(s)
+        last:                           hard: 0(s)      soft: 0(s)
+        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
+        allocated: 0    hard: 0 soft: 0
+        sadb_seq=3 pid=67845 refcnt=1
+:db8:23::2 2001:db8:34::4
+        esp mode=any spi=4098(0x00001002) reqid=0(0x00000000)
+        E: aes-gcm-16  31323334 35363738 39303132 33343536 37383930
+        seq=0x00000000 replay=0 flags=0x00000040 state=mature
+        created: Oct 30 09:52:57 2017   current: Oct 30 09:54:17 2017
+        diff: 80(s)     hard: 0(s)      soft: 0(s)
+        last:                           hard: 0(s)      soft: 0(s)
+        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
+        allocated: 0    hard: 0 soft: 0
+        sadb_seq=2 pid=67845 refcnt=1
+.0.34.4 10.0.23.2
+        esp mode=any spi=4097(0x00001001) reqid=0(0x00000000)
+        E: aes-gcm-16  31323334 35363738 39303132 33343536 37383930
+        seq=0x00000000 replay=0 flags=0x00000040 state=mature
+        created: Oct 30 09:52:57 2017   current: Oct 30 09:54:17 2017
+        diff: 80(s)     hard: 0(s)      soft: 0(s)
+        last:                           hard: 0(s)      soft: 0(s)
+        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
+        allocated: 0    hard: 0 soft: 0
+        sadb_seq=1 pid=67845 refcnt=1
+.0.23.2 10.0.34.4
+        esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
+        E: aes-gcm-16  31323334 35363738 39303132 33343536 37383930
+        seq=0x00000000 replay=0 flags=0x00000040 state=mature
+        created: Oct 30 09:52:57 2017   current: Oct 30 09:54:17 2017
+        diff: 80(s)     hard: 0(s)      soft: 0(s)
+        last:                           hard: 0(s)      soft: 0(s)
+        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
+        allocated: 0    hard: 0 soft: 0
+        sadb_seq=0 pid=67845 refcnt=1
+</code>
+=== Router 4 ===
+Same for the other side.
+Only if BSDRP version older than 1.59, disable ip.fastforwarding by editing /etc/sysctl.conf and comment this line:
+<code>
+sed -i "" "s/net.inet.ip.fastforwarding=1/net.inet.ip.fastforwarding=0/g"  /etc/sysctl.conf
+sysctl net.inet.ip.fastforwarding=0
+</code>
+Create a file /etc/ipsec.conf with these lines (same as R2: only to have to invert the in/out keyword):
+<code>
+cat > /etc/ipsec.conf <<EOF
+flush;
+spdflush;
+spdadd 10.0.12.0/24 10.0.45.0/24 any -P in ipsec esp/tunnel/10.0.23.2-10.0.34.4/require;
+spdadd 10.0.45.0/24 10.0.12.0/24 any -P out ipsec esp/tunnel/10.0.34.4-10.0.23.2/require;
+add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 "12345678901234567890";
+add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 "12345678901234567890";
+spdadd 2001:db8:12::/64 2001:db8:45::/64 any -P in ipsec esp/tunnel/2001:db8:23::2-2001:db8:34::4/require;
+spdadd 2001:db8:45::/64 2001:db8:12::/64 any -P out ipsec esp/tunnel/2001:db8:34::4-2001:db8:23::2/require;
+add 2001:db8:23::2 2001:db8:34::4 esp 0x1002 -E aes-gcm-16 "12345678901234567890";
+add 2001:db8:34::4 2001:db8:23::2 esp 0x1003 -E aes-gcm-16 "12345678901234567890";
+EOF
+</code>
+Enable and reload IPsec SA/SP:
+<code>
+sysrc ipsec_enable=YES
+service ipsec restart
+</code>
+=== Testing ===
+Start a tcpdump on R3-em1 and from R1 ping R5:
+<code>
+[root@R3]~# tcpdump -pni em1
+tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
+listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
+:26:41.073155 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0x00001000,seq=0x1e), length 104
+:26:41.074541 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0x00001001,seq=0x2), length 104
+:26:42.082287 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0x00001000,seq=0x1f), length 104
+:26:42.083353 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0x00001001,seq=0x3), length 104
+:03:29.934151 IP6 2001:db8:34::4 > 2001:db8:23::2: ESP(spi=0x00001003,seq=0x1), length 80
+:03:30.873515 IP6 2001:db8:23::2 > 2001:db8:34::4: ESP(spi=0x00001002,seq=0x2), length 80
+:03:30.875200 IP6 2001:db8:34::4 > 2001:db8:23::2: ESP(spi=0x00001003,seq=0x2), length 80
+:03:31.862233 IP6 2001:db8:23::2 > 2001:db8:34::4: ESP(spi=0x00001002,seq=0x3), length 80
+:03:31.862996 IP6 2001:db8:34::4 > 2001:db8:23::2: ESP(spi=0x00001003,seq=0x3), length 80
+:03:32.873263 IP6 2001:db8:23::2 > 2001:db8:34::4: ESP(spi=0x00001002,seq=0x4), length 80
+</code>
+<code>
+[root@R1]/etc/rc.d# ping 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms
+bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms
+[root@R1]~# ping6 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=70.074 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=3.086 ms
+bytes from 2001:db8:45::5, icmp_seq=2 hlim=62 time=1.602 ms
+bytes from 2001:db8:45::5, icmp_seq=3 hlim=62 time=3.240 ms
+</code>
+==== Tunnel with IKE v1 (racoon) ====
+Using IKE, the SP will still be manually configured, but the SA will be negociated with racoon.
+=== Router 2 ===
+Configure the IPSec Security Policy (SP) rules:
+<code>
+cat > /usr/local/etc/racoon/setkey.conf <<'EOF'
+flush;
+spdflush;
+spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec esp/tunnel/10.0.23.2-10.0.34.4/require;
+spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec esp/tunnel/10.0.34.4-10.0.23.2/require;
+spdadd 2001:db8:12::/64 2001:db8:45::/64 any -P out ipsec esp/tunnel/2001:db8:23::2-2001:db8:34::4/require;
+spdadd 2001:db8:45::/64 2001:db8:12::/64 any -P in ipsec esp/tunnel/2001:db8:34::4-2001:db8:23::2/require;
+'EOF'
+</code>
+Then define the password to use for the remote site and protect this password file (racoon will refuse to use it if the permission are not strict):
+<code>
+cat > /usr/local/etc/racoon/psk.txt <<'EOF'
+.0.34.4 verylongpassword
+:db8:34::4 ipv6password
+'EOF'
+chmod 600 /usr/local/etc/racoon/psk.txt
+</code>
+And define the racoon configuration file:
+<code>
+cat > /usr/local/etc/racoon/racoon.conf <<'EOF'
+path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";
+remote anonymous
+{
+  exchange_mode   main;
+    proposal {
+      encryption_algorithm    aes;
+      hash_algorithm          sha256;
+      authentication_method   pre_shared_key;
+      dh_group                2;
+    }
+}
+sainfo anonymous
+{
+  encryption_algorithm    aes;
+  authentication_algorithm        hmac_sha1;
+  compression_algorithm   deflate;
+}
+'EOF'
+</code>
+Enable the service ipsec and racoon:
+<code>
+sysrc ipsec_enable=YES
+sysrc ipsec_file="/usr/local/etc/racoon/setkey.conf"
+sysrc racoon_enable="yes"
+sysrc racoon_flags="-l /var/log/racoon.log"
+service ipsec restart
+service racoon restart
+</code>
+=== Router 4 ===
+Configure the IPSec Security Policy (SP) rules:
+<code>
+cat > /usr/local/etc/racoon/setkey.conf <<'EOF'
+flush;
+spdflush;
+spdadd 10.0.45.0/24 10.0.12.0/24 any -P out ipsec esp/tunnel/10.0.34.4-10.0.23.2/require;
+spdadd 10.0.12.0/24 10.0.45.0/24 any -P in ipsec esp/tunnel/10.0.23.2-10.0.34.4/require;
+spdadd 2001:db8:45::/64 2001:db8:12::/64 any -P out ipsec esp/tunnel/2001:db8:34::4-2001:db8:23::2/require;
+spdadd 2001:db8:12::/64 2001:db8:45::/64 any -P in ipsec esp/tunnel/2001:db8:23::2-2001:db8:34::4/require;
+'EOF'
+</code>
+Then define the password to use for the remote site and protect this password file (racoon will refuse to use it if the permission are not strict):
+<code>
+cat > /usr/local/etc/racoon/psk.txt <<'EOF'
+.0.23.2 verylongpassword
+:db8:23::2 ipv6password
+'EOF'
+chmod 600 /usr/local/etc/racoon/psk.txt
+</code>
+And the racoon configuration file:
+<code>
+cat > /usr/local/etc/racoon/racoon.conf <<'EOF'
+path pre_shared_key  "/usr/local/etc/racoon/psk.txt";
+remote anonymous
+{
+  exchange_mode   main;
+    proposal {
+      encryption_algorithm    aes;
+      hash_algorithm          sha256;
+      authentication_method   pre_shared_key;
+      dh_group                2;
+    }
+}
+sainfo anonymous
+{
+  encryption_algorithm    aes;
+  authentication_algorithm        hmac_sha1;
+  compression_algorithm   deflate;
+}
+'EOF'
+</code>
+Then enable and start the services:
+<code>
+sysrc ipsec_enable=YES
+sysrc ipsec_file="/usr/local/etc/racoon/setkey.conf"
+sysrc racoon_enable=YES
+sysrc racoon_flags="-l /var/log/racoon.log"
+service ipsec restart
+service racoon restart
+</code>
+=== Testing ===
+Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:
+R3 tcpdump paquets:
+<code>
+[root@R3]~# tcpdump -pni em1
+tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
+listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
+:27:56.842775 ARP, Request who-has 10.0.23.2 tell 10.0.23.3, length 28
+:27:56.843381 ARP, Reply 10.0.23.2 is-at aa:aa:00:02:02:03, length 46
+:28:57.530790 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: phase 1 I ident
+:28:57.538255 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: phase 1 R ident
+:28:57.544442 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: phase 1 I ident
+:28:57.549382 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: phase 1 R ident
+:28:57.565609 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: phase 1 I ident[E]
+:28:57.566324 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: phase 1 R ident[E]
+:28:57.566346 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: phase 2/others R inf[E]
+:28:57.567003 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: phase 2/others I inf[E]
+:28:58.543435 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: phase 2/others I oakley-quick[E]
+:28:58.545394 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: phase 2/others R oakley-quick[E]
+:28:58.546192 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: phase 2/others I oakley-quick[E]
+:28:59.541899 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0x04c741a8,seq=0x1), length 132
+:28:59.542527 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0x070a02f0,seq=0x1), length 132
+:29:00.552791 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0x04c741a8,seq=0x2), length 132
+:29:00.553733 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0x070a02f0,seq=0x2), length 132
+:29:01.562456 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0x04c741a8,seq=0x3), length 132
+:29:01.564044 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0x070a02f0,seq=0x3), length 132
+:06:59.868049 IP6 2001:db8:23::2.500 > 2001:db8:34::4.500: isakmp: phase 1 I ident
+:06:59.872133 IP6 2001:db8:34::4.500 > 2001:db8:23::2.500: isakmp: phase 1 R ident
+:06:59.880584 IP6 2001:db8:23::2.500 > 2001:db8:34::4.500: isakmp: phase 1 I ident
+:06:59.895633 IP6 2001:db8:34::4.500 > 2001:db8:23::2.500: isakmp: phase 1 R ident
+:06:59.900949 IP6 2001:db8:23::2.500 > 2001:db8:34::4.500: isakmp: phase 1 I ident[E]
+:06:59.902179 IP6 2001:db8:34::4.500 > 2001:db8:23::2.500: isakmp: phase 1 R ident[E]
+:06:59.902731 IP6 2001:db8:34::4.500 > 2001:db8:23::2.500: isakmp: phase 2/others R inf[E]
+:06:59.903567 IP6 2001:db8:23::2.500 > 2001:db8:34::4.500: isakmp: phase 2/others I inf[E]
+:07:00.883527 IP6 2001:db8:23::2.500 > 2001:db8:34::4.500: isakmp: phase 2/others I oakley-quick[E]
+:07:00.885056 IP6 2001:db8:34::4.500 > 2001:db8:23::2.500: isakmp: phase 2/others R oakley-quick[E]
+:07:00.887556 IP6 2001:db8:23::2.500 > 2001:db8:34::4.500: isakmp: phase 2/others I oakley-quick[E]
+:07:01.873778 IP6 2001:db8:23::2 > 2001:db8:34::4: ESP(spi=0x0a9f9b7b,seq=0x1), length 100
+:07:01.875570 IP6 2001:db8:34::4 > 2001:db8:23::2: ESP(spi=0x036839b1,seq=0x1), length 100
+:07:02.863099 IP6 2001:db8:23::2 > 2001:db8:34::4: ESP(spi=0x0a9f9b7b,seq=0x2), length 100
+:07:02.865280 IP6 2001:db8:34::4 > 2001:db8:23::2: ESP(spi=0x036839b1,seq=0x2), length 100
+:07:03.872677 IP6 2001:db8:23::2 > 2001:db8:34::4: ESP(spi=0x0a9f9b7b,seq=0x3), length 100
+:07:03.874510 IP6 2001:db8:34::4 > 2001:db8:23::2: ESP(spi=0x036839b1,seq=0x3), length 100
+</code>
+Racoon log file on R2:
+<code>
+[root@R2]~# tail -f /var/log/racoon.log
+-10-26 09:28:01: INFO: 2001:db8:23::2[500] used as isakmp port (fd=16)
+-10-26 09:28:01: INFO: 2001:db8:23::2[4500] used as isakmp port (fd=17)
+-10-26 09:28:01: INFO: ::1[500] used as isakmp port (fd=18)
+-10-26 09:28:01: INFO: ::1[4500] used as isakmp port (fd=19)
+-10-26 09:28:01: INFO: fe80:5::1[500] used as isakmp port (fd=20)
+-10-26 09:28:01: INFO: fe80:5::1[4500] used as isakmp port (fd=21)
+-10-26 09:28:01: INFO: 127.0.0.1[500] used for NAT-T
+-10-26 09:28:01: INFO: 127.0.0.1[500] used as isakmp port (fd=22)
+-10-26 09:28:01: INFO: 127.0.0.1[4500] used for NAT-T
+-10-26 09:28:01: INFO: 127.0.0.1[4500] used as isakmp port (fd=23)
+-10-26 09:28:57: INFO: IPsec-SA request for 10.0.34.4 queued due to no phase1 found.
+-10-26 09:28:57: INFO: initiate new phase 1 negotiation: 10.0.23.2[500]<=>10.0.34.4[500]
+-10-26 09:28:57: INFO: begin Identity Protection mode.
+-10-26 09:28:57: INFO: received Vendor ID: DPD
+-10-26 09:28:57: INFO: ISAKMP-SA established 10.0.23.2[500]-10.0.34.4[500] spi:1e76c8f10e489050:63b4e9b6e6ab63ab
+-10-26 09:28:57: [10.0.34.4] INFO: received INITIAL-CONTACT
+-10-26 09:28:58: INFO: initiate new phase 2 negotiation: 10.0.23.2[500]<=>10.0.34.4[500]
+-10-26 09:28:58: INFO: IPsec-SA established: ESP/Tunnel 10.0.23.2[500]->10.0.34.4[500] spi=118096624(0x70a02f0)
+-10-26 09:28:58: INFO: IPsec-SA established: ESP/Tunnel 10.0.23.2[500]->10.0.34.4[500] spi=80167336(0x4c741a8)
+-10-26 11:06:59: INFO: initiate new phase 1 negotiation: 2001:db8:23::2[500]<=>2001:db8:34::4[500]
+-10-26 11:06:59: INFO: begin Identity Protection mode.
+-10-26 11:06:59: INFO: received Vendor ID: DPD
+-10-26 11:06:59: INFO: ISAKMP-SA established 2001:db8:23::2[500]-2001:db8:34::4[500] spi:bd1997007b9e647a:5ed7fac9dd4f03f4
+-10-26 11:06:59: [2001:db8:34::4] INFO: received INITIAL-CONTACT
+-10-26 11:07:00: INFO: initiate new phase 2 negotiation: 2001:db8:23::2[500]<=>2001:db8:34::4[500]
+-10-26 11:07:00: INFO: IPsec-SA established: ESP/Tunnel 2001:db8:23::2[500]->2001:db8:34::4[500] spi=57162161(0x36839b1)
+-10-26 11:07:00: INFO: IPsec-SA established: ESP/Tunnel 2001:db8:23::2[500]->2001:db8:34::4[500] spi=178232187(0xa9f9b7b)
+</code>
+Ping result on R1:
+<code>
+[root@R1]# ping 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
+bytes from 10.0.45.5: icmp_seq=3 ttl=62 time=6.612 ms
+bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
+bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
+[root@R1]~# ping6 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=3.744 ms
+</code>
+==== Tunnel with IKEv2 (strongswan) ====
+Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
+Strongswan use Left (for Local) and Right (for Remote).
+=== Router 2 ===
+Configure strongswan on R2 with:
+  * IKEv2
+  * Preshared-key
+  * Disabling Mobile IP
+  * forcing the tunnel going UP (auto=start)
+  * configuring Dead-Peer-Detection at 5 seconds
+<code>
+cat > /usr/local/etc/ipsec.conf <<'EOF'
+config setup
+conn %default
+     authby=secret
+     keyexchange=ikev2
+     mobike=no
+     dpdaction=restart
+     dpddelay=5
+conn R4
+    left=10.0.23.2
+    leftsubnet=10.0.12.0/24
+    leftid=R2
+    right=10.0.34.4
+    rightsubnet=10.0.45.0/24
+    rightid=R4
+    auto=start
+'EOF'
+</code>
+Then define the password to use for the remote site:
+<code>
+cat > /usr/local/etc/ipsec.secrets <<'EOF'
+R4 R2 : PSK "This is a strong password"
+'EOF'
+</code>
+Enable strongswan:
+<code>
+sysrc strongswan_enable=YES
+service strongswan restart
+</code>
+=== Router 4 ===
+Configure strongswan on R4 with:
+  * IKEv2
+  * Preshared-key
+  * Disabling Mobile IP
+  * automatic traffic detection (auto=route)
+  * configuring Dead-Peer-Detection at 5 seconds
+<code>
+cat > /usr/local/etc/ipsec.conf <<'EOF'
+config setup
+conn %default
+    authby=secret
+    keyexchange=ikev2
+    mobike=no
+    dpdaction=restart
+    dpddelay=5
+conn R2
+    left=10.0.34.4
+    leftsubnet=10.0.45.0/24
+    leftid=R4
+    right=10.0.23.2
+    rightsubnet=10.0.12.0/24
+    rightid=R2
+    auto=route
+'EOF'
+</code>
+Then define the password to use for the remote site:
+<code>
+cat > /usr/local/etc/ipsec.secrets <<'EOF'
+R4 R2 : PSK "This is a strong password"
+'EOF'
+</code>
+Enable strongswan:
+<code>
+sysrc strongswan_enable=YES
+service strongswan restart
+</code>
+=== Testing ===
+Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:
+R3 tcpdump paquets:
+<code>
+[root@R3]~# tcpdump -pni em1
+tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
+listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
+:46:39.781091 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: parent_sa ikev2_init[I]
+:46:39.813159 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: parent_sa ikev2_init[R]
+:46:39.833297 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  ikev2_auth[I]
+:46:39.836053 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  ikev2_auth[R]
+:46:44.837323 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: parent_sa inf2
+:46:44.838157 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: parent_sa inf2[IR]
+:46:49.846951 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  inf2
+:46:49.847896 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  inf2[IR]
+:46:50.045601 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0xcbf8bc5e,seq=0x1), length 132
+:46:50.046687 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0xcf880196,seq=0x1), length 132
+:46:51.082868 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0xcbf8bc5e,seq=0x2), length 132
+:46:51.083610 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0xcf880196,seq=0x2), length 132
+:46:52.086036 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0xcbf8bc5e,seq=0x3), length 132
+:46:52.086961 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0xcf880196,seq=0x3), length 132
+:46:56.918092 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: child_sa  inf2[I]
+:46:56.919263 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: child_sa  inf2[R]
+</code>
+Log file on R2:
+<code>
+[root@R2]~# tail -f /var/log/auth.log
+Jun  8 00:24:28 R2 ipsec_starter[981]: no netkey IPsec stack detected
+Jun  8 00:24:28 R2 ipsec_starter[981]: no KLIPS IPsec stack detected
+Jun  8 00:24:28 R2 ipsec_starter[981]: no known IPsec stack detected, ignoring!
+Jun  8 00:24:28 R2 ipsec_starter[984]: charon (986) started after 20 ms
+Jun  8 00:25:26 R2 login: login on ttyu0 as root
+Jun  8 00:25:26 R2 login: ROOT LOGIN (root) ON ttyu0
+Jun  8 00:34:53 R2 charon: 12[IKE] initiating IKE_SA R4[1] to 10.0.34.4
+Jun  8 00:34:53 R2 charon: 12[IKE] establishing CHILD_SA R4
+Jun  8 00:34:53 R2 charon: 12[IKE] IKE_SA R4[1] established between 10.0.23.2[R2]...10.0.34.4[R4]
+Jun  8 00:34:53 R2 charon: 12[IKE] CHILD_SA R4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24
+</code>
+Ping result on R1:
+<code>
+[root@R1]# ping 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
+bytes from 10.0.45.5: icmp_seq=3 ttl=62 time=6.612 ms
+bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
+bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
+[root@R1]~# ping6 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=3.744 ms
+</code>
+==== VTI Tunnel without IKE ====
+This method allow to present a routing interface (like creating a GRE tunnel over IPSec): Useful for running a routing protocol over IPSec tunnels.
+=== Router 2 ===
+<code>
+sysrc cloned_interfaces=ipsec0
+sysrc create_args_ipsec0="reqid 100"
+sysrc ifconfig_ipsec0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up"
+sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::2 prefixlen 64"
+sysrc static_routes="tunnel4"
+sysrc route_tunnel4="10.0.45.0/24 10.0.24.4"
+sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4"
+sysrc ipv6_static_routes="tunnel6"
+cat > /etc/ipsec.conf <<EOF
+flush;
+spdflush;
+add 10.0.23.2 10.0.34.4 esp 0x1000 -m tunnel -u 100 -E aes-gcm-16 "12345678901234567890";
+add 10.0.34.4 10.0.23.2 esp 0x1001 -m tunnel -u 100 -E aes-gcm-16 "12345678901234567890";
+EOF
+service netif restart
+sysrc ipsec_enable=YES
+service ipsec restart
+service routing restart
+</code>
+and check the status:
+<code>
+[root@R2]~# setkey -DP
+.0.0.0/0[any] 0.0.0.0/0[any] any
+        in ipsec
+        esp/tunnel/10.0.34.4-10.0.23.2/unique:100
+        spid=1 seq=3 pid=778 scope=ifnet ifname=ipsec0
+        refcnt=1
+::/0[any] ::/0[any] any
+        in ipsec
+        esp/tunnel/10.0.34.4-10.0.23.2/unique:100
+        spid=3 seq=2 pid=778 scope=ifnet ifname=ipsec0
+        refcnt=1
+.0.0.0/0[any] 0.0.0.0/0[any] any
+        out ipsec
+        esp/tunnel/10.0.23.2-10.0.34.4/unique:100
+        spid=2 seq=1 pid=778 scope=ifnet ifname=ipsec0
+        refcnt=1
+::/0[any] ::/0[any] any
+        out ipsec
+        esp/tunnel/10.0.23.2-10.0.34.4/unique:100
+        spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0
+        refcnt=1
+[root@R2]~# setkey -D
+.0.34.4 10.0.23.2
+        esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)
+        E: aes-gcm-16  31323334 35363738 39303132 33343536 37383930
+        seq=0x00000000 replay=0 flags=0x00000040 state=mature
+        created: Dec  1 23:48:30 2017   current: Dec  1 23:50:15 2017
+        diff: 105(s)    hard: 0(s)      soft: 0(s)
+        last: Dec  1 23:49:50 2017      hard: 0(s)      soft: 0(s)
+        current: 168(bytes)     hard: 0(bytes)  soft: 0(bytes)
+        allocated: 2    hard: 0 soft: 0
+        sadb_seq=1 pid=1649 refcnt=1
+.0.23.2 10.0.34.4
+        esp mode=tunnel spi=4096(0x00001000) reqid=100(0x00000064)
+        E: aes-gcm-16  31323334 35363738 39303132 33343536 37383930
+        seq=0x00000002 replay=0 flags=0x00000040 state=mature
+        created: Dec  1 23:48:30 2017   current: Dec  1 23:50:15 2017
+        diff: 105(s)    hard: 0(s)      soft: 0(s)
+        last: Dec  1 23:49:50 2017      hard: 0(s)      soft: 0(s)
+        current: 280(bytes)     hard: 0(bytes)  soft: 0(bytes)
+        allocated: 2    hard: 0 soft: 0
+        sadb_seq=0 pid=1649 refcnt=1
+[root@R2]~# ifconfig ipsec0
+ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
+        tunnel inet 10.0.23.2 --> 10.0.34.4
+        inet6 fe80::5a9c:fcff:fe01:202%ipsec0 prefixlen 64 scopeid 0x7
+        inet6 2001:db8:24::2 prefixlen 64
+        inet 10.0.24.2 --> 10.0.24.4  netmask 0xffffff00
+        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
+        reqid: 100
+        groups: ipsec
+</code>
+=== Router 4 ===
+<code>
+sysrc cloned_interfaces=ipsec0
+sysrc create_args_ipsec0="reqid 200"
+sysrc ifconfig_ipsec0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up"
+sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::4 prefixlen 64"
+sysrc static_routes="tunnel4"
+sysrc route_tunnel4="10.0.12.0/24 10.0.24.2"
+sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2"
+sysrc ipv6_static_routes="tunnel6"
+cat > /etc/ipsec.conf <<EOF
+flush;
+spdflush;
+add 10.0.23.2 10.0.34.4 esp 0x1000 -m tunnel -u 200 -E aes-gcm-16 "12345678901234567890";
+add 10.0.34.4 10.0.23.2 esp 0x1001 -m tunnel -u 200 -E aes-gcm-16 "12345678901234567890";
+EOF
+service netif restart
+sysrc ipsec_enable=YES
+service ipsec restart
+service routing restart
+</code>
+=== Testing ===
+<code>
+[root@R1]~# ping -c 3 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.440 ms
+bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=0.382 ms
+--- 10.0.45.5 ping statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 0.382/0.589/0.944/0.252 ms
+[root@R1]~# ping6 -c3 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=0.617 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.394 ms
+bytes from 2001:db8:45::5, icmp_seq=2 hlim=62 time=0.362 ms
+--- 2001:db8:45::5 ping6 statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/std-dev = 0.362/0.458/0.617/0.113 ms
+</code>
+===== OpenVPN =====
+==== CA and certificates generation ====
+All these step will be done on R2 (OpenVPN server)
+Start by copying easyrsa3 configuration folder and define new configuration file:
+<code>
+cp -r /usr/local/share/easy-rsa /usr/local/etc/
+setenv EASYRSA /usr/local/etc/easy-rsa
+</code>
+Initialize PKI and generate a DH:
+<code>
+easyrsa init-pki
+easyrsa gen-dh
+</code>
+Build a root certificate:
+<code>
+[root@R2]~# easyrsa build-ca nopass
+Note: using Easy-RSA configuration from: /usr/local/etc/easy-rsa/vars
+Generating a 2048 bit RSA private key
+...............................................+++
+..................................................................................+++
+writing new private key to '/usr/local/etc/easy-rsa/pki/private/ca.key.EvwYAl9tEs'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
+CA creation complete and you may now import and sign cert requests.
+Your new CA certificate file for publishing is at:
+/usr/local/etc/easy-rsa/pki/ca.crt
+</code>
+Make a server certificate called R2, and client certificate called R4 using a locally generated root certificate:
+<code>
+easyrsa build-server-full R2 nopass
+easyrsa build-client-full R4 nopass
+</code>
+==== R2: OpenVPN server ====
+Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf:
+<code>
+mkdir /usr/local/etc/openvpn
+cat > /usr/local/etc/openvpn/openvpn.conf <<'EOF'
+dev tun
+tun-ipv6
+ca /usr/local/etc/easy-rsa/pki/ca.crt
+cert /usr/local/etc/easy-rsa/pki/issued/R2.crt
+key /usr/local/etc/easy-rsa/pki/private/R2.key
+dh /usr/local/etc/easy-rsa/pki/dh.pem
+server 10.0.24.0 255.255.255.0
+server-ipv6 2001:db8:24::/64
+ifconfig-pool-persist ipp.txt
+client-config-dir ccd
+push "route 10.0.12.0 255.255.255.0"
+push "route-ipv6 2001:db8:12::/64"
+route 10.0.45.0 255.255.255.0
+route-ipv6 2001:db8:45::/64
+'EOF'
+</code>
+Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client R4:
+<code>
+mkdir /usr/local/etc/openvpn/ccd
+cat > /usr/local/etc/openvpn/ccd/R4 <<'EOF'
+iroute 10.0.45.0 255.255.255.0
+iroute-ipv6 2001:db8:45::/64
+'EOF'
+</code>
+Enable and start openvpn and sshd (we will get certificates files by SCP later):
+<code>
+sysrc sshd_enable=YES
+sysrc openvpn_enable=YES
+service openvpn start
+service sshd start
+</code>
+And set a password for root account (mandatory for next SCP file copy):
+<code>
+passwd
+</code>
+==== R4: OpenVPN client ====
+As OpenVPN client, R4 should get these files from R2 and put them in /usr/local/etc/openvpn:
+  * ca.crt
+  * R4.crt
+  * R4.key
+On this lab, scp can be used for getting these files:
+<code>
+mkdir /usr/local/etc/openvpn
+scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn
+scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/R4.crt /usr/local/etc/openvpn
+scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/R4.key /usr/local/etc/openvpn
+</code>
+Configure openvpn as a client:
+<code>
+cat > /usr/local/etc/openvpn/openvpn.conf <<'EOF'
+client
+dev tun
+remote 10.0.23.2
+ca ca.crt
+cert R4.crt
+key R4.key
+'EOF'
+</code>
+Enable and start openvpn:
+<code>
+sysrc openvpn_enable=YES
+service openvpn start
+</code>
+==== Testing ====
+Pinging R5 from R1:
+<code>
+[root@R1]~# ping6 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.453 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=4.222 ms
+bytes from 2001:db8:45::5, icmp_seq=2 hlim=62 time=3.652 ms
+^C
+--- 2001:db8:45::5 ping6 statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/std-dev = 3.652/4.442/5.453/0.752 ms
+[root@R1]~# ping 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.312 ms
+bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=3.111 ms
+^C
+--- 10.0.45.5 ping statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 2.312/2.872/3.192/0.397 ms
+</code>
+OpenVPN log file on R2:
+<code>
+Oct 26 16:58:32 R2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
+Oct 26 16:58:32 R2 openvpn[2769]: WARNING: --keepalive option is missing from server config
+Oct 26 16:58:32 R2 openvpn[2769]: TUN/TAP device /dev/tun0 opened
+Oct 26 16:58:32 R2 kernel: tun0: link state changed to UP
+Oct 26 16:58:32 R2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
+Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up
+Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64
+Oct 26 16:58:32 R2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0
+Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link local (bound): [undef]
+Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link remote: [undef]
+Oct 26 16:58:32 R2 openvpn[2789]: ifconfig_pool_read(), in='R4,10.0.24.4,2001:db8:24::1000', TODO: IPv6
+Oct 26 16:58:32 R2 openvpn[2789]: succeeded -> ifconfig_pool_set()
+Oct 26 16:58:32 R2 openvpn[2789]: Initialization Sequence Completed
+Oct 26 16:58:33 R2 openvpn[2789]: 10.0.34.4:1194 [R4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194
+Oct 26 16:58:33 R2 openvpn[2789]: R4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000
+Oct 26 16:58:35 R2 openvpn[2789]: R4/10.0.34.4:1194 send_push_reply(): safe_cap=940
+</code>
+OpenVPN log file on R4:
+<code>
+Oct 26 16:58:32 R4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
+Oct 26 16:58:32 R4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
+Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link local (bound): [undef]
+Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194
+Oct 26 16:58:32 R4 openvpn[2496]: [R2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194
+Oct 26 16:58:34 R4 openvpn[2496]: TUN/TAP device /dev/tun0 opened
+Oct 26 16:58:34 R4 kernel: tun0: link state changed to UP
+Oct 26 16:58:34 R4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
+Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up
+Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64
+Oct 26 16:58:34 R4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0
+Oct 26 16:58:34 R4 openvpn[2496]: Initialization Sequence Completed
+</code>
+Tcpdump on R3:
+<code>
+[root@R3]~# tcpdump -pni em1
+tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
+listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
+:52:39.466155 IP 10.0.23.2.1194 > 10.0.34.4.1194: UDP, length 53
+:52:40.743892 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 14
+:52:40.744319 IP 10.0.23.2.1194 > 10.0.34.4.1194: UDP, length 26
+:52:40.744659 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
+:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
+:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
+</code>