documentation:examples:gre_ipsec_and_openvpn
Revision: 2018/07/01 11:01 – external edit 127.0.0.1
====== VPN with GRE, GIF, IPSec and OpenVPN ======
This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based).

===== Presentation =====

==== Network diagram ====

Lab built following [[documentation:

Here is the logical and physical view:

{{:

==== Download Lab scripts ====

More information on these BSDRP lab scripts is available on [[documentation:

Start the lab with 5 full-meshed routers.
An example with bhyve under FreeBSD:

<code>
root@host:~ # /
vmm module not loaded. Loading it...
nmdm module not loaded. Loading it...
if_tap module not loaded. Loading it...
BSD Router Project (http://
Setting-up a virtual lab with 5 VM(s):
- Working directory: /tmp/BSDRP
- Each VM have 1 core(s) and 256M RAM
- Emulated NIC: virtio-net
- Switch mode: bridge + tap
- 0 LAN(s) between all VM
- Full mesh Ethernet links between each VM
VM 1 have the following NIC:
- vtnet0 connected to VM 2
- vtnet1 connected to VM 3
- vtnet2 connected to VM 4
- vtnet3 connected to VM 5
VM 2 have the following NIC:
- vtnet0 connected to VM 1
- vtnet1 connected to VM 3
- vtnet2 connected to VM 4
- vtnet3 connected to VM 5
VM 3 have the following NIC:
- vtnet0 connected to VM 1
- vtnet1 connected to VM 2
- vtnet2 connected to VM 4
- vtnet3 connected to VM 5
VM 4 have the following NIC:
- vtnet0 connected to VM 1
- vtnet1 connected to VM 2
- vtnet2 connected to VM 3
- vtnet3 connected to VM 5
VM 5 have the following NIC:
- vtnet0 connected to VM 1
- vtnet1 connected to VM 2
- vtnet2 connected to VM 3
- vtnet3 connected to VM 4
For connecting to VM'
- VM 1 : cu -l /dev/nmdm1B
- VM 2 : cu -l /dev/nmdm2B
- VM 3 : cu -l /dev/nmdm3B
- VM 4 : cu -l /dev/nmdm4B
- VM 5 : cu -l /dev/nmdm5B
</code>
===== Base routers configuration =====

Router 1 and Router 5 are configured as simple workstations,

All these routers can be pre-configured with the labconfig tool (use it only in a lab, because it replaces your current running configuration):
<code>
labconfig vpn_vm[VM-NUMBER]
</code>

==== Router 1 ====

Router 1 is configured as a simple workstation.

<code>
sysrc hostname=R1
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_em0="
sysrc ifconfig_em0_ipv6="
sysrc defaultrouter=10.0.12.2
sysrc ipv6_defaultrouter=2001:
ifconfig -l | grep -q vtnet && sed -i ""
hostname R1
service netif restart
service routing restart
config save
</code>
==== Router 2 ====

Router 2 base configuration:

<code>
sysrc hostname=R2
sysrc ifconfig_em0="
sysrc ifconfig_em0_ipv6="
sysrc ifconfig_em1="
sysrc ifconfig_em1_ipv6="
sysrc defaultrouter="
sysrc ipv6_defaultrouter="
ifconfig -l | grep -q vtnet && sed -i ""
hostname R2
service netif restart
service routing restart
config save
</code>
==== Router 3 ====

Router 3 is configured as a simple router with connected interfaces only.

<code>
sysrc hostname=R3
sysrc ifconfig_em1="
sysrc ifconfig_em1_ipv6="
sysrc ifconfig_em2="
sysrc ifconfig_em2_ipv6="
ifconfig -l | grep -q vtnet && sed -i ""
hostname R3
service netif restart
config save
</code>
==== Router 4 ====

Router 4 base configuration,

<code>
sysrc hostname=R4
sysrc ifconfig_em2="
sysrc ifconfig_em2_ipv6="
sysrc ifconfig_em3="
sysrc ifconfig_em3_ipv6="
sysrc defaultrouter="
sysrc ipv6_defaultrouter="
ifconfig -l | grep -q vtnet && sed -i ""
hostname R4
service netif restart
service routing restart
config save
</code>
==== Router 5 ====

Router 5 has the same workstation mode configuration as R1.

<code>
sysrc hostname=R5
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_em3="
sysrc ifconfig_em3_ipv6="
sysrc defaultrouter="
sysrc ipv6_defaultrouter="
ifconfig -l | grep -q vtnet && sed -i ""
hostname R5
service netif restart
service routing restart
config save
</code>
===== GRE Tunnel =====

First example with a simple GRE tunnel.

FreeBSD [[http://
==== Router 2 ====

Create one GRE tunnel with IPv4 end-points.

=== Modify configuration ===

Here are the parameters to add:
<code>
sysrc cloned_interfaces=gre0
sysrc ifconfig_gre0="
sysrc ifconfig_gre0_ipv6="
sysrc static_routes="
sysrc route_tunnel4="
sysrc ipv6_route_tunnel6="
sysrc ipv6_static_routes="
service netif restart
service routing restart
config save
</code>
==== Router 4 ====

Configure the GRE tunnel using the R2 IPv4 address as end-point.

=== Modify configuration ===

Here are the parameters to add:
<code>
sysrc cloned_interfaces=gre0
sysrc ifconfig_gre0="
sysrc ifconfig_gre0_ipv6="
sysrc static_routes="
sysrc route_tunnel4="
sysrc ipv6_route_tunnel6="
sysrc ipv6_static_routes="
service netif restart
service routing restart
config save
</code>
==== Testing ====

<code>
[root@R1]~# ping -c 3 10.0.45.5
PING 10.0.45.5 (10.0.45.5):
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.019 ms
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.357 ms

--- 10.0.45.5 ping statistics ---
3 packets transmitted,
round-trip min/
[root@R1]~# ping6 -c3 2001:
PING6(56=40+8+8 bytes) 2001:
16 bytes from 2001:
16 bytes from 2001:
16 bytes from 2001:

--- 2001:
3 packets transmitted,
round-trip min/
</code>

===== GIF tunnels =====

This example differs a little from the GRE one: because gif supports IPv6 end-points, we will set up two gif tunnels:
  * a first one with IPv4 end-points that tunnels IPv4 traffic;
  * a second one with IPv6 end-points that tunnels IPv6 traffic.

==== Router 2 ====

Create the gif tunnels.

If you still have the GRE configuration from the previous example, remove it.

Here are the lines to ADD to /

<code>
sysrc cloned_interfaces="
sysrc ifconfig_gif0="
sysrc ifconfig_gif1_ipv6="
sysrc static_routes="
sysrc route_tunnel4="
sysrc ipv6_route_tunnel6="
sysrc ipv6_static_routes="
service netif restart
service routing restart
config save
</code>
==== Router 4 ====

Configure the two gif tunnels using the R2 addresses as end-points.

Here are the changes to apply to the rc file:
<code>
sysrc cloned_interfaces="
sysrc ifconfig_gif0="
sysrc ifconfig_gif1_ipv6="
sysrc static_routes="
sysrc route_tunnel4="
sysrc ipv6_route_tunnel6="
sysrc ipv6_static_routes="
service netif restart
service routing restart
config save
</code>
==== Testing ====

<code>
[root@R1]~# ping -c 3 10.0.45.5
PING 10.0.45.5 (10.0.45.5):
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.019 ms
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.357 ms

--- 10.0.45.5 ping statistics ---
3 packets transmitted,
round-trip min/
[root@R1]~# ping6 -c3 2001:
PING6(56=40+8+8 bytes) 2001:
16 bytes from 2001:
16 bytes from 2001:
16 bytes from 2001:

--- 2001:
3 packets transmitted,
round-trip min/
</code>

===== IPSec =====

If you still have the GRE/gif configuration from the previous examples, remove it.

These two examples use native IPsec tunnel mode: if you need to run a routing protocol over the IPsec tunnels, use the IPsec VTI interface instead.

==== Tunnel without IKE ====

A first simple example with a manually configured Security Policy Database (SPD) and Security Association Database (SAD).

=== Router 2 ===

Create a file /
<code>
cat > /
flush;
spdflush;
spdadd 10.0.12.0/
spdadd 10.0.45.0/
add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 "
add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 "
spdadd 2001:
spdadd 2001:
add 2001:
add 2001:
EOF
</code>

Enable and reload the IPsec SA/SP:
<code>
sysrc ipsec_enable=YES
service ipsec restart
</code>

And check it:
<code>
[root@R2]~# setkey -DP
10.0.45.0/
    in ipsec
    esp/
    spid=2 seq=3 pid=66654 scope=global
    refcnt=1
2001:
    in ipsec
    esp/
    spid=4 seq=2 pid=66654 scope=global
    refcnt=1
10.0.12.0/
    out ipsec
    esp/
    spid=1 seq=1 pid=66654 scope=global
    refcnt=1
2001:
    out ipsec
    esp/
    spid=3 seq=0 pid=66654 scope=global
    refcnt=1
[root@R2]~# setkey -D
2001:
    esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)
    E: aes-gcm-16
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 30 09:52:57 2017
    diff: 80(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=3 pid=67845 refcnt=1
2001:
    esp mode=any spi=4098(0x00001002) reqid=0(0x00000000)
    E: aes-gcm-16
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 30 09:52:57 2017
    diff: 80(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=2 pid=67845 refcnt=1
10.0.34.4 10.0.23.2
    esp mode=any spi=4097(0x00001001) reqid=0(0x00000000)
    E: aes-gcm-16
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 30 09:52:57 2017
    diff: 80(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=67845 refcnt=1
10.0.23.2 10.0.34.4
    esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    E: aes-gcm-16
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 30 09:52:57 2017
    diff: 80(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=67845 refcnt=1
</code>
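As an added check (example code written for this page, not part of the BSDRP lab), the following Python parses the `setkey -D` dump format shown above and flags what a defender should notice about manually keyed SAs: `replay=0` means the anti-replay window is off, and hard/soft lifetimes of 0 mean the static keys are never rotated. The sample dump is constructed in the same format with made-up key material.

```python
"""Audit manually keyed IPsec SAs from a `setkey -D` dump (added example)."""
import re
from dataclasses import dataclass

# Key sizes (in bits) that setkey(8) accepts for aes-gcm-16: the AES key
# plus the 32-bit salt required by RFC 4106 (128+32, 192+32, 256+32).
AES_GCM_16_KEY_BITS = (160, 224, 288)

# Constructed sample in the format shown above (R2, the two IPv4 SAs).
# The key material is made up for this example, not taken from the lab.
SAMPLE_SETKEY_D = """\
10.0.34.4 10.0.23.2
\tesp mode=any spi=4097(0x00001001) reqid=0(0x00000000)
\tE: aes-gcm-16  00112233445566778899aabbccddeeff01020304
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
\tcreated: Oct 30 09:52:57 2017\tcurrent: Oct 30 09:54:17 2017
\tdiff: 80(s)\thard: 0(s)\tsoft: 0(s)
\tlast:\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=1 pid=67845 refcnt=1
10.0.23.2 10.0.34.4
\tesp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
\tE: aes-gcm-16  0405060708090a0b0c0d0e0f1011121314151617
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
\tcreated: Oct 30 09:52:57 2017\tcurrent: Oct 30 09:54:17 2017
\tdiff: 80(s)\thard: 0(s)\tsoft: 0(s)
\tlast:\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=0 pid=67845 refcnt=1
"""

PEERS_RE = re.compile(r"^(\S+) (\S+)$")
SA_RE = re.compile(r"^\s*(\w+) mode=(\w+) spi=\d+\((0x[0-9a-f]+)\) reqid=\d+\((0x[0-9a-f]+)\)")
ENC_RE = re.compile(r"^\s*E: (\S+)\s*([0-9a-fA-F]*)")
STATE_RE = re.compile(r"^\s*seq=0x[0-9a-f]+ replay=(\d+) flags=\S+ state=(\w+)")
LIFE_RE = re.compile(r"^\s*diff: \d+\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    reqid: int = 0
    enc_alg: str = ""
    enc_key_hex: str = ""
    replay: int = 0
    state: str = ""
    hard_lifetime_s: int = 0
    soft_lifetime_s: int = 0


def parse_setkey_d(text):
    """Turn a `setkey -D` dump into SecurityAssociation records."""
    sas = []
    for line in text.splitlines():
        if not line.strip():
            continue
        peers = PEERS_RE.match(line)
        if peers and not line[0].isspace():  # unindented "src dst" header
            sas.append(SecurityAssociation(src=peers.group(1), dst=peers.group(2)))
            continue
        if not sas:
            continue  # attribute line before any header: ignore
        sa = sas[-1]
        if m := SA_RE.match(line):
            sa.proto, sa.mode = m.group(1), m.group(2)
            sa.spi, sa.reqid = int(m.group(3), 16), int(m.group(4), 16)
        elif m := ENC_RE.match(line):
            sa.enc_alg, sa.enc_key_hex = m.group(1), m.group(2)
        elif m := STATE_RE.match(line):
            sa.replay, sa.state = int(m.group(1)), m.group(2)
        elif m := LIFE_RE.match(line):
            sa.hard_lifetime_s, sa.soft_lifetime_s = int(m.group(1)), int(m.group(2))
    return sas


def audit_sa(sa):
    """Findings a defender should act on before trusting this SA."""
    findings = []
    if sa.state != "mature":
        findings.append(f"state is {sa.state!r}, not mature")
    if sa.replay == 0:
        findings.append("anti-replay window disabled (replay=0; use setkey -r)")
    if sa.hard_lifetime_s == 0 and sa.soft_lifetime_s == 0:
        # Static keys without a lifetime are never rotated, and AES-GCM is only
        # safe while no IV is ever reused under the same key.
        findings.append("no lifetime: SA is never rekeyed (manual keying)")
    if sa.enc_alg == "aes-gcm-16":
        bits = len(sa.enc_key_hex) * 4
        if bits not in AES_GCM_16_KEY_BITS:
            findings.append(f"aes-gcm-16 key is {bits} bits, expected one of {AES_GCM_16_KEY_BITS}")
    return findings


def unpaired(sas):
    """SAs whose reverse direction is missing: traffic would flow one way only."""
    seen = {(sa.src, sa.dst) for sa in sas}
    return [sa for sa in sas if (sa.dst, sa.src) not in seen]


def audit_report(text):
    """Map (src, dst, spi) -> findings for every SA in a `setkey -D` dump."""
    sas = parse_setkey_d(text)
    report = {(sa.src, sa.dst, sa.spi): audit_sa(sa) for sa in sas}
    for sa in unpaired(sas):
        report[(sa.src, sa.dst, sa.spi)].append("no SA for the reverse direction")
    return report


if __name__ == "__main__":
    for key, findings in audit_report(SAMPLE_SETKEY_D).items():
        print(key, *(findings or ["ok"]), sep="\n  ")
```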
=== Router 4 ===

Same for the other side.

Only if the BSDRP version is older than 1.59, disable ip.fastforwarding by editing /
<code>
sed -i ""
sysctl net.inet.ip.fastforwarding=0
</code>

Create a file /

<code>
cat > /
flush;
spdflush;
spdadd 10.0.12.0/
spdadd 10.0.45.0/
add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 "
add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 "
spdadd 2001:
spdadd 2001:
add 2001:
add 2001:
EOF
</code>

Enable and reload the IPsec SA/SP:
<code>
sysrc ipsec_enable=YES
service ipsec restart
</code>

=== Testing ===

Start a tcpdump on R3-em1 and from R1 ping R5:

<code>
[root@R3]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
18:
18:
18:
18:
10:
10:
10:
10:
10:
10:
</code>

<code>
[root@R1]/
PING 10.0.45.5 (10.0.45.5):
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms
64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms
[root@R1]~# ping6 2001:
PING6(56=40+8+8 bytes) 2001:
16 bytes from 2001:
16 bytes from 2001:
16 bytes from 2001:
16 bytes from 2001:
</code>
==== Tunnel with IKE v1 (racoon) ====

Using IKE, the SP is still configured manually, but the SA is negotiated by racoon.

=== Router 2 ===

Configure the IPSec Security Policy (SP) rules:
<code>
cat > /
flush;
spdflush;
spdadd 10.0.12.0/
spdadd 10.0.45.0/
spdadd 2001:
spdadd 2001:
'
</code>

Then define the password to use for the remote site and protect this password file (racoon will refuse to use it if the permissions are not strict):

<code>
cat > /
10.0.34.4 verylongpassword
2001:
'
chmod 600 /
</code>

And define the racoon configuration file:

<code>
cat > /
path pre_shared_key
remote anonymous
{
    exchange_mode
    proposal {
        encryption_algorithm
        hash_algorithm
        authentication_method
        dh_group
    }
}

sainfo anonymous
{
    encryption_algorithm
    authentication_algorithm
    compression_algorithm
}
'
</code>

Enable the ipsec and racoon services:

<code>
sysrc ipsec_enable=YES
sysrc ipsec_file="/
sysrc racoon_enable="
sysrc racoon_flags="
service ipsec restart
service racoon restart
</code>

=== Router 4 ===

Configure the IPSec Security Policy (SP) rules:
<code>
cat > /
flush;
spdflush;
spdadd 10.0.45.0/
spdadd 10.0.12.0/
spdadd 2001:
spdadd 2001:
'
</code>

Then define the password to use for the remote site and protect this password file (racoon will refuse to use it if the permissions are not strict):

<code>
cat > /
10.0.23.2 verylongpassword
2001:
'
chmod 600 /
</code>

And the racoon configuration file:

<code>
cat > /
path pre_shared_key
remote anonymous
{
    exchange_mode
    proposal {
        encryption_algorithm
        hash_algorithm
        authentication_method
        dh_group
    }
}

sainfo anonymous
{
    encryption_algorithm
    authentication_algorithm
    compression_algorithm
}
'
</code>

Then enable and start the services:
<code>
sysrc ipsec_enable=YES
sysrc ipsec_file="/
sysrc racoon_enable=YES
sysrc racoon_flags="
service ipsec restart
service racoon restart
</code>

=== Testing ===

As in the previous test, ping R5 from R1 with a tcpdump running on R3 and the racoon log displayed on R2:

R3 tcpdump packets:

<code>
[root@R3]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
09:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
11:
</code>

Racoon log file on R2:
<code>
[root@R2]~# tail -f /
2013-10-26 09:28:01: INFO: 2001:
2013-10-26 09:28:01: INFO: 2001:
2013-10-26 09:28:01: INFO: ::1[500] used as isakmp port (fd=18)
2013-10-26 09:28:01: INFO: ::1[4500] used as isakmp port (fd=19)
2013-10-26 09:28:01: INFO: fe80:
2013-10-26 09:28:01: INFO: fe80:
2013-10-26 09:28:01: INFO: 127.0.0.1[500] used for NAT-T
2013-10-26 09:28:01: INFO: 127.0.0.1[500] used as isakmp port (fd=22)
2013-10-26 09:28:01: INFO: 127.0.0.1[4500] used for NAT-T
2013-10-26 09:28:01: INFO: 127.0.0.1[4500] used as isakmp port (fd=23)
2013-10-26 09:28:57: INFO: IPsec-SA request for 10.0.34.4 queued due to no phase1 found.
2013-10-26 09:28:57: INFO: initiate new phase 1 negotiation:
2013-10-26 09:28:57: INFO: begin Identity Protection mode.
2013-10-26 09:28:57: INFO: received Vendor ID: DPD
2013-10-26 09:28:57: INFO: ISAKMP-SA established 10.0.23.2[500]-10.0.34.4[500] spi:
2013-10-26 09:28:57: [10.0.34.4] INFO: received INITIAL-CONTACT
2013-10-26 09:28:58: INFO: initiate new phase 2 negotiation:
2013-10-26 09:28:58: INFO: IPsec-SA established:
2013-10-26 09:28:58: INFO: IPsec-SA established:
2013-10-26 11:06:59: INFO: initiate new phase 1 negotiation:
2013-10-26 11:06:59: INFO: begin Identity Protection mode.
2013-10-26 11:06:59: INFO: received Vendor ID: DPD
2013-10-26 11:06:59: INFO: ISAKMP-SA established 2001:
2013-10-26 11:06:59: [2001:
2013-10-26 11:07:00: INFO: initiate new phase 2 negotiation:
2013-10-26 11:07:00: INFO: IPsec-SA established:
2013-10-26 11:07:00: INFO: IPsec-SA established:
</code>

Ping result on R1:

<code>
[root@R1]# ping 10.0.45.5
PING 10.0.45.5 (10.0.45.5):
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
64 bytes from 10.0.45.5: icmp_seq=3 ttl=62 time=6.612 ms
64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
[root@R1]~# ping6 2001:
PING6(56=40+8+8 bytes) 2001:
16 bytes from 2001:
16 bytes from 2001:
</code>

==== Tunnel with IKEv2 (strongswan) ====

With strongswan, the SP is installed automatically and the SA is negotiated by strongswan.

Strongswan uses Left (for Local) and Right (for Remote).

=== Router 2 ===

Configure strongswan on R2 with:
  * IKEv2
  * Preshared-key
  * Disabling Mobile IP
  * forcing the tunnel to come UP (auto=start)
  * configuring Dead-Peer-Detection with a 5 second delay

<code>
cat > /
config setup

conn %default
    authby=secret
    keyexchange=ikev2
    mobike=no
    dpdaction=restart
    dpddelay=5

conn R4
    left=10.0.23.2
    leftsubnet=10.0.12.0/
    leftid=R2
    right=10.0.34.4
    rightsubnet=10.0.45.0/
    rightid=R4
    auto=start
'
</code>

Then define the password to use for the remote site:

<code>
cat > /
R4 R2 : PSK "This is a strong password"
'
</code>

Enable strongswan:

<code>
sysrc strongswan_enable=YES
service strongswan restart
</code>

=== Router 4 ===

Configure strongswan on R4 with:
  * IKEv2
  * Preshared-key
  * Disabling Mobile IP
  * bringing the tunnel up on demand when matching traffic appears (auto=route)
  * configuring Dead-Peer-Detection with a 5 second delay

<code>
cat > /
config setup

conn %default
    authby=secret
    keyexchange=ikev2
    mobike=no
    dpdaction=restart
    dpddelay=5
conn R2
    left=10.0.34.4
    leftsubnet=10.0.45.0/
    leftid=R4
    right=10.0.23.2
    rightsubnet=10.0.12.0/
    rightid=R2
    auto=route
'
</code>

Then define the password to use for the remote site:

<code>
cat > /
R4 R2 : PSK "This is a strong password"
'
</code>

Enable strongswan:

<code>
sysrc strongswan_enable=YES
service strongswan restart
</code>

=== Testing ===

As in the previous test, ping R5 from R1 with a tcpdump running on R3 and the strongswan log displayed on R2:

R3 tcpdump packets:

<code>
[root@R3]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:
00:
00:
00:
00:
00:
00:
00:
00:
00:
00:
00:
00:
00:
00:
00:
</code>

Log file on R2:
<code>
[root@R2]~# tail -f /
Jun 8 00:24:28 R2 ipsec_starter[981]:
Jun 8 00:24:28 R2 ipsec_starter[981]:
Jun 8 00:24:28 R2 ipsec_starter[981]:
Jun 8 00:24:28 R2 ipsec_starter[984]:
Jun 8 00:25:26 R2 login: login on ttyu0 as root
Jun 8 00:25:26 R2 login: ROOT LOGIN (root) ON ttyu0
Jun 8 00:34:53 R2 charon: 12[IKE] initiating IKE_SA R4[1] to 10.0.34.4
Jun 8 00:34:53 R2 charon: 12[IKE] establishing CHILD_SA R4
Jun 8 00:34:53 R2 charon: 12[IKE] IKE_SA R4[1] established between 10.0.23.2[R2]...10.0.34.4[R4]
Jun 8 00:34:53 R2 charon: 12[IKE] CHILD_SA R4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/
</code>

Ping result on R1:

<code>
[root@R1]# ping 10.0.45.5
PING 10.0.45.5 (10.0.45.5):
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
64 bytes from 10.0.45.5: icmp_seq=3 ttl=62 time=6.612 ms
64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
[root@R1]~# ping6 2001:
PING6(56=40+8+8 bytes) 2001:
16 bytes from 2001:
16 bytes from 2001:
</code>

==== VTI Tunnel without IKE ====

This method presents a routable interface (like a GRE tunnel over IPsec), which is useful for running a routing protocol over IPsec tunnels.

=== Router 2 ===

<code>
sysrc cloned_interfaces=ipsec0
sysrc create_args_ipsec0="
sysrc ifconfig_ipsec0="
sysrc ifconfig_ipsec0_ipv6="
sysrc static_routes="
sysrc route_tunnel4="
sysrc ipv6_route_tunnel6="
sysrc ipv6_static_routes="
cat > /
flush;
spdflush;
add 10.0.23.2 10.0.34.4 esp 0x1000 -m tunnel -u 100 -E aes-gcm-16 "
add 10.0.34.4 10.0.23.2 esp 0x1001 -m tunnel -u 100 -E aes-gcm-16 "
EOF
service netif restart
sysrc ipsec_enable=YES
service ipsec restart
service routing restart
</code>

And check the status:

<code>
[root@R2]~# setkey -DP
0.0.0.0/
    in ipsec
    esp/
    spid=1 seq=3 pid=778 scope=ifnet ifname=ipsec0
    refcnt=1
::/0[any] ::/0[any] any
    in ipsec
    esp/
    spid=3 seq=2 pid=778 scope=ifnet ifname=ipsec0
    refcnt=1
0.0.0.0/
    out ipsec
    esp/
    spid=2 seq=1 pid=778 scope=ifnet ifname=ipsec0
    refcnt=1
::/0[any] ::/0[any] any
    out ipsec
    esp/
    spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0
    refcnt=1
[root@R2]~# setkey -D
10.0.34.4 10.0.23.2
    esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)
    E: aes-gcm-16
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Dec 1 23:48:30 2017
    diff: 105(s)
    last: Dec 1 23:49:50 2017 hard: 0(s) soft: 0(s)
    current: 168(bytes)
    allocated: 2 hard: 0 soft: 0
    sadb_seq=1 pid=1649 refcnt=1
10.0.23.2 10.0.34.4
    esp mode=tunnel spi=4096(0x00001000) reqid=100(0x00000064)
    E: aes-gcm-16
    seq=0x00000002 replay=0 flags=0x00000040 state=mature
    created: Dec 1 23:48:30 2017
    diff: 105(s)
    last: Dec 1 23:49:50 2017 hard: 0(s) soft: 0(s)
    current: 280(bytes)
    allocated: 2 hard: 0 soft: 0
    sadb_seq=0 pid=1649 refcnt=1
[root@R2]~# ifconfig ipsec0
ipsec0: flags=8051<
    tunnel inet 10.0.23.2 --> 10.0.34.4
    inet6 fe80::
    inet6 2001:
    inet 10.0.24.2 --> 10.0.24.4
    nd6 options=21<
    reqid: 100
    groups: ipsec
</code>

=== Router 4 ===

<code>
sysrc cloned_interfaces=ipsec0
sysrc create_args_ipsec0="
sysrc ifconfig_ipsec0="
sysrc ifconfig_ipsec0_ipv6="
sysrc static_routes="
sysrc route_tunnel4="
sysrc ipv6_route_tunnel6="
sysrc ipv6_static_routes="
cat > /
flush;
spdflush;
add 10.0.23.2 10.0.34.4 esp 0x1000 -m tunnel -u 200 -E aes-gcm-16 "
add 10.0.34.4 10.0.23.2 esp 0x1001 -m tunnel -u 200 -E aes-gcm-16 "
EOF
service netif restart
sysrc ipsec_enable=YES
service ipsec restart
service routing restart
</code>

=== Testing ===

<code>
[root@R1]~# ping -c 3 10.0.45.5
PING 10.0.45.5 (10.0.45.5):
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms
64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.440 ms
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=0.382 ms

--- 10.0.45.5 ping statistics ---
3 packets transmitted,
round-trip min/
[root@R1]~# ping6 -c3 2001:
PING6(56=40+8+8 bytes) 2001:
16 bytes from 2001:
16 bytes from 2001:
16 bytes from 2001:

--- 2001:
3 packets transmitted,
round-trip min/
</code>

===== OpenVPN =====

==== CA and certificates generation ====

All these steps are done on R2 (the OpenVPN server).

Start by copying the easyrsa3 configuration folder and defining a new configuration file:
<code>
cp -r /
setenv EASYRSA /
</code>

Initialize the PKI and generate DH parameters:
<code>
easyrsa init-pki
easyrsa gen-dh
</code>

Build a root certificate:
<code>
[root@R2]~# easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /
Generating a 2048 bit RSA private key
...............................................+++
..................................................................................+++
writing new private key to '/
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/


</code>
Make a server certificate called R2 and a client certificate called R4, both signed by the locally generated root certificate:
<code>
easyrsa build-server-full R2 nopass
easyrsa build-client-full R4 nopass
</code>

==== R2: OpenVPN server ====

Create the openvpn configuration file for server mode as /
<code>
mkdir /
cat > /
dev tun
tun-ipv6
ca /
cert /
key /
dh /
server 10.0.24.0 255.255.255.0
server-ipv6 2001:
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "route 10.0.12.0 255.255.255.0"
push "
route 10.0.45.0 255.255.255.0
route-ipv6 2001:
'
</code>

Create the client-configuration directory and declare the internal route (iroute) to the subnet behind the client R4:
<code>
mkdir /
cat > /
iroute 10.0.45.0 255.255.255.0
iroute-ipv6 2001:
'
</code>

Enable and start openvpn and sshd (we will fetch the certificate files with SCP later):
<code>
sysrc sshd_enable=YES
sysrc openvpn_enable=YES
service openvpn start
service sshd start
</code>

And set a password for the root account (required for the SCP file copy in the next step):
<code>
passwd
</code>
==== R4: OpenVPN client ====

As the OpenVPN client, R4 should get these files from R2 and put them in /
  * ca.crt
  * R4.crt
  * R4.key

In this lab, scp can be used to fetch these files:
<code>
mkdir /
scp 10.0.23.2:/
scp 10.0.23.2:/
scp 10.0.23.2:/
</code>

Configure openvpn as a client:

<code>
cat > /
client
dev tun
remote 10.0.23.2
ca ca.crt
cert R4.crt
key R4.key
'
</code>

Enable and start openvpn:
<code>
sysrc openvpn_enable=YES
service openvpn start
</code>
==== Testing ====

Pinging R5 from R1:
<code>
[root@R1]~# ping6 2001:
PING6(56=40+8+8 bytes) 2001:
16 bytes from 2001:
16 bytes from 2001:
16 bytes from 2001:
^C
--- 2001:
3 packets transmitted,
round-trip min/

[root@R1]~# ping 10.0.45.5
PING 10.0.45.5 (10.0.45.5):
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms
64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.312 ms
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=3.111 ms
^C
--- 10.0.45.5 ping statistics ---
3 packets transmitted,
round-trip min/
</code>

OpenVPN log file on R2:
<code>
Oct 26 16:58:32 R2 openvpn[2769]:
Oct 26 16:58:32 R2 openvpn[2769]:
Oct 26 16:58:32 R2 openvpn[2769]:
Oct 26 16:58:32 R2 kernel: tun0: link state changed to UP
Oct 26 16:58:32 R2 openvpn[2769]:
Oct 26 16:58:32 R2 openvpn[2769]:
Oct 26 16:58:32 R2 openvpn[2769]:
Oct 26 16:58:32 R2 openvpn[2769]:
Oct 26 16:58:32 R2 openvpn[2789]:
Oct 26 16:58:32 R2 openvpn[2789]:
Oct 26 16:58:32 R2 openvpn[2789]:
Oct 26 16:58:32 R2 openvpn[2789]:
Oct 26 16:58:32 R2 openvpn[2789]:
Oct 26 16:58:33 R2 openvpn[2789]:
Oct 26 16:58:33 R2 openvpn[2789]:
Oct 26 16:58:35 R2 openvpn[2789]:
</code>

OpenVPN log file on R4:
<code>
Oct 26 16:58:32 R4 openvpn[2495]:
Oct 26 16:58:32 R4 openvpn[2495]:
Oct 26 16:58:32 R4 openvpn[2496]:
Oct 26 16:58:32 R4 openvpn[2496]:
Oct 26 16:58:32 R4 openvpn[2496]:
Oct 26 16:58:34 R4 openvpn[2496]:
Oct 26 16:58:34 R4 kernel: tun0: link state changed to UP
Oct 26 16:58:34 R4 openvpn[2496]:
Oct 26 16:58:34 R4 openvpn[2496]:
Oct 26 16:58:34 R4 openvpn[2496]:
Oct 26 16:58:34 R4 openvpn[2496]:
Oct 26 16:58:34 R4 openvpn[2496]:
</code>

Tcpdump on R3:

<code>
[root@R3]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:
16:
16:
16:
16:
16:
</code>
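The IPsec and OpenVPN Testing sections above verify the tunnels by reading the R3 tcpdump by eye; as an added example (not from the lab page), this Python classifies `tcpdump -pni em1` lines and reports any packet that carries a 10.0.12.0/24 or 10.0.45.0/24 address in cleartext across R3, which would mean traffic was forwarded outside the IPsec or OpenVPN tunnel. The capture lines are constructed in tcpdump's `-n` output format, not taken from the lab.

```python
"""Classify a tcpdump capture taken on the transit router R3 (added example)."""
import ipaddress
import re

# Lab topology from the page: subnets behind R2/R4 and the tunnel end-points.
PROTECTED = [ipaddress.ip_network("10.0.12.0/24"),
             ipaddress.ip_network("10.0.45.0/24")]
TUNNEL_ENDPOINTS = {ipaddress.ip_address("10.0.23.2"),
                    ipaddress.ip_address("10.0.34.4")}
TUNNEL_UDP_PORTS = {500, 4500, 1194}  # ISAKMP/IKE, IKE NAT-T, OpenVPN default

# Constructed capture in `tcpdump -pni em1` format (not the lab's own output):
# IKE and ESP between the gateways, an OpenVPN datagram, and one cleartext
# ping between the protected subnets that should never be seen on R3.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:28:57.101034 IP 10.0.23.2.500 > 10.0.34.4.500: isakmp: phase 1 I ident
09:28:57.205511 IP 10.0.34.4.500 > 10.0.23.2.500: isakmp: phase 1 R ident
09:28:58.311207 IP 10.0.23.2 > 10.0.34.4: ESP(spi=0x00001000,seq=0x1), length 120
09:28:58.314902 IP 10.0.34.4 > 10.0.23.2: ESP(spi=0x00001001,seq=0x1), length 120
09:28:59.320118 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 4242, seq 0, length 64
09:29:00.002781 IP 10.0.34.4.40312 > 10.0.23.2.1194: UDP, length 150
"""

LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+?): (.*)$")


def split_host_port(token):
    """tcpdump -n prints 'host.port' for UDP/TCP and a bare host otherwise."""
    try:
        return ipaddress.ip_address(token), None
    except ValueError:
        host, _, port = token.rpartition(".")
        return ipaddress.ip_address(host), int(port)


def classify(line):
    """Return (verdict, src, dst); verdict is tunnel, leak, other or unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed", None, None
    try:
        src, sport = split_host_port(m.group(1))
        dst, dport = split_host_port(m.group(2))
    except ValueError:
        return "unparsed", None, None
    payload = m.group(3)
    # An address from a protected subnet visible on the transit link means the
    # packet was forwarded outside the tunnel (wrong SPD entry, missing route, ...).
    if any(addr in net for addr in (src, dst) for net in PROTECTED):
        return "leak", src, dst
    between_gateways = {src, dst} == TUNNEL_ENDPOINTS
    if between_gateways and (payload.startswith("ESP(") or {sport, dport} & TUNNEL_UDP_PORTS):
        return "tunnel", src, dst
    return "other", src, dst


def audit_capture(text):
    """Count verdicts and list (src, dst) of every leaked packet."""
    counts = {"tunnel": 0, "leak": 0, "other": 0, "unparsed": 0}
    leaks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("tcpdump:", "listening on")):
            continue
        verdict, src, dst = classify(line)
        counts[verdict] += 1
        if verdict == "leak":
            leaks.append((str(src), str(dst)))
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = audit_capture(SAMPLE_CAPTURE)
    print(counts)
    for src, dst in leaks:
        print(f"cleartext leak on R3: {src} -> {dst}")
```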
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier