Differences

This shows you the differences between two versions of the page.

--- documentation:examples:gre_ipsec_and_openvpn [2018/07/01 11:01] – external edit 127.0.0.1
+++ documentation:examples:gre_ipsec_and_openvpn [2020/01/13 14:19] – [Testing] olivier
@@ Line 1: / Line 1: @@
-====== VPN with GRE, GIF, IPSec and OpenVPN ======
+====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ======
-This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based).
+This lab shows some VPN examples with BSDRP 1.97.
 ===== Presentation =====
@@ Line 79: / Line 79: @@
 <code>
-sysrc hostname=R1
+sysrc hostname=VM1 \
-sysrc gateway_enable=NO
+ gateway_enable=NO \
-sysrc ipv6_gateway_enable=NO
+ ipv6_gateway_enable=NO \
-sysrc ifconfig_em0="inet 10.0.12.1/24"
+ ifconfig_em0="inet 10.0.12.1/24" \
-sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::1 prefixlen 64"
+ ifconfig_em0_ipv6="inet6 2001:db8:12::1 prefixlen 64" \
-sysrc defaultrouter=10.0.12.2
+ defaultrouter=10.0.12.2 \
-sysrc ipv6_defaultrouter=2001:db8:12::2
+ ipv6_defaultrouter=2001:db8:12::2
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R1
+hostname VM1
 service netif restart
 service routing restart
@@ Line 94: / Line 94: @@
 ==== Router 2 ====
-Router 2 base configuration: A simple connected-network router with a default route pointing to R3.
+Router 2 base configuration: A simple connected-network router with a default route pointing to VM3.
 <code>
-sysrc hostname=R2
+sysrc hostname=VM2 \
-sysrc ifconfig_em0="inet 10.0.12.2/24"
+  ifconfig_em0="inet 10.0.12.2/24" \
-sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
+  ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64" \
-sysrc ifconfig_em1="inet 10.0.23.2/24"
+  ifconfig_em1="inet 10.0.23.2/24" \
-sysrc ifconfig_em1_ipv6="inet6 2001:db8:23::2 prefixlen 64"
+  ifconfig_em1_ipv6="inet6 2001:db8:23::2 prefixlen 64" \
-sysrc defaultrouter="10.0.23.3"
+  defaultrouter="10.0.23.3" \
-sysrc ipv6_defaultrouter="2001:db8:23::3"
+  ipv6_defaultrouter="2001:db8:23::3"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R2
+hostname VM2
 service netif restart
 service routing restart
@@ Line 115: / Line 115: @@
 <code>
-sysrc hostname=R3
+sysrc hostname=VM3 \
-sysrc ifconfig_em1="inet 10.0.23.3/24"
+ ifconfig_em1="inet 10.0.23.3/24" \
-sysrc ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64"
+ ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64" \
-sysrc ifconfig_em2="inet 10.0.34.3/24"
+ ifconfig_em2="inet 10.0.34.3/24" \
-sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
+ ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R3
+hostname VM3
 service netif restart
 config save
@@ Line 127: / Line 127: @@
 ==== Router 4 ====
-Router 4 base configuration, like R2: A simple connected-network router with a default route pointing to R3.
+Router 4 base configuration, like VM2: A simple connected-network router with a default route pointing to VM3.
 <code>
-sysrc hostname=R4
+sysrc hostname=VM4 \
-sysrc ifconfig_em2="inet 10.0.34.4/24"
+ ifconfig_em2="inet 10.0.34.4/24" \
-sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64"
+ ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64" \
-sysrc ifconfig_em3="inet 10.0.45.4/24"
+ ifconfig_em3="inet 10.0.45.4/24" \
-sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64"
+ ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64" \
-sysrc defaultrouter="10.0.34.3"
+ defaultrouter="10.0.34.3" \
-sysrc ipv6_defaultrouter="2001:db8:34::3"
+ ipv6_defaultrouter="2001:db8:34::3"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R4
+hostname VM4
 service netif restart
 service routing restart
@@ Line 145: / Line 145: @@
 ==== Router 5 ====
-Router 5 has the same workstation mode configuration as R1.
+Router 5 has the same workstation mode configuration as VM1.
 <code>
-sysrc hostname=R5
+sysrc hostname=VM5 \
-sysrc gateway_enable=NO
+ gateway_enable=NO \
-sysrc ipv6_gateway_enable=NO
+ ipv6_gateway_enable=NO \
-sysrc ifconfig_em3="inet 10.0.45.5/24"
+ ifconfig_em3="inet 10.0.45.5/24" \
-sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64"
+ ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64" \
-sysrc defaultrouter="10.0.45.4"
+ defaultrouter="10.0.45.4" \
-sysrc ipv6_defaultrouter="2001:db8:45::4"
+ ipv6_defaultrouter="2001:db8:45::4"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R5
+hostname VM5
 service netif restart
 service routing restart
@@ Line 174: / Line 174: @@
 Here is the parameters to add:
 <code>
-sysrc cloned_interfaces=gre0
+sysrc cloned_interfaces=gre0 \
-sysrc ifconfig_gre0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up"
+ ifconfig_gre0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" \
-sysrc ifconfig_gre0_ipv6="inet6 2001:db8:24::2 prefixlen 64"
+ ifconfig_gre0_ipv6="inet6 2001:db8:24::2 prefixlen 64" \
-sysrc static_routes="tunnel4"
+ static_routes="tunnel4" \
-sysrc route_tunnel4="10.0.45.0/24 10.0.24.4"
+ route_tunnel4="10.0.45.0/24 10.0.24.4" \
-sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4"
+ ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" \
-sysrc ipv6_static_routes="tunnel6"
+ ipv6_static_routes="tunnel6"
 service netif restart
 service routing restart
@@ Line 187: / Line 187: @@
 ==== Router 4 ====
-Configure the GRE tunnel using R2 IPv4 as end-point.
+Configure the GRE tunnel using VM2 IPv4 as end-point.
 === Modify configuration ===
@@ Line 193: / Line 193: @@
 Here is the parameters to add:
 <code>
-sysrc cloned_interfaces=gre0
+sysrc cloned_interfaces=gre0 \
-sysrc ifconfig_gre0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up"
+ ifconfig_gre0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" \
-sysrc ifconfig_gre0_ipv6="inet6 2001:db8:24::4 prefixlen 64"
+ ifconfig_gre0_ipv6="inet6 2001:db8:24::4 prefixlen 64" \
-sysrc static_routes="tunnel4"
+ static_routes="tunnel4" \
-sysrc route_tunnel4="10.0.12.0/24 10.0.24.2"
+ route_tunnel4="10.0.12.0/24 10.0.24.2" \
-sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2"
+ ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" \
-sysrc ipv6_static_routes="tunnel6"
+ ipv6_static_routes="tunnel6"
 service netif restart
 service routing restart
@@ Line 207: / Line 207: @@
 <code>
-[root@R1]~# ping -c 3 10.0.45.5
+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes
 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
@@ Line 216: / Line 216: @@
 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5
+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
@@ Line 255: / Line 255: @@
 ==== Router 4 ====
-Configure the 2 gif tunnel using R2 addresses as end-point.
+Configure the 2 gif tunnel using VM2 addresses as end-point.
 Here are the changes to apply to rc file:
@@ Line 273: / Line 273: @@
 <code>
-[root@R1]~# ping -c 3 10.0.45.5
+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes
 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
@@ Line 282: / Line 282: @@
 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5
+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
@@ Line 329: / Line 329: @@
 And check it:
 <code>
-[root@R2]~# setkey -DP
+[root@VM2]~# setkey -DP
 .0.45.0/24[any] 10.0.12.0/24[any] any
         in ipsec
@@ Line 350: / Line 350: @@
         spid=3 seq=0 pid=66654 scope=global
         refcnt=1
-[root@R2]~# setkey -D
+[root@VM2]~# setkey -D
 :db8:34::4 2001:db8:23::2
         esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)
@@ Line 402: / Line 402: @@
 </code>
-Create a file /etc/ipsec.conf with these lines (same as R2: only to have to invert the in/out keyword):
+Create a file /etc/ipsec.conf with these lines (same as VM2: only to have to invert the in/out keyword):
 <code>
@@ Line 427: / Line 427: @@
 === Testing ===
-Start a tcpdump on R3-em1 and from R1 ping R5:
+Start a tcpdump on VM3-em1 and from VM1 ping VM5:
 <code>
-[root@R3]~# tcpdump -pni em1
+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
@@ Line 446: / Line 446: @@
 <code>
-[root@R1]/etc/rc.d# ping 10.0.45.5
+[root@VM1]/etc/rc.d# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes
 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms
 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms
 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms
-[root@R1]~# ping6 2001:db8:45::5
+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=70.074 ms
@@ Line 583: / Line 583: @@
 === Testing ===
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:
+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
-R3 tcpdump paquets:
+VM3 tcpdump paquets:
 <code>
-[root@R3]~# tcpdump -pni em1
+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
@@ Line 629: / Line 629: @@
 </code>
-Racoon log file on R2:
+Racoon log file on VM2:
 <code>
-[root@R2]~# tail -f /var/log/racoon.log
+[root@VM2]~# tail -f /var/log/racoon.log
 -10-26 09:28:01: INFO: 2001:db8:23::2[500] used as isakmp port (fd=16)
 -10-26 09:28:01: INFO: 2001:db8:23::2[4500] used as isakmp port (fd=17)
@@ Line 661: / Line 661: @@
 </code>
-Ping result on R1:
+Ping result on VM1:
 <code>
-[root@R1]# ping 10.0.45.5
+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes
 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
@@ Line 670: / Line 670: @@
 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:db8:45::5
+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
@@ Line 684: / Line 684: @@
 === Router 2 ===
-Configure strongswan on R2 with:
+Configure strongswan on VM2 with:
   * IKEv2
   * Preshared-key
@@ Line 702: / Line 702: @@
      dpddelay=5
-conn R4
+conn VM4
     left=10.0.23.2
     leftsubnet=10.0.12.0/24
-    leftid=R2
+    leftid=VM2
     right=10.0.34.4
     rightsubnet=10.0.45.0/24
-    rightid=R4
+    rightid=VM4
     auto=start
 'EOF'
@@ Line 717: / Line 717: @@
 <code>
 cat > /usr/local/etc/ipsec.secrets <<'EOF'
-R4 R2 : PSK "This is a strong password"
+VM4 VM2 : PSK "This is a strong password"
 'EOF'
 </code>
@@ Line 730: / Line 730: @@
 === Router 4 ===
-Configure strongswan on R4 with:
+Configure strongswan on VM4 with:
   * IKEv2
   * Preshared-key
@@ Line 747: / Line 747: @@
     dpdaction=restart
     dpddelay=5
-conn R2
+conn VM2
     left=10.0.34.4
     leftsubnet=10.0.45.0/24
-    leftid=R4
+    leftid=VM4
     right=10.0.23.2
     rightsubnet=10.0.12.0/24
-    rightid=R2
+    rightid=VM2
     auto=route
 'EOF'
@@ Line 762: / Line 762: @@
 <code>
 cat > /usr/local/etc/ipsec.secrets <<'EOF'
-R4 R2 : PSK "This is a strong password"
+VM4 VM2 : PSK "This is a strong password"
 'EOF'
 </code>
@@ Line 775: / Line 775: @@
 === Testing ===
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:
+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
-R3 tcpdump paquets:
+VM3 tcpdump paquets:
 <code>
-[root@R3]~# tcpdump -pni em1
+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
@@ Line 801: / Line 801: @@
 </code>
-Log file on R2:
+Log file on VM2:
 <code>
-[root@R2]~# tail -f /var/log/auth.log
+[root@VM2]~# tail -f /var/log/auth.log
-Jun  8 00:24:28 R2 ipsec_starter[981]: no netkey IPsec stack detected
+Jun  8 00:24:28 VM2 ipsec_starter[981]: no netkey IPsec stack detected
-Jun  8 00:24:28 R2 ipsec_starter[981]: no KLIPS IPsec stack detected
+Jun  8 00:24:28 VM2 ipsec_starter[981]: no KLIPS IPsec stack detected
-Jun  8 00:24:28 R2 ipsec_starter[981]: no known IPsec stack detected, ignoring!
+Jun  8 00:24:28 VM2 ipsec_starter[981]: no known IPsec stack detected, ignoring!
-Jun  8 00:24:28 R2 ipsec_starter[984]: charon (986) started after 20 ms
+Jun  8 00:24:28 VM2 ipsec_starter[984]: charon (986) started after 20 ms
-Jun  8 00:25:26 R2 login: login on ttyu0 as root
+Jun  8 00:25:26 VM2 login: login on ttyu0 as root
-Jun  8 00:25:26 R2 login: ROOT LOGIN (root) ON ttyu0
+Jun  8 00:25:26 VM2 login: ROOT LOGIN (root) ON ttyu0
-Jun  8 00:34:53 R2 charon: 12[IKE] initiating IKE_SA R4[1] to 10.0.34.4
+Jun  8 00:34:53 VM2 charon: 12[IKE] initiating IKE_SA VM4[1] to 10.0.34.4
-Jun  8 00:34:53 R2 charon: 12[IKE] establishing CHILD_SA R4
+Jun  8 00:34:53 VM2 charon: 12[IKE] establishing CHILD_SA VM4
-Jun  8 00:34:53 R2 charon: 12[IKE] IKE_SA R4[1] established between 10.0.23.2[R2]...10.0.34.4[R4]
+Jun  8 00:34:53 VM2 charon: 12[IKE] IKE_SA VM4[1] established between 10.0.23.2[VM2]...10.0.34.4[VM4]
-Jun  8 00:34:53 R2 charon: 12[IKE] CHILD_SA R4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24
+Jun  8 00:34:53 VM2 charon: 12[IKE] CHILD_SA VM4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24
 </code>
-Ping result on R1:
+Ping result on VM1:
 <code>
-[root@R1]# ping 10.0.45.5
+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes
 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
@@ Line 825: / Line 825: @@
 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:db8:45::5
+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
@@ Line 833: / Line 833: @@
 ==== VTI Tunnel without IKE ====
-This method allow to present a routing interface (like creating a GRE tunnel over IPSec): Useful for running a routing protocol over IPSec tunnels.
+This method presents a routing interface (like creating a GRE tunnel over IPSec): Useful for running a routing protocol over IPSec tunnels.
 === Router 2 ===
 <code>
-sysrc cloned_interfaces=ipsec0
+sysrc cloned_interfaces=ipsec0 \
-sysrc create_args_ipsec0="reqid 100"
+ create_args_ipsec0="reqid 100" \
-sysrc ifconfig_ipsec0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up"
+ ifconfig_ipsec0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" \
-sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::2 prefixlen 64"
+ ifconfig_ipsec0_ipv6="inet6 2001:db8:24::2 prefixlen 64" \
-sysrc static_routes="tunnel4"
+ static_routes="tunnel4" \
-sysrc route_tunnel4="10.0.45.0/24 10.0.24.4"
+ route_tunnel4="10.0.45.0/24 10.0.24.4" \
-sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4"
+ ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" \
-sysrc ipv6_static_routes="tunnel6"
+ ipv6_static_routes="tunnel6"
 cat > /etc/ipsec.conf <<EOF
 flush;
@@ Line 853: / Line 853: @@
 EOF
 service netif restart
-sysrc ipsec_enable=YES
+service ipsec enable
 service ipsec restart
 service routing restart
@@ Line 861: / Line 861: @@
 <code>
-[root@R2]~# setkey -DP
+[root@VM2]~# setkey -DP
 .0.0.0/0[any] 0.0.0.0/0[any] any
         in ipsec
@@ Line 882: / Line 882: @@
         spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0
         refcnt=1
-[root@R2]~# setkey -D
+[root@VM2]~# setkey -D
 .0.34.4 10.0.23.2
         esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)
@@ Line 903: / Line 903: @@
         allocated: 2    hard: 0 soft: 0
         sadb_seq=0 pid=1649 refcnt=1
-[root@R2]~# ifconfig ipsec0
+[root@VM2]~# ifconfig ipsec0
 ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
         tunnel inet 10.0.23.2 --> 10.0.34.4
@@ Line 917: / Line 917: @@
 <code>
-sysrc cloned_interfaces=ipsec0
+sysrc cloned_interfaces=ipsec0 \
-sysrc create_args_ipsec0="reqid 200"
+ create_args_ipsec0="reqid 200" \
-sysrc ifconfig_ipsec0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up"
+ ifconfig_ipsec0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" \
-sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::4 prefixlen 64"
+ ifconfig_ipsec0_ipv6="inet6 2001:db8:24::4 prefixlen 64" \
-sysrc static_routes="tunnel4"
+ static_routes="tunnel4" \
-sysrc route_tunnel4="10.0.12.0/24 10.0.24.2"
+ route_tunnel4="10.0.12.0/24 10.0.24.2" \
-sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2"
+ ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" \
-sysrc ipv6_static_routes="tunnel6"
+ ipv6_static_routes="tunnel6"
 cat > /etc/ipsec.conf <<EOF
 flush;
@@ Line 932: / Line 932: @@
 EOF
 service netif restart
-sysrc ipsec_enable=YES
+service ipsec enable
 service ipsec restart
 service routing restart
@@ Line 940: / Line 940: @@
 <code>
-[root@R1]~# ping -c 3 10.0.45.5
+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes
 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms
@@ Line 949: / Line 949: @@
 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 0.382/0.589/0.944/0.252 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5
+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=0.617 ms
@@ Line 964: / Line 964: @@
 ==== CA and certificates generation ====
-All these step will be done on R2 (OpenVPN server)
+All these step will be done on VM2 (OpenVPN server)
 Start by copying easyrsa3 configuration folder and define new configuration file:
@@ Line 970: / Line 970: @@
 cp -r /usr/local/share/easy-rsa /usr/local/etc/
 setenv EASYRSA /usr/local/etc/easy-rsa
+setenv EASYRSA_PKI $EASYRSA/pki
 </code>
@@ Line 980: / Line 981: @@
 Build a root certificate:
 <code>
-[root@R2]~# easyrsa build-ca nopass
+[root@VM2]~# easyrsa build-ca nopass
 Note: using Easy-RSA configuration from: /usr/local/etc/easy-rsa/vars
@@ Line 1003: / Line 1004: @@
 </code>
-Make a server certificate called R2, and client certificate called R4 using a locally generated root certificate:
+Make a server certificate called VM2, and client certificate called VM4 using a locally generated root certificate:
 <code>
-easyrsa build-server-full R2 nopass
+easyrsa build-server-full VM2 nopass
-easyrsa build-client-full R4 nopass
+easyrsa build-client-full VM4 nopass
 </code>
-==== R2: OpenVPN server ====
+==== VM2: OpenVPN server ====
 Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf:
@@ Line 1018: / Line 1019: @@
 tun-ipv6
 ca /usr/local/etc/easy-rsa/pki/ca.crt
-cert /usr/local/etc/easy-rsa/pki/issued/R2.crt
+cert /usr/local/etc/easy-rsa/pki/issued/VM2.crt
-key /usr/local/etc/easy-rsa/pki/private/R2.key
+key /usr/local/etc/easy-rsa/pki/private/VM2.key
 dh /usr/local/etc/easy-rsa/pki/dh.pem
 server 10.0.24.0 255.255.255.0
@@ Line 1032: / Line 1033: @@
 </code>
-Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client R4:
+Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client VM4:
 <code>
 mkdir /usr/local/etc/openvpn/ccd
-cat > /usr/local/etc/openvpn/ccd/R4 <<'EOF'
+cat > /usr/local/etc/openvpn/ccd/VM4 <<'EOF'
 iroute 10.0.45.0 255.255.255.0
 iroute-ipv6 2001:db8:45::/64
@@ Line 1043: / Line 1044: @@
 Enable and start openvpn and sshd (we will get certificates files by SCP later):
 <code>
-sysrc sshd_enable=YES
+service sshd enable
-sysrc openvpn_enable=YES
+service openvpn enable
 service openvpn start
 service sshd start
@@ Line 1053: / Line 1054: @@
 passwd
 </code>
-==== R4: OpenVPN client ====
+==== VM4: OpenVPN client ====
-As OpenVPN client, R4 should get these files from R2 and put them in /usr/local/etc/openvpn:
+As OpenVPN client, VM4 should get these files from VM2 and put them in /usr/local/etc/openvpn:
   * ca.crt
-  * R4.crt
+  * VM4.crt
-  * R4.key
+  * VM4.key
 On this lab, scp can be used for getting these files:
@@ Line 1064: / Line 1065: @@
 mkdir /usr/local/etc/openvpn
 scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/R4.crt /usr/local/etc/openvpn
+scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/VM4.crt /usr/local/etc/openvpn
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/R4.key /usr/local/etc/openvpn
+scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/VM4.key /usr/local/etc/openvpn
 </code>
@@ Line 1076: / Line 1077: @@
 remote 10.0.23.2
 ca ca.crt
-cert R4.crt
+cert VM4.crt
-key R4.key
+key VM4.key
 'EOF'
 </code>
@@ Line 1083: / Line 1084: @@
 Enable and start openvpn:
 <code>
-sysrc openvpn_enable=YES
+service openvpn enable
 service openvpn start
 </code>
 ==== Testing ====
-Pinging R5 from R1:
+Pinging VM5 from VM1:
 <code>
-[root@R1]~# ping6 2001:db8:45::5
+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.453 ms
@@ Line 1100: / Line 1101: @@
 round-trip min/avg/max/std-dev = 3.652/4.442/5.453/0.752 ms
-[root@R1]~# ping 10.0.45.5
+[root@VM1]~# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes
 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms
@@ Line 1111: / Line 1112: @@
 </code>
-OpenVPN log file on R2:
+OpenVPN log file on VM2:
 <code>
-Oct 26 16:58:32 R2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
+Oct 26 16:58:32 VM2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
-Oct 26 16:58:32 R2 openvpn[2769]: WARNING: --keepalive option is missing from server config
+Oct 26 16:58:32 VM2 openvpn[2769]: WARNING: --keepalive option is missing from server config
-Oct 26 16:58:32 R2 openvpn[2769]: TUN/TAP device /dev/tun0 opened
+Oct 26 16:58:32 VM2 openvpn[2769]: TUN/TAP device /dev/tun0 opened
-Oct 26 16:58:32 R2 kernel: tun0: link state changed to UP
+Oct 26 16:58:32 VM2 kernel: tun0: link state changed to UP
-Oct 26 16:58:32 R2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
+Oct 26 16:58:32 VM2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
-Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up
+Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up
-Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64
+Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64
-Oct 26 16:58:32 R2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0
+Oct 26 16:58:32 VM2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0
-Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link local (bound): [undef]
+Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link local (bound): [undef]
-Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link remote: [undef]
+Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link remote: [undef]
-Oct 26 16:58:32 R2 openvpn[2789]: ifconfig_pool_read(), in='R4,10.0.24.4,2001:db8:24::1000', TODO: IPv6
+Oct 26 16:58:32 VM2 openvpn[2789]: ifconfig_pool_read(), in='VM4,10.0.24.4,2001:db8:24::1000', TODO: IPv6
-Oct 26 16:58:32 R2 openvpn[2789]: succeeded -> ifconfig_pool_set()
+Oct 26 16:58:32 VM2 openvpn[2789]: succeeded -> ifconfig_pool_set()
-Oct 26 16:58:32 R2 openvpn[2789]: Initialization Sequence Completed
+Oct 26 16:58:32 VM2 openvpn[2789]: Initialization Sequence Completed
-Oct 26 16:58:33 R2 openvpn[2789]: 10.0.34.4:1194 [R4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194
+Oct 26 16:58:33 VM2 openvpn[2789]: 10.0.34.4:1194 [VM4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194
-Oct 26 16:58:33 R2 openvpn[2789]: R4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000
+Oct 26 16:58:33 VM2 openvpn[2789]: VM4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000
-Oct 26 16:58:35 R2 openvpn[2789]: R4/10.0.34.4:1194 send_push_reply(): safe_cap=940
+Oct 26 16:58:35 VM2 openvpn[2789]: VM4/10.0.34.4:1194 send_push_reply(): safe_cap=940
 </code>
-OpenVPN log file on R4:
+OpenVPN log file on VM4:
 <code>
-Oct 26 16:58:32 R4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
+Oct 26 16:58:32 VM4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
-Oct 26 16:58:32 R4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
+Oct 26 16:58:32 VM4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
-Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link local (bound): [undef]
+Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link local (bound): [undef]
-Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194
+Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194
-Oct 26 16:58:32 R4 openvpn[2496]: [R2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194
+Oct 26 16:58:32 VM4 openvpn[2496]: [VM2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194
-Oct 26 16:58:34 R4 openvpn[2496]: TUN/TAP device /dev/tun0 opened
+Oct 26 16:58:34 VM4 openvpn[2496]: TUN/TAP device /dev/tun0 opened
-Oct 26 16:58:34 R4 kernel: tun0: link state changed to UP
+Oct 26 16:58:34 VM4 kernel: tun0: link state changed to UP
-Oct 26 16:58:34 R4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
+Oct 26 16:58:34 VM4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
-Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up
+Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up
-Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64
+Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64
-Oct 26 16:58:34 R4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0
+Oct 26 16:58:34 VM4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0
-Oct 26 16:58:34 R4 openvpn[2496]: Initialization Sequence Completed
+Oct 26 16:58:34 VM4 openvpn[2496]: Initialization Sequence Completed
 </code>
-Tcpdump on R3:
+Tcpdump on VM3:
 <code>
-[root@R3]~# tcpdump -pni em1
+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
@@ Line 1159: / Line 1160: @@
 :52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
 :52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
+</code>
+===== Wireguard =====
+==== Key pairs generation ====
+The first step is to generate a couple of private and public keys on each wireguard endpoint.
+On VM2 and on VM4, generate the keys:
+<code>
+cd /usr/local/etc/wireguard
+wg genkey > private
+chmod 600 private
+wg pubkey < private > public
+</code>
+==== Router 2 ====
+Display router 2 private key, and router 4 public key.
+<code>
+cat > /usr/local/etc/wireguard/wg0.conf <<EOF
+[Interface]
+PrivateKey = 8Og1cCmvirK+zcGus/EyaA8aiFdzjjtS9GbuBa/bqFQ=
+ListenPort = 51820
+[Peer]
+PublicKey = FSvVqj2s1FZqsSIvPLrE1RRTgbaPLbfG87P36F21M1g=
+AllowedIPs = 10.0.45.0/24,2001:db8:45::2/64
+Endpoint = 10.0.34.4:51820
+EOF
+sysrc wireguard_interfaces=wg0
+service wireguard enable
+service wireguard start
+</code>
+==== Router 4 ====
+Display router 4 private key, and router 2 public key.
+<code>
+cat > /usr/local/etc/wireguard/wg0.conf <<EOF
+[Interface]
+PrivateKey = ADfm6+sXZnoyDAkG/MXXy062pjSgh2GgfAIKwX+ewGg=
+ListenPort = 51820
+[Peer]
+PublicKey = gaQij176wrz3g+2RTJ/S1oEnc7rx2reU1Z0Thrv4oXc=
+AllowedIPs = 10.0.12.0/24,2001:db8:12::2/64
+Endpoint = 10.0.23.2:51820
+EOF
+sysrc wireguard_interfaces=wg0
+service wireguard enable
+service wireguard start
+</code>
+==== Testing ====
+Pinging VM5 from VM1:
+<code>
+[root@VM1]~# ping -c2 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms
+--- 10.0.45.5 ping statistics ---
+packets transmitted, 2 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 0.783/1.459/2.135/0.676 ms
+[root@VM1]~# ping6 -c2 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.779 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.764 ms
+--- 2001:db8:45::5 ping6 statistics ---
+packets transmitted, 2 packets received, 0.0% packet loss
+round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
 </code>