documentation:examples:gre_ipsec_and_openvpn [2020/01/12 17:56] – [Router 2] olivier | documentation:examples:gre_ipsec_and_openvpn [2023/07/10 12:40] (current) – [Router 4] olivier | ||
Line 1: | Line 1: | ||
- | ====== VPN with GRE, GIF, IPSec and OpenVPN ====== | + | ====== VPN with GRE, GIF, IPSec, OpenVPN |
- | This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based). | + | This lab shows some VPN examples with BSDRP 1.991. |
===== Presentation ===== | ===== Presentation ===== | ||
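Review bot: the version bump in the intro (BSDRP 1.59, FreeBSD 10.3 based, to BSDRP 1.991) drops the FreeBSD base release, yet the sections added later in this revision depend on it: the ipsec(4) interface, if_ovpn for OpenVPN DCO and the in-kernel if_wg driver, which the Wireguard section itself ties to "current (14.0)" versus "older (12 or 13)". Put the FreeBSD release BSDRP 1.991 is built on next to the version number, as the old sentence did, so readers on an older BSDRP know which parts will not work.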
Line 79: | Line 79: | ||
< | < | ||
- | sysrc hostname=R1 \ | + | sysrc hostname=VM1 \ |
| | ||
| | ||
Line 87: | Line 87: | ||
| | ||
ifconfig -l | grep -q vtnet && sed -i "" | ifconfig -l | grep -q vtnet && sed -i "" | ||
- | hostname | + | hostname |
service netif restart | service netif restart | ||
service routing restart | service routing restart | ||
Line 94: | Line 94: | ||
==== Router 2 ==== | ==== Router 2 ==== | ||
- | Router 2 base configuration: | + | Router 2 base configuration: |
< | < | ||
- | sysrc hostname=R2 \ | + | sysrc hostname=VM2 \ |
ifconfig_em0=" | ifconfig_em0=" | ||
ifconfig_em0_ipv6=" | ifconfig_em0_ipv6=" | ||
Line 105: | Line 105: | ||
ipv6_defaultrouter=" | ipv6_defaultrouter=" | ||
ifconfig -l | grep -q vtnet && sed -i "" | ifconfig -l | grep -q vtnet && sed -i "" | ||
- | hostname | + | hostname |
service netif restart | service netif restart | ||
service routing restart | service routing restart | ||
Line 115: | Line 115: | ||
< | < | ||
- | sysrc hostname=R3 | + | sysrc hostname=VM3 \ |
- | sysrc ifconfig_em1=" | + | |
- | sysrc ifconfig_em1_ipv6=" | + | |
- | sysrc ifconfig_em2=" | + | |
- | sysrc ifconfig_em2_ipv6=" | + | |
ifconfig -l | grep -q vtnet && sed -i "" | ifconfig -l | grep -q vtnet && sed -i "" | ||
- | hostname | + | hostname |
service netif restart | service netif restart | ||
config save | config save | ||
Line 127: | Line 127: | ||
==== Router 4 ==== | ==== Router 4 ==== | ||
- | Router 4 base configuration, | + | Router 4 base configuration, |
< | < | ||
- | sysrc hostname=R4 | + | sysrc hostname=VM4 \ |
- | sysrc ifconfig_em2=" | + | |
- | sysrc ifconfig_em2_ipv6=" | + | |
- | sysrc ifconfig_em3=" | + | |
- | sysrc ifconfig_em3_ipv6=" | + | |
- | sysrc defaultrouter=" | + | |
- | sysrc ipv6_defaultrouter=" | + | |
ifconfig -l | grep -q vtnet && sed -i "" | ifconfig -l | grep -q vtnet && sed -i "" | ||
- | hostname | + | hostname |
service netif restart | service netif restart | ||
service routing restart | service routing restart | ||
Line 145: | Line 145: | ||
==== Router 5 ==== | ==== Router 5 ==== | ||
- | Router 5 has the same workstation mode configuration as R1. | + | Router 5 has the same workstation mode configuration as VM1. |
< | < | ||
- | sysrc hostname=R5 | + | sysrc hostname=VM5 \ |
- | sysrc gateway_enable=NO | + | |
- | sysrc ipv6_gateway_enable=NO | + | |
- | sysrc ifconfig_em3=" | + | |
- | sysrc ifconfig_em3_ipv6=" | + | |
- | sysrc defaultrouter=" | + | |
- | sysrc ipv6_defaultrouter=" | + | |
ifconfig -l | grep -q vtnet && sed -i "" | ifconfig -l | grep -q vtnet && sed -i "" | ||
- | hostname | + | hostname |
service netif restart | service netif restart | ||
service routing restart | service routing restart | ||
Line 174: | Line 174: | ||
Here is the parameters to add: | Here is the parameters to add: | ||
< | < | ||
- | sysrc cloned_interfaces=gre0 | + | sysrc cloned_interfaces=gre0 |
- | sysrc ifconfig_gre0=" | + | |
- | sysrc ifconfig_gre0_ipv6=" | + | |
- | sysrc static_routes=" | + | |
- | sysrc route_tunnel4=" | + | |
- | sysrc ipv6_route_tunnel6=" | + | |
- | sysrc ipv6_static_routes=" | + | |
service netif restart | service netif restart | ||
service routing restart | service routing restart | ||
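Review bot: the gre0 tunnel configured here plus the static routes (route_tunnel4 / ipv6_route_tunnel6) send the inter-site traffic in clear and GRE carries no authentication of the tunnel endpoint, so anything able to spoof the endpoint address can inject packets into those routes. That is acceptable for a lab, since the IPsec, OpenVPN and WireGuard sections later protect the same path, but one sentence stating that GRE alone gives neither confidentiality nor integrity would stop readers from treating this step as a finished VPN. Style: "Here is the parameters to add" should read "Here are the parameters to add".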
Line 187: | Line 187: | ||
==== Router 4 ==== | ==== Router 4 ==== | ||
- | Configure the GRE tunnel using R2 IPv4 as end-point. | + | Configure the GRE tunnel using VM2 IPv4 as end-point. |
=== Modify configuration === | === Modify configuration === | ||
Line 193: | Line 193: | ||
Here is the parameters to add: | Here is the parameters to add: | ||
< | < | ||
- | sysrc cloned_interfaces=gre0 | + | sysrc cloned_interfaces=gre0 |
- | sysrc ifconfig_gre0=" | + | |
- | sysrc ifconfig_gre0_ipv6=" | + | |
- | sysrc static_routes=" | + | |
- | sysrc route_tunnel4=" | + | |
- | sysrc ipv6_route_tunnel6=" | + | |
- | sysrc ipv6_static_routes=" | + | |
service netif restart | service netif restart | ||
service routing restart | service routing restart | ||
Line 207: | Line 207: | ||
< | < | ||
- | [root@R1]~# ping -c 3 10.0.45.5 | + | [root@VM1]~# ping -c 3 10.0.45.5 |
PING 10.0.45.5 (10.0.45.5): | PING 10.0.45.5 (10.0.45.5): | ||
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms | ||
Line 216: | Line 216: | ||
3 packets transmitted, | 3 packets transmitted, | ||
round-trip min/ | round-trip min/ | ||
- | [root@R1]~# ping6 -c3 2001: | + | [root@VM1]~# ping6 -c3 2001: |
PING6(56=40+8+8 bytes) 2001: | PING6(56=40+8+8 bytes) 2001: | ||
16 bytes from 2001: | 16 bytes from 2001: | ||
Line 238: | Line 238: | ||
If you have previous gre configuration from the gre example: remove them. | If you have previous gre configuration from the gre example: remove them. | ||
- | |||
- | Here is the line to ADD to / | ||
< | < | ||
Line 252: | Line 250: | ||
service routing restart | service routing restart | ||
config save | config save | ||
+ | </ | ||
+ | |||
+ | Take care of avoiding fragmentation, | ||
+ | < | ||
+ | set skip on lo0 | ||
+ | scrub on gif1 inet all max-mss 1200 | ||
+ | scrub on gif1 inet6 all max-mss 1180 | ||
+ | pass | ||
</ | </ | ||
==== Router 4 ==== | ==== Router 4 ==== | ||
- | Configure the 2 gif tunnel using R2 addresses as end-point. | + | Configure the 2 gif tunnel using VM2 addresses as end-point. |
- | Here are the changes to apply to rc file: | ||
< | < | ||
sysrc cloned_interfaces=" | sysrc cloned_interfaces=" | ||
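Review bot: the added pf ruleset clamps MSS only on gif1 (scrub on gif1 inet all max-mss 1200 / scrub on gif1 inet6 all max-mss 1180) while the Router 4 step just below configures "the 2 gif tunnel"; either confirm that the other gif interface carries no TCP that needs clamping or apply scrub to both. The 20-byte gap between the two values matches the IPv6/IPv4 header difference, so the numbers themselves are consistent. Two things the lead-in should say: the trailing bare "pass" permits all traffic in both directions, so this is an MSS fix and not a filtering policy, and nothing shown in the hunk enables pf (service pf enable; service pf start), without which the scrub rules are never loaded.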
Line 273: | Line 278: | ||
< | < | ||
- | [root@R1]~# ping -c 3 10.0.45.5 | + | [root@VM1]~# ping -c 3 10.0.45.5 |
PING 10.0.45.5 (10.0.45.5): | PING 10.0.45.5 (10.0.45.5): | ||
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms | ||
Line 282: | Line 287: | ||
3 packets transmitted, | 3 packets transmitted, | ||
round-trip min/ | round-trip min/ | ||
- | [root@R1]~# ping6 -c3 2001: | + | [root@VM1]~# ping6 -c3 2001: |
PING6(56=40+8+8 bytes) 2001: | PING6(56=40+8+8 bytes) 2001: | ||
16 bytes from 2001: | 16 bytes from 2001: | ||
Line 329: | Line 334: | ||
And check it: | And check it: | ||
< | < | ||
- | [root@R2]~# setkey -DP | + | [root@VM2]~# setkey -DP |
10.0.45.0/ | 10.0.45.0/ | ||
in ipsec | in ipsec | ||
Line 350: | Line 355: | ||
spid=3 seq=0 pid=66654 scope=global | spid=3 seq=0 pid=66654 scope=global | ||
refcnt=1 | refcnt=1 | ||
- | [root@R2]~# setkey -D | + | [root@VM2]~# setkey -D |
2001: | 2001: | ||
esp mode=any spi=4099(0x00001003) reqid=0(0x00000000) | esp mode=any spi=4099(0x00001003) reqid=0(0x00000000) | ||
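Review bot: the setkey -D output shows manually keyed SAs with a fixed SPI (spi=4099 (0x00001003)) and mode=any; manual SAs never rekey, so the keys written in the setkey configuration are long-lived static secrets identical on both routers. Worth a sentence here that manual keying is for demonstrating the SPD/SAD mechanics only, and that the racoon and strongswan sections that follow are the variants where the SAs are negotiated and rekeyed.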
Line 402: | Line 407: | ||
</ | </ | ||
- | Create a file / | + | Create a file / |
< | < | ||
Line 427: | Line 432: | ||
=== Testing === | === Testing === | ||
- | Start a tcpdump on R3-em1 and from R1 ping R5: | + | Start a tcpdump on VM3-em1 and from VM1 ping VM5: |
< | < | ||
- | [root@R3]~# tcpdump -pni em1 | + | [root@VM3]~# tcpdump -pni em1 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
Line 446: | Line 451: | ||
< | < | ||
- | [root@R1]/etc/rc.d# ping 10.0.45.5 | + | [root@VM1]/etc/rc.d# ping 10.0.45.5 |
PING 10.0.45.5 (10.0.45.5): | PING 10.0.45.5 (10.0.45.5): | ||
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms | ||
64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms | ||
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms | ||
- | [root@R1]~# ping6 2001: | + | [root@VM1]~# ping6 2001: |
PING6(56=40+8+8 bytes) 2001: | PING6(56=40+8+8 bytes) 2001: | ||
16 bytes from 2001: | 16 bytes from 2001: | ||
Line 583: | Line 588: | ||
=== Testing === | === Testing === | ||
- | Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2: | + | Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2: |
- | R3 tcpdump paquets: | + | VM3 tcpdump paquets: |
< | < | ||
- | [root@R3]~# tcpdump -pni em1 | + | [root@VM3]~# tcpdump -pni em1 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
Line 629: | Line 634: | ||
</ | </ | ||
- | Racoon log file on R2: | + | Racoon log file on VM2: |
< | < | ||
- | [root@R2]~# tail -f / | + | [root@VM2]~# tail -f / |
2013-10-26 09:28:01: INFO: 2001: | 2013-10-26 09:28:01: INFO: 2001: | ||
2013-10-26 09:28:01: INFO: 2001: | 2013-10-26 09:28:01: INFO: 2001: | ||
Line 661: | Line 666: | ||
</ | </ | ||
- | Ping result on R1: | + | Ping result on VM1: |
< | < | ||
- | [root@R1]# ping 10.0.45.5 | + | [root@VM1]# ping 10.0.45.5 |
PING 10.0.45.5 (10.0.45.5): | PING 10.0.45.5 (10.0.45.5): | ||
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms | ||
Line 670: | Line 675: | ||
64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms | 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms | ||
64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms | 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms | ||
- | [root@R1]~# ping6 2001: | + | [root@VM1]~# ping6 2001: |
PING6(56=40+8+8 bytes) 2001: | PING6(56=40+8+8 bytes) 2001: | ||
16 bytes from 2001: | 16 bytes from 2001: | ||
Line 679: | Line 684: | ||
Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. | Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. | ||
- | |||
- | Strongswan use Left (for Local) and Right (for Remote). | ||
=== Router 2 === | === Router 2 === | ||
- | Configure strongswan on R2 with: | + | Configure strongswan on VM2 with: |
- | * IKEv2 | + | * IKEv2 (version = 2) |
- | * Preshared-key | + | * Preshared-key |
- | * Disabling Mobile IP | + | * Disabling Mobile IP (mobike = no) |
- | * forcing the tunnel going UP (auto=start) | + | * forcing the tunnel going UP (start_action |
* configuring Dead-Peer-Detection at 5 seconds | * configuring Dead-Peer-Detection at 5 seconds | ||
< | < | ||
- | cat > / | + | cat > / |
- | config setup | + | connections { |
+ | net-net { | ||
+ | local_addrs = 10.0.23.2 | ||
+ | remote_addrs = 10.0.34.4 | ||
+ | local { | ||
+ | auth = psk | ||
+ | id = vm2 | ||
+ | } | ||
+ | remote { | ||
+ | auth = psk | ||
+ | id = vm4 | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | local_ts | ||
+ | remote_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | dpd_delay = 5s | ||
+ | } | ||
+ | } | ||
- | conn %default | + | secrets { |
- | authby=secret | + | ike-1 { |
- | | + | |
- | | + | |
- | | + | } |
- | | + | } |
- | + | EOF | |
- | conn R4 | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | rightsubnet=10.0.45.0/ | + | |
- | rightid=R4 | + | |
- | auto=start | + | |
- | 'EOF' | + | |
</ | </ | ||
- | Then define the password to use for the remote site: | + | Enable strongswan: |
< | < | ||
- | cat > / | + | service strongswan enable |
- | R4 R2 : PSK "This is a strong password" | + | service strongswan restart |
- | ' | + | |
</ | </ | ||
- | Enable strongswan: | + | And check if it correctly loaded its configuration: |
< | < | ||
- | sysrc strongswan_enable=YES | + | root@VM2:~ # swanctl --list-conns |
- | service strongswan restart | + | net-net: IKEv2, no reauthentication, |
+ | local: | ||
+ | remote: 10.0.34.4 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.45.0/ | ||
</ | </ | ||
=== Router 4 === | === Router 4 === | ||
- | Configure strongswan on R4 with: | + | Configure strongswan on VM4 with: |
* IKEv2 | * IKEv2 | ||
* Preshared-key | * Preshared-key | ||
* Disabling Mobile IP | * Disabling Mobile IP | ||
- | * automatic traffic detection | + | * automatic traffic detection |
* configuring Dead-Peer-Detection at 5 seconds | * configuring Dead-Peer-Detection at 5 seconds | ||
< | < | ||
- | cat > / | + | cat > / |
- | config setup | + | connections { |
+ | net-net { | ||
+ | remote_addrs = 10.0.23.2 | ||
+ | local_addrs = 10.0.34.4 | ||
+ | remote { | ||
+ | auth = psk | ||
+ | id = vm2 | ||
+ | } | ||
+ | local { | ||
+ | auth = psk | ||
+ | id = vm4 | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | remote_ts | ||
+ | local_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | dpd_delay = 5s | ||
+ | } | ||
+ | } | ||
- | conn %default | + | secrets { |
- | | + | ike-1 { |
- | | + | |
- | | + | |
- | | + | } |
- | | + | } |
- | conn R2 | + | EOF |
- | left=10.0.34.4 | + | |
- | leftsubnet=10.0.45.0/ | + | |
- | leftid=R4 | + | |
- | right=10.0.23.2 | + | |
- | rightsubnet=10.0.12.0/ | + | |
- | rightid=R2 | + | |
- | auto=route | + | |
- | 'EOF' | + | |
- | </ | + | |
- | Then define the password to use for the remote site: | ||
- | |||
- | < | ||
- | cat > / | ||
- | R4 R2 : PSK "This is a strong password" | ||
- | ' | ||
</ | </ | ||
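Review bot: the VM2 bullet "forcing the tunnel going UP (start_action" contradicts the configuration under it, which sets start_action = trap for the net-net child, the same as VM4; trap only installs a trap policy and negotiates on the first matching packet, so with both sides on trap neither peer brings the tunnel up at start. Either set the VM2 child to start_action = start (the swanctl equivalent of the old auto=start) or reword the bullet to match VM4's "automatic traffic detection". Two further points for this rewrite: proposals and esp_proposals are not set, so charon's defaults apply and pinning them would document what the lab actually negotiates; and the PSK now lives inline in swanctl.conf under secrets { ike-1 { ... } }, so the file should be mode 0600 and the old example value "This is a strong password" should not be carried over, a random value (for example from openssl rand -base64 32) is the right thing to show.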
Line 769: | Line 801: | ||
< | < | ||
- | sysrc strongswan_enable=YES | + | service strongswan enable |
service strongswan restart | service strongswan restart | ||
+ | </ | ||
+ | |||
+ | And check the status: | ||
+ | < | ||
+ | root@VM4: # swanctl --list-conns | ||
+ | net-net: IKEv2, no reauthentication, | ||
+ | local: | ||
+ | remote: 10.0.23.2 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.12.0/ | ||
+ | |||
+ | root@VM4: # grep charon / | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf | ||
+ | key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit | ||
+ | elist addrblock counters | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
</ | </ | ||
=== Testing === | === Testing === | ||
- | Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2: | + | Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2: |
- | R3 tcpdump paquets: | + | VM3 tcpdump paquets: |
< | < | ||
- | [root@R3]~# tcpdump -pni em1 | + | [root@VM3]~# tcpdump -pni em1 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
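Review bot: the Testing lead-in still says "racoon log displayed on VM2" although this section now uses strongswan; it should say charon log, or better point at swanctl --list-sas. Also, the charon log excerpt above is stamped with hostname "router" (Jul 8 12:39:44 router charon[79963]) while the prompt reads root@VM4, so it was captured before the hostname VM4 change took effect or on another machine; recapture after the rename so log and prompt agree.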
Line 801: | Line 868: | ||
</ | </ | ||
- | Log file on R2: | + | Ping result on VM1: |
- | < | + | |
- | [root@R2]~# tail -f / | + | |
- | Jun 8 00:24:28 R2 ipsec_starter[981]: | + | |
- | Jun 8 00:24:28 R2 ipsec_starter[981]: | + | |
- | Jun 8 00:24:28 R2 ipsec_starter[981]: | + | |
- | Jun 8 00:24:28 R2 ipsec_starter[984]: | + | |
- | Jun 8 00:25:26 R2 login: login on ttyu0 as root | + | |
- | Jun 8 00:25:26 R2 login: ROOT LOGIN (root) ON ttyu0 | + | |
- | Jun 8 00:34:53 R2 charon: 12[IKE] initiating IKE_SA R4[1] to 10.0.34.4 | + | |
- | Jun 8 00:34:53 R2 charon: 12[IKE] establishing CHILD_SA R4 | + | |
- | Jun 8 00:34:53 R2 charon: 12[IKE] IKE_SA R4[1] established between 10.0.23.2[R2]...10.0.34.4[R4] | + | |
- | Jun 8 00:34:53 R2 charon: 12[IKE] CHILD_SA R4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/ | + | |
- | </ | + | |
- | + | ||
- | Ping result on R1: | + | |
< | < | ||
- | [root@R1]# ping 10.0.45.5 | + | [root@VM1]# ping 10.0.45.5 |
PING 10.0.45.5 (10.0.45.5): | PING 10.0.45.5 (10.0.45.5): | ||
64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms | ||
Line 825: | Line 877: | ||
64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms | 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms | ||
64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms | 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms | ||
- | [root@R1]~# ping6 2001: | + | [root@VM1]~# ping6 2001: |
PING6(56=40+8+8 bytes) 2001: | PING6(56=40+8+8 bytes) 2001: | ||
16 bytes from 2001: | 16 bytes from 2001: | ||
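Review bot: removing the "Log file on R2" block drops the only evidence in this section that the IKE_SA and CHILD_SA actually came up (the deleted lines showed "IKE_SA R4[1] established" and "CHILD_SA R4{1} established with SPIs ... and TS 10.0.12.0/ ..."); the replacement is only a ping from VM1, which also succeeds over the plain GRE or gif setups. Add swanctl --list-sas output on VM2 after the ping so the reader can confirm the ESP SAs exist and traffic is not simply being routed around the tunnel.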
Line 838: | Line 890: | ||
< | < | ||
- | sysrc cloned_interfaces=ipsec0 | + | sysrc cloned_interfaces=ipsec0 |
- | sysrc create_args_ipsec0=" | + | |
- | sysrc ifconfig_ipsec0=" | + | |
- | sysrc ifconfig_ipsec0_ipv6=" | + | |
- | sysrc static_routes=" | + | |
- | sysrc route_tunnel4=" | + | |
- | sysrc ipv6_route_tunnel6=" | + | |
- | sysrc ipv6_static_routes=" | + | |
cat > / | cat > / | ||
flush; | flush; | ||
Line 853: | Line 905: | ||
EOF | EOF | ||
service netif restart | service netif restart | ||
- | sysrc ipsec_enable=YES | + | service ipsec enable |
service ipsec restart | service ipsec restart | ||
service routing restart | service routing restart | ||
Line 861: | Line 913: | ||
< | < | ||
- | [root@R2]~# setkey -DP | + | [root@VM2]~# setkey -DP |
0.0.0.0/ | 0.0.0.0/ | ||
in ipsec | in ipsec | ||
Line 882: | Line 934: | ||
spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0 | spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0 | ||
refcnt=1 | refcnt=1 | ||
- | [root@R2]~# setkey -D | + | [root@VM2]~# setkey -D |
10.0.34.4 10.0.23.2 | 10.0.34.4 10.0.23.2 | ||
esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064) | esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064) | ||
Line 903: | Line 955: | ||
allocated: 2 hard: 0 soft: 0 | allocated: 2 hard: 0 soft: 0 | ||
sadb_seq=0 pid=1649 refcnt=1 | sadb_seq=0 pid=1649 refcnt=1 | ||
- | [root@R2]~# ifconfig ipsec0 | + | [root@VM2]~# ifconfig ipsec0 |
ipsec0: flags=8051< | ipsec0: flags=8051< | ||
tunnel inet 10.0.23.2 --> 10.0.34.4 | tunnel inet 10.0.23.2 --> 10.0.34.4 | ||
Line 917: | Line 969: | ||
< | < | ||
- | sysrc cloned_interfaces=ipsec0 | + | sysrc cloned_interfaces=ipsec0 |
- | sysrc create_args_ipsec0=" | + | |
- | sysrc ifconfig_ipsec0=" | + | |
- | sysrc ifconfig_ipsec0_ipv6=" | + | |
- | sysrc static_routes=" | + | |
- | sysrc route_tunnel4=" | + | |
- | sysrc ipv6_route_tunnel6=" | + | |
- | sysrc ipv6_static_routes=" | + | |
cat > / | cat > / | ||
flush; | flush; | ||
Line 932: | Line 984: | ||
EOF | EOF | ||
service netif restart | service netif restart | ||
- | sysrc ipsec_enable=YES | + | service ipsec enable |
service ipsec restart | service ipsec restart | ||
service routing restart | service routing restart | ||
Line 940: | Line 992: | ||
< | < | ||
- | [root@R1]~# ping -c 3 10.0.45.5 | + | [root@VM1]~# ping -c 3 10.0.45.5 |
PING 10.0.45.5 (10.0.45.5): | PING 10.0.45.5 (10.0.45.5): | ||
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms | ||
Line 949: | Line 1001: | ||
3 packets transmitted, | 3 packets transmitted, | ||
round-trip min/ | round-trip min/ | ||
- | [root@R1]~# ping6 -c3 2001: | + | [root@VM1]~# ping6 -c3 2001: |
PING6(56=40+8+8 bytes) 2001: | PING6(56=40+8+8 bytes) 2001: | ||
16 bytes from 2001: | 16 bytes from 2001: | ||
Line 964: | Line 1016: | ||
==== CA and certificates generation ==== | ==== CA and certificates generation ==== | ||
- | All these step will be done on R2 (OpenVPN server) | + | All these step will be done on VM2 (OpenVPN server) |
Start by copying easyrsa3 configuration folder and define new configuration file: | Start by copying easyrsa3 configuration folder and define new configuration file: | ||
Line 970: | Line 1022: | ||
cp -r / | cp -r / | ||
setenv EASYRSA / | setenv EASYRSA / | ||
+ | setenv EASYRSA_PKI $EASYRSA/ | ||
</ | </ | ||
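Review bot: setenv EASYRSA and the new setenv EASYRSA_PKI are csh builtins; in sh, the default root shell since FreeBSD 14.0, they fail with "setenv: not found" and easyrsa then looks for its PKI in its default location, which is confusing two steps later. Give the sh form as well (export EASYRSA=...; export EASYRSA_PKI=$EASYRSA/...) or pass --pki-dir= to easyrsa directly.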
Line 980: | Line 1033: | ||
Build a root certificate: | Build a root certificate: | ||
< | < | ||
- | [root@R2]~# easyrsa build-ca nopass | + | [root@VM2]~# easyrsa build-ca nopass |
Note: using Easy-RSA configuration from: / | Note: using Easy-RSA configuration from: / | ||
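Review bot: easyrsa build-ca nopass leaves the CA private key unencrypted, and the preceding sentence says everything in this section runs on VM2, the OpenVPN server itself. That is fine for a lab, but a sentence should say that in a real deployment the CA and its key live off the VPN server, since whoever gets the server can then mint client certificates; at minimum drop nopass so the CA key is passphrase-protected.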
Line 1003: | Line 1056: | ||
</ | </ | ||
- | Make a server certificate called | + | Make a server certificate called |
< | < | ||
- | easyrsa build-server-full | + | easyrsa build-server-full |
- | easyrsa build-client-full | + | easyrsa build-client-full |
</ | </ | ||
- | ==== R2: OpenVPN server | + | ==== Standard userland mode (slow) ==== |
+ | |||
+ | === VM2: OpenVPN server === | ||
Create the openvpn configuration file for server mode as / | Create the openvpn configuration file for server mode as / | ||
Line 1018: | Line 1073: | ||
tun-ipv6 | tun-ipv6 | ||
ca / | ca / | ||
- | cert / | + | cert / |
- | key / | + | key / |
dh / | dh / | ||
server 10.0.24.0 255.255.255.0 | server 10.0.24.0 255.255.255.0 | ||
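Review bot: tun-ipv6 in the server configuration is a no-op since OpenVPN 2.4 (IPv6 on tun is always enabled) and can be dropped. The lines visible here set ca, cert, key, dh and server 10.0.24.0 255.255.255.0 but nothing in this hunk protects the control channel; if the full file does not already contain tls-crypt (or tls-auth) and remote-cert-tls client, add them so an unauthenticated peer cannot even start a TLS handshake with the server and a client certificate cannot be reused as a server one.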
Line 1032: | Line 1087: | ||
</ | </ | ||
- | Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client | + | Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client |
< | < | ||
mkdir / | mkdir / | ||
- | cat > / | + | cat > / |
iroute 10.0.45.0 255.255.255.0 | iroute 10.0.45.0 255.255.255.0 | ||
iroute-ipv6 2001: | iroute-ipv6 2001: | ||
Line 1043: | Line 1098: | ||
Enable and start openvpn and sshd (we will get certificates files by SCP later): | Enable and start openvpn and sshd (we will get certificates files by SCP later): | ||
< | < | ||
- | sysrc sshd_enable=YES | + | service sshd enable |
- | sysrc openvpn_enable=YES | + | service openvpn enable |
service openvpn start | service openvpn start | ||
service sshd start | service sshd start | ||
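Review bot: the client key pair is generated on the server and fetched over scp after passwd sets a root password and sshd is enabled, so the server (which is also the CA here) holds every client's private key and root password login over SSH is opened just for the transfer. The easy-rsa way is to generate the key on the client (easyrsa gen-req NAME nopass), copy only the .req to VM2, and sign it there (easyrsa import-req ... NAME; easyrsa sign-req client NAME) so private keys never leave the machine that uses them; worth a sentence even if the lab keeps the shortcut.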
Line 1053: | Line 1108: | ||
passwd | passwd | ||
</ | </ | ||
- | ==== R4: OpenVPN client ==== | ||
- | As OpenVPN | + | Now Generate |
- | * ca.crt | + | |
- | * R4.crt | + | |
- | * R4.key | + | |
- | On this lab, scp can be used for getting these files: | ||
< | < | ||
- | mkdir / | + | cat > / |
- | scp 10.0.23.2:/ | + | client |
- | scp 10.0.23.2:/ | + | dev tun |
- | scp 10.0.23.2:/ | + | remote |
+ | < | ||
+ | EOF | ||
+ | cat / | ||
+ | echo '</ | ||
+ | echo '< | ||
+ | cat / | ||
+ | echo '</ | ||
+ | echo '< | ||
+ | cat / | ||
+ | echo '</ | ||
</ | </ | ||
- | Configure openvpn as a client: | + | === VM4: OpenVPN client === |
+ | As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in / | ||
+ | |||
+ | On this lab, scp can be used for getting these files: | ||
< | < | ||
- | cat > / | + | mkdir / |
- | client | + | scp 10.0.23.2:/ |
- | dev tun | + | |
- | remote | + | |
- | ca ca.crt | + | |
- | cert R4.crt | + | |
- | key R4.key | + | |
- | ' | + | |
</ | </ | ||
Enable and start openvpn: | Enable and start openvpn: | ||
< | < | ||
- | sysrc openvpn_enable=YES | + | service openvpn enable |
service openvpn start | service openvpn start | ||
</ | </ | ||
- | ==== Testing ==== | ||
- | Pinging | + | === Testing === |
+ | |||
+ | Pinging | ||
< | < | ||
- | [root@R1]~# ping6 2001: | + | [root@VM1]~# ping6 2001: |
PING6(56=40+8+8 bytes) 2001: | PING6(56=40+8+8 bytes) 2001: | ||
16 bytes from 2001: | 16 bytes from 2001: | ||
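Review bot: the generated .ovpn now embeds the client certificate and private key inline (<cert> and <key> blocks), so the file is a credential: create it with a restrictive umask or chmod 600 on VM2, keep 600 on VM4 after the scp, and mention that the first scp to 10.0.23.2 accepts an unverified host key. Minor: cat of an easy-rsa .crt includes the human-readable certificate dump before the PEM block; OpenVPN tolerates it, but passing the file through openssl x509 -in ... -out ... keeps only the PEM and makes the inline block readable.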
Line 1100: | Line 1158: | ||
round-trip min/ | round-trip min/ | ||
- | [root@R1]~# ping 10.0.45.5 | + | [root@VM1]~# ping 10.0.45.5 |
PING 10.0.45.5 (10.0.45.5): | PING 10.0.45.5 (10.0.45.5): | ||
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms | ||
Line 1111: | Line 1169: | ||
</ | </ | ||
- | OpenVPN log file on R2: | + | OpenVPN log file on VM2: |
< | < | ||
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
</ | </ | ||
- | OpenVPN log file on R4: | + | OpenVPN log file on VM4: |
< | < | ||
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
- | Oct 26 16: | + | Oct 26 16: |
</ | </ | ||
- | Tcpdump on R3: | + | Tcpdump on VM3: |
< | < | ||
- | [root@R3]~# tcpdump -pni em1 | + | [root@VM3]~# tcpdump -pni em1 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
Line 1159: | Line 1217: | ||
16: | 16: | ||
16: | 16: | ||
+ | </ | ||
+ | |||
+ | ==== Data Channel Offload (DCO), kernel mode (fast) ==== | ||
+ | |||
+ | Start with a working userland configuration, | ||
+ | * Need to load if_ovpn module on both side | ||
+ | * Need to enable subnet topology on the server side | ||
+ | |||
+ | === VM2: OpenVPN server === | ||
+ | |||
+ | < | ||
+ | service openvpn stop | ||
+ | sysrc kld_list=" | ||
+ | kldload if_ovpn | ||
+ | echo " | ||
+ | service openvpn start | ||
+ | </ | ||
+ | |||
+ | === VM4: OpenVPN client === | ||
+ | |||
+ | < | ||
+ | service openvpn stop | ||
+ | sysrc kld_list=" | ||
+ | kldload if_ovpn | ||
+ | service openvpn start | ||
+ | </ | ||
+ | |||
+ | === Testing === | ||
+ | |||
+ | Pinging VM5 from VM1: | ||
+ | < | ||
+ | root@VM1:~ # ping -c 2 10.0.45.5 | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=1.700 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.629 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | root@VM1:~ # ping -c 2 2001: | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM2 (error installing route are due to DCO restriction): | ||
+ | < | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM4: | ||
+ | < | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | </ | ||
+ | |||
+ | ===== Wireguard ===== | ||
+ | |||
+ | On current (14.0) needs only wireguard-tools (kernel module included), on older (12 or 13) needs wireguard-kmod. | ||
+ | ==== Key pairs generation on VM2 and VM4 ==== | ||
+ | |||
+ | The first step is to generate a couple of private and public keys on each wireguard endpoint. | ||
+ | |||
+ | The standard way of generating keys is using this command: | ||
+ | |||
+ | < | ||
+ | cd / | ||
+ | wg genkey > private | ||
+ | chmod 600 private | ||
+ | wg pubkey < private > public | ||
+ | </ | ||
+ | |||
+ | But on this example, we will use static keys as example. | ||
+ | ==== Router 2 ==== | ||
+ | |||
+ | Write example-only static and public key, on real-life, used the one generated by wg. | ||
+ | |||
+ | < | ||
+ | echo " | ||
+ | echo " | ||
+ | cat > / | ||
+ | [Interface] | ||
+ | PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38= | ||
+ | ListenPort = 51820 | ||
+ | |||
+ | [Peer] | ||
+ | PublicKey = o267Qf43WlVTawLq/ | ||
+ | AllowedIPs = 10.0.45.0/ | ||
+ | Endpoint = 10.0.34.4: | ||
+ | EOF | ||
+ | |||
+ | sysrc wireguard_interfaces=wg0 | ||
+ | service wireguard enable | ||
+ | service wireguard start | ||
+ | </ | ||
+ | |||
+ | ==== Router 4 ==== | ||
+ | |||
+ | Generate example-only router 4 wg keys, and declare 2 public key. | ||
+ | |||
+ | < | ||
+ | echo " | ||
+ | echo " | ||
+ | cat > / | ||
+ | [Interface] | ||
+ | PrivateKey = 4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE= | ||
+ | ListenPort = 51820 | ||
+ | |||
+ | [Peer] | ||
+ | PublicKey = z9wBhxr/ | ||
+ | AllowedIPs = 10.0.12.0/ | ||
+ | Endpoint = 10.0.23.2: | ||
+ | EOF | ||
+ | |||
+ | sysrc wireguard_interfaces=wg0 | ||
+ | service wireguard enable | ||
+ | service wireguard start | ||
+ | </ | ||
+ | |||
+ | ==== Testing ==== | ||
+ | |||
+ | Pinging VM5 from VM1: | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | |||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | Are we using the kernel module? | ||
+ | < | ||
+ | root@VM2:~ # kldstat -v -n if_wg.ko | ||
+ | Id Refs Address | ||
+ | | ||
+ | Contains modules: | ||
+ | Id Name | ||
+ | 473 wg | ||
+ | </ | ||
+ | |||
+ | Displaying wg status on VM2: | ||
+ | < | ||
+ | root@VM2:~ # ifconfig wg0 | ||
+ | wg0: flags=80c1< | ||
+ | options=80000< | ||
+ | groups: wg | ||
+ | nd6 options=101< | ||
+ | root@VM2:~ # netstat -rn | grep " | ||
+ | Destination | ||
+ | 10.0.45.0/ | ||
+ | Destination | ||
+ | 2001: | ||
+ | root@VM2:~ # wg show | ||
+ | interface: wg0 | ||
+ | public key: z9wBhxr/ | ||
+ | private key: (hidden) | ||
+ | listening port: 51820 | ||
+ | |||
+ | peer: o267Qf43WlVTawLq/ | ||
+ | endpoint: 10.0.34.4: | ||
+ | allowed ips: 2001: | ||
+ | latest handshake: 32 seconds ago | ||
+ | transfer: 356 B received, 436 B sent | ||
</ | </ |
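Review bot: the WireGuard section writes two private keys in plain text (PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38= on VM2 and PrivateKey = 4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE= on VM4); the hunk calls them example-only, but anyone who copy-pastes the block deploys keys that are now public, and nothing stops a third party who has them from impersonating either peer. Prefer building wg0.conf from wg genkey / wg pubkey at configuration time (those commands are already in the hunk) and quote only the resulting public keys in the page output. Two smaller points: the DCO step says the route errors are "due to DCO restriction" without naming it; state the prerequisites (OpenVPN 2.6 with the if_ovpn(4) driver, available in FreeBSD 14.0, plus topology subnet on the server, as the bullet list already hints) and what the errors mean, so readers do not take a working setup for a broken one. And wg0.conf has no Address line, so wg0 stays unnumbered (the ifconfig wg0 output shows no inet address); that works for traffic forwarded between VM1 and VM5 because the routes are installed via wg0, but say so, since a test run from VM2 itself would not source from the tunnel.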
documentation/examples/gre_ipsec_and_openvpn.txt · Last modified: 2023/07/10 12:40 by olivier