documentation:examples:gre_ipsec_and_openvpn
Revision of 2023/07/10 12:40 (current), section [Router 4], by olivier
+ | ====== VPN with GRE, GIF, IPSec, OpenVPN and Wireguard ====== | ||
+ | This lab shows some VPN examples with BSDRP 1.991. | ||
+ | |||
+ | ===== Presentation ===== | ||
+ | |||
+ | ==== Network diagram ==== | ||
+ | |||
+ | Lab build following [[documentation: | ||
+ | |||
+ | Here is the logical and physical view: | ||
+ | |||
+ | {{: | ||
+ | |||
==== Download Lab scripts ====
+ | |||
+ | More information on these BSDRP lab scripts available on [[documentation: | ||
+ | |||
Start the lab with 5 full-meshed routers.
An example with bhyve under FreeBSD:
+ | |||
+ | < | ||
+ | root@host:~ # / | ||
+ | vmm module not loaded. Loading it... | ||
+ | nmdm module not loaded. Loading it... | ||
+ | if_tap module not loaded. Loading it... | ||
+ | BSD Router Project (http:// | ||
+ | Setting-up a virtual lab with 5 VM(s): | ||
+ | - Working directory: /tmp/BSDRP | ||
+ | - Each VM have 1 core(s) and 256M RAM | ||
+ | - Emulated NIC: virtio-net | ||
+ | - Switch mode: bridge + tap | ||
+ | - 0 LAN(s) between all VM | ||
+ | - Full mesh Ethernet links between each VM | ||
+ | VM 1 have the following NIC: | ||
+ | - vtnet0 connected to VM 2 | ||
+ | - vtnet1 connected to VM 3 | ||
+ | - vtnet2 connected to VM 4 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | VM 2 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 3 | ||
+ | - vtnet2 connected to VM 4 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | VM 3 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 2 | ||
+ | - vtnet2 connected to VM 4 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | VM 4 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 2 | ||
+ | - vtnet2 connected to VM 3 | ||
+ | - vtnet3 connected to VM 5 | ||
+ | VM 5 have the following NIC: | ||
+ | - vtnet0 connected to VM 1 | ||
+ | - vtnet1 connected to VM 2 | ||
+ | - vtnet2 connected to VM 3 | ||
+ | - vtnet3 connected to VM 4 | ||
+ | For connecting to VM' | ||
+ | - VM 1 : cu -l /dev/nmdm1B | ||
+ | - VM 2 : cu -l /dev/nmdm2B | ||
+ | - VM 3 : cu -l /dev/nmdm3B | ||
+ | - VM 4 : cu -l /dev/nmdm4B | ||
+ | - VM 5 : cu -l /dev/nmdm5B | ||
+ | </ | ||
+ | ===== Base routers configuration ===== | ||
+ | |||
+ | Router 1 and Router 5 as a simple workstation, | ||
+ | |||
All these routers can be pre-configured with the labconfig tool (use it only in a lab, because it replaces your current running configuration):
+ | < | ||
+ | labconfig vpn_vm[VM-NUMBER] | ||
+ | </ | ||
+ | |||
+ | ==== Router 1 ==== | ||
+ | |||
+ | Router 1 is configured as a simple workstation. | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM1 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ifconfig -l | grep -q vtnet && sed -i "" | ||
+ | hostname VM1 | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== Router 2 ==== | ||
+ | |||
+ | Router 2 base configuration: | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM2 \ | ||
+ | ifconfig_em0=" | ||
+ | ifconfig_em0_ipv6=" | ||
+ | ifconfig_em1=" | ||
+ | ifconfig_em1_ipv6=" | ||
+ | defaultrouter=" | ||
+ | ipv6_defaultrouter=" | ||
+ | ifconfig -l | grep -q vtnet && sed -i "" | ||
+ | hostname VM2 | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== Router 3 ==== | ||
+ | |||
Router 3 is configured as a simple router with connected interfaces only.
+ | |||
+ | < | ||
+ | sysrc hostname=VM3 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ifconfig -l | grep -q vtnet && sed -i "" | ||
+ | hostname VM3 | ||
+ | service netif restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== Router 4 ==== | ||
+ | |||
+ | Router 4 base configuration, | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM4 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ifconfig -l | grep -q vtnet && sed -i "" | ||
+ | hostname VM4 | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== Router 5 ==== | ||
+ | |||
+ | Router 5 has the same workstation mode configuration as VM1. | ||
+ | |||
+ | < | ||
+ | sysrc hostname=VM5 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ifconfig -l | grep -q vtnet && sed -i "" | ||
+ | hostname VM5 | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ===== GRE Tunnel ===== | ||
+ | |||
The first example uses a simple GRE tunnel.
+ | |||
+ | FreeBSD [[http:// | ||
+ | ==== Router 2 ==== | ||
+ | |||
Create one GRE tunnel with IPv4 end-points.
+ | |||
+ | === Modify configuration === | ||
+ | |||
Here are the parameters to add:
+ | < | ||
+ | sysrc cloned_interfaces=gre0 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== Router 4 ==== | ||
+ | |||
+ | Configure the GRE tunnel using VM2 IPv4 as end-point. | ||
+ | |||
+ | === Modify configuration === | ||
+ | |||
Here are the parameters to add:
+ | < | ||
+ | sysrc cloned_interfaces=gre0 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== Testing ==== | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.019 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.357 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | ===== GIF tunnels ===== | ||
+ | |||
This example differs a little from the GRE one: because gif supports IPv6 end-points, we will set up two gif tunnels:
  * the first with IPv4 end-points, tunnelling IPv4 traffic;
  * the second with IPv6 end-points, tunnelling IPv6 traffic.
+ | |||
+ | ==== Router 2 ==== | ||
+ | |||
+ | Create the gif tunnels. | ||
+ | |||
If you still have the GRE configuration from the GRE example, remove it first.
+ | |||
+ | < | ||
+ | sysrc cloned_interfaces=" | ||
+ | sysrc ifconfig_gif0=" | ||
+ | sysrc ifconfig_gif1_ipv6=" | ||
+ | sysrc static_routes=" | ||
+ | sysrc route_tunnel4=" | ||
+ | sysrc ipv6_route_tunnel6=" | ||
+ | sysrc ipv6_static_routes=" | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | |||
+ | Take care of avoiding fragmentation, | ||
+ | < | ||
+ | set skip on lo0 | ||
+ | scrub on gif1 inet all max-mss 1200 | ||
+ | scrub on gif1 inet6 all max-mss 1180 | ||
+ | pass | ||
+ | </ | ||
+ | ==== Router 4 ==== | ||
+ | |||
Configure the two gif tunnels using VM2's addresses as end-points.
+ | |||
+ | < | ||
+ | sysrc cloned_interfaces=" | ||
+ | sysrc ifconfig_gif0=" | ||
+ | sysrc ifconfig_gif1_ipv6=" | ||
+ | sysrc static_routes=" | ||
+ | sysrc route_tunnel4=" | ||
+ | sysrc ipv6_route_tunnel6=" | ||
+ | sysrc ipv6_static_routes=" | ||
+ | service netif restart | ||
+ | service routing restart | ||
+ | config save | ||
+ | </ | ||
+ | ==== Testing ==== | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.019 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.357 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | ===== IPSec ===== | ||
+ | |||
If you still have the GRE/GIF configuration from the previous examples, remove it.
+ | |||
These two examples use native IPsec tunnel mode: if you need to run a routing protocol over the IPsec tunnels, use an IPsec VTI interface instead.
+ | |||
+ | ==== Tunnel without IKE ==== | ||
+ | |||
A first simple example with a manually configured Security Policy Database (SPD) and Security Association Database (SAD).
+ | |||
+ | === Router 2 === | ||
+ | |||
+ | Create a file / | ||
+ | < | ||
+ | cat > / | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 10.0.12.0/ | ||
+ | spdadd 10.0.45.0/ | ||
+ | add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 " | ||
+ | add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 " | ||
+ | spdadd 2001: | ||
+ | spdadd 2001: | ||
+ | add 2001: | ||
+ | add 2001: | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enable and reload IPsec SA/SP: | ||
+ | < | ||
+ | sysrc ipsec_enable=YES | ||
+ | service ipsec restart | ||
+ | </ | ||
+ | |||
+ | And check it: | ||
+ | < | ||
+ | [root@VM2]~# | ||
+ | 10.0.45.0/ | ||
+ | in ipsec | ||
+ | esp/ | ||
+ | spid=2 seq=3 pid=66654 scope=global | ||
+ | refcnt=1 | ||
+ | 2001: | ||
+ | in ipsec | ||
+ | esp/ | ||
+ | spid=4 seq=2 pid=66654 scope=global | ||
+ | refcnt=1 | ||
+ | 10.0.12.0/ | ||
+ | out ipsec | ||
+ | esp/ | ||
+ | spid=1 seq=1 pid=66654 scope=global | ||
+ | refcnt=1 | ||
+ | 2001: | ||
+ | out ipsec | ||
+ | esp/ | ||
+ | spid=3 seq=0 pid=66654 scope=global | ||
+ | refcnt=1 | ||
+ | [root@VM2]~# | ||
+ | 2001: | ||
+ | esp mode=any spi=4099(0x00001003) reqid=0(0x00000000) | ||
+ | E: aes-gcm-16 | ||
+ | seq=0x00000000 replay=0 flags=0x00000040 state=mature | ||
+ | created: Oct 30 09:52:57 2017 | ||
+ | diff: 80(s) hard: 0(s) soft: 0(s) | ||
+ | last: hard: 0(s) soft: 0(s) | ||
+ | current: 0(bytes) | ||
+ | allocated: 0 hard: 0 soft: 0 | ||
+ | sadb_seq=3 pid=67845 refcnt=1 | ||
+ | 2001: | ||
+ | esp mode=any spi=4098(0x00001002) reqid=0(0x00000000) | ||
+ | E: aes-gcm-16 | ||
+ | seq=0x00000000 replay=0 flags=0x00000040 state=mature | ||
+ | created: Oct 30 09:52:57 2017 | ||
+ | diff: 80(s) hard: 0(s) soft: 0(s) | ||
+ | last: hard: 0(s) soft: 0(s) | ||
+ | current: 0(bytes) | ||
+ | allocated: 0 hard: 0 soft: 0 | ||
+ | sadb_seq=2 pid=67845 refcnt=1 | ||
+ | 10.0.34.4 10.0.23.2 | ||
+ | esp mode=any spi=4097(0x00001001) reqid=0(0x00000000) | ||
+ | E: aes-gcm-16 | ||
+ | seq=0x00000000 replay=0 flags=0x00000040 state=mature | ||
+ | created: Oct 30 09:52:57 2017 | ||
+ | diff: 80(s) hard: 0(s) soft: 0(s) | ||
+ | last: hard: 0(s) soft: 0(s) | ||
+ | current: 0(bytes) | ||
+ | allocated: 0 hard: 0 soft: 0 | ||
+ | sadb_seq=1 pid=67845 refcnt=1 | ||
+ | 10.0.23.2 10.0.34.4 | ||
+ | esp mode=any spi=4096(0x00001000) reqid=0(0x00000000) | ||
+ | E: aes-gcm-16 | ||
+ | seq=0x00000000 replay=0 flags=0x00000040 state=mature | ||
+ | created: Oct 30 09:52:57 2017 | ||
+ | diff: 80(s) hard: 0(s) soft: 0(s) | ||
+ | last: hard: 0(s) soft: 0(s) | ||
+ | current: 0(bytes) | ||
+ | allocated: 0 hard: 0 soft: 0 | ||
+ | sadb_seq=0 pid=67845 refcnt=1 | ||
+ | </ | ||
+ | === Router 4 === | ||
+ | |||
+ | Same for the other side. | ||
+ | |||
Only if the BSDRP version is older than 1.59, disable ip.fastforwarding by editing /
+ | < | ||
+ | sed -i "" | ||
+ | sysctl net.inet.ip.fastforwarding=0 | ||
+ | </ | ||
+ | |||
+ | Create a file / | ||
+ | |||
+ | < | ||
+ | cat > / | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 10.0.12.0/ | ||
+ | spdadd 10.0.45.0/ | ||
+ | add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 " | ||
+ | add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 " | ||
+ | spdadd 2001: | ||
+ | spdadd 2001: | ||
+ | add 2001: | ||
+ | add 2001: | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enable and reload IPsec SA/SP: | ||
+ | < | ||
+ | sysrc ipsec_enable=YES | ||
+ | service ipsec restart | ||
+ | </ | ||
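The two setkey files must mirror each other exactly, and setkey loads a file whose policies and SAs disagree without complaint. The script below is an added example, not part of the BSDRP lab: it parses setkey-style spdadd/add statements (including the -m tunnel -u reqid form used later for VTI) and reports the mismatches. Its sample files are constructed from this lab's addressing, assume /24 subnets, and use placeholder keys.

```python
"""Consistency checks for a setkey(8) SPD/SAD file like the ones in this lab.

Added example, not part of the BSDRP page. Reports what silently breaks a manually
keyed tunnel: a tunnel policy with no SA in its direction, a policy without its
mirrored in/out twin, a duplicate SPI per destination, an SA that no policy selects
(and no VTI reqid), and an aes-gcm-16 key of the wrong length or typed as ASCII.
"""
import shlex

# setkey wants the AES key (128/192/256 bit) plus the 32-bit GCM salt.
GCM_KEY_BYTES = {"aes-gcm-16": (20, 28, 36)}


def _key_len(token):
    """Key length in bytes: ``0x...`` is hex, anything else was a quoted string."""
    return (len(token) - 2) // 2 if token.startswith("0x") else len(token)


def parse_setkey(text):
    """Return (policies, sas) parsed from setkey configuration text."""
    policies, sas = [], []
    for stmt in text.split(";"):
        words = shlex.split(stmt)  # strips the quotes around "..." keys
        if not words or words[0] in ("flush", "spdflush"):
            continue
        if words[0] == "spdadd":
            # spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/TSRC-TDST/LEVEL
            proto, mode, endpoints, _level = words[-1].split("/")
            tsrc, tdst = endpoints.split("-") if "-" in endpoints else ("", "")
            policies.append(dict(src=words[1], dst=words[2], proto=proto, mode=mode,
                                 dir=words[words.index("-P") + 1], tsrc=tsrc, tdst=tdst))
        elif words[0] == "add":
            # add SRC DST PROTO SPI [-m MODE] [-u REQID] -E ALG KEY [-A ALG KEY]
            sa = dict(src=words[1], dst=words[2], proto=words[3], spi=int(words[4], 0),
                      mode="any", reqid=None, enc=None, key=None)
            i = 5
            while i < len(words):
                if words[i] == "-m":
                    sa["mode"], i = words[i + 1], i + 2
                elif words[i] == "-u":
                    sa["reqid"], i = int(words[i + 1]), i + 2
                elif words[i] == "-E":
                    sa["enc"], sa["key"], i = words[i + 1], words[i + 2], i + 3
                else:
                    i += 3 if words[i] == "-A" else 1  # -A ALG KEY is not checked here
            sas.append(sa)
    return policies, sas


def check_setkey(text):
    """Return a sorted list of findings; an empty list means the file is consistent."""
    policies, sas = parse_setkey(text)
    findings = set()
    sa_keys = {(s["src"], s["dst"], s["proto"]) for s in sas}
    pol_keys = {(p["src"], p["dst"], p["dir"], p["tsrc"], p["tdst"]) for p in policies}
    tunnels = {(p["tsrc"], p["tdst"], p["proto"]) for p in policies}
    for p in policies:
        tag = "policy %s->%s (%s)" % (p["src"], p["dst"], p["dir"])
        if p["mode"] == "tunnel" and (p["tsrc"], p["tdst"], p["proto"]) not in sa_keys:
            findings.add("%s: no %s SA from %s to %s" % (tag, p["proto"], p["tsrc"], p["tdst"]))
        mirror = "in" if p["dir"] == "out" else "out"
        if (p["dst"], p["src"], mirror, p["tdst"], p["tsrc"]) not in pol_keys:
            findings.add("%s: no mirrored %s policy" % (tag, mirror))
    seen_spi = set()
    for s in sas:
        tag = "SA %s->%s" % (s["src"], s["dst"])
        if (s["dst"], s["proto"], s["spi"]) in seen_spi:
            findings.add("%s: SPI 0x%x already used for this destination" % (tag, s["spi"]))
        seen_spi.add((s["dst"], s["proto"], s["spi"]))
        if s["enc"] in GCM_KEY_BYTES:
            if _key_len(s["key"]) not in GCM_KEY_BYTES[s["enc"]]:
                findings.add("%s: %s key is %d bytes, expected one of %s"
                             % (tag, s["enc"], _key_len(s["key"]), GCM_KEY_BYTES[s["enc"]]))
            if not s["key"].startswith("0x"):
                findings.add("%s: ASCII key; use 0x hex bytes from /dev/random" % tag)
        # Manual SAs never rekey, so an unselected SA is a silent leftover; VTI SAs are bound by reqid (-u).
        if (s["src"], s["dst"], s["proto"]) not in tunnels and s["reqid"] is None:
            findings.add("%s: no policy selects it and no reqid (-u)" % tag)
    return sorted(findings)


# Constructed after the VM2 file of this section (subnets assumed /24, placeholder keys).
GOOD = """
flush; spdflush;
spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec esp/tunnel/10.0.23.2-10.0.34.4/require;
spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec esp/tunnel/10.0.34.4-10.0.23.2/require;
add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 0x000102030405060708090a0b0c0d0e0f10111213;
add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 0x202122232425262728292a2b2c2d2e2f30313233;
"""
# Same file with typical mistakes: missing "in" policy, short ASCII key, SPI reused.
BAD = """
flush; spdflush;
spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec esp/tunnel/10.0.23.2-10.0.34.4/require;
add 10.0.23.2 10.0.34.4 esp 0x1000 -E aes-gcm-16 "tooshort";
add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 0x202122232425262728292a2b2c2d2e2f30313233;
add 10.0.34.4 10.0.23.2 esp 0x1001 -E aes-gcm-16 0x404142434445464748494a4b4c4d4e4f50515253;
"""

if __name__ == "__main__":
    for finding in check_setkey(BAD):
        print(finding)
```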
+ | |||
+ | === Testing === | ||
+ | |||
+ | Start a tcpdump on VM3-em1 and from VM1 ping VM5: | ||
+ | |||
+ | < | ||
+ | [root@VM3]~# | ||
+ | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
+ | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 10: | ||
+ | 10: | ||
+ | 10: | ||
+ | 10: | ||
+ | 10: | ||
+ | 10: | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | [root@VM1]/ | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | </ | ||
+ | ==== Tunnel with IKE v1 (racoon) ==== | ||
+ | |||
Using IKE, the SP is still manually configured, but the SA is negotiated by racoon.
+ | |||
+ | === Router 2 === | ||
+ | |||
+ | Configure the IPSec Security Policy (SP) rules: | ||
+ | < | ||
+ | cat > / | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 10.0.12.0/ | ||
+ | spdadd 10.0.45.0/ | ||
+ | spdadd 2001: | ||
+ | spdadd 2001: | ||
+ | ' | ||
+ | </ | ||
+ | |||
Then define the password to use for the remote site and protect this password file (racoon refuses to use it if its permissions are not strict):
+ | |||
+ | < | ||
+ | cat > / | ||
+ | 10.0.34.4 verylongpassword | ||
+ | 2001: | ||
+ | ' | ||
+ | chmod 600 / | ||
+ | </ | ||
+ | |||
+ | And define the racoon configuration file: | ||
+ | |||
+ | < | ||
+ | cat > / | ||
+ | path pre_shared_key | ||
+ | remote anonymous | ||
+ | { | ||
+ | exchange_mode | ||
+ | proposal { | ||
+ | encryption_algorithm | ||
+ | hash_algorithm | ||
+ | authentication_method | ||
+ | dh_group | ||
+ | } | ||
+ | } | ||
+ | |||
+ | sainfo anonymous | ||
+ | { | ||
+ | encryption_algorithm | ||
+ | authentication_algorithm | ||
+ | compression_algorithm | ||
+ | } | ||
+ | ' | ||
+ | </ | ||
+ | |||
Enable the ipsec and racoon services:
+ | |||
+ | < | ||
+ | sysrc ipsec_enable=YES | ||
+ | sysrc ipsec_file="/ | ||
+ | sysrc racoon_enable=" | ||
+ | sysrc racoon_flags=" | ||
+ | service ipsec restart | ||
+ | service racoon restart | ||
+ | </ | ||
+ | |||
+ | === Router 4 === | ||
+ | |||
+ | Configure the IPSec Security Policy (SP) rules: | ||
+ | < | ||
+ | cat > / | ||
+ | flush; | ||
+ | spdflush; | ||
+ | spdadd 10.0.45.0/ | ||
+ | spdadd 10.0.12.0/ | ||
+ | spdadd 2001: | ||
+ | spdadd 2001: | ||
+ | ' | ||
+ | </ | ||
+ | |||
Then define the password to use for the remote site and protect this password file (racoon refuses to use it if its permissions are not strict):
+ | |||
+ | < | ||
+ | cat > / | ||
+ | 10.0.23.2 verylongpassword | ||
+ | 2001: | ||
+ | ' | ||
+ | chmod 600 / | ||
+ | </ | ||
+ | |||
+ | And the racoon configuration file: | ||
+ | |||
+ | < | ||
+ | cat > / | ||
+ | path pre_shared_key | ||
+ | remote anonymous | ||
+ | { | ||
+ | exchange_mode | ||
+ | proposal { | ||
+ | encryption_algorithm | ||
+ | hash_algorithm | ||
+ | authentication_method | ||
+ | dh_group | ||
+ | } | ||
+ | } | ||
+ | |||
+ | sainfo anonymous | ||
+ | { | ||
+ | encryption_algorithm | ||
+ | authentication_algorithm | ||
+ | compression_algorithm | ||
+ | } | ||
+ | ' | ||
+ | </ | ||
+ | |||
+ | Then enable and start the services: | ||
+ | < | ||
+ | sysrc ipsec_enable=YES | ||
+ | sysrc ipsec_file="/ | ||
+ | sysrc racoon_enable=YES | ||
+ | sysrc racoon_flags=" | ||
+ | service ipsec restart | ||
+ | service racoon restart | ||
+ | </ | ||
+ | |||
+ | === Testing === | ||
+ | |||
As in the previous test, ping VM5 from VM1 with a tcpdump running on VM3, and the racoon log displayed on VM2:

VM3 tcpdump packets:
+ | |||
+ | < | ||
+ | [root@VM3]~# | ||
+ | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
+ | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 09: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | 11: | ||
+ | </ | ||
+ | |||
+ | Racoon log file on VM2: | ||
+ | < | ||
+ | [root@VM2]~# | ||
+ | 2013-10-26 09:28:01: INFO: 2001: | ||
+ | 2013-10-26 09:28:01: INFO: 2001: | ||
+ | 2013-10-26 09:28:01: INFO: ::1[500] used as isakmp port (fd=18) | ||
+ | 2013-10-26 09:28:01: INFO: ::1[4500] used as isakmp port (fd=19) | ||
+ | 2013-10-26 09:28:01: INFO: fe80: | ||
+ | 2013-10-26 09:28:01: INFO: fe80: | ||
+ | 2013-10-26 09:28:01: INFO: 127.0.0.1[500] used for NAT-T | ||
+ | 2013-10-26 09:28:01: INFO: 127.0.0.1[500] used as isakmp port (fd=22) | ||
+ | 2013-10-26 09:28:01: INFO: 127.0.0.1[4500] used for NAT-T | ||
+ | 2013-10-26 09:28:01: INFO: 127.0.0.1[4500] used as isakmp port (fd=23) | ||
+ | 2013-10-26 09:28:57: INFO: IPsec-SA request for 10.0.34.4 queued due to no phase1 found. | ||
+ | 2013-10-26 09:28:57: INFO: initiate new phase 1 negotiation: | ||
+ | 2013-10-26 09:28:57: INFO: begin Identity Protection mode. | ||
+ | 2013-10-26 09:28:57: INFO: received Vendor ID: DPD | ||
+ | 2013-10-26 09:28:57: INFO: ISAKMP-SA established 10.0.23.2[500]-10.0.34.4[500] spi: | ||
+ | 2013-10-26 09:28:57: [10.0.34.4] INFO: received INITIAL-CONTACT | ||
+ | 2013-10-26 09:28:58: INFO: initiate new phase 2 negotiation: | ||
+ | 2013-10-26 09:28:58: INFO: IPsec-SA established: | ||
+ | 2013-10-26 09:28:58: INFO: IPsec-SA established: | ||
+ | 2013-10-26 11:06:59: INFO: initiate new phase 1 negotiation: | ||
+ | 2013-10-26 11:06:59: INFO: begin Identity Protection mode. | ||
+ | 2013-10-26 11:06:59: INFO: received Vendor ID: DPD | ||
+ | 2013-10-26 11:06:59: INFO: ISAKMP-SA established 2001: | ||
+ | 2013-10-26 11:06:59: [2001: | ||
+ | 2013-10-26 11:07:00: INFO: initiate new phase 2 negotiation: | ||
+ | 2013-10-26 11:07:00: INFO: IPsec-SA established: | ||
+ | 2013-10-26 11:07:00: INFO: IPsec-SA established: | ||
+ | </ | ||
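A quick way to read a racoon log like this one is to reduce it to a per-gateway verdict: phase 1 up, both IPsec-SA directions installed, or still queued/failed. The script below is an added example, not part of the BSDRP lab; its sample lines are constructed after the format above (the IPv6 gateways use the 2001:db8::/32 documentation prefix), and the wording of the failure and deletion messages is assumed from racoon's usual output.

```python
"""Summarize racoon(8) IKEv1 state per remote gateway from its log.

Added example, not part of the BSDRP page. It walks the log in order and, for
each remote gateway, reports whether the ISAKMP-SA (phase 1) came up and whether
BOTH directions of the IPsec-SA (phase 2) were installed after it, which is what
the tunnel needs before traffic flows. A request that stays queued, a failed
negotiation and a deleted ISAKMP-SA are reported too. Sample lines are constructed.
"""
import re

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?:\[(?P<peer>[^\]]+)\] )?"
                  r"(?P<level>[A-Z]+): (?P<msg>.*)$")
PHASE1_OK = re.compile(r"ISAKMP-SA established (?P<local>\S+?)\[\d+\]-(?P<remote>\S+?)\[\d+\]")
PHASE1_DEL = re.compile(r"ISAKMP-SA deleted (?P<local>\S+?)\[\d+\]-(?P<remote>\S+?)\[\d+\]")
PHASE2_OK = re.compile(r"IPsec-SA established: ESP/\w+ (?P<src>\S+?)(?:\[\d+\])?->"
                       r"(?P<dst>\S+?)(?:\[\d+\])? spi=(?P<spi>\d+)")
QUEUED = re.compile(r"IPsec-SA request for (?P<remote>\S+) queued")
FAILED = re.compile(r"phase[12] negotiation failed")


def _peer(state, remote):
    return state.setdefault(remote, {"status": "unknown", "phase1": None,
                                     "inbound": None, "outbound": None, "last": None})


def summarize_racoon(lines):
    """Return {remote: {"status", "phase1", "inbound", "outbound", "last"}}.

    status: pending (queued, no phase 1), phase1-only, up, down (ISAKMP-SA
    deleted) or failed. inbound/outbound hold the phase 2 SPIs as integers.
    """
    state, local = {}, None
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue
        ts, msg, prefix_peer = m.group("ts"), m.group("msg"), m.group("peer")
        q, p1, p2, d = (QUEUED.search(msg), PHASE1_OK.search(msg),
                        PHASE2_OK.search(msg), PHASE1_DEL.search(msg))
        if q:
            p = _peer(state, q.group("remote"))
            if p["phase1"] is None:
                p.update(status="pending", last=msg)
        elif p1:
            local = p1.group("local")  # racoon prints the local gateway first
            p = _peer(state, p1.group("remote"))
            # A fresh phase 1 invalidates any child SAs recorded before it.
            p.update(status="phase1-only", phase1=ts, inbound=None, outbound=None, last=msg)
        elif p2:
            src, dst, spi = p2.group("src"), p2.group("dst"), int(p2.group("spi"))
            p = _peer(state, dst if src == local else src)
            p["inbound" if dst == local else "outbound"] = spi
            p["last"] = msg
            if p["inbound"] is not None and p["outbound"] is not None:
                p["status"] = "up"
        elif d:
            p = _peer(state, d.group("remote"))
            p.update(status="down", phase1=None, inbound=None, outbound=None, last=msg)
        elif FAILED.search(msg):
            # racoon does not always name the peer here: use the [peer] prefix when
            # present, otherwise blame every gateway still mid-negotiation.
            targets = [prefix_peer] if prefix_peer else [
                r for r, s in state.items() if s["status"] in ("pending", "phase1-only")]
            for r in targets:
                _peer(state, r).update(status="failed", last=msg)
    return state


def tunnels_down(state):
    """Remote gateways whose tunnel is not fully established (what to alert on)."""
    return sorted(r for r, s in state.items() if s["status"] != "up")


# Constructed after the VM2 log above: the IPv4 tunnel comes up, the IPv6 one times out.
RACOON_LOG = """\
2013-10-26 09:28:57: INFO: IPsec-SA request for 10.0.34.4 queued due to no phase1 found.
2013-10-26 09:28:57: INFO: initiate new phase 1 negotiation: 10.0.23.2[500]<=>10.0.34.4[500]
2013-10-26 09:28:57: INFO: ISAKMP-SA established 10.0.23.2[500]-10.0.34.4[500] spi:0123456789abcdef:fedcba9876543210
2013-10-26 09:28:57: [10.0.34.4] INFO: received INITIAL-CONTACT
2013-10-26 09:28:58: INFO: initiate new phase 2 negotiation: 10.0.23.2[500]<=>10.0.34.4[500]
2013-10-26 09:28:58: INFO: IPsec-SA established: ESP/Tunnel 10.0.34.4[500]->10.0.23.2[500] spi=4096(0x1000)
2013-10-26 09:28:58: INFO: IPsec-SA established: ESP/Tunnel 10.0.23.2[500]->10.0.34.4[500] spi=4097(0x1001)
2013-10-26 11:06:59: INFO: IPsec-SA request for 2001:db8:34::4 queued due to no phase1 found.
2013-10-26 11:06:59: INFO: initiate new phase 1 negotiation: 2001:db8:23::2[500]<=>2001:db8:34::4[500]
2013-10-26 11:07:29: [2001:db8:34::4] ERROR: phase1 negotiation failed due to time up. 89abcdef01234567:0000000000000000
"""

if __name__ == "__main__":
    for remote, s in summarize_racoon(RACOON_LOG.splitlines()).items():
        print("%-16s %-11s phase1=%s in=%s out=%s"
              % (remote, s["status"], s["phase1"], s["inbound"], s["outbound"]))
```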
+ | |||
+ | Ping result on VM1: | ||
+ | |||
+ | < | ||
+ | [root@VM1]# ping 10.0.45.5 | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=3 ttl=62 time=6.612 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | </ | ||
+ | |||
+ | ==== Tunnel with IKEv2 (strongswan) ==== | ||
+ | |||
+ | Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. | ||
+ | |||
+ | === Router 2 === | ||
+ | |||
+ | Configure strongswan on VM2 with: | ||
+ | * IKEv2 (version = 2) | ||
+ | * Preshared-key (psk) | ||
+ | * Disabling Mobile IP (mobike = no) | ||
  * forcing the tunnel to come up (start_action = trap)
+ | * configuring Dead-Peer-Detection at 5 seconds | ||
+ | |||
+ | < | ||
+ | cat > / | ||
+ | connections { | ||
+ | net-net { | ||
+ | local_addrs = 10.0.23.2 | ||
+ | remote_addrs = 10.0.34.4 | ||
+ | local { | ||
+ | auth = psk | ||
+ | id = vm2 | ||
+ | } | ||
+ | remote { | ||
+ | auth = psk | ||
+ | id = vm4 | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | local_ts | ||
+ | remote_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | dpd_delay = 5s | ||
+ | } | ||
+ | } | ||
+ | |||
+ | secrets { | ||
+ | ike-1 { | ||
+ | id-1 = vm4 | ||
+ | secret = "This is a strong password" | ||
+ | } | ||
+ | } | ||
+ | EOF | ||
+ | </ | ||
+ | |||
+ | Enable strongswan: | ||
+ | |||
+ | < | ||
+ | service strongswan enable | ||
+ | service strongswan restart | ||
+ | </ | ||
+ | |||
+ | And check if it correctly loaded its configuration: | ||
+ | < | ||
+ | root@VM2:~ # swanctl --list-conns | ||
+ | net-net: IKEv2, no reauthentication, | ||
+ | local: | ||
+ | remote: 10.0.34.4 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.45.0/ | ||
+ | </ | ||
+ | |||
+ | === Router 4 === | ||
+ | |||
+ | Configure strongswan on VM4 with: | ||
+ | * IKEv2 | ||
+ | * Preshared-key | ||
+ | * Disabling Mobile IP | ||
+ | * automatic traffic detection | ||
+ | * configuring Dead-Peer-Detection at 5 seconds | ||
+ | |||
+ | < | ||
+ | cat > / | ||
+ | connections { | ||
+ | net-net { | ||
+ | remote_addrs = 10.0.23.2 | ||
+ | local_addrs = 10.0.34.4 | ||
+ | remote { | ||
+ | auth = psk | ||
+ | id = vm2 | ||
+ | } | ||
+ | local { | ||
+ | auth = psk | ||
+ | id = vm4 | ||
+ | } | ||
+ | children { | ||
+ | net-net { | ||
+ | remote_ts | ||
+ | local_ts = 10.0.45.0/ | ||
+ | start_action = trap | ||
+ | } | ||
+ | } | ||
+ | version = 2 | ||
+ | mobike = no | ||
+ | dpd_delay = 5s | ||
+ | } | ||
+ | } | ||
+ | |||
+ | secrets { | ||
+ | ike-1 { | ||
+ | id-1 = vm2 | ||
+ | secret = "This is a strong password" | ||
+ | } | ||
+ | } | ||
+ | EOF | ||
+ | |||
+ | </ | ||
+ | |||
+ | Enable strongswan: | ||
+ | |||
+ | < | ||
+ | service strongswan enable | ||
+ | service strongswan restart | ||
+ | </ | ||
+ | |||
+ | And check the status: | ||
+ | < | ||
+ | root@VM4: # swanctl --list-conns | ||
+ | net-net: IKEv2, no reauthentication, | ||
+ | local: | ||
+ | remote: 10.0.23.2 | ||
+ | local pre-shared key authentication: | ||
+ | id: vm4 | ||
+ | remote pre-shared key authentication: | ||
+ | id: vm2 | ||
+ | net-net: TUNNEL, rekeying every 3600s | ||
+ | local: | ||
+ | remote: 10.0.12.0/ | ||
+ | |||
+ | root@VM4: # grep charon / | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf | ||
+ | key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit | ||
+ | elist addrblock counters | ||
+ | Jul 8 12:39:44 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | Jul 8 12:39:45 router charon[79963]: | ||
+ | </ | ||
+ | |||
+ | === Testing === | ||
+ | |||
As in the previous test, ping VM5 from VM1 with a tcpdump running on VM3:

VM3 tcpdump packets:
+ | |||
+ | < | ||
+ | [root@VM3]~# | ||
+ | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
+ | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | 00: | ||
+ | </ | ||
+ | |||
+ | Ping result on VM1: | ||
+ | |||
+ | < | ||
+ | [root@VM1]# ping 10.0.45.5 | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=3 ttl=62 time=6.612 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | </ | ||
+ | |||
+ | ==== VTI Tunnel without IKE ==== | ||
+ | |||
This method provides a routable interface (similar to a GRE tunnel over IPsec), which is useful for running a routing protocol over IPsec tunnels.
+ | |||
+ | === Router 2 === | ||
+ | |||
+ | < | ||
+ | sysrc cloned_interfaces=ipsec0 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | cat > / | ||
+ | flush; | ||
+ | spdflush; | ||
+ | add 10.0.23.2 10.0.34.4 esp 0x1000 -m tunnel -u 100 -E aes-gcm-16 " | ||
+ | add 10.0.34.4 10.0.23.2 esp 0x1001 -m tunnel -u 100 -E aes-gcm-16 " | ||
+ | EOF | ||
+ | service netif restart | ||
+ | service ipsec enable | ||
+ | service ipsec restart | ||
+ | service routing restart | ||
+ | </ | ||
+ | |||
And check the status:
+ | |||
+ | < | ||
+ | [root@VM2]~# | ||
+ | 0.0.0.0/ | ||
+ | in ipsec | ||
+ | esp/ | ||
+ | spid=1 seq=3 pid=778 scope=ifnet ifname=ipsec0 | ||
+ | refcnt=1 | ||
+ | ::/0[any] ::/0[any] any | ||
+ | in ipsec | ||
+ | esp/ | ||
+ | spid=3 seq=2 pid=778 scope=ifnet ifname=ipsec0 | ||
+ | refcnt=1 | ||
+ | 0.0.0.0/ | ||
+ | out ipsec | ||
+ | esp/ | ||
+ | spid=2 seq=1 pid=778 scope=ifnet ifname=ipsec0 | ||
+ | refcnt=1 | ||
+ | ::/0[any] ::/0[any] any | ||
+ | out ipsec | ||
+ | esp/ | ||
+ | spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0 | ||
+ | refcnt=1 | ||
+ | [root@VM2]~# | ||
+ | 10.0.34.4 10.0.23.2 | ||
+ | esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064) | ||
+ | E: aes-gcm-16 | ||
+ | seq=0x00000000 replay=0 flags=0x00000040 state=mature | ||
+ | created: Dec 1 23:48:30 2017 | ||
+ | diff: 105(s) | ||
+ | last: Dec 1 23:49:50 2017 hard: 0(s) soft: 0(s) | ||
+ | current: 168(bytes) | ||
+ | allocated: 2 hard: 0 soft: 0 | ||
+ | sadb_seq=1 pid=1649 refcnt=1 | ||
+ | 10.0.23.2 10.0.34.4 | ||
+ | esp mode=tunnel spi=4096(0x00001000) reqid=100(0x00000064) | ||
+ | E: aes-gcm-16 | ||
+ | seq=0x00000002 replay=0 flags=0x00000040 state=mature | ||
+ | created: Dec 1 23:48:30 2017 | ||
+ | diff: 105(s) | ||
+ | last: Dec 1 23:49:50 2017 hard: 0(s) soft: 0(s) | ||
+ | current: 280(bytes) | ||
+ | allocated: 2 hard: 0 soft: 0 | ||
+ | sadb_seq=0 pid=1649 refcnt=1 | ||
+ | [root@VM2]~# | ||
+ | ipsec0: flags=8051< | ||
+ | tunnel inet 10.0.23.2 --> 10.0.34.4 | ||
+ | inet6 fe80:: | ||
+ | inet6 2001: | ||
+ | inet 10.0.24.2 --> 10.0.24.4 | ||
+ | nd6 options=21< | ||
+ | reqid: 100 | ||
+ | groups: ipsec | ||
+ | </ | ||
+ | |||
+ | === Router 4 === | ||
+ | |||
+ | < | ||
+ | sysrc cloned_interfaces=ipsec0 \ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | cat > / | ||
+ | flush; | ||
+ | spdflush; | ||
+ | add 10.0.23.2 10.0.34.4 esp 0x1000 -m tunnel -u 200 -E aes-gcm-16 " | ||
+ | add 10.0.34.4 10.0.23.2 esp 0x1001 -m tunnel -u 200 -E aes-gcm-16 " | ||
+ | EOF | ||
+ | service netif restart | ||
+ | service ipsec enable | ||
+ | service ipsec restart | ||
+ | service routing restart | ||
+ | </ | ||
+ | |||
+ | === Testing === | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.440 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=0.382 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | ===== OpenVPN ===== | ||
+ | |||
+ | ==== CA and certificates generation ==== | ||
+ | |||
All these steps are done on VM2 (the OpenVPN server).
+ | |||
Start by copying the easyrsa3 configuration folder and defining the new configuration file:
+ | < | ||
+ | cp -r / | ||
+ | setenv EASYRSA / | ||
+ | setenv EASYRSA_PKI $EASYRSA/ | ||
+ | </ | ||
+ | |||
Initialize the PKI and generate DH parameters:
+ | < | ||
+ | easyrsa init-pki | ||
+ | easyrsa gen-dh | ||
+ | </ | ||
+ | |||
+ | Build a root certificate: | ||
+ | < | ||
+ | [root@VM2]~# | ||
+ | |||
+ | Note: using Easy-RSA configuration from: / | ||
+ | Generating a 2048 bit RSA private key | ||
+ | ...............................................+++ | ||
+ | ..................................................................................+++ | ||
+ | writing new private key to '/ | ||
+ | ----- | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | Common Name (eg: your user, host, or server name) [Easy-RSA CA]: | ||
+ | |||
+ | CA creation complete and you may now import and sign cert requests. | ||
+ | Your new CA certificate file for publishing is at: | ||
+ | / | ||
+ | |||
+ | |||
+ | </ | ||
Make a server certificate called VM2 and a client certificate called VM4, both signed by the locally generated root certificate:
+ | < | ||
+ | easyrsa build-server-full VM2 nopass | ||
+ | easyrsa build-client-full VM4 nopass | ||
+ | </ | ||
+ | |||
+ | ==== Standard userland mode (slow) ==== | ||
+ | |||
+ | === VM2: OpenVPN server === | ||
+ | |||
+ | Create the openvpn configuration file for server mode as / | ||
+ | < | ||
+ | mkdir / | ||
+ | cat > / | ||
+ | dev tun | ||
+ | tun-ipv6 | ||
+ | ca / | ||
+ | cert / | ||
+ | key / | ||
+ | dh / | ||
+ | server 10.0.24.0 255.255.255.0 | ||
+ | server-ipv6 2001: | ||
+ | ifconfig-pool-persist ipp.txt | ||
+ | client-config-dir ccd | ||
+ | push "route 10.0.12.0 255.255.255.0" | ||
+ | push " | ||
+ | route 10.0.45.0 255.255.255.0 | ||
+ | route-ipv6 2001: | ||
+ | ' | ||
+ | </ | ||
+ | |||
Create the client-config-dir and declare the internal route (iroute) to the subnet behind the client VM4:
+ | < | ||
+ | mkdir / | ||
+ | cat > / | ||
+ | iroute 10.0.45.0 255.255.255.0 | ||
+ | iroute-ipv6 2001: | ||
+ | ' | ||
+ | </ | ||
+ | |||
Enable and start openvpn and sshd (the certificate files will be fetched by SCP later):
+ | < | ||
+ | service sshd enable | ||
+ | service openvpn enable | ||
+ | service openvpn start | ||
+ | service sshd start | ||
+ | </ | ||
+ | |||
And set a password for the root account (required for the SCP copy in the next step):
+ | < | ||
+ | passwd | ||
+ | </ | ||
+ | |||
Now generate the client configuration file with embedded certificates:
+ | |||
+ | < | ||
+ | cat > / | ||
+ | client | ||
+ | dev tun | ||
+ | remote 10.0.23.2 | ||
+ | <ca> | ||
+ | EOF | ||
+ | cat / | ||
+ | echo '</ | ||
+ | echo '< | ||
+ | cat / | ||
+ | echo '</ | ||
+ | echo '< | ||
+ | cat / | ||
+ | echo '</ | ||
+ | </ | ||
+ | |||
+ | === VM4: OpenVPN client === | ||
+ | |||
As the OpenVPN client, VM4 must fetch its OpenVPN configuration file (with the embedded certificate and key) from VM2 and put it in /
+ | |||
In this lab, scp can be used to fetch these files:
+ | < | ||
+ | mkdir / | ||
+ | scp 10.0.23.2:/ | ||
+ | </ | ||
+ | |||
+ | Enable and start openvpn: | ||
+ | < | ||
+ | service openvpn enable | ||
+ | service openvpn start | ||
+ | </ | ||
+ | |||
+ | === Testing === | ||
+ | |||
+ | Pinging VM5 from VM1: | ||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | ^C | ||
+ | --- 2001: | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | |||
+ | [root@VM1]~# | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.312 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=3.111 ms | ||
+ | ^C | ||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 3 packets transmitted, | ||
+ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM2: | ||
+ | < | ||
+ | Oct 26 16:58:32 VM2 openvpn[2769]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2769]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2769]: | ||
+ | Oct 26 16:58:32 VM2 kernel: tun0: link state changed to UP | ||
+ | Oct 26 16:58:32 VM2 openvpn[2769]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2769]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2769]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2769]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2789]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2789]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2789]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2789]: | ||
+ | Oct 26 16:58:32 VM2 openvpn[2789]: | ||
+ | Oct 26 16:58:33 VM2 openvpn[2789]: | ||
+ | Oct 26 16:58:33 VM2 openvpn[2789]: | ||
+ | Oct 26 16:58:35 VM2 openvpn[2789]: | ||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM4: | ||
+ | < | ||
+ | Oct 26 16:58:32 VM4 openvpn[2495]: | ||
+ | Oct 26 16:58:32 VM4 openvpn[2495]: | ||
+ | Oct 26 16:58:32 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:32 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:32 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:34 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:34 VM4 kernel: tun0: link state changed to UP | ||
+ | Oct 26 16:58:34 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:34 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:34 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:34 VM4 openvpn[2496]: | ||
+ | Oct 26 16:58:34 VM4 openvpn[2496]: | ||
+ | </ | ||
+ | |||
+ | Tcpdump on VM3: | ||
+ | |||
+ | < | ||
+ | [root@VM3]~# | ||
+ | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
+ | listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
+ | 16: | ||
+ | 16: | ||
+ | 16: | ||
+ | 16: | ||
+ | 16: | ||
+ | 16: | ||
+ | </ | ||
+ | |||
+ | ==== Data Channel Offload (DCO), kernel mode (fast) ==== | ||
+ | |||
+ | Start with a working userland configuration, | ||
+ | * Need to load if_ovpn module on both side | ||
+ | * Need to enable subnet topology on the server side | ||
+ | |||
+ | === VM2: OpenVPN server === | ||
+ | |||
+ | < | ||
+ | service openvpn stop | ||
+ | sysrc kld_list=" | ||
+ | kldload if_ovpn | ||
+ | echo " | ||
+ | service openvpn start | ||
+ | </ | ||
+ | |||
+ | === VM4: OpenVPN client === | ||
+ | |||
+ | < | ||
+ | service openvpn stop | ||
+ | sysrc kld_list=" | ||
+ | kldload if_ovpn | ||
+ | service openvpn start | ||
+ | </ | ||
+ | |||
+ | === Testing === | ||
+ | |||
+ | Pinging VM5 from VM1: | ||
+ | < | ||
+ | root@VM1:~ # ping -c 2 10.0.45.5 | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=1.700 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.629 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | root@VM1:~ # ping -c 2 2001: | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM2 (error installing route are due to DCO restriction): | ||
+ | < | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:40 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:29:41 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | Oct 4 18:30:11 VM2 openvpn[89399]: | ||
+ | </ | ||
+ | |||
+ | OpenVPN log file on VM4: | ||
+ | < | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:11 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | Oct 4 18:30:12 VM4 openvpn[86737]: | ||
+ | </ | ||
+ | |||
+ | ===== Wireguard ===== | ||
+ | |||
+ | On current (14.0) needs only wireguard-tools (kernel module included), on older (12 or 13) needs wireguard-kmod. | ||
+ | ==== Key pairs generation on VM2 and VM4 ==== | ||
+ | |||
+ | The first step is to generate a couple of private and public keys on each wireguard endpoint. | ||
+ | |||
+ | The standard way of generating keys is using this command: | ||
+ | |||
+ | < | ||
+ | cd / | ||
+ | wg genkey > private | ||
+ | chmod 600 private | ||
+ | wg pubkey < private > public | ||
+ | </ | ||
+ | |||
+ | But on this example, we will use static keys as example. | ||
+ | ==== Router 2 ==== | ||
+ | |||
+ | Write example-only static and public key, on real-life, used the one generated by wg. | ||
+ | |||
+ | < | ||
+ | echo " | ||
+ | echo " | ||
+ | cat > / | ||
+ | [Interface] | ||
+ | PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38= | ||
+ | ListenPort = 51820 | ||
+ | |||
+ | [Peer] | ||
+ | PublicKey = o267Qf43WlVTawLq/ | ||
+ | AllowedIPs = 10.0.45.0/ | ||
+ | Endpoint = 10.0.34.4: | ||
+ | EOF | ||
+ | |||
+ | sysrc wireguard_interfaces=wg0 | ||
+ | service wireguard enable | ||
+ | service wireguard start | ||
+ | </ | ||
+ | |||
+ | ==== Router 4 ==== | ||
+ | |||
+ | Generate example-only router 4 wg keys, and declare 2 public key. | ||
+ | |||
+ | < | ||
+ | echo " | ||
+ | echo " | ||
+ | cat > / | ||
+ | [Interface] | ||
+ | PrivateKey = 4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE= | ||
+ | ListenPort = 51820 | ||
+ | |||
+ | [Peer] | ||
+ | PublicKey = z9wBhxr/ | ||
+ | AllowedIPs = 10.0.12.0/ | ||
+ | Endpoint = 10.0.23.2: | ||
+ | EOF | ||
+ | |||
+ | sysrc wireguard_interfaces=wg0 | ||
+ | service wireguard enable | ||
+ | service wireguard start | ||
+ | </ | ||
+ | |||
+ | ==== Testing ==== | ||
+ | |||
+ | Pinging VM5 from VM1: | ||
+ | |||
+ | < | ||
+ | [root@VM1]~# | ||
+ | PING 10.0.45.5 (10.0.45.5): | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms | ||
+ | 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms | ||
+ | |||
+ | --- 10.0.45.5 ping statistics --- | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | |||
+ | [root@VM1]~# | ||
+ | PING6(56=40+8+8 bytes) 2001: | ||
+ | 16 bytes from 2001: | ||
+ | 16 bytes from 2001: | ||
+ | |||
+ | --- 2001: | ||
+ | 2 packets transmitted, | ||
+ | round-trip min/ | ||
+ | </ | ||
+ | |||
+ | Are we using the kernel module? | ||
+ | < | ||
+ | root@VM2:~ # kldstat -v -n if_wg.ko | ||
+ | Id Refs Address | ||
+ | | ||
+ | Contains modules: | ||
+ | Id Name | ||
+ | 473 wg | ||
+ | </ | ||
+ | |||
+ | Displaying wg status on VM2: | ||
+ | < | ||
+ | root@VM2:~ # ifconfig wg0 | ||
+ | wg0: flags=80c1< | ||
+ | options=80000< | ||
+ | groups: wg | ||
+ | nd6 options=101< | ||
+ | root@VM2:~ # netstat -rn | grep " | ||
+ | Destination | ||
+ | 10.0.45.0/ | ||
+ | Destination | ||
+ | 2001: | ||
+ | root@VM2:~ # wg show | ||
+ | interface: wg0 | ||
+ | public key: z9wBhxr/ | ||
+ | private key: (hidden) | ||
+ | listening port: 51820 | ||
+ | |||
+ | peer: o267Qf43WlVTawLq/ | ||
+ | endpoint: 10.0.34.4: | ||
+ | allowed ips: 2001: | ||
+ | latest handshake: 32 seconds ago | ||
+ | transfer: 356 B received, 436 B sent | ||
+ | </ |
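Review bot: The generated OpenVPN client bundle (the block starting `client`, `dev tun`, `remote 10.0.23.2`, `<ca>`) has no `remote-cert-tls server` line and the server file (the `cat >` block with `ca`, `cert`, `key`, `dh`, `server 10.0.24.0 255.255.255.0`) carries no `tls-crypt` or `tls-auth` key, so the lab runs with an unauthenticated control channel and a client that will accept any certificate issued by the lab CA as its server; suggest adding `remote-cert-tls server` to the client config the `cat` builds and a `tls-crypt` static key on both sides, or at least a sentence stating that these are deliberately left out of the lab. Two smaller points in the same region: sshd is enabled and a root password is set only so the client bundle, which embeds the client's private key, can be copied with `scp`, and nothing says to disable sshd afterwards; and the WireGuard `wg0.conf` written with `cat` contains the `PrivateKey` but never gets the `chmod 600` that the `wg genkey` block applies to the `private` file.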