documentation:examples:gre_ipsec_and_openvpn [2018/07/01 11:01]
127.0.0.1 external edit
documentation:examples:gre_ipsec_and_openvpn [2020/01/13 14:19] (current)
olivier [Testing]
Line 1: Line 1:
-====== VPN with GRE, GIF, IPSec and OpenVPN ======+====== VPN with GRE, GIF, IPSecOpenVPN ​and Wireguard ​======
  
-This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based).+This lab shows some VPN examples with BSDRP 1.97.
  
 ===== Presentation ===== ===== Presentation =====
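Review bot: the new title at Line 1 runs two names together ("IPSecOpenVPN ​and Wireguard"); it should read "VPN with GRE, GIF, IPSec, OpenVPN and WireGuard" (the project spells its name WireGuard). The intro now names BSDRP 1.97 but drops the FreeBSD base release the old text stated (10.3); since later hunks switch to `service ... enable`, which depends on the base release, the new minimum version is worth stating here.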
Line 79: Line 79:
  
 <​code>​ <​code>​
-sysrc hostname=R1 +sysrc hostname=VM1 \ 
-sysrc gateway_enable=NO + ​gateway_enable=NO ​\ 
-sysrc ipv6_gateway_enable=NO + ​ipv6_gateway_enable=NO ​\ 
-sysrc ifconfig_em0="​inet 10.0.12.1/​24"​ + ​ifconfig_em0="​inet 10.0.12.1/​24" ​\ 
-sysrc ifconfig_em0_ipv6="​inet6 2001:​db8:​12::​1 prefixlen 64" + ​ifconfig_em0_ipv6="​inet6 2001:​db8:​12::​1 prefixlen 64" ​\ 
-sysrc defaultrouter=10.0.12.2 + ​defaultrouter=10.0.12.2 ​\ 
-sysrc ipv6_defaultrouter=2001:​db8:​12::​2+ ​ipv6_defaultrouter=2001:​db8:​12::​2
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf
-hostname ​R1+hostname ​VM1
 service netif restart service netif restart
 service routing restart service routing restart
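Review bot: the context line `sed -i "" 's/em/vtnet/g' /etc/rc.conf` rewrites every occurrence of the string `em` in rc.conf, not only the interface names, so any other value containing `em` (a hostname, for instance) would be corrupted on vtnet hosts. Anchoring on the rc.conf variable form, `'s/_em\([0-9]\)/_vtnet\1/g'`, limits the rewrite to `ifconfig_em0`, `ifconfig_em0_ipv6` and the like. The same line is repeated in every router block.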
Line 94: Line 94:
 ==== Router 2 ==== ==== Router 2 ====
  
-Router 2 base configuration:​ A simple connected-network router with a default route pointing to R3.+Router 2 base configuration:​ A simple connected-network router with a default route pointing to VM3.
  
 <​code>​ <​code>​
-sysrc hostname=R2 +sysrc hostname=VM2 \ 
-sysrc ifconfig_em0="​inet 10.0.12.2/​24"​ +  ifconfig_em0="​inet 10.0.12.2/​24" ​\ 
-sysrc ifconfig_em0_ipv6="​inet6 2001:​db8:​12::​2 prefixlen 64" +  ifconfig_em0_ipv6="​inet6 2001:​db8:​12::​2 prefixlen 64" ​\ 
-sysrc ifconfig_em1="​inet 10.0.23.2/​24"​ +  ifconfig_em1="​inet 10.0.23.2/​24" ​\ 
-sysrc ifconfig_em1_ipv6="​inet6 2001:​db8:​23::​2 prefixlen 64" +  ifconfig_em1_ipv6="​inet6 2001:​db8:​23::​2 prefixlen 64" ​\ 
-sysrc defaultrouter="​10.0.23.3"​ +  defaultrouter="​10.0.23.3" ​\ 
-sysrc ipv6_defaultrouter="​2001:​db8:​23::​3"​+  ipv6_defaultrouter="​2001:​db8:​23::​3"​
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf
-hostname ​R2+hostname ​VM2
 service netif restart service netif restart
 service routing restart service routing restart
Line 115: Line 115:
  
 <​code>​ <​code>​
-sysrc hostname=R3 +sysrc hostname=VM3 \ 
-sysrc ifconfig_em1="​inet 10.0.23.3/​24"​ + ​ifconfig_em1="​inet 10.0.23.3/​24" ​\ 
-sysrc ifconfig_em1_ipv6="​inet6 2001:​db8:​23::​3 prefixlen 64" + ​ifconfig_em1_ipv6="​inet6 2001:​db8:​23::​3 prefixlen 64" ​\ 
-sysrc ifconfig_em2="​inet 10.0.34.3/​24"​ + ​ifconfig_em2="​inet 10.0.34.3/​24" ​\ 
-sysrc ifconfig_em2_ipv6="​inet6 2001:​db8:​34::​3 prefixlen 64"+ ​ifconfig_em2_ipv6="​inet6 2001:​db8:​34::​3 prefixlen 64"
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf
-hostname ​R3+hostname ​VM3
 service netif restart service netif restart
 config save config save
Line 127: Line 127:
 ==== Router 4 ==== ==== Router 4 ====
  
-Router 4 base configuration,​ like R2: A simple connected-network router with a default route pointing to R3.+Router 4 base configuration,​ like VM2: A simple connected-network router with a default route pointing to VM3.
  
 <​code>​ <​code>​
-sysrc hostname=R4 +sysrc hostname=VM4 \ 
-sysrc ifconfig_em2="​inet 10.0.34.4/​24"​ + ​ifconfig_em2="​inet 10.0.34.4/​24" ​\ 
-sysrc ifconfig_em2_ipv6="​inet6 2001:​db8:​34::​4 prefixlen 64" + ​ifconfig_em2_ipv6="​inet6 2001:​db8:​34::​4 prefixlen 64" ​\ 
-sysrc ifconfig_em3="​inet 10.0.45.4/​24"​ + ​ifconfig_em3="​inet 10.0.45.4/​24" ​\ 
-sysrc ifconfig_em3_ipv6="​inet6 2001:​db8:​45::​4 prefixlen 64" + ​ifconfig_em3_ipv6="​inet6 2001:​db8:​45::​4 prefixlen 64" ​\ 
-sysrc defaultrouter="​10.0.34.3"​ + ​defaultrouter="​10.0.34.3" ​\ 
-sysrc ipv6_defaultrouter="​2001:​db8:​34::​3"​+ ​ipv6_defaultrouter="​2001:​db8:​34::​3"​
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf
-hostname ​R4+hostname ​VM4
 service netif restart service netif restart
 service routing restart service routing restart
Line 145: Line 145:
 ==== Router 5 ==== ==== Router 5 ====
  
-Router 5 has the same workstation mode configuration as R1.+Router 5 has the same workstation mode configuration as VM1.
  
 <​code>​ <​code>​
-sysrc hostname=R5 +sysrc hostname=VM5 \ 
-sysrc gateway_enable=NO + ​gateway_enable=NO ​\ 
-sysrc ipv6_gateway_enable=NO + ​ipv6_gateway_enable=NO ​\ 
-sysrc ifconfig_em3="​inet 10.0.45.5/​24"​ + ​ifconfig_em3="​inet 10.0.45.5/​24" ​\ 
-sysrc ifconfig_em3_ipv6="​inet6 2001:​db8:​45::​5 prefixlen 64" + ​ifconfig_em3_ipv6="​inet6 2001:​db8:​45::​5 prefixlen 64" ​\ 
-sysrc defaultrouter="​10.0.45.4"​ + ​defaultrouter="​10.0.45.4" ​\ 
-sysrc ipv6_defaultrouter="​2001:​db8:​45::​4"​+ ​ipv6_defaultrouter="​2001:​db8:​45::​4"​
 ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf ifconfig -l | grep -q vtnet && sed -i ""​ '​s/​em/​vtnet/​g'​ /​etc/​rc.conf
-hostname ​R5+hostname ​VM5
 service netif restart service netif restart
 service routing restart service routing restart
Line 174: Line 174:
 Here is the parameters to add: Here is the parameters to add:
 <​code>​ <​code>​
-sysrc cloned_interfaces=gre0 +sysrc cloned_interfaces=gre0 ​\ 
-sysrc ifconfig_gre0="​inet 10.0.24.2/​24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" + ​ifconfig_gre0="​inet 10.0.24.2/​24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" ​\ 
-sysrc ifconfig_gre0_ipv6="​inet6 2001:​db8:​24::​2 prefixlen 64" + ​ifconfig_gre0_ipv6="​inet6 2001:​db8:​24::​2 prefixlen 64" ​\ 
-sysrc static_routes="​tunnel4"​ + ​static_routes="​tunnel4" ​\ 
-sysrc route_tunnel4="​10.0.45.0/​24 10.0.24.4"​ + ​route_tunnel4="​10.0.45.0/​24 10.0.24.4" ​\ 
-sysrc ipv6_route_tunnel6="​2001:​db8:​45::​ -prefixlen 64 2001:​db8:​24::​4"​ + ​ipv6_route_tunnel6="​2001:​db8:​45::​ -prefixlen 64 2001:​db8:​24::​4" ​\ 
-sysrc ipv6_static_routes="​tunnel6"​+ ​ipv6_static_routes="​tunnel6"​
 service netif restart service netif restart
 service routing restart service routing restart
Line 187: Line 187:
 ==== Router 4 ==== ==== Router 4 ====
  
-Configure the GRE tunnel using R2 IPv4 as end-point.+Configure the GRE tunnel using VM2 IPv4 as end-point.
  
 === Modify configuration === === Modify configuration ===
Line 193: Line 193:
 Here is the parameters to add: Here is the parameters to add:
 <​code>​ <​code>​
-sysrc cloned_interfaces=gre0 +sysrc cloned_interfaces=gre0 ​\ 
-sysrc ifconfig_gre0="​inet 10.0.24.4/​24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" + ​ifconfig_gre0="​inet 10.0.24.4/​24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" ​\ 
-sysrc ifconfig_gre0_ipv6="​inet6 2001:​db8:​24::​4 prefixlen 64" + ​ifconfig_gre0_ipv6="​inet6 2001:​db8:​24::​4 prefixlen 64" ​\ 
-sysrc static_routes="​tunnel4"​ + ​static_routes="​tunnel4" ​\ 
-sysrc route_tunnel4="​10.0.12.0/​24 10.0.24.2"​ + ​route_tunnel4="​10.0.12.0/​24 10.0.24.2" ​\ 
-sysrc ipv6_route_tunnel6="​2001:​db8:​12::​ -prefixlen 64 2001:​db8:​24::​2"​ + ​ipv6_route_tunnel6="​2001:​db8:​12::​ -prefixlen 64 2001:​db8:​24::​2" ​\ 
-sysrc ipv6_static_routes="​tunnel6"​+ ​ipv6_static_routes="​tunnel6"​
 service netif restart service netif restart
 service routing restart service routing restart
Line 207: Line 207:
  
 <​code>​ <​code>​
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5):​ 56 data bytes PING 10.0.45.5 (10.0.45.5):​ 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
Line 216: Line 216:
 3 packets transmitted,​ 3 packets received, 0.0% packet loss 3 packets transmitted,​ 3 packets received, 0.0% packet loss
 round-trip min/​avg/​max/​stddev = 1.019/​7.012/​18.659/​8.237 ms round-trip min/​avg/​max/​stddev = 1.019/​7.012/​18.659/​8.237 ms
-[root@R1]~# ping6 -c3 2001:​db8:​45::​5+[root@VM1]~# ping6 -c3 2001:​db8:​45::​5
 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5
 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=1.142 ms 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=1.142 ms
Line 255: Line 255:
 ==== Router 4 ==== ==== Router 4 ====
  
-Configure the 2 gif tunnel using R2 addresses as end-point.+Configure the 2 gif tunnel using VM2 addresses as end-point.
  
 Here are the changes to apply to rc file: Here are the changes to apply to rc file:
Line 273: Line 273:
  
 <​code>​ <​code>​
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5):​ 56 data bytes PING 10.0.45.5 (10.0.45.5):​ 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
Line 282: Line 282:
 3 packets transmitted,​ 3 packets received, 0.0% packet loss 3 packets transmitted,​ 3 packets received, 0.0% packet loss
 round-trip min/​avg/​max/​stddev = 1.019/​7.012/​18.659/​8.237 ms round-trip min/​avg/​max/​stddev = 1.019/​7.012/​18.659/​8.237 ms
-[root@R1]~# ping6 -c3 2001:​db8:​45::​5+[root@VM1]~# ping6 -c3 2001:​db8:​45::​5
 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5
 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=1.142 ms 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=1.142 ms
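Review bot: the gif test output at Line 273 is identical, down to the timings (18.659 ms and 1.019/7.012/18.659/8.237 ms), to the GRE test output at Line 207, so it looks pasted rather than captured on the gif setup; re-running the pings on the renamed VMs would give this section its own result.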
Line 329: Line 329:
 And check it: And check it:
 <​code>​ <​code>​
-[root@R2]~# setkey -DP+[root@VM2]~# setkey -DP
 10.0.45.0/​24[any] 10.0.12.0/​24[any] any 10.0.45.0/​24[any] 10.0.12.0/​24[any] any
         in ipsec         in ipsec
Line 350: Line 350:
         spid=3 seq=0 pid=66654 scope=global         spid=3 seq=0 pid=66654 scope=global
         refcnt=1         refcnt=1
-[root@R2]~# setkey -D+[root@VM2]~# setkey -D
 2001:​db8:​34::​4 2001:​db8:​23::​2 2001:​db8:​34::​4 2001:​db8:​23::​2
         esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)         esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)
Line 402: Line 402:
 </​code>​ </​code>​
  
-Create a file /​etc/​ipsec.conf with these lines (same as R2: only to have to invert the in/out keyword):+Create a file /​etc/​ipsec.conf with these lines (same as VM2: only to have to invert the in/out keyword):
  
 <​code>​ <​code>​
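Review bot: the wording "same as VM2: only to have to invert the in/out keyword" reads awkwardly; suggest "same as on VM2, with the in/out keywords swapped".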
Line 427: Line 427:
 === Testing === === Testing ===
  
-Start a tcpdump on R3-em1 and from R1 ping R5:+Start a tcpdump on VM3-em1 and from VM1 ping VM5:
  
 <​code>​ <​code>​
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Line 446: Line 446:
  
 <​code>​ <​code>​
-[root@R1]/etc/rc.d# ping 10.0.45.5+[root@VM1]/etc/rc.d# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5):​ 56 data bytes PING 10.0.45.5 (10.0.45.5):​ 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms
 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms
-[root@R1]~# ping6 2001:​db8:​45::​5+[root@VM1]~# ping6 2001:​db8:​45::​5
 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5
 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=70.074 ms 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=70.074 ms
Line 583: Line 583:
 === Testing === === Testing ===
  
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
  
-R3 tcpdump paquets:+VM3 tcpdump paquets:
  
 <​code>​ <​code>​
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Line 629: Line 629:
 </​code>​ </​code>​
  
-Racoon log file on R2:+Racoon log file on VM2:
 <​code>​ <​code>​
-[root@R2]~# tail -f /​var/​log/​racoon.log+[root@VM2]~# tail -f /​var/​log/​racoon.log
 2013-10-26 09:28:01: INFO: 2001:​db8:​23::​2[500] used as isakmp port (fd=16) 2013-10-26 09:28:01: INFO: 2001:​db8:​23::​2[500] used as isakmp port (fd=16)
 2013-10-26 09:28:01: INFO: 2001:​db8:​23::​2[4500] used as isakmp port (fd=17) 2013-10-26 09:28:01: INFO: 2001:​db8:​23::​2[4500] used as isakmp port (fd=17)
Line 661: Line 661:
 </​code>​ </​code>​
  
-Ping result on R1:+Ping result on VM1:
  
 <​code>​ <​code>​
-[root@R1]# ping 10.0.45.5+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5):​ 56 data bytes PING 10.0.45.5 (10.0.45.5):​ 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
Line 670: Line 670:
 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:​db8:​45::​5+[root@VM1]~# ping6 2001:​db8:​45::​5
 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5
 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=5.264 ms 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=5.264 ms
Line 684: Line 684:
 === Router 2 === === Router 2 ===
  
-Configure strongswan on R2 with:+Configure strongswan on VM2 with:
   * IKEv2   * IKEv2
   * Preshared-key   * Preshared-key
Line 702: Line 702:
      ​dpddelay=5      ​dpddelay=5
  
-conn R4+conn VM4
     left=10.0.23.2     left=10.0.23.2
     leftsubnet=10.0.12.0/​24     leftsubnet=10.0.12.0/​24
-    leftid=R2+    leftid=VM2
     right=10.0.34.4     right=10.0.34.4
     rightsubnet=10.0.45.0/​24     rightsubnet=10.0.45.0/​24
-    rightid=R4+    rightid=VM4
     auto=start     auto=start
 '​EOF'​ '​EOF'​
Line 717: Line 717:
 <​code>​ <​code>​
 cat > /​usr/​local/​etc/​ipsec.secrets <<'​EOF'​ cat > /​usr/​local/​etc/​ipsec.secrets <<'​EOF'​
-R4 R2 : PSK "This is a strong password"​+VM4 VM2 : PSK "This is a strong password"​
 '​EOF'​ '​EOF'​
 </​code>​ </​code>​
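Review bot: `cat > /​usr/​local/​etc/​ipsec.secrets` creates the file with the shell's default umask, which normally leaves the PSK world-readable; add `chmod 600 /usr/local/etc/ipsec.secrets` after the heredoc (the VM4 copy at Line 762 needs the same). The selector `VM4 VM2` has to keep matching the leftid/rightid values in ipsec.conf, which this rename did consistently.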
Line 730: Line 730:
 === Router 4 === === Router 4 ===
  
-Configure strongswan on R4 with:+Configure strongswan on VM4 with:
   * IKEv2   * IKEv2
   * Preshared-key   * Preshared-key
Line 747: Line 747:
     dpdaction=restart     dpdaction=restart
     dpddelay=5     dpddelay=5
-conn R2+conn VM2
     left=10.0.34.4     left=10.0.34.4
     leftsubnet=10.0.45.0/​24     leftsubnet=10.0.45.0/​24
-    leftid=R4+    leftid=VM4
     right=10.0.23.2     right=10.0.23.2
     rightsubnet=10.0.12.0/​24     rightsubnet=10.0.12.0/​24
-    rightid=R2+    rightid=VM2
     auto=route     auto=route
 '​EOF'​ '​EOF'​
Line 762: Line 762:
 <​code>​ <​code>​
 cat > /​usr/​local/​etc/​ipsec.secrets <<'​EOF'​ cat > /​usr/​local/​etc/​ipsec.secrets <<'​EOF'​
-R4 R2 : PSK "This is a strong password"​+VM4 VM2 : PSK "This is a strong password"​
 '​EOF'​ '​EOF'​
 </​code>​ </​code>​
Line 775: Line 775:
 === Testing === === Testing ===
  
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
  
-R3 tcpdump paquets:+VM3 tcpdump paquets:
  
 <​code>​ <​code>​
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
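Review bot: the sentence at the top of this hunk still says "racoon log displayed on VM2" although this is the strongSwan test and the log shown below is charon's output in /var/log/auth.log; "paquets" should also be "packets". Suggest: "Like the previous test, ping VM5 from VM1 with a tcpdump on VM3 and the strongSwan log (auth.log) displayed on VM2."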
Line 801: Line 801:
 </​code>​ </​code>​
  
-Log file on R2:+Log file on VM2:
 <​code>​ <​code>​
-[root@R2]~# tail -f /​var/​log/​auth.log +[root@VM2]~# tail -f /​var/​log/​auth.log 
-Jun  8 00:​24:​28 ​R2 ipsec_starter[981]:​ no netkey IPsec stack detected +Jun  8 00:​24:​28 ​VM2 ipsec_starter[981]:​ no netkey IPsec stack detected 
-Jun  8 00:​24:​28 ​R2 ipsec_starter[981]:​ no KLIPS IPsec stack detected +Jun  8 00:​24:​28 ​VM2 ipsec_starter[981]:​ no KLIPS IPsec stack detected 
-Jun  8 00:​24:​28 ​R2 ipsec_starter[981]:​ no known IPsec stack detected, ignoring! +Jun  8 00:​24:​28 ​VM2 ipsec_starter[981]:​ no known IPsec stack detected, ignoring! 
-Jun  8 00:​24:​28 ​R2 ipsec_starter[984]:​ charon (986) started after 20 ms +Jun  8 00:​24:​28 ​VM2 ipsec_starter[984]:​ charon (986) started after 20 ms 
-Jun  8 00:​25:​26 ​R2 login: login on ttyu0 as root +Jun  8 00:​25:​26 ​VM2 login: login on ttyu0 as root 
-Jun  8 00:​25:​26 ​R2 login: ROOT LOGIN (root) ON ttyu0 +Jun  8 00:​25:​26 ​VM2 login: ROOT LOGIN (root) ON ttyu0 
-Jun  8 00:​34:​53 ​R2 charon: 12[IKE] initiating IKE_SA ​R4[1] to 10.0.34.4 +Jun  8 00:​34:​53 ​VM2 charon: 12[IKE] initiating IKE_SA ​VM4[1] to 10.0.34.4 
-Jun  8 00:​34:​53 ​R2 charon: 12[IKE] establishing CHILD_SA ​R4 +Jun  8 00:​34:​53 ​VM2 charon: 12[IKE] establishing CHILD_SA ​VM4 
-Jun  8 00:​34:​53 ​R2 charon: 12[IKE] IKE_SA ​R4[1] established between 10.0.23.2[R2]...10.0.34.4[R4+Jun  8 00:​34:​53 ​VM2 charon: 12[IKE] IKE_SA ​VM4[1] established between 10.0.23.2[VM2]...10.0.34.4[VM4
-Jun  8 00:​34:​53 ​R2 charon: 12[IKE] CHILD_SA ​R4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/​24 === 10.0.45.0/​24+Jun  8 00:​34:​53 ​VM2 charon: 12[IKE] CHILD_SA ​VM4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/​24 === 10.0.45.0/​24
 </​code>​ </​code>​
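Review bot: the three ipsec_starter lines ("no netkey IPsec stack detected", "no KLIPS IPsec stack detected", "no known IPsec stack detected, ignoring!") are probes for Linux kernel stacks and are harmless on FreeBSD, but a reader comparing logs may read them as a failure; one sentence saying they can be ignored, or trimming them from the excerpt, would help. The two `login:` lines at 00:25:26 are unrelated to IPsec and could be cut as well.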
  
-Ping result on R1:+Ping result on VM1:
  
 <​code>​ <​code>​
-[root@R1]# ping 10.0.45.5+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5):​ 56 data bytes PING 10.0.45.5 (10.0.45.5):​ 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
Line 825: Line 825:
 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:​db8:​45::​5+[root@VM1]~# ping6 2001:​db8:​45::​5
 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5
 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=5.264 ms 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=5.264 ms
Line 833: Line 833:
 ==== VTI Tunnel without IKE ==== ==== VTI Tunnel without IKE ====
  
-This method ​allow to present ​a routing interface (like creating a GRE tunnel over IPSec): Useful for running a routing protocol over IPSec tunnels.+This method ​presents ​a routing interface (like creating a GRE tunnel over IPSec): Useful for running a routing protocol over IPSec tunnels.
  
 === Router 2 === === Router 2 ===
  
 <​code>​ <​code>​
-sysrc cloned_interfaces=ipsec0 +sysrc cloned_interfaces=ipsec0 ​\ 
-sysrc create_args_ipsec0="​reqid 100" + ​create_args_ipsec0="​reqid 100" ​\ 
-sysrc ifconfig_ipsec0="​inet 10.0.24.2/​24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" + ​ifconfig_ipsec0="​inet 10.0.24.2/​24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" ​\ 
-sysrc ifconfig_ipsec0_ipv6="​inet6 2001:​db8:​24::​2 prefixlen 64" + ​ifconfig_ipsec0_ipv6="​inet6 2001:​db8:​24::​2 prefixlen 64" ​\ 
-sysrc static_routes="​tunnel4"​ + ​static_routes="​tunnel4" ​\ 
-sysrc route_tunnel4="​10.0.45.0/​24 10.0.24.4"​ + ​route_tunnel4="​10.0.45.0/​24 10.0.24.4" ​\ 
-sysrc ipv6_route_tunnel6="​2001:​db8:​45::​ -prefixlen 64 2001:​db8:​24::​4"​ + ​ipv6_route_tunnel6="​2001:​db8:​45::​ -prefixlen 64 2001:​db8:​24::​4" ​\ 
-sysrc ipv6_static_routes="​tunnel6"​+ ​ipv6_static_routes="​tunnel6"​
 cat > /​etc/​ipsec.conf <<EOF cat > /​etc/​ipsec.conf <<EOF
 flush; flush;
Line 853: Line 853:
 EOF EOF
 service netif restart service netif restart
-sysrc ipsec_enable=YES+service ipsec enable
 service ipsec restart service ipsec restart
 service routing restart service routing restart
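Review bot: `service ipsec enable` (replacing `sysrc ipsec_enable=YES`) relies on the enable subcommand that rc.subr(8) gained in FreeBSD 12.0; it is fine for BSDRP 1.97 but fails on the FreeBSD 10.3-based releases the previous revision targeted, so the page intro should state the minimum BSDRP/FreeBSD release it now assumes. The same substitution is made for sshd and openvpn further down.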
Line 861: Line 861:
  
 <​code>​ <​code>​
-[root@R2]~# setkey -DP+[root@VM2]~# setkey -DP
 0.0.0.0/​0[any] 0.0.0.0/​0[any] any 0.0.0.0/​0[any] 0.0.0.0/​0[any] any
         in ipsec         in ipsec
Line 882: Line 882:
         spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0         spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0
         refcnt=1         refcnt=1
-[root@R2]~# setkey -D+[root@VM2]~# setkey -D
 10.0.34.4 10.0.23.2 10.0.34.4 10.0.23.2
         esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)         esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)
Line 903: Line 903:
         allocated: 2    hard: 0 soft: 0         allocated: 2    hard: 0 soft: 0
         sadb_seq=0 pid=1649 refcnt=1         sadb_seq=0 pid=1649 refcnt=1
-[root@R2]~# ifconfig ipsec0+[root@VM2]~# ifconfig ipsec0
 ipsec0: flags=8051<​UP,​POINTOPOINT,​RUNNING,​MULTICAST>​ metric 0 mtu 1400 ipsec0: flags=8051<​UP,​POINTOPOINT,​RUNNING,​MULTICAST>​ metric 0 mtu 1400
         tunnel inet 10.0.23.2 --> 10.0.34.4         tunnel inet 10.0.23.2 --> 10.0.34.4
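Review bot: the `setkey -D` output shows `hard: 0 soft: 0` lifetimes on the ESP SAs, i.e. the manually keyed tunnel never rekeys and keeps one static SPI/key pair for its whole life; the section text should say that this "without IKE" variant is meant for the lab or a routing-protocol demo, and that the strongSwan setup above is the one to use when automatic rekeying is needed.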
Line 917: Line 917:
  
 <​code>​ <​code>​
-sysrc cloned_interfaces=ipsec0 +sysrc cloned_interfaces=ipsec0 ​\ 
-sysrc create_args_ipsec0="​reqid 200" + ​create_args_ipsec0="​reqid 200" ​\ 
-sysrc ifconfig_ipsec0="​inet 10.0.24.4/​24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" + ​ifconfig_ipsec0="​inet 10.0.24.4/​24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" ​\ 
-sysrc ifconfig_ipsec0_ipv6="​inet6 2001:​db8:​24::​4 prefixlen 64" + ​ifconfig_ipsec0_ipv6="​inet6 2001:​db8:​24::​4 prefixlen 64" ​\ 
-sysrc static_routes="​tunnel4"​ + ​static_routes="​tunnel4" ​\ 
-sysrc route_tunnel4="​10.0.12.0/​24 10.0.24.2"​ + ​route_tunnel4="​10.0.12.0/​24 10.0.24.2" ​\ 
-sysrc ipv6_route_tunnel6="​2001:​db8:​12::​ -prefixlen 64 2001:​db8:​24::​2"​ + ​ipv6_route_tunnel6="​2001:​db8:​12::​ -prefixlen 64 2001:​db8:​24::​2" ​\ 
-sysrc ipv6_static_routes="​tunnel6"​+ ​ipv6_static_routes="​tunnel6"​
 cat > /​etc/​ipsec.conf <<EOF cat > /​etc/​ipsec.conf <<EOF
 flush; flush;
Line 932: Line 932:
 EOF EOF
 service netif restart service netif restart
-sysrc ipsec_enable=YES+service ipsec enable
 service ipsec restart service ipsec restart
 service routing restart service routing restart
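Review bot: the `cat > /​etc/​ipsec.conf <<EOF` delimiter is unquoted here and in the VM2 block, unlike the `<<'​EOF'​` form used for the strongSwan files, so `$` and backquotes inside the (elided) manual keys would be expanded by the shell; use `<<'EOF'` unless the body deliberately references shell variables. The differing reqid values (100 on VM2, 200 on VM4) are fine, since reqid only ties the local SP to its SA and is never sent to the peer.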
Line 940: Line 940:
  
 <​code>​ <​code>​
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5):​ 56 data bytes PING 10.0.45.5 (10.0.45.5):​ 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms
Line 949: Line 949:
 3 packets transmitted,​ 3 packets received, 0.0% packet loss 3 packets transmitted,​ 3 packets received, 0.0% packet loss
 round-trip min/​avg/​max/​stddev = 0.382/​0.589/​0.944/​0.252 ms round-trip min/​avg/​max/​stddev = 0.382/​0.589/​0.944/​0.252 ms
-[root@R1]~# ping6 -c3 2001:​db8:​45::​5+[root@VM1]~# ping6 -c3 2001:​db8:​45::​5
 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5
 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=0.617 ms 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=0.617 ms
Line 964: Line 964:
 ==== CA and certificates generation ==== ==== CA and certificates generation ====
  
-All these step will be done on R2 (OpenVPN server)+All these step will be done on VM2 (OpenVPN server)
  
 Start by copying easyrsa3 configuration folder and define new configuration file: Start by copying easyrsa3 configuration folder and define new configuration file:
Line 970: Line 970:
 cp -r /​usr/​local/​share/​easy-rsa /​usr/​local/​etc/​ cp -r /​usr/​local/​share/​easy-rsa /​usr/​local/​etc/​
 setenv EASYRSA /​usr/​local/​etc/​easy-rsa setenv EASYRSA /​usr/​local/​etc/​easy-rsa
 +setenv EASYRSA_PKI $EASYRSA/​pki
 </​code>​ </​code>​
  
Line 980: Line 981:
 Build a root certificate:​ Build a root certificate:​
 <​code>​ <​code>​
-[root@R2]~# easyrsa build-ca nopass+[root@VM2]~# easyrsa build-ca nopass
  
 Note: using Easy-RSA configuration from: /​usr/​local/​etc/​easy-rsa/​vars Note: using Easy-RSA configuration from: /​usr/​local/​etc/​easy-rsa/​vars
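Review bot: `easyrsa build-ca nopass` leaves the CA private key unencrypted on VM2, which is also the OpenVPN server exposed to peers; `nopass` is acceptable for a lab, but the text should say so, because outside the lab the CA key is kept off the VPN endpoint (or at least passphrase-protected), as anyone holding it can issue client certificates that VM2 will accept.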
Line 1003: Line 1004:
  
 </​code>​ </​code>​
-Make a server certificate called ​R2, and client certificate called ​R4 using a locally generated root certificate:​+Make a server certificate called ​VM2, and client certificate called ​VM4 using a locally generated root certificate:​
 <​code>​ <​code>​
-easyrsa build-server-full ​R2 nopass +easyrsa build-server-full ​VM2 nopass 
-easyrsa build-client-full ​R4 nopass+easyrsa build-client-full ​VM4 nopass
 </​code>​ </​code>​
  
-==== R2: OpenVPN server ====+==== VM2: OpenVPN server ====
  
 Create the openvpn configuration file for server mode as /​usr/​local/​etc/​openvpn/​openvpn.conf:​ Create the openvpn configuration file for server mode as /​usr/​local/​etc/​openvpn/​openvpn.conf:​
Line 1018: Line 1019:
 tun-ipv6 tun-ipv6
 ca /​usr/​local/​etc/​easy-rsa/​pki/​ca.crt ca /​usr/​local/​etc/​easy-rsa/​pki/​ca.crt
-cert /​usr/​local/​etc/​easy-rsa/​pki/​issued/​R2.crt +cert /​usr/​local/​etc/​easy-rsa/​pki/​issued/​VM2.crt 
-key /​usr/​local/​etc/​easy-rsa/​pki/​private/​R2.key+key /​usr/​local/​etc/​easy-rsa/​pki/​private/​VM2.key
 dh /​usr/​local/​etc/​easy-rsa/​pki/​dh.pem dh /​usr/​local/​etc/​easy-rsa/​pki/​dh.pem
 server 10.0.24.0 255.255.255.0 server 10.0.24.0 255.255.255.0
Line 1032: Line 1033:
 </​code>​ </​code>​
  
-Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client ​R4:+Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client ​VM4:
 <​code>​ <​code>​
 mkdir /​usr/​local/​etc/​openvpn/​ccd mkdir /​usr/​local/​etc/​openvpn/​ccd
-cat > /​usr/​local/​etc/​openvpn/​ccd/​R4 <<'​EOF'​+cat > /​usr/​local/​etc/​openvpn/​ccd/​VM4 <<'​EOF'​
 iroute 10.0.45.0 255.255.255.0 iroute 10.0.45.0 255.255.255.0
 iroute-ipv6 2001:​db8:​45::/​64 iroute-ipv6 2001:​db8:​45::/​64
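Review bot: the ccd file name `VM4` must equal the Common Name of the client certificate built with `easyrsa build-client-full VM4`; OpenVPN looks the file up by the authenticated CN, and a mismatch does not produce an error, it just skips the `iroute` lines and leaves 10.0.45.0/24 unreachable through the tunnel. One sentence saying so is worth adding, since this is the link that breaks silently on a rename.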
Line 1043: Line 1044:
 Enable and start openvpn and sshd (we will get certificates files by SCP later): Enable and start openvpn and sshd (we will get certificates files by SCP later):
 <​code>​ <​code>​
-sysrc sshd_enable=YES +service sshd enable 
-sysrc openvpn_enable=YES+service openvpn enable
 service openvpn start service openvpn start
 service sshd start service sshd start
Line 1053: Line 1054:
 passwd passwd
 </​code>​ </​code>​
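Review bot: sshd is enabled, and a root password set with `passwd`, only so the certificate files can be fetched with scp; the block should end with the reverse steps once the copy is done, `service sshd stop` and `service sshd disable`, so that password-based root SSH access does not stay open on the VPN server beyond the lab setup.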
-==== R4: OpenVPN client ====+==== VM4: OpenVPN client ====
  
-As OpenVPN client, ​R4 should get these files from R2 and put them in /​usr/​local/​etc/​openvpn:​+As OpenVPN client, ​VM4 should get these files from VM2 and put them in /​usr/​local/​etc/​openvpn:​
   * ca.crt   * ca.crt
-  * R4.crt +  * VM4.crt 
-  * R4.key+  * VM4.key
  
 On this lab, scp can be used for getting these files: On this lab, scp can be used for getting these files:
Line 1064: Line 1065:
 mkdir /​usr/​local/​etc/​openvpn mkdir /​usr/​local/​etc/​openvpn
 scp 10.0.23.2:/​usr/​local/​etc/​easy-rsa/​pki/​ca.crt /​usr/​local/​etc/​openvpn scp 10.0.23.2:/​usr/​local/​etc/​easy-rsa/​pki/​ca.crt /​usr/​local/​etc/​openvpn
-scp 10.0.23.2:/​usr/​local/​etc/​easy-rsa/​pki/​issued/​R4.crt /​usr/​local/​etc/​openvpn +scp 10.0.23.2:/​usr/​local/​etc/​easy-rsa/​pki/​issued/​VM4.crt /​usr/​local/​etc/​openvpn 
-scp 10.0.23.2:/​usr/​local/​etc/​easy-rsa/​pki/​private/​R4.key /​usr/​local/​etc/​openvpn+scp 10.0.23.2:/​usr/​local/​etc/​easy-rsa/​pki/​private/​VM4.key /​usr/​local/​etc/​openvpn
 </​code>​ </​code>​
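Review bot: `VM4.key` is generated on VM2 and then copied, so the client's private key exists on the server as well as on VM4. The easyrsa workflow that avoids this is `easyrsa gen-req VM4 nopass` on VM4, copying only `VM4.req` to VM2, then `easyrsa import-req` and `easyrsa sign-req client VM4` there; the shortcut is fine for the lab, but the text should say the private key is being shipped over the wire.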
  
Line 1076: Line 1077:
 remote 10.0.23.2 remote 10.0.23.2
 ca ca.crt ca ca.crt
-cert R4.crt +cert VM4.crt 
-key R4.key+key VM4.key
 '​EOF'​ '​EOF'​
 </​code>​ </​code>​
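Review bot: the client config has no `remote-cert-tls server` line, which is why the VM4 log at the end of this diff prints "WARNING: No server certificate verification method has been enabled"; without it VM4 accepts any certificate signed by the CA as the server, including another client's. Adding `remote-cert-tls server` works with `build-server-full`, whose certificates carry the server extended key usage.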
Line 1083: Line 1084:
 Enable and start openvpn: Enable and start openvpn:
 <​code>​ <​code>​
-sysrc openvpn_enable=YES+service openvpn enable
 service openvpn start service openvpn start
 </​code>​ </​code>​
 ==== Testing ==== ==== Testing ====
  
-Pinging ​R5 from R1:+Pinging ​VM5 from VM1:
 <​code>​ <​code>​
-[root@R1]~# ping6 2001:​db8:​45::​5+[root@VM1]~# ping6 2001:​db8:​45::​5
 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5 PING6(56=40+8+8 bytes) 2001:​db8:​12::​1 --> 2001:​db8:​45::​5
 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=5.453 ms 16 bytes from 2001:​db8:​45::​5,​ icmp_seq=0 hlim=62 time=5.453 ms
Line 1100: Line 1101:
 round-trip min/​avg/​max/​std-dev = 3.652/​4.442/​5.453/​0.752 ms round-trip min/​avg/​max/​std-dev = 3.652/​4.442/​5.453/​0.752 ms
  
-[root@R1]~# ping 10.0.45.5+[root@VM1]~# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5):​ 56 data bytes PING 10.0.45.5 (10.0.45.5):​ 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms
Line 1111: Line 1112:
 </​code>​ </​code>​
  
-OpenVPN log file on R2:+OpenVPN log file on VM2:
 <​code>​ <​code>​
Oct 26 16:58:32 VM2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
Oct 26 16:58:32 VM2 openvpn[2769]: WARNING: --keepalive option is missing from server config
Oct 26 16:58:32 VM2 openvpn[2769]: TUN/TAP device /dev/tun0 opened
Oct 26 16:58:32 VM2 kernel: tun0: link state changed to UP
Oct 26 16:58:32 VM2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up
Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64
Oct 26 16:58:32 VM2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0
Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link local (bound): [undef]
Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link remote: [undef]
Oct 26 16:58:32 VM2 openvpn[2789]: ifconfig_pool_read(), in='VM4,10.0.24.4,2001:db8:24::1000', TODO: IPv6
Oct 26 16:58:32 VM2 openvpn[2789]: succeeded -> ifconfig_pool_set()
Oct 26 16:58:32 VM2 openvpn[2789]: Initialization Sequence Completed
Oct 26 16:58:33 VM2 openvpn[2789]: 10.0.34.4:1194 [VM4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194
Oct 26 16:58:33 VM2 openvpn[2789]: VM4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000
Oct 26 16:58:35 VM2 openvpn[2789]: VM4/10.0.34.4:1194 send_push_reply(): safe_cap=940
</code>

OpenVPN log file on VM4:
<code>
Oct 26 16:58:32 VM4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013
Oct 26 16:58:32 VM4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link local (bound): [undef]
Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194
Oct 26 16:58:32 VM4 openvpn[2496]: [VM2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194
Oct 26 16:58:34 VM4 openvpn[2496]: TUN/TAP device /dev/tun0 opened
Oct 26 16:58:34 VM4 kernel: tun0: link state changed to UP
Oct 26 16:58:34 VM4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up
Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64
Oct 26 16:58:34 VM4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0
Oct 26 16:58:34 VM4 openvpn[2496]: Initialization Sequence Completed
</code>

Tcpdump on VM3:

<code>
[root@VM3]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
</code>

===== Wireguard =====

==== Key pairs generation ====

The first step is to generate a private and public key pair on each WireGuard endpoint.

On VM2 and on VM4, generate the keys:

<code>
cd /usr/local/etc/wireguard
wg genkey > private
chmod 600 private
wg pubkey < private > public
</code>

==== Router 2 ====

Display router 2's private key and router 4's public key, then use them in router 2's configuration:

<code>
cat > /usr/local/etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = 8Og1cCmvirK+zcGus/EyaA8aiFdzjjtS9GbuBa/bqFQ=
ListenPort = 51820

[Peer]
PublicKey = FSvVqj2s1FZqsSIvPLrE1RRTgbaPLbfG87P36F21M1g=
AllowedIPs = 10.0.45.0/24,2001:db8:45::2/64
Endpoint = 10.0.34.4:51820
EOF

sysrc wireguard_interfaces=wg0
service wireguard enable
service wireguard start
</code>

==== Router 4 ====

Display router 4's private key and router 2's public key, then use them in router 4's configuration:

<code>
cat > /usr/local/etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = ADfm6+sXZnoyDAkG/MXXy062pjSgh2GgfAIKwX+ewGg=
ListenPort = 51820

[Peer]
PublicKey = gaQij176wrz3g+2RTJ/S1oEnc7rx2reU1Z0Thrv4oXc=
AllowedIPs = 10.0.12.0/24,2001:db8:12::2/64
Endpoint = 10.0.23.2:51820
EOF

sysrc wireguard_interfaces=wg0
service wireguard enable
service wireguard start
</code>
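The two wg0.conf files above mirror each other, and AllowedIPs is also WireGuard's cryptokey routing table: a peer's decrypted packets are accepted only when their inner source address falls inside that peer's AllowedIPs. The following Python is an added example, not BSDRP's or WireGuard's own code: it parses VM2's wg0.conf (keys replaced by placeholders), flags AllowedIPs entries whose host bits are set (2001:db8:45::2/64 above is treated by WireGuard as the whole 2001:db8:45::/64), and reports which peer a given inner source address would be accepted from.

```python
import ipaddress

# Constructed sample: VM2's wg0.conf from this page, keys replaced by placeholders.
VM2_CONF = """\
[Interface]
PrivateKey = <VM2-private-key>
ListenPort = 51820

[Peer]
PublicKey = <VM4-public-key>
AllowedIPs = 10.0.45.0/24,2001:db8:45::2/64
Endpoint = 10.0.34.4:51820
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); every [Peer] is kept separately,
    which configparser cannot do. Only the first '=' splits key from value."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def host_bits_set(peer):
    """Lint: AllowedIPs entries with host bits set. WireGuard keeps only the
    prefix, so 2001:db8:45::2/64 admits and routes all of 2001:db8:45::/64."""
    return [c.strip() for c in peer["AllowedIPs"].split(",")
            if ipaddress.ip_interface(c.strip()).ip
            != ipaddress.ip_network(c.strip(), strict=False).network_address]


def peer_for_source(peers, src):
    """Receive-side cryptokey routing: the inner source must fall inside the
    sending peer's AllowedIPs (longest prefix wins). Returns that peer's
    PublicKey, or None where WireGuard would drop the packet."""
    addr, best = ipaddress.ip_address(src), None
    for peer in peers:
        for cidr in peer["AllowedIPs"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0]["PublicKey"] if best else None
```

Running the same checks against VM4's wg0.conf would flag 2001:db8:12::2/64 the same way.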

==== Testing ====

Pinging VM5 from VM1:

<code>
[root@VM1]~# ping -c2 10.0.45.5
PING 10.0.45.5 (10.0.45.5): 56 data bytes
64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms
64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms

--- 10.0.45.5 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.783/1.459/2.135/0.676 ms

[root@VM1]~# ping6 -c2 2001:db8:45::5
PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.779 ms
16 bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.764 ms

--- 2001:db8:45::5 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
</code>