documentation:examples:gre_ipsec_and_openvpn

documentation:examples:gre_ipsec_and_openvpn [2020/01/12 17:58] – [Router 2] olivier
documentation:examples:gre_ipsec_and_openvpn [2023/07/10 12:40] (current) – [Router 4] olivier
Line 1: Line 1:
-====== VPN with GRE, GIF, IPSec and OpenVPN ======+====== VPN with GRE, GIF, IPSecOpenVPN and Wireguard ======
  
-This lab shows some VPN examples with BSDRP 1.59 (FreeBSD 10.3 based).+This lab shows some VPN examples with BSDRP 1.991.
  
 ===== Presentation ===== ===== Presentation =====
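Review bot: the new title reads "IPSecOpenVPN and Wireguard" with no separator between IPSec and OpenVPN; it should be "GRE, GIF, IPSec, OpenVPN and Wireguard". The title now announces a Wireguard section, but none of the hunks in this revision adds one, so either that section lives in a part of the page this diff does not touch or the title is ahead of the content. The replacement intro line ("BSDRP 1.991") also drops the FreeBSD base version the old text gave ("FreeBSD 10.3 based"); since the charon log further down shows FreeBSD 14.0-CURRENT and the rest of the page relies on if_ipsec(4), swanctl and `service ... enable`, stating the base version up front tells readers which features to expect.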
Line 79: Line 79:
  
 <code> <code>
-sysrc hostname=R1 \+sysrc hostname=VM1 \
  gateway_enable=NO \  gateway_enable=NO \
  ipv6_gateway_enable=NO \  ipv6_gateway_enable=NO \
Line 87: Line 87:
  ipv6_defaultrouter=2001:db8:12::2  ipv6_defaultrouter=2001:db8:12::2
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R1+hostname VM1
 service netif restart service netif restart
 service routing restart service routing restart
Line 94: Line 94:
 ==== Router 2 ==== ==== Router 2 ====
  
-Router 2 base configuration: A simple connected-network router with a default route pointing to R3.+Router 2 base configuration: A simple connected-network router with a default route pointing to VM3.
  
 <code> <code>
-sysrc hostname=R2 \+sysrc hostname=VM2 \
   ifconfig_em0="inet 10.0.12.2/24" \   ifconfig_em0="inet 10.0.12.2/24" \
   ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64" \   ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64" \
Line 105: Line 105:
   ipv6_defaultrouter="2001:db8:23::3"   ipv6_defaultrouter="2001:db8:23::3"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R2+hostname VM2
 service netif restart service netif restart
 service routing restart service routing restart
Line 115: Line 115:
  
 <code> <code>
-sysrc hostname=R3 \+sysrc hostname=VM3 \
  ifconfig_em1="inet 10.0.23.3/24" \  ifconfig_em1="inet 10.0.23.3/24" \
  ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64" \  ifconfig_em1_ipv6="inet6 2001:db8:23::3 prefixlen 64" \
Line 121: Line 121:
  ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"  ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R3+hostname VM3
 service netif restart service netif restart
 config save config save
Line 127: Line 127:
 ==== Router 4 ==== ==== Router 4 ====
  
-Router 4 base configuration, like R2: A simple connected-network router with a default route pointing to R3.+Router 4 base configuration, like VM2: A simple connected-network router with a default route pointing to VM3.
  
 <code> <code>
-sysrc hostname=R4 \+sysrc hostname=VM4 \
  ifconfig_em2="inet 10.0.34.4/24" \  ifconfig_em2="inet 10.0.34.4/24" \
  ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64" \  ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64" \
Line 138: Line 138:
  ipv6_defaultrouter="2001:db8:34::3"  ipv6_defaultrouter="2001:db8:34::3"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R4+hostname VM4
 service netif restart service netif restart
 service routing restart service routing restart
Line 145: Line 145:
 ==== Router 5 ==== ==== Router 5 ====
  
-Router 5 has the same workstation mode configuration as R1.+Router 5 has the same workstation mode configuration as VM1.
  
 <code> <code>
-sysrc hostname=R5 \+sysrc hostname=VM5 \
  gateway_enable=NO \  gateway_enable=NO \
  ipv6_gateway_enable=NO \  ipv6_gateway_enable=NO \
Line 156: Line 156:
  ipv6_defaultrouter="2001:db8:45::4"  ipv6_defaultrouter="2001:db8:45::4"
 ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
-hostname R5+hostname VM5
 service netif restart service netif restart
 service routing restart service routing restart
Line 187: Line 187:
 ==== Router 4 ==== ==== Router 4 ====
  
-Configure the GRE tunnel using R2 IPv4 as end-point.+Configure the GRE tunnel using VM2 IPv4 as end-point.
  
 === Modify configuration === === Modify configuration ===
Line 193: Line 193:
 Here is the parameters to add: Here is the parameters to add:
 <code> <code>
-sysrc cloned_interfaces=gre0 +sysrc cloned_interfaces=gre0 \ 
-sysrc ifconfig_gre0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" + ifconfig_gre0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" \ 
-sysrc ifconfig_gre0_ipv6="inet6 2001:db8:24::4 prefixlen 64" + ifconfig_gre0_ipv6="inet6 2001:db8:24::4 prefixlen 64" \ 
-sysrc static_routes="tunnel4" + static_routes="tunnel4" \ 
-sysrc route_tunnel4="10.0.12.0/24 10.0.24.2" + route_tunnel4="10.0.12.0/24 10.0.24.2" \ 
-sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" + ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" \ 
-sysrc ipv6_static_routes="tunnel6"+ ipv6_static_routes="tunnel6"
 service netif restart service netif restart
 service routing restart service routing restart
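Review bot: every continued line of the merged `sysrc` command ends in a backslash followed by a trailing space (`\ `), which the shell reads as an escaped space rather than a line continuation: only `cloned_interfaces=gre0` (plus an empty argument) reaches sysrc, and the following lines are executed as separate shell commands that never touch /etc/rc.conf. If the trailing spaces are a rendering artefact of the diff view, the stored page is fine, but it is worth checking, and stripping them is harmless either way. Minor: the unchanged lead-in "Here is the parameters to add:" should read "Here are the parameters to add:".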
Line 207: Line 207:
  
 <code> <code>
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
Line 216: Line 216:
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
Line 238: Line 238:
  
 If you have previous gre configuration from the gre example: remove them. If you have previous gre configuration from the gre example: remove them.
- 
-Here is the line to ADD to /etc/rc.conf file: 
  
 <code> <code>
Line 252: Line 250:
 service routing restart service routing restart
 config save config save
 +</code>
 +
 +Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example:
 +<code>
 +set skip on lo0
 +scrub on gif1 inet all max-mss 1200
 +scrub on gif1 inet6 all max-mss 1180
 +pass
 </code> </code>
 ==== Router 4 ==== ==== Router 4 ====
  
-Configure the 2 gif tunnel using R2 addresses as end-point.+Configure the 2 gif tunnel using VM2 addresses as end-point.
  
-Here are the changes to apply to rc file: 
 <code> <code>
 sysrc cloned_interfaces="gif0 gif1" sysrc cloned_interfaces="gif0 gif1"
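Review bot: the pf.conf fragment added after `config save` never says how to activate it: nothing in the hunk enables pf (`sysrc pf_enable=YES` and `service pf start`, or `pfctl -f /etc/pf.conf`), so a reader copying the block gets no MSS clamping. The lead-in should also explain why only gif1 is clamped when Router 4 below clones both gif0 and gif1; presumably gif1 is the tunnel whose outer header is IPv6, as the sentence implies, and saying so avoids guesswork. The sentence itself needs a light edit, e.g. "To avoid fragmentation, the TCP MSS should be reduced on a gif interface whose outer protocol is inet6, as in this pf.conf example:". In the Router 4 text, "the 2 gif tunnel using VM2 addresses as end-point" should read "the two gif tunnels using the VM2 addresses as endpoints".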
Line 273: Line 278:
  
 <code> <code>
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=18.659 ms
Line 282: Line 287:
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms round-trip min/avg/max/stddev = 1.019/7.012/18.659/8.237 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.142 ms
Line 329: Line 334:
 And check it: And check it:
 <code> <code>
-[root@R2]~# setkey -DP+[root@VM2]~# setkey -DP
 10.0.45.0/24[any] 10.0.12.0/24[any] any 10.0.45.0/24[any] 10.0.12.0/24[any] any
         in ipsec         in ipsec
Line 350: Line 355:
         spid=3 seq=0 pid=66654 scope=global         spid=3 seq=0 pid=66654 scope=global
         refcnt=1         refcnt=1
-[root@R2]~# setkey -D+[root@VM2]~# setkey -D
 2001:db8:34::4 2001:db8:23::2 2001:db8:34::4 2001:db8:23::2
         esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)         esp mode=any spi=4099(0x00001003) reqid=0(0x00000000)
Line 402: Line 407:
 </code> </code>
  
-Create a file /etc/ipsec.conf with these lines (same as R2: only to have to invert the in/out keyword):+Create a file /etc/ipsec.conf with these lines (same as VM2: only to have to invert the in/out keyword):
  
 <code> <code>
Line 427: Line 432:
 === Testing === === Testing ===
  
-Start a tcpdump on R3-em1 and from R1 ping R5:+Start a tcpdump on VM3-em1 and from VM1 ping VM5:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Line 446: Line 451:
  
 <code> <code>
-[root@R1]/etc/rc.d# ping 10.0.45.5+[root@VM1]/etc/rc.d# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.014 ms
 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms 64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=2.851 ms
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=1.942 ms
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=70.074 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=70.074 ms
Line 583: Line 588:
 === Testing === === Testing ===
  
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
  
-R3 tcpdump paquets:+VM3 tcpdump paquets:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
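Review bot: "VM3 tcpdump paquets:" keeps the French spelling; it should be "VM3 tcpdump packets:". Apart from that the hunk only renames the hosts in the prompts and prose.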
Line 629: Line 634:
 </code> </code>
  
-Racoon log file on R2:+Racoon log file on VM2:
 <code> <code>
-[root@R2]~# tail -f /var/log/racoon.log+[root@VM2]~# tail -f /var/log/racoon.log
 2013-10-26 09:28:01: INFO: 2001:db8:23::2[500] used as isakmp port (fd=16) 2013-10-26 09:28:01: INFO: 2001:db8:23::2[500] used as isakmp port (fd=16)
 2013-10-26 09:28:01: INFO: 2001:db8:23::2[4500] used as isakmp port (fd=17) 2013-10-26 09:28:01: INFO: 2001:db8:23::2[4500] used as isakmp port (fd=17)
Line 661: Line 666:
 </code> </code>
  
-Ping result on R1:+Ping result on VM1:
  
 <code> <code>
-[root@R1]# ping 10.0.45.5+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
Line 670: Line 675:
 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
Line 679: Line 684:
  
 Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan. Using Strongswan, the SP will be installed automatically and the SA will be negotiated by strongswan.
- 
-Strongswan use Left (for Local) and Right (for Remote). 
  
 === Router 2 === === Router 2 ===
  
-Configure strongswan on R2 with: +Configure strongswan on VM2 with: 
-  * IKEv2 +  * IKEv2 (version = 2) 
-  * Preshared-key +  * Preshared-key (psk) 
-  * Disabling Mobile IP +  * Disabling Mobile IP (mobike = no) 
-  * forcing the tunnel going UP (auto=start)+  * forcing the tunnel going UP (start_action trap)
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm4.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    local_addrs = 10.0.23.2 
 +    remote_addrs = 10.0.34.4 
 +    local { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    remote { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        local_ts  = 10.0.12.0/24 
 +        remote_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay = 5s 
 +  } 
 +}
  
-conn %default +secrets { 
-     authby=secret +  ike-1 { 
-     keyexchange=ikev2 +    id-1 vm4 
-     mobike=no +    secret "This is a strong password" 
-     dpdaction=restart +  } 
-     dpddelay=5 +} 
- +EOF
-conn R4 +
-    left=10.0.23.2 +
-    leftsubnet=10.0.12.0/24 +
-    leftid=R2 +
-    right=10.0.34.4 +
-    rightsubnet=10.0.45.0/24 +
-    rightid=R4 +
-    auto=start +
-'EOF'+
 </code> </code>
  
-Then define the password to use for the remote site:+Enable strongswan:
  
 <code> <code>
-cat > /usr/local/etc/ipsec.secrets <<'EOF' +service strongswan enable 
-R4 R2 : PSK "This is a strong password" +service strongswan restart
-'EOF'+
 </code> </code>
  
-Enable strongswan: +And check if it correctly loaded its configuration:
 <code> <code>
-sysrc strongswan_enable=YES +root@VM2:~ # swanctl --list-conns 
-service strongswan restart+net-net: IKEv2, no reauthentication, rekeying every 14400s 
 +  local:  10.0.23.2 
 +  remote: 10.0.34.4 
 +  local pre-shared key authentication: 
 +    id: vm2 
 +  remote pre-shared key authentication: 
 +    id: vm4 
 +  net-net: TUNNEL, rekeying every 3600s 
 +    local:  10.0.12.0/24 
 +    remote: 10.0.45.0/24
 </code> </code>
  
 === Router 4 === === Router 4 ===
  
-Configure strongswan on R4 with:+Configure strongswan on VM4 with:
   * IKEv2   * IKEv2
   * Preshared-key   * Preshared-key
   * Disabling Mobile IP   * Disabling Mobile IP
-  * automatic traffic detection (auto=route)+  * automatic traffic detection
   * configuring Dead-Peer-Detection at 5 seconds   * configuring Dead-Peer-Detection at 5 seconds
  
 <code> <code>
-cat > /usr/local/etc/ipsec.conf <<'EOF' +cat > /usr/local/etc/swanctl/conf.d/vm2.conf <<EOF 
-config setup+connections { 
 +  net-net { 
 +    remote_addrs = 10.0.23.2 
 +    local_addrs = 10.0.34.4 
 +    remote { 
 +      auth = psk 
 +      id = vm2 
 +    } 
 +    local { 
 +      auth = psk 
 +      id = vm4 
 +    } 
 +    children { 
 +      net-net { 
 +        remote_ts  = 10.0.12.0/24 
 +        local_ts = 10.0.45.0/24 
 +        start_action = trap 
 +      } 
 +    } 
 +    version = 2 
 +    mobike = no 
 +    dpd_delay = 5s 
 +  } 
 +}
  
-conn %default +secrets { 
-    authby=secret +  ike-1 { 
-    keyexchange=ikev2 +    id-1 vm2 
-    mobike=no +    secret "This is a strong password" 
-    dpdaction=restart +  } 
-    dpddelay=5 +} 
-conn R2 +EOF
-    left=10.0.34.4 +
-    leftsubnet=10.0.45.0/24 +
-    leftid=R4 +
-    right=10.0.23.2 +
-    rightsubnet=10.0.12.0/24 +
-    rightid=R2 +
-    auto=route +
-'EOF+
-</code>+
  
-Then define the password to use for the remote site: 
- 
-<code> 
-cat > /usr/local/etc/ipsec.secrets <<'EOF' 
-R4 R2 : PSK "This is a strong password" 
-'EOF' 
 </code> </code>
  
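Review bot: the VM2 bullet "forcing the tunnel going UP (start_action trap)" contradicts the configuration it describes. In swanctl.conf, `start_action = trap` installs a trap policy and negotiates the CHILD_SA only when the first matching packet arrives; the equivalent of the old `auto=start` is `start_action = start`. The VM4 list describes the same setting as "automatic traffic detection", which is the accurate wording, so either switch VM2 to `start_action = start` (one side initiating is enough) or fix the VM2 bullet. With trap on both sides, as written, the tunnel stays down until traffic hits it, which is also why the later `swanctl --list-conns` output shows no SA. Second, the old `dpdaction=restart` has no counterpart in the new files: `dpd_delay = 5s` is set, but swanctl's `dpd_action` (a children-level option, default `clear`) is not, so after a DPD timeout the CHILD_SA is torn down and, with trap, only re-established on the next packet; add `dpd_action = restart` under `children { net-net { ... } }` on both routers if the old behaviour is intended. Third, the `secrets` block writes `id-1 vm4` and `secret "..."` without the `=` that every other key in these files uses; swanctl.conf documents the form `id-1 = vm4` and `secret = "..."`. If the VM4 charon log in the next hunk was captured with exactly this file, the parser tolerates it, but matching the documented form costs nothing. Finally, the heredoc changed from `<<'EOF'` to `<<EOF`; harmless here since the body contains no `$`, but the quoted form is the safer default for configuration text, and a sentence noting that each file is named after the peer (vm4.conf on VM2, vm2.conf on VM4) would prevent readers from swapping them.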
Line 769: Line 801:
  
 <code> <code>
-sysrc strongswan_enable=YES+service strongswan enable
 service strongswan restart service strongswan restart
 +</code>
 +
 +And check the status:
 +<code>
 +root@VM4: # swanctl --list-conns
 +net-net: IKEv2, no reauthentication, rekeying every 14400s
 +  local:  10.0.34.4
 +  remote: 10.0.23.2
 +  local pre-shared key authentication:
 +    id: vm4
 +  remote pre-shared key authentication:
 +    id: vm2
 +  net-net: TUNNEL, rekeying every 3600s
 +    local:  10.0.45.0/24
 +    remote: 10.0.12.0/24
 +
 +root@VM4: # grep charon /var/log/daemon.log
 +Jul  8 12:39:44 router charon[79963]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.6, FreeBSD 14.0-CURRENT, amd64)
 +Jul  8 12:39:44 router charon[79963]: 00[KNL] unable to set UDP_ENCAP: Invalid argument
 +Jul  8 12:39:44 router charon[79963]: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
 +Jul  8 12:39:44 router charon[79963]: 00[CFG]   loaded IKE secret for VM4 VM2
 +Jul  8 12:39:44 router charon[79963]: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation co
 +nstraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 xcbc cmac hmac kdf gcm drbg curl attr kernel-pf
 +key kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whit
 +elist addrblock counters
 +Jul  8 12:39:44 router charon[79963]: 00[JOB] spawning 16 worker threads
 +Jul  8 12:39:45 router charon[79963]: 13[CFG] loaded IKE shared key with id 'ike-1' for: 'vm2'
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] added vici connection: net-net
 +Jul  8 12:39:45 router charon[79963]: 12[CFG] installing 'net-net'
 </code> </code>
  
 === Testing === === Testing ===
  
-Like previous test, ping R5 from R1 with a tcpdump on R3, and racoon log displayed on R2:+Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2:
  
-R3 tcpdump paquets:+VM3 tcpdump paquets:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
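Review bot: the charon log shows "loading secrets from '/usr/local/etc/ipsec.secrets'" and "loaded IKE secret for VM4 VM2", i.e. the legacy ipsec.secrets from the previous revision of this page is still on VM4 and is being loaded alongside the swanctl file (the stroke plugin is in the loaded-plugins list). A migration step should tell readers to remove /usr/local/etc/ipsec.conf and /usr/local/etc/ipsec.secrets once swanctl is in use, so a stale PSK with the old uppercase IDs does not linger. The two lines "unable to set UDP_ENCAP: Invalid argument" and "enabling UDP decapsulation for IPv6 on port 4500 failed" concern NAT-T on the IPv6 socket, which this lab (IKE between 10.0.23.2 and 10.0.34.4, no NAT in the path) does not use; a sentence saying they are expected would spare readers a false alarm. Two cosmetic points: the syslog hostname in these lines is "router", not VM4, so the log was captured before the `hostname VM4` step from the base configuration took effect, and the prompt is "root@VM4: #" here versus "root@VM2:~ #" in the VM2 section.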
Line 801: Line 868:
 </code> </code>
  
-Log file on R2: +Ping result on VM1:
-<code> +
-[root@R2]~# tail -f /var/log/auth.log +
-Jun  8 00:24:28 R2 ipsec_starter[981]: no netkey IPsec stack detected +
-Jun  8 00:24:28 R2 ipsec_starter[981]: no KLIPS IPsec stack detected +
-Jun  8 00:24:28 R2 ipsec_starter[981]: no known IPsec stack detected, ignoring! +
-Jun  8 00:24:28 R2 ipsec_starter[984]: charon (986) started after 20 ms +
-Jun  8 00:25:26 R2 login: login on ttyu0 as root +
-Jun  8 00:25:26 R2 login: ROOT LOGIN (root) ON ttyu0 +
-Jun  8 00:34:53 R2 charon: 12[IKE] initiating IKE_SA R4[1] to 10.0.34.4 +
-Jun  8 00:34:53 R2 charon: 12[IKE] establishing CHILD_SA R4 +
-Jun  8 00:34:53 R2 charon: 12[IKE] IKE_SA R4[1] established between 10.0.23.2[R2]...10.0.34.4[R4] +
-Jun  8 00:34:53 R2 charon: 12[IKE] CHILD_SA R4{1} established with SPIs c6d01ce8_i c2357cdd_o and TS 10.0.12.0/24 === 10.0.45.0/24 +
-</code> +
- +
-Ping result on R1:+
  
 <code> <code>
-[root@R1]# ping 10.0.45.5+[root@VM1]# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms 64 bytes from 10.0.45.5: icmp_seq=2 ttl=62 time=2.846 ms
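Review bot: the unchanged intro "Like previous test, ping VM5 from VM1 with a tcpdump on VM3, and racoon log displayed on VM2" no longer matches this section. This is the strongswan test, and the hunk removes the VM2 log block entirely, so the sentence promises output that is not shown. Either drop the clause or show the strongswan equivalent on VM2, for instance the output of `swanctl --list-sas` once the ping has triggered the trap policy, which is the one check that proves the CHILD_SA was negotiated. "paquets" should again be "packets".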
Line 825: Line 877:
 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms 64 bytes from 10.0.45.5: icmp_seq=4 ttl=62 time=2.987 ms
 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms 64 bytes from 10.0.45.5: icmp_seq=5 ttl=62 time=2.289 ms
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.264 ms
Line 838: Line 890:
  
 <code> <code>
-sysrc cloned_interfaces=ipsec0 +sysrc cloned_interfaces=ipsec0 \ 
-sysrc create_args_ipsec0="reqid 100" + create_args_ipsec0="reqid 100" \ 
-sysrc ifconfig_ipsec0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" + ifconfig_ipsec0="inet 10.0.24.2/24 10.0.24.4 tunnel 10.0.23.2 10.0.34.4 up" \ 
-sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::2 prefixlen 64" + ifconfig_ipsec0_ipv6="inet6 2001:db8:24::2 prefixlen 64" \ 
-sysrc static_routes="tunnel4" + static_routes="tunnel4" \ 
-sysrc route_tunnel4="10.0.45.0/24 10.0.24.4" + route_tunnel4="10.0.45.0/24 10.0.24.4" \ 
-sysrc ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" + ipv6_route_tunnel6="2001:db8:45:: -prefixlen 64 2001:db8:24::4" \ 
-sysrc ipv6_static_routes="tunnel6"+ ipv6_static_routes="tunnel6"
 cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
 flush; flush;
Line 853: Line 905:
 EOF EOF
 service netif restart service netif restart
-sysrc ipsec_enable=YES+service ipsec enable
 service ipsec restart service ipsec restart
 service routing restart service routing restart
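Review bot: the merged `sysrc` command has the same trailing "backslash space" endings as the GRE block, with the same effect (only `cloned_interfaces=ipsec0` is set); worth checking in the stored page. On the content: VM2 uses `reqid 100` and VM4 `reqid 200`, which is valid because reqid is local to each host and only has to agree between the ipsec0 interface, the policies in that host's /etc/ipsec.conf and its SAs (the `setkey -D` dump below shows reqid=100 on VM2's SAs). The text should say so explicitly, otherwise readers will assume both ends must use the same number, and it should remind them that the reqid in `create_args_ipsec0` must be repeated in the policy lines of the /etc/ipsec.conf heredoc, which this diff elides.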
Line 861: Line 913:
  
 <code> <code>
-[root@R2]~# setkey -DP+[root@VM2]~# setkey -DP
 0.0.0.0/0[any] 0.0.0.0/0[any] any 0.0.0.0/0[any] 0.0.0.0/0[any] any
         in ipsec         in ipsec
Line 882: Line 934:
         spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0         spid=4 seq=0 pid=778 scope=ifnet ifname=ipsec0
         refcnt=1         refcnt=1
-[root@R2]~# setkey -D+[root@VM2]~# setkey -D
 10.0.34.4 10.0.23.2 10.0.34.4 10.0.23.2
         esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)         esp mode=tunnel spi=4097(0x00001001) reqid=100(0x00000064)
Line 903: Line 955:
         allocated: 2    hard: 0 soft: 0         allocated: 2    hard: 0 soft: 0
         sadb_seq=0 pid=1649 refcnt=1         sadb_seq=0 pid=1649 refcnt=1
-[root@R2]~# ifconfig ipsec0+[root@VM2]~# ifconfig ipsec0
 ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400 ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
         tunnel inet 10.0.23.2 --> 10.0.34.4         tunnel inet 10.0.23.2 --> 10.0.34.4
Line 917: Line 969:
  
 <code> <code>
-sysrc cloned_interfaces=ipsec0 +sysrc cloned_interfaces=ipsec0 \ 
-sysrc create_args_ipsec0="reqid 200" + create_args_ipsec0="reqid 200" \ 
-sysrc ifconfig_ipsec0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" + ifconfig_ipsec0="inet 10.0.24.4/24 10.0.24.2 tunnel 10.0.34.4 10.0.23.2 up" \ 
-sysrc ifconfig_ipsec0_ipv6="inet6 2001:db8:24::4 prefixlen 64" + ifconfig_ipsec0_ipv6="inet6 2001:db8:24::4 prefixlen 64" \ 
-sysrc static_routes="tunnel4" + static_routes="tunnel4" \ 
-sysrc route_tunnel4="10.0.12.0/24 10.0.24.2" + route_tunnel4="10.0.12.0/24 10.0.24.2" \ 
-sysrc ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" + ipv6_route_tunnel6="2001:db8:12:: -prefixlen 64 2001:db8:24::2" \ 
-sysrc ipv6_static_routes="tunnel6"+ ipv6_static_routes="tunnel6"
 cat > /etc/ipsec.conf <<EOF cat > /etc/ipsec.conf <<EOF
 flush; flush;
Line 932: Line 984:
 EOF EOF
 service netif restart service netif restart
-sysrc ipsec_enable=YES+service ipsec enable
 service ipsec restart service ipsec restart
 service routing restart service routing restart
Line 940: Line 992:
  
 <code> <code>
-[root@R1]~# ping -c 3 10.0.45.5+[root@VM1]~# ping -c 3 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=0.944 ms
Line 949: Line 1001:
 3 packets transmitted, 3 packets received, 0.0% packet loss 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 0.382/0.589/0.944/0.252 ms round-trip min/avg/max/stddev = 0.382/0.589/0.944/0.252 ms
-[root@R1]~# ping6 -c3 2001:db8:45::5+[root@VM1]~# ping6 -c3 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=0.617 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=0.617 ms
Line 964: Line 1016:
 ==== CA and certificates generation ==== ==== CA and certificates generation ====
  
-All these step will be done on R2 (OpenVPN server)+All these step will be done on VM2 (OpenVPN server)
  
 Start by copying easyrsa3 configuration folder and define new configuration file: Start by copying easyrsa3 configuration folder and define new configuration file:
Line 970: Line 1022:
 cp -r /usr/local/share/easy-rsa /usr/local/etc/ cp -r /usr/local/share/easy-rsa /usr/local/etc/
 setenv EASYRSA /usr/local/etc/easy-rsa setenv EASYRSA /usr/local/etc/easy-rsa
 +setenv EASYRSA_PKI $EASYRSA/pki
 </code> </code>
  
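Review bot: the added `setenv EASYRSA_PKI $EASYRSA/pki` (like the existing `setenv EASYRSA`) is csh/tcsh syntax; under sh or bash the same thing is `export EASYRSA_PKI="$EASYRSA/pki"`. State which shell the reader is assumed to be in, or give both forms, since easyrsa silently falls back to its default pki directory when the variable is not exported. Minor grammar in the unchanged lead-in: "Start by copying the easyrsa3 configuration folder and defining a new configuration file:".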
Line 980: Line 1033:
 Build a root certificate: Build a root certificate:
 <code> <code>
-[root@R2]~# easyrsa build-ca nopass+[root@VM2]~# easyrsa build-ca nopass
  
 Note: using Easy-RSA configuration from: /usr/local/etc/easy-rsa/vars Note: using Easy-RSA configuration from: /usr/local/etc/easy-rsa/vars
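Review bot: `easyrsa build-ca nopass` (and the `build-server-full`/`build-client-full ... nopass` calls that follow) leaves the CA and end-entity private keys unencrypted on VM2, which doubles as the OpenVPN server. That is a reasonable lab shortcut, but the text should say it is one, since the page otherwise reads as a template: outside the lab the CA key would normally be passphrase-protected and kept off the VPN endpoint.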
Line 1003: Line 1056:
  
 </code> </code>
-Make a server certificate called R2, and client certificate called R4 using a locally generated root certificate:+Make a server certificate called VM2, and client certificate called VM4 using a locally generated root certificate:
 <code> <code>
-easyrsa build-server-full R2 nopass +easyrsa build-server-full VM2 nopass 
-easyrsa build-client-full R4 nopass+easyrsa build-client-full VM4 nopass
 </code> </code>
  
-==== R2: OpenVPN server ====+==== Standard userland mode (slow) ==== 
 + 
 +=== VM2: OpenVPN server ===
  
 Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf: Create the openvpn configuration file for server mode as /usr/local/etc/openvpn/openvpn.conf:
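Review bot: the new heading "Standard userland mode (slow)" implies that a faster alternative (a kernel-mode OpenVPN section) is documented elsewhere on the page, but nothing in the visible hunks introduces it; make sure that sibling section exists and add a link or a one-line pointer to it here. The sub-headings under it were correctly demoted from `====` to `===`.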
Line 1018: Line 1073:
 tun-ipv6 tun-ipv6
 ca /usr/local/etc/easy-rsa/pki/ca.crt ca /usr/local/etc/easy-rsa/pki/ca.crt
-cert /usr/local/etc/easy-rsa/pki/issued/R2.crt +cert /usr/local/etc/easy-rsa/pki/issued/VM2.crt 
-key /usr/local/etc/easy-rsa/pki/private/R2.key+key /usr/local/etc/easy-rsa/pki/private/VM2.key
 dh /usr/local/etc/easy-rsa/pki/dh.pem dh /usr/local/etc/easy-rsa/pki/dh.pem
 server 10.0.24.0 255.255.255.0 server 10.0.24.0 255.255.255.0
Line 1032: Line 1087:
 </code> </code>
  
-Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client R4:+Create the Client-Configuration-dir and declare the volatile route to the subnet behind the client VM4:
 <code> <code>
 mkdir /usr/local/etc/openvpn/ccd mkdir /usr/local/etc/openvpn/ccd
-cat > /usr/local/etc/openvpn/ccd/R4 <<'EOF'+cat > /usr/local/etc/openvpn/ccd/VM4 <<'EOF'
 iroute 10.0.45.0 255.255.255.0 iroute 10.0.45.0 255.255.255.0
 iroute-ipv6 2001:db8:45::/64 iroute-ipv6 2001:db8:45::/64
Line 1043: Line 1098:
 Enable and start openvpn and sshd (we will get certificates files by SCP later): Enable and start openvpn and sshd (we will get certificates files by SCP later):
 <code> <code>
-sysrc sshd_enable=YES +service sshd enable 
-sysrc openvpn_enable=YES+service openvpn enable
 service openvpn start service openvpn start
 service sshd start service sshd start
Line 1053: Line 1108:
 passwd passwd
 </code> </code>
-==== R4: OpenVPN client ==== 
  
-As OpenVPN client, R4 should get these files from R2 and put them in /usr/local/etc/openvpn: +Now Generate client configuration file with embedded certificates:
-  * ca.crt +
-  * R4.crt +
-  * R4.key+
  
-On this lab, scp can be used for getting these files: 
 <code> <code>
-mkdir /usr/local/etc/openvpn +cat > /usr/local/etc/openvpn/VM4-openvpn.conf <<EOF 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn +client 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/R4.crt /usr/local/etc/openvpn +dev tun 
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/R4.key /usr/local/etc/openvpn+remote 10.0.23.2 
 +<ca> 
 +EOF 
 +cat /usr/local/etc/easy-rsa/pki/ca.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '</ca>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '<cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +cat /usr/local/etc/easy-rsa/pki/issued/VM4.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '</cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '<key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +cat /usr/local/etc/easy-rsa/pki/private/VM4.key >> /usr/local/etc/openvpn/VM4-openvpn.conf 
 +echo '</key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 </code> </code>
  
-Configure openvpn as a client:+=== VM4OpenVPN client ===
  
 +As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in /usr/local/etc/openvpn.
 +
 +On this lab, scp can be used for getting these files:
 <code> <code>
-cat > /usr/local/etc/openvpn/openvpn.conf <<'EOF' +mkdir /usr/local/etc/openvpn 
-client +scp 10.0.23.2:/usr/local/etc/openvpn/VM4-openvpn.conf /usr/local/etc/openvpn/openvpn.conf
-dev tun +
-remote 10.0.23.2 +
-ca ca.crt +
-cert R4.crt +
-key R4.key +
-'EOF'+
 </code> </code>
  
 Enable and start openvpn: Enable and start openvpn:
 <code> <code>
-sysrc openvpn_enable=YES+service openvpn enable
 service openvpn start service openvpn start
 </code> </code>
-==== Testing ==== 
  
-Pinging R5 from R1:+=== Testing === 
 + 
 +Pinging VM5 from VM1:
 <code> <code>
-[root@R1]~# ping6 2001:db8:45::5+[root@VM1]~# ping6 2001:db8:45::5
 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5 PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.453 ms 16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=5.453 ms
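Review bot: the generated VM4-openvpn.conf embeds the client's private key (`cat .../private/VM4.key >> ...`), but the file is created with `cat > ... <<EOF` under the default umask, so on VM2 it is typically world-readable; add `umask 077` before the first `cat >` or `chmod 600 /usr/local/etc/openvpn/VM4-openvpn.conf` afterwards, and the same applies to the copy that `scp` writes on VM4 as openvpn.conf. The heredoc is unquoted (`<<EOF`), which is fine for the fixed `client`/`dev tun`/`remote` lines but should be `<<'EOF'` if the block is ever extended. Text fixes in the same hunk: the heading "=== VM4OpenVPN client ===" lost its separator and should be "=== VM4: OpenVPN client ==="; "Now Generate client configuration file with embedded certificates:" should be "Now generate the client configuration file with embedded certificates:"; and "should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in" should be "should get its openvpn configuration file (which embeds the certificate and key) from VM2 and put it in", since there is now a single file to copy.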
Line 1100: Line 1158:
 round-trip min/avg/max/std-dev = 3.652/4.442/5.453/0.752 ms round-trip min/avg/max/std-dev = 3.652/4.442/5.453/0.752 ms
  
-[root@R1]~# ping 10.0.45.5+[root@VM1]~# ping 10.0.45.5
 PING 10.0.45.5 (10.0.45.5): 56 data bytes PING 10.0.45.5 (10.0.45.5): 56 data bytes
 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms 64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=3.192 ms
Line 1111: Line 1169:
 </code> </code>
  
-OpenVPN log file on R2:+OpenVPN log file on VM2:
 <code> <code>
-Oct 26 16:58:32 R2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 +Oct 26 16:58:32 VM2 openvpn[2769]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 
-Oct 26 16:58:32 R2 openvpn[2769]: WARNING: --keepalive option is missing from server config +Oct 26 16:58:32 VM2 openvpn[2769]: WARNING: --keepalive option is missing from server config 
-Oct 26 16:58:32 R2 openvpn[2769]: TUN/TAP device /dev/tun0 opened +Oct 26 16:58:32 VM2 openvpn[2769]: TUN/TAP device /dev/tun0 opened 
-Oct 26 16:58:32 R2 kernel: tun0: link state changed to UP +Oct 26 16:58:32 VM2 kernel: tun0: link state changed to UP 
-Oct 26 16:58:32 R2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 +Oct 26 16:58:32 VM2 openvpn[2769]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 
-Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up +Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.255 up 
-Oct 26 16:58:32 R2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64 +Oct 26 16:58:32 VM2 openvpn[2769]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64 
-Oct 26 16:58:32 R2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0 +Oct 26 16:58:32 VM2 openvpn[2769]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric -1) dev tun0 
-Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link local (bound): [undef] +Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link local (bound): [undef] 
-Oct 26 16:58:32 R2 openvpn[2789]: UDPv4 link remote: [undef] +Oct 26 16:58:32 VM2 openvpn[2789]: UDPv4 link remote: [undef] 
-Oct 26 16:58:32 R2 openvpn[2789]: ifconfig_pool_read(), in='R4,10.0.24.4,2001:db8:24::1000', TODO: IPv6 +Oct 26 16:58:32 VM2 openvpn[2789]: ifconfig_pool_read(), in='VM4,10.0.24.4,2001:db8:24::1000', TODO: IPv6 
-Oct 26 16:58:32 R2 openvpn[2789]: succeeded -> ifconfig_pool_set() +Oct 26 16:58:32 VM2 openvpn[2789]: succeeded -> ifconfig_pool_set() 
-Oct 26 16:58:32 R2 openvpn[2789]: Initialization Sequence Completed +Oct 26 16:58:32 VM2 openvpn[2789]: Initialization Sequence Completed 
-Oct 26 16:58:33 R2 openvpn[2789]: 10.0.34.4:1194 [R4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194 +Oct 26 16:58:33 VM2 openvpn[2789]: 10.0.34.4:1194 [VM4] Peer Connection Initiated with [AF_INET]10.0.34.4:1194 
-Oct 26 16:58:33 R2 openvpn[2789]: R4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000 +Oct 26 16:58:33 VM2 openvpn[2789]: VM4/10.0.34.4:1194 MULTI_sva: pool returned IPv4=10.0.24.6, IPv6=2001:db8:24::1000 
-Oct 26 16:58:35 R2 openvpn[2789]: R4/10.0.34.4:1194 send_push_reply(): safe_cap=940+Oct 26 16:58:35 VM2 openvpn[2789]: VM4/10.0.34.4:1194 send_push_reply(): safe_cap=940
 </code> </code>
  
-OpenVPN log file on R4:+OpenVPN log file on VM4:
 <code> <code>
-Oct 26 16:58:32 R4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 +Oct 26 16:58:32 VM4 openvpn[2495]: OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Oct 23 2013 
-Oct 26 16:58:32 R4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info. +Oct 26 16:58:32 VM4 openvpn[2495]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info. 
-Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link local (bound): [undef] +Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link local (bound): [undef] 
-Oct 26 16:58:32 R4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194 +Oct 26 16:58:32 VM4 openvpn[2496]: UDPv4 link remote: [AF_INET]10.0.23.2:1194 
-Oct 26 16:58:32 R4 openvpn[2496]: [R2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194 +Oct 26 16:58:32 VM4 openvpn[2496]: [VM2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194 
-Oct 26 16:58:34 R4 openvpn[2496]: TUN/TAP device /dev/tun0 opened +Oct 26 16:58:34 VM4 openvpn[2496]: TUN/TAP device /dev/tun0 opened 
-Oct 26 16:58:34 R4 kernel: tun0: link state changed to UP +Oct 26 16:58:34 VM4 kernel: tun0: link state changed to UP 
-Oct 26 16:58:34 R4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 +Oct 26 16:58:34 VM4 openvpn[2496]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 
-Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up +Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 10.0.24.6 10.0.24.5 mtu 1500 netmask 255.255.255.255 up 
-Oct 26 16:58:34 R4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64 +Oct 26 16:58:34 VM4 openvpn[2496]: /sbin/ifconfig tun0 inet6 2001:db8:24::1000/64 
-Oct 26 16:58:34 R4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0 +Oct 26 16:58:34 VM4 openvpn[2496]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric -1) dev tun0 
-Oct 26 16:58:34 R4 openvpn[2496]: Initialization Sequence Completed+Oct 26 16:58:34 VM4 openvpn[2496]: Initialization Sequence Completed
 </code> </code>
  
-Tcpdump on R3:+Tcpdump on VM3:
  
 <code> <code>
-[root@R3]~# tcpdump -pni em1+[root@VM3]~# tcpdump -pni em1
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
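Review bot: the VM4 log in this hunk still reports "WARNING: No server certificate verification method has been enabled", meaning the client accepts any certificate issued by the lab CA as the server; a `remote-cert-tls server` line in the client configuration delivered from VM2 is the usual remedy for this warning and should be documented with it. Secondary: the hunk only renames R2/R4 to VM2/VM4 in log lines that still show OpenVPN 2.3.2 on freebsd9.2 built in 2013, while the DCO section later on the page shows 2.6_git on freebsd14.0; re-capturing these logs on the current lab version would keep the example consistent.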
Line 1159: Line 1217:
 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114 16:52:40.744771 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 114
 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22 16:52:40.744786 IP 10.0.34.4.1194 > 10.0.23.2.1194: UDP, length 22
 +</code>
 +
 +==== Data Channel Offload (DCO), kernel mode (fast) ====
 +
 +Start with a working userland configuration, then modify existing configuration files like that:
 +  * Need to load if_ovpn module on both side
 +  * Need to enable subnet topology on the server side
 +
 +=== VM2: OpenVPN server ===
 +
 +<code>
 +service openvpn stop
 +sysrc kld_list="if_ovpn"
 +kldload if_ovpn
 +echo "topology subnet" >> /usr/local/etc/openvpn/openvpn.conf
 +service openvpn start
 +</code>
 +
 +=== VM4: OpenVPN client ===
 +
 +<code>
 +service openvpn stop
 +sysrc kld_list="if_ovpn"
 +kldload if_ovpn
 +service openvpn start
 +</code>
 +
 +=== Testing ===
 +
 +Pinging VM5 from VM1:
 +<code>
 +root@VM1:~ # ping -c 2 10.0.45.5
 +PING 10.0.45.5 (10.0.45.5): 56 data bytes
 +64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=1.700 ms
 +64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=1.629 ms
 +
 +--- 10.0.45.5 ping statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/stddev = 1.629/1.665/1.700/0.035 ms
 +root@VM1:~ # ping -c 2 2001:db8:45::5
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 +16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=2.699 ms
 +16 bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=1.618 ms
 +
 +--- 2001:db8:45::5 ping6 statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 1.618/2.158/2.699/0.541 ms
 +
 +</code>
 +
 +OpenVPN log file on VM2 (error installing route are due to DCO restriction):
 +<code>
 +Oct  4 18:29:40 VM2 openvpn[89399]: OpenVPN 2.6_git [git:734de8f9aa2df56bcb45ebab7cfa799a23f36403] amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Oct  4 2022
 +Oct  4 18:29:40 VM2 openvpn[89399]: library versions: OpenSSL 1.1.1q-freebsd  5 Jul 2022, LZO 2.10
 +Oct  4 18:29:40 VM2 openvpn[89399]: WARNING: --keepalive option is missing from server config
 +Oct  4 18:29:40 VM2 openvpn[89399]: DCO device tun0 opened
 +Oct  4 18:29:40 VM2 openvpn[89399]: /sbin/ifconfig tun0 10.0.24.1 10.0.24.2 mtu 1500 netmask 255.255.255.0 up
 +Oct  4 18:29:40 VM2 openvpn[89399]: /sbin/ifconfig tun0 inet6 2001:db8:24::1/64 mtu 1500 up
 +Oct  4 18:29:41 VM2 openvpn[89399]: /sbin/ifconfig tun0 inet6 -ifdisabled
 +Oct  4 18:29:41 VM2 openvpn[89399]: add_route_ipv6(2001:db8:45::/64 -> 2001:db8:24::2 metric 200) dev tun0
 +Oct  4 18:29:41 VM2 openvpn[89399]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
 +Oct  4 18:29:41 VM2 openvpn[89399]: setsockopt(IPV6_V6ONLY=0)
 +Oct  4 18:29:41 VM2 openvpn[89399]: UDPv6 link local (bound): [AF_INET6][undef]:1194
 +Oct  4 18:29:41 VM2 openvpn[89399]: UDPv6 link remote: [AF_UNSPEC]
 +Oct  4 18:29:41 VM2 openvpn[89399]: NOTE: IPv4 pool size is 253, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool
 +Oct  4 18:29:41 VM2 openvpn[89399]: ifconfig_pool_read(), in='VM4,10.0.24.4,2001:db8:24::1002'
 +Oct  4 18:29:41 VM2 openvpn[89399]: succeeded -> ifconfig_pool_set(hand=2)
 +Oct  4 18:29:41 VM2 openvpn[89399]: Initialization Sequence Completed
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_VER=2.6_git
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_PLAT=freebsd
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_TCPNL=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_NCP=2
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_PROTO=94
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_LZO_STUB=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_COMP_STUB=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 peer info: IV_COMP_STUBv2=1
 +Oct  4 18:30:11 VM2 openvpn[89399]: 10.0.34.4:10468 [VM4] Peer Connection Initiated with [AF_INET6]::ffff:10.0.34.4:10468
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 MULTI_sva: pool returned IPv4=10.0.24.4, IPv6=2001:db8:24::1002
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 /sbin/route add -net 10.0.45.0/24 10.0.24.4 -fib 0
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 ERROR: FreeBSD route add command failed: external program exited with error status: 1
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 /sbin/route -6 add -net 2001:db8:45::/64 2001:db8:24::1002 -fib 0
 +Oct  4 18:30:11 VM2 openvpn[89399]: VM4/10.0.34.4:10468 ERROR: FreeBSD route add command failed: external program exited with error status: 1
 +</code>
 +
 +OpenVPN log file on VM4:
 +<code>
 +Oct  4 18:30:11 VM4 openvpn[86737]: OpenVPN 2.6_git [git:734de8f9aa2df56bcb45ebab7cfa799a23f36403] amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Oct  4 2022
 +Oct  4 18:30:11 VM4 openvpn[86737]: library versions: OpenSSL 1.1.1q-freebsd  5 Jul 2022, LZO 2.10
 +Oct  4 18:30:11 VM4 openvpn[86737]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
 +Oct  4 18:30:11 VM4 openvpn[86737]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.23.2:1194
 +Oct  4 18:30:11 VM4 openvpn[86737]: UDPv4 link local: (not bound)
 +Oct  4 18:30:11 VM4 openvpn[86737]: UDPv4 link remote: [AF_INET]10.0.23.2:1194
 +Oct  4 18:30:11 VM4 openvpn[86737]: [VM2] Peer Connection Initiated with [AF_INET]10.0.23.2:1194
 +Oct  4 18:30:11 VM4 openvpn[86737]: DCO device tun0 opened
 +Oct  4 18:30:11 VM4 openvpn[86737]: /sbin/ifconfig tun0 10.0.24.4 10.0.24.1 mtu 1500 netmask 255.255.255.0 up
 +Oct  4 18:30:11 VM4 openvpn[86737]: /sbin/ifconfig tun0 inet6 2001:db8:24::1002/64 mtu 1500 up
 +Oct  4 18:30:12 VM4 openvpn[86737]: /sbin/ifconfig tun0 inet6 -ifdisabled
 +Oct  4 18:30:12 VM4 openvpn[86737]: add_route_ipv6(2001:db8:12::/64 -> 2001:db8:24::1 metric 200) dev tun0
 +Oct  4 18:30:12 VM4 openvpn[86737]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
 +Oct  4 18:30:12 VM4 openvpn[86737]: Initialization Sequence Completed
 +</code>
 +
 +===== Wireguard =====
 +
 +On current (14.0) needs only wireguard-tools (kernel module included), on older (12 or 13) needs wireguard-kmod.
 +==== Key pairs generation on VM2 and VM4 ====
 +
 +The first step is to generate a couple of private and public keys on each wireguard endpoint.
 +
 +The standard way of generating keys is using this command:
 +
 +<code>
 +cd /usr/local/etc/wireguard
 +wg genkey > private
 +chmod 600 private
 +wg pubkey < private > public
 +</code>
 +
 +But on this example, we will use static keys as example.
 +==== Router 2 ====
 +
 +Write example-only static and public key, on real-life, used the one generated by wg.
 +
 +<code>
 +echo "oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38=" > /usr/local/etc/wireguard/private
 +echo "z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=" > /usr/local/etc/wireguard/public
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = oFsqDWpgtlma4Dy3YkPd918d3Nw9xdV9MBVn4YT1N38=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=
 +AllowedIPs = 10.0.45.0/24,2001:db8:45::/64
 +Endpoint = 10.0.34.4:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Router 4 ====
 +
 +Generate example-only router 4 wg keys, and declare 2 public key.
 +
 +<code>
 +echo "4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE=" > /usr/local/etc/wireguard/private
 +echo "o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=" > /usr/local/etc/wireguard/public
 +cat > /usr/local/etc/wireguard/wg0.conf <<EOF
 +[Interface]
 +PrivateKey = 4HRXmxN77CVb5VykdNX6mqkzCh2ycu4hfWfYHTvkLGE=
 +ListenPort = 51820
 +
 +[Peer]
 +PublicKey = z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=
 +AllowedIPs = 10.0.12.0/24,2001:db8:12::/64
 +Endpoint = 10.0.23.2:51820
 +EOF
 +
 +sysrc wireguard_interfaces=wg0
 +service wireguard enable
 +service wireguard start
 +</code>
 +
 +==== Testing ====
 +
 +Pinging VM5 from VM1:
 +
 +<code>
 +[root@VM1]~# ping -c2 10.0.45.5
 +PING 10.0.45.5 (10.0.45.5): 56 data bytes
 +64 bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms
 +64 bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms
 +
 +--- 10.0.45.5 ping statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/stddev = 0.783/1.459/2.135/0.676 ms
 +
 +[root@VM1]~# ping6 -c2 2001:db8:45::5
 +PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
 +16 bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.779 ms
 +16 bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.764 ms
 +
 +--- 2001:db8:45::5 ping6 statistics ---
 +2 packets transmitted, 2 packets received, 0.0% packet loss
 +round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
 +</code>
 +
 +Are we using the kernel module?
 +<code>
 +root@VM2:~ # kldstat -v -n if_wg.ko
 +Id Refs Address                Size Name
 +    1 0xffffffff82b17000    2e550 if_wg.ko (/boot/kernel/if_wg.ko)
 +        Contains modules:
 +                 Id Name
 +                473 wg
 +</code>
 +
 +Displaying wg status on VM2:
 +<code>
 +root@VM2:~ # ifconfig wg0
 +wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
 +        options=80000<LINKSTATE>
 +        groups: wg
 +        nd6 options=101<PERFORMNUD,NO_DAD>
 +root@VM2:~ # netstat -rn | grep "Dest\|wg0"
 +Destination        Gateway            Flags     Netif Expire
 +10.0.45.0/24       link#            US          wg0
 +Destination                       Gateway                       Flags     Netif Expire
 +2001:db8:45::/64                  link#                       US          wg0
 +root@VM2:~ # wg show
 +interface: wg0
 +  public key: z9wBhxr/K405uQeYnCoGRi6VGWu/QAhym7JgH1BguxE=
 +  private key: (hidden)
 +  listening port: 51820
 +
 +peer: o267Qf43WlVTawLq/8nrET4GQKijrjWFKiux9iNLv04=
 +  endpoint: 10.0.34.4:51820
 +  allowed ips: 2001:db8:45::/64, 10.0.45.0/24
 +  latest handshake: 32 seconds ago
 +  transfer: 356 B received, 436 B sent
 </code> </code>
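Review bot: in the Router 2 and Router 4 blocks of the Wireguard section the private key is written to /usr/local/etc/wireguard/private with echo and repeated inline in wg0.conf, yet neither file gets the `chmod 600` that the key-generation example just above applies; add `chmod 600 /usr/local/etc/wireguard/private /usr/local/etc/wireguard/wg0.conf` after the cat heredoc (the `private` and `public` files are also never read afterwards, so either drop them or have the text say they are kept only for reference). Wording: "Generate example-only router 4 wg keys, and declare 2 public key" should read "declare VM2's public key", and "on real-life, used the one generated by wg" should be "in real life, use the ones generated by wg". In the DCO section, the VM2 log shows both `/sbin/route add` commands ending in "ERROR: FreeBSD route add command failed", and the lead-in "(error installing route are due to DCO restriction)" should state which restriction this is and that the ping test below it is what confirms the 10.0.45.0/24 and 2001:db8:45::/64 paths are nevertheless usable.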
documentation/examples/gre_ipsec_and_openvpn.1578848281.txt.gz · Last modified: 2020/01/12 17:58 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause