User Tools

Site Tools


documentation:examples:strongswan_ipsec_mediation_feature

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

documentation:examples:strongswan_ipsec_mediation_feature [2017/07/03 14:43] (current)
Line 1: Line 1:
 +====== Strongswan IPSec mediation feature (NAT hole punching) ======
 +{{description>IPSec tunnel between devices both behind NAT gateways}}
 +This lab shows an interesting feature of Strongswan: IPSec tunnel between devices, both behind NAT gateways.
 +
 +===== Presentation =====
 +
 +==== Network diagram ====
 +
 +Lab build following [[documentation:examples:How to build a BSDRP router lab]]: 7 routers with full-meshed link and one shared LAN.
 +
 +Here is the logical and physical view:
 +
 +{{:documentation:examples:strongswan-ipsec-mediation.png}}
 +
 +==== Setting-up the lab ====
 +
 +=== Downloading BSD Router Project images ===
 +
 +Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.
 +
 +=== Download Lab scripts ====
 +
 +More information on these BSDRP lab scripts available on [[documentation:examples:How to build a BSDRP router lab]].
 +
 +Start the lab with full-meshed 7 routers and one shared LAN, on this example using bhyve lab script on FreeBSD:
 +
 +<code>
 +[root@FreeBSD]~# BSDRP-lab-bhyve.sh -i BSDRP-1.903-full-amd64-serial.img.xz -n 7 -l 1
 +
 +VM 1 have the following NIC:
 +- vtnet0 connected to VM 2
 +- vtnet1 connected to VM 3
 +- vtnet2 connected to VM 4
 +- vtnet3 connected to VM 5
 +- vtnet4 connected to VM 6
 +- vtnet5 connected to VM 7
 +- vtnet6 connected to LAN number 1
 +VM 2 have the following NIC:
 +- vtnet0 connected to VM 1
 +- vtnet1 connected to VM 3
 +- vtnet2 connected to VM 4
 +- vtnet3 connected to VM 5
 +- vtnet4 connected to VM 6
 +- vtnet5 connected to VM 7
 +- vtnet6 connected to LAN number 1
 +VM 3 have the following NIC:
 +- vtnet0 connected to VM 1
 +- vtnet1 connected to VM 2
 +- vtnet2 connected to VM 4
 +- vtnet3 connected to VM 5
 +- vtnet4 connected to VM 6
 +- vtnet5 connected to VM 7
 +- vtnet6 connected to LAN number 1
 +VM 4 have the following NIC:
 +- vtnet0 connected to VM 1
 +- vtnet1 connected to VM 2
 +- vtnet2 connected to VM 3
 +- vtnet3 connected to VM 5
 +- vtnet4 connected to VM 6
 +- vtnet5 connected to VM 7
 +- vtnet6 connected to LAN number 1
 +VM 5 have the following NIC:
 +- vtnet0 connected to VM 1
 +- vtnet1 connected to VM 2
 +- vtnet2 connected to VM 3
 +- vtnet3 connected to VM 4
 +- vtnet4 connected to VM 6
 +- vtnet5 connected to VM 7
 +- vtnet6 connected to LAN number 1
 +VM 6 have the following NIC:
 +- vtnet0 connected to VM 1
 +- vtnet1 connected to VM 2
 +- vtnet2 connected to VM 3
 +- vtnet3 connected to VM 4
 +- vtnet4 connected to VM 5
 +- vtnet5 connected to VM 7
 +- vtnet6 connected to LAN number 1
 +VM 7 have the following NIC:
 +- vtnet0 connected to VM 1
 +- vtnet1 connected to VM 2
 +- vtnet2 connected to VM 3
 +- vtnet3 connected to VM 4
 +- vtnet4 connected to VM 5
 +- vtnet5 connected to VM 6
 +- vtnet6 connected to LAN number 1
 +For connecting to VM'serial console, you can use:
 +- VM 1 : cu -l /dev/nmdm1B
 +- VM 2 : cu -l /dev/nmdm2B
 +- VM 3 : cu -l /dev/nmdm3B
 +- VM 4 : cu -l /dev/nmdm4B
 +- VM 5 : cu -l /dev/nmdm5B
 +- VM 6 : cu -l /dev/nmdm6B
 +- VM 7 : cu -l /dev/nmdm7B
 +</code>
 +===== Configuration =====
 +
 +Router 1 and Router 7 as a simple workstation, Router 2 and 6 as IPSec gateway, Router 4 as IPSec mediation, Router 4 and 5 as NAT gateway.
 +
 +==== Router 1: Workstation ====
 +
 +Router 1 is configured as a simple workstation.
 +
 +<code>
 +sysrc hostname=R1
 +sysrc gateway_enable=NO
 +sysrc ipv6_gateway_enable=NO
 +sysrc ifconfig_vtnet0="inet 192.168.1.1/24"
 +sysrc defaultrouter="192.168.1.2"
 +service hostname restart
 +service netif restart
 +service routing restart
 +config save
 +</code>
 +==== Router 2: IPSec gateway ====
 +
 +Router 2 is an IPSec gateway behind a NAT gateway that need to be directly reachable from Router 6 (then need to use a mediation server).
 +
 +Enable debug mode for IKEv2 into file /var/log/charon.log.
 +
 +<code>
 +sysrc hostname=R2
 +sysrc ifconfig_vtnet0="inet 192.168.1.2/24"
 +sysrc ifconfig_vtnet1="inet 10.0.0.2/24"
 +sysrc defaultrouter=10.0.0.3
 +sysrc strongswan_enable="yes"
 +service hostname restart
 +service netif restart
 +service routing restart
 +
 +cat > /usr/local/etc/ipsec.conf <<'EOF'
 +conn %default
 +        ikelifetime=60m
 +        keylife=20m
 +        rekeymargin=3m
 +        keyingtries=1
 +        authby=secret
 +        keyexchange=ikev2
 +        dpdaction=restart
 +        dpddelay=60s
 +        left=%defaultroute
 +
 +conn medsrv
 +        leftid=r2@medsrv.org
 +        leftauth=psk
 +        right=2.2.2.4
 +        rightid=r4@medsrv.org
 +        rightauth=psk
 +        mediation=yes
 +        auto=add
 +
 +conn peer
 +        leftsubnet=192.168.1.0/24
 +        leftid=r2@bsdrp.net
 +        right=%any
 +        rightid=r6@bsdrp.net
 +        rightsubnet=192.168.7.0/24
 +        mediated_by=medsrv
 +        me_peerid=r6@medsrv.org
 +        auto=start
 +'EOF'
 +
 +cat > /usr/local/etc/ipsec.secrets <<'EOF'
 +r2@medsrv.org : PSK "MediaServerPassword"
 +r2@bsdrp.net r6@bsdrp.net : PSK "IPsecPassword"
 +'EOF'
 +
 +cat > /usr/local/etc/strongswan.d/charon-logging.conf <<'EOF'
 +charon {
 +  filelog {
 +    /var/log/charon.log {
 +      default = 2
 +    }
 +  }
 +}
 +'EOF'
 +service strongswan start
 +config save
 +</code>
 +==== Router 3: NAT gateway ====
 +
 +Router 3 is configured as a NAT gateway (pf with NAT using static-port option).
 +
 +Option static-port is important with pf: Without this option, NAT UDP hole will not work.
 +
 +<code>
 +sysrc hostname=R3
 +sysrc ifconfig_vtnet1="inet 10.0.0.3/24"
 +sysrc ifconfig_vtnet6="inet 2.2.2.3/24"
 +sysrc pf_enable="YES"
 +service hostname restart
 +service netif restart
 +service routing restart
 +
 +cat > /etc/pf.conf <<'EOF'
 +ext_if = "vtnet6"
 +int_if = "vtnet1"
 +localnet = $int_if:network
 +nat on $ext_if from $localnet to any -> ($ext_if) static-port
 +pass from { lo0, $localnet } to any keep state
 +'EOF'
 +
 +service pf start
 +config save
 +</code>
 +==== Router 4: IPSec mediation server ====
 +
 +Router 4 is an IPSec mediation server (and debug log enabled).
 +
 +<code>
 +sysrc hostname=R4
 +sysrc ifconfig_vtnet6="inet 2.2.2.4/24"
 +sysrc strongswan_enable="yes"
 +service hostname restart
 +service netif restart
 +service routing restart
 +
 +cat > /usr/local/etc/ipsec.conf <<'EOF'
 +config setup
 +
 +conn %default
 +        ikelifetime=60m
 +        keylife=20m
 +        rekeymargin=3m
 +        keyingtries=1
 +        authby=secret
 +        keyexchange=ikev2
 +        mobike=no
 +        dpdaction=clear
 +        dpddelay=60s
 +
 +conn medsrv
 +        left=2.2.2.4
 +        leftid=r4@medsrv.org
 +        leftauth=psk
 +        right=%any
 +        rightauth=psk
 +        mediation=yes
 +        auto=add
 +'EOF'
 +
 +cat > /usr/local/etc/ipsec.secrets <<'EOF'
 +r2@medsrv.org : PSK "MediaServerPassword"
 +r6@medsrv.org : PSK "MediaServerPassword"
 +'EOF'
 +
 +cat > /usr/local/etc/strongswan.d/charon-logging.conf <<'EOF'
 +charon {
 +  filelog {
 +    /var/log/charon.log {
 +      default = 2
 +    }
 +  }
 +}
 +'EOF'
 +
 +service strongswan start
 +config save
 +</code>
 +==== Router 5: NAT gateway ====
 +
 +Router 5 has the same workstation mode configuration as R3.
 +
 +<code>
 +sysrc hostname=R5
 +sysrc ifconfig_vtnet6="inet 2.2.2.5/24"
 +sysrc ifconfig_vtnet4="inet 10.0.0.5/24"
 +sysrc pf_enable="YES"
 +
 +cat > /etc/pf.conf <<'EOF'
 +ext_if = "vtnet6"
 +int_if = "vtnet4"
 +localnet = $int_if:network
 +# ext_if IP address could be dynamic, hence ($ext_if)
 +nat on $ext_if from $localnet to any -> ($ext_if) static-port
 +pass from { lo0, $localnet } to any keep state
 +'EOF'
 +
 +hostname R5
 +service netif restart
 +service routing restart
 +service pf start
 +config save
 +</code>
 +==== Router 6: IPSec gateway ====
 +
 +Router 6 is like R2, an IPSec gateway using a mediation server (and debug log enabled).
 +
 +<code>
 +sysrc hostname=R6
 +sysrc defaultrouter="10.0.0.5"
 +sysrc ifconfig_vtnet5="inet 192.168.7.6/24"
 +sysrc ifconfig_vtnet4="inet 10.0.0.6/24"
 +sysrc strongswan_enable="yes"
 +service hostname restart
 +service netif restart
 +service routing restart
 +
 +cat > /usr/local/etc/ipsec.conf <<'EOF'
 +conn %default
 +        ikelifetime=60m
 +        keylife=20m
 +        rekeymargin=3m
 +        keyingtries=1
 +        authby=secret
 +        keyexchange=ikev2
 +        dpdaction=restart
 +        dpddelay=60s
 +        left=%defaultroute
 +
 +conn medsrv
 +        leftid=r6@medsrv.org
 +        leftauth=psk
 +        right=2.2.2.4
 +        rightid=r4@medsrv.org
 +        rightauth=psk
 +        mediation=yes
 +        auto=add
 +
 +conn peer
 +        leftsubnet=192.168.7.0/24
 +        leftid=r6@bsdrp.net
 +        right=%any
 +        rightid=r2@bsdrp.net
 +        rightsubnet=192.168.1.0/24
 +        mediated_by=medsrv
 +        me_peerid=r2@medsrv.org
 +        auto=start
 +'EOF'
 +
 +cat > /usr/local/etc/ipsec.secrets <<'EOF'
 +r6@medsrv.org : PSK "MediaServerPassword"
 +r2@bsdrp.net r6@bsdrp.net : PSK "IPsecPassword"
 +'EOF'
 +
 +cat > /usr/local/etc/strongswan.d/charon-logging.conf <<'EOF'
 +charon {
 +  filelog {
 +    /var/log/charon.log {
 +      default = 2
 +    }
 +  }
 +}
 +'EOF'
 +
 +service strongswan start
 +config save
 +</code>
 +
 +==== Router 7: Workstation ====
 +
 +Router 7 is, like R1, configured as a simple workstation.
 +
 +<code>
 +sysrc hostname=R7
 +sysrc gateway_enable=NO
 +sysrc ipv6_gateway_enable=NO
 +sysrc ifconfig_vtnet5="inet 192.168.7.7/24"
 +sysrc defaultrouter="192.168.7.6"
 +sysrc ifconfig_vtnet5="inet 192.168.7.7/24"
 +service hostname restart
 +service netif restart
 +service routing restart
 +config save
 +</code>
 +
 +===== Testing =====
 +
 +Status of IPSec tunnel:
 +
 +<code>
 +[root@R2]~# ipsec statusall
 +Status of IKE charon daemon (strongSwan 5.5.1, FreeBSD 12.0-CURRENT, amd64):
 +  uptime: 4 minutes, since Apr 28 00:13:06 2017
 +  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
 +  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl f$
 +ps-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-gener$
 +c whitelist addrblock
 +Listening IP addresses:
 +  192.168.1.2
 +  10.0.0.2
 +Connections:
 +      medsrv:  %any...2.2.2.4  IKEv2, dpddelay=60s
 +      medsrv:   local:  [r2@medsrv.org] uses pre-shared key authentication
 +      medsrv:   remote: [r4@medsrv.org] uses pre-shared key authentication
 +      medsrv:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
 +        peer:  %any...%any  IKEv2, dpddelay=60s
 +        peer:   local:  [r2@bsdrp.net] uses pre-shared key authentication
 +        peer:   remote: [r6@bsdrp.net] uses pre-shared key authentication
 +        peer:   child:  192.168.1.0/24 === 192.168.7.0/24 TUNNEL, dpdaction=restart
 +Security Associations (2 up, 0 connecting):
 +        peer[3]: ESTABLISHED 4 minutes ago, 10.0.0.2[r2@bsdrp.net]...2.2.2.5[r6@bsdrp.net]
 +        peer[3]: IKEv2 SPIs: da048fcc6b5080bd_i 474b56c815483bcf_r*, pre-shared key reauthentication in 49 minutes
 +        peer[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
 +        peer{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cdec034c_i ced4f737_o
 +        peer{2}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 284s ago), 0 bytes_o (0 pkts, 284s ago), rekeying in 11 minutes
 +        peer{2}:   192.168.1.0/24 === 192.168.7.0/24
 +      medsrv[2]: ESTABLISHED 4 minutes ago, 10.0.0.2[r2@medsrv.org]...2.2.2.4[r4@medsrv.org]
 +      medsrv[2]: IKEv2 SPIs: f7878154750454f8_i* 2077002ffa7ceaf9_r, pre-shared key reauthentication in 46 minutes
 +      medsrv[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
 +</code>
 +
 +Ping:
 +<code>
 +[root@R1]~# ping -c 3 192.168.7.7
 +PING 192.168.7.7 (192.168.7.7): 56 data bytes
 +64 bytes from 192.168.7.7: icmp_seq=0 ttl=62 time=0.627 ms
 +64 bytes from 192.168.7.7: icmp_seq=1 ttl=62 time=0.457 ms
 +64 bytes from 192.168.7.7: icmp_seq=2 ttl=62 time=0.594 ms
 +
 +--- 192.168.7.7 ping statistics ---
 +3 packets transmitted, 3 packets received, 0.0% packet loss
 +round-trip min/avg/max/stddev = 0.457/0.559/0.627/0.074 ms
 +</code>
 +
 +===== Limitations =====
 +
 +This mediation service works only if the NAT gateways try to preserve source UDP ports: Removing option "static-port" on pf configuration as example prevent to use this feature.
 +
 +===== Testing others NAT engines =====
 +==== FreeBSD ipfw (libalias) ====
 +
 +Replacing pf nat by ipfw kernel-in-nat.
 +
 +R3 modification:
 +
 +<code>
 +sysrc pf_enable=no
 +sysrc firewall_enable=yes
 +sysrc firewall_nat_enable=yes
 +sysrc firewall_script="/etc/ipfw.rules"
 +
 +cat > /etc/ipfw.rules <<'EOF'
 +#!/bin/sh
 +fwcmd="/sbin/ipfw -q"
 +int_if="vtnet1"
 +ext_if="vtnet6"
 +${fwcmd} -f flush
 +${fwcmd} nat 1 config if ${ext_if} same_ports deny_in unreg_only reset
 +${fwcmd} add pass ip from any to any via lo0
 +${fwcmd} add pass ip from any to any via ${int_if}
 +${fwcmd} add nat 1 ip from any to any via ${ext_if}
 +'EOF'
 +service pf onestop
 +service ipfw start
 +</code>
 +
 +R5 modification:
 +
 +<code>
 +sysrc pf_enable=no
 +sysrc firewall_enable=yes
 +sysrc firewall_nat_enable=yes
 +sysrc firewall_script="/etc/ipfw.rules"
 +
 +cat > /etc/ipfw.rules <<'EOF'
 +#!/bin/sh
 +fwcmd="/sbin/ipfw -q"
 +int_if="vtnet4"
 +ext_if="vtnet6"
 +${fwcmd} -f flush
 +${fwcmd} nat 1 config if ${ext_if} same_ports unreg_only reset
 +${fwcmd} add pass ip from any to any via lo0
 +${fwcmd} add pass ip from any to any via ${int_if}
 +${fwcmd} add nat 1 ip from any to any via ${ext_if}
 +'EOF'
 +service pf onestop
 +service ipfw start
 +</code>
 +
 +ipfw is not able to display NAT session table, then we will check strongswan log on mediation server:
 +
 +<code>
 +[root@R4]~# tail -f /var/log/charon.log | grep ME_ENDPOINT
 +13[IKE] received HOST ME_ENDPOINT 192.168.1.2[4500]
 +13[IKE] received HOST ME_ENDPOINT 10.0.0.2[4500]
 +13[IKE] received SERVER_REFLEXIVE ME_ENDPOINT 2.2.2.3[4500]
 +13[IKE] received HOST ME_ENDPOINT 10.0.0.6[4500]
 +13[IKE] received HOST ME_ENDPOINT 192.168.7.6[4500]
 +13[IKE] received SERVER_REFLEXIVE ME_ENDPOINT 2.2.2.5[4500]
 +</code>
 +
 +All peers reach to connect to mediation server using their original UDP source port 4500: ipfw seems to correctly keep original source port.
 +
 +But IPSec tunnel is down:
 +
 +<code>
 +[root@R2]~# ipsec status peer
 +Security Associations (2 up, 0 connecting):
 +        peer[1]: CREATED, %any[%any]...%any[%any]
 +</code>
 +
 +Checking with tcpdump on one Internet interface:
 +
 +<code>
 +[root@R3]~# tcpdump -pni vtnet6 host 2.2.2.5 and not icmp
 +tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 +listening on vtnet6, link-type EN10MB (Ethernet), capture size 262144 bytes
 +21:37:23.724744 IP 2.2.2.3.59172 > 2.2.2.5.4500: NONESP-encap: isakmp: child_sa  inf2[I]
 +21:37:23.749477 IP 2.2.2.5.4500 > 2.2.2.3.4500: NONESP-encap: isakmp: child_sa  inf2[I]
 +21:37:23.775475 IP 2.2.2.5.4500 > 2.2.2.3.4500: NONESP-encap: isakmp: child_sa  inf2[I]
 +21:37:23.821481 IP 2.2.2.5.4500 > 2.2.2.3.4500: NONESP-encap: isakmp: child_sa  inf2[I]
 +</code>
 +
 +ipfw nat engine is correctly keeping source port for packet going from:
 +  * R6 to R4
 +  * R6 to R2
 +  * R2 to R4
 +But it change source port for packet going from R2 to R6, and this broke mediation feature.
 +<note>
 +There is a problem here: ipfw didn't reach to keept the "same_ports" because. The only cause it's because it's already used, but by what???
 +</note>
 +
 +Digging further we found that Strongswan is generating IPSec packets using all addresses configured on R2, and the first try is using the :
 +  - The first packet generated by Strongswan is using source IP 192.168.1.2/24 (first interface, vtnet0), then consume on R3 the first NAT entry (R2, source port 4500 toward R6, destination port 4500)
 +  - The second packet generated by Strongswan is using source IP 10.0.0.2/24 (second interface, vnet1), then when R3 can't keept the same source port
 +
 +On R6, the first interface it tried is vtnet4 (with IP 10.0.0.6/24) before vtnet6 (192.168.7.6/24), then there is no problem of "already an entry into the NAT table".
 +
 +For fixing this problem we need to accept only local network address to ipfw configuration on R3 (same behavior as line "nat ... from $localnet" on pf configuration:
 +
 +<code>
 +cat > /etc/ipfw.rules <<'EOF'
 +#!/bin/sh
 +fwcmd="/sbin/ipfw -q"
 +int_if="vtnet1"
 +ext_if="vtnet6"
 +${fwcmd} -f flush
 +${fwcmd} nat 1 config if ${ext_if} same_ports deny_in reset
 +${fwcmd} add pass ip from any to any via lo0
 +${fwcmd} add pass ip from any to any via ${int_if}
 +${fwcmd} add nat 1 ip from 10.0.0.0/24 to any xmit ${ext_if}
 +${fwcmd} add nat 1 ip from any to any recv ${ext_if}
 +'EOF'
 +</code>
 +
 +And this fix this Strongswan bug:
 +<code>
 +[root@R2]~# ipsec status peer
 +Security Associations (2 up, 0 connecting):
 +        peer[1]: ESTABLISHED 61 seconds ago, 10.0.0.2[r2@bsdrp.net]...2.2.2.5[r6@bsdrp.net]
 +        peer{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c76f1a74_i c01aa5a4_o
 +        peer{1}:   192.168.1.0/24 === 192.168.7.0/24
 +</code>
 +==== Cisco IOS ====
 +
 +For this test:
 +  - we insert 2 new Cisco router (named C3 and C5, emulated by dynamips) in parrallel of existing R3 and R5.
 +  - We modify R2 and R6 to uses the new C3 and C5 as default gateway
 +
 +Example if we are using the bhyve lab script (then on a FreeBSD hypervisor).
 +
 +First, need to found bridge interface used for the shared LAN (Internet):
 +<code>
 +# ifconfig -a | egrep -B 1 'LAN_1$'
 +bridge6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 +        description: LAN_1
 +</code>
 +=> We need to create 2 new TAP interfaces and add them it to this bridge6: They will be used on C3 and C5 as "Internet facing" interface
 +
 +Second, need to found LAN between R2 and R3. BSDRP lab script policy uses descrition name with "MESH_lower-router-id - higher-router-id". Then we need to found bridge with description "MESH_2-3":
 +<code>
 +# ifconfig -a | grep -B 1 'MESH_2-3$'
 +bridge7: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 +        description: MESH_2-3
 +</code>
 +=> We need to create a new TAP interface and add it to bridge7: It will be used on C3 as "Internal" interface.
 +
 +And same for R5-R6 bridge:
 +<code>
 +# ifconfig -a | grep -B 1 'MESH_5-6$'
 +bridge19: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 +        description: MESH_5-6
 +</code>
 +=> We need to create the last TAP interface and add it to bridge19: It will be used on C5 as "Internal" interface.
 +
 +Once done we start 2 dynamips instance (version 0.2.16 minimum for a working tap interface) emulating Cisco 3725 routers. Start dynamips on different tmux console.
 +
 +<code>
 +set C3_INT=`ifconfig tap create`
 +set C3_EXT=`ifconfig tap create`
 +set C5_INT=`ifconfig tap create`
 +set C5_EXT=`ifconfig tap create`
 +ifconfig bridge6 addm $C3_EXT
 +ifconfig bridge6 addm $C5_EXT
 +ifconfig bridge7 addm $C3_INT
 +ifconfig bridge19 addm $C3_INT
 +dynamips -P 3725 --idle-pc 0x602467a4 -r 256 -j -i 1 -s 0:0:tap:$C3_INT -s 0:1:tap:$C3_EXT c3725-adventerprisek9-mz.124-25d.bin
 +dynamips -P 3725 --idle-pc 0x602467a4 -r 256 -j -i 2 -s 0:0:tap:$C5_INT -s 0:1:tap:$C5_EXT c3725-adventerprisek9-mz.124-25d.bin
 +</code>
 +
 +Configuring dynamips instance 1 (C3):
 +
 +<code>
 +en
 +conf t
 +hostname C3
 +access-list 1 permit 10.0.0.0 0.0.0.255
 +ip nat inside source list 1 interface fastEthernet 0/1 overload
 +int fastEthernet 0/0
 + ip address 10.0.0.30 255.255.255.0
 + ip nat inside
 + no shutdown
 +int fastEthernet 0/1
 + ip address 2.2.2.30 255.255.255.0
 + ip nat outside
 + no shutdown
 +</code>
 +
 +Configuring dynamips instance 2 (C5):
 +
 +<code>
 +en
 +conf t
 +hostname C5
 +access-list 1 permit 10.0.0.0 0.0.0.255
 +ip nat inside source list 1 interface fastEthernet 0/1 overload
 +int fastEthernet 0/0
 + ip address 10.0.0.50 255.255.255.0
 + ip nat inside
 + no shutdown
 +int fastEthernet 0/1
 + ip address 2.2.2.50 255.255.255.0
 + ip nat outside
 + no shutdown
 +</code>
 +
 +Change R2 default route for using C3:
 +
 +<code>
 +service strongswan stop
 +sysrc defaultrouter="10.0.0.30"
 +service routing restart
 +service strongswan start
 +</code>
 +
 +Change R6 default route for using C5:
 +
 +<code>
 +service strongswan stop
 +sysrc defaultrouter="10.0.0.50"
 +service routing restart
 +service strongswan start
 +</code>
 +
 +And testing:
 +
 +<code>
 +[root@R2]~# ipsec status peer
 +Security Associations (3 up, 0 connecting):
 +        peer[3]: ESTABLISHED 40 seconds ago, 10.0.0.2[r2@bsdrp.net]...2.2.2.5[r6@bsdrp.net]
 +        peer{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cd81f3e1_i c209fd2f_o
 +        peer{2}:   192.168.1.0/24 === 192.168.7.0/24
 +        peer[1]: ESTABLISHED 40 seconds ago, 10.0.0.2[r2@bsdrp.net]...2.2.2.5[r6@bsdrp.net]
 +        peer{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cd43f0d6_i ccc64d56_o
 +        peer{1}:   192.168.1.0/24 === 192.168.7.0/24
 +</code>
 +
 +**It's working: The Cisco IOS nat engine try to preserve packet original source port.**
 +
 +And NAT translations table of C3 and C5 confirm it:
 +<code>
 +C3#sh ip nat translations
 +Pro Inside global      Inside local       Outside local      Outside global
 +udp 2.2.2.30:500       10.0.0.2:500       2.2.2.4:500        2.2.2.4:500
 +udp 2.2.2.30:4500      10.0.0.2:4500      2.2.2.4:4500       2.2.2.4:4500
 +udp 2.2.2.30:4500      10.0.0.2:4500      2.2.2.5:4500       2.2.2.5:4500
 +</code>
 +
 +<code>
 +C5#sh ip nat translations
 +Pro Inside global      Inside local       Outside local      Outside global
 +udp 2.2.2.50:500       10.0.0.6:500       2.2.2.4:500        2.2.2.4:500
 +udp 2.2.2.50:4500      10.0.0.6:4500      2.2.2.4:4500       2.2.2.4:4500
 +udp 2.2.2.50:4500      10.0.0.6:4500      2.2.2.30:4500      2.2.2.30:4500
 +</code>
  
documentation/examples/strongswan_ipsec_mediation_feature.txt · Last modified: 2017/07/03 14:43 (external edit)