Howto:FreeBSD Roadwarrior IPSec


FreeBSD server

Requirements

  • FreeBSD 7+ system
  • FreeBSD sources up to date (use cvsup)
  • FreeBSD ports up to date (use cvsup)

Build your own custom kernel

You need to build a custom kernel that includes the IPSEC option and the crypto(4) device, plus IPSEC_NAT_T so that clients sitting behind a NAT can reach you over UDP/4500.

To NAT your VPN subnet out through the server's public address you will also need pf(4) or ipf(4).

--- /usr/src/sys/amd64/conf/GENERIC	2009-11-10 00:48:01.000000000 +0100
+++ /usr/src/sys/amd64/conf/MYKERNEL	2010-06-09 19:23:00.000000000 +0200
@@ -318,3 +319,15 @@
 device		fwip		# IP over FireWire (RFC 2734,3146)
 device		dcons		# Dumb console driver
 device		dcons_crom	# Configuration ROM for dcons
+options 	IPSEC
+options        IPSEC_NAT_T
+device		crypto
+options        IPSEC_FILTERTUNNEL
+device         pf
+device         pflog
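Review bot: patch(1) will reject this hunk as written because the header's line counts do not match the body: `@@ -318,3 +319,15 @@` announces 15 new-side lines, but the hunk holds three context lines and six additions (9 lines), and the new-side start of 319 against an old-side start of 318 implies an earlier hunk that is not shown. Regenerate it with `diff -u /usr/src/sys/amd64/conf/GENERIC /usr/src/sys/amd64/conf/MYKERNEL` against the GENERIC you actually copied. Minor: GENERIC separates keyword and value with a tab, while `options IPSEC_NAT_T`, `options IPSEC_FILTERTUNNEL`, `device pf` and `device pflog` use runs of spaces; config(8) does not care, but every future diff of MYKERNEL will carry that whitespace noise.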

Build and install your kernel:

cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL   # the previous kernel is kept as /boot/kernel.old
# Then reboot your system

Installing required ports

cd /usr/ports/security/ipsec-tools/
make config
 
 
──────────────────────────────────────────────────────────────────────
│ │[X] DEBUG      enable Debug support                             │ │
│ │[X] IPV6       enable IPV6 support                              │ │
│ │[X] ADMINPORT  enable Admin port                                │ │
│ │[ ] STATS      enable Statistics logging function               │ │
│ │[X] DPD        enable Dead Peer Detection                       │ │
│ │[X] NATT       enable NAT-Traversal (kernel-patch required)     │ │
│ │[X] NATTF      require NAT-Traversal (fail without kernel-patch)│ │
│ │[X] FRAG       enable IKE fragmentation payload support         │ │
│ │[X] HYBRID     enable Hybrid, Xauth and Mode-cfg support        │ │
│ │[X] PAM        enable PAM authentication (Xauth server)         │ │
│ │[X] RADIUS     enable Radius authentication (Xauth server)      │ │
│ │[X] LDAP       enable LDAP authentication (Xauth server)        │ │
│ │[ ] GSSAPI     enable GSS-API authentication                    │ │
│ │[ ] SAUNSPEC   enable Unspecified SA mode                       │ │
│ │[X] RC5        enable RC5 encryption (patented)                 │ │
│ │[ ] IDEA       enable IDEA encryption (patented)                │ │
──────────────────────────────────────────────────────────────────────
 
 
make all install clean

Build your own certificate authority


TODO
Use openssl not the openvpn tool


I use easy-rsa from the OpenVPN project for simplicity

cd /usr/ports/security/openvpn
make fetch extract
# easy-rsa 2.0 ships inside the OpenVPN distfile; copy it next to racoon's configuration
cp -r work/openvpn-2.1.1/easy-rsa/2.0/ /usr/local/etc/racoon/easy-rsa
make clean
cd /usr/local/etc/racoon/easy-rsa
vim vars                                   # set KEY_SIZE, KEY_COUNTRY, ... before sourcing
. ./vars
./build-ca                                 # CA key and certificate land in ./keys
./build-key-server myserver.mydomain.com   # server certificate; racoon presents this subject DN as its identity
./build-key-pkcs12 client1                 # client cert + key bundled as client1.p12 (prompts for an export passphrase)
cd keys
# racoon's verify_cert looks the CA up as <subject-hash>.0 inside "path certificate"
ln -s ca.crt `openssl x509 -noout -hash -in ca.crt`.0
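The TODO above asks for a plain openssl procedure instead of easy-rsa. The script below is an added example, not part of the original page or of the OpenVPN/ipsec-tools projects: it builds the same tree (CA, server certificate, client certificate bundled as PKCS#12, and the hash symlink racoon needs). The CA subject "IPSec Test CA", the 2048-bit key size, the two-year leaf lifetime, the helper names and the CLIENT_P12_PASS variable are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own procedure: the easy-rsa steps above done
# with plain openssl. Assumed: "IPSec Test CA" as CA subject, 2048-bit RSA keys,
# two-year leaf certificates, CLIENT_P12_PASS for the PKCS#12 export passphrase
# (all hypothetical names/values).
set -eu

# build_ca_tree DIR SERVER_FQDN CLIENT_NAME
# Runs in a subshell so cd and umask do not leak into the caller.
build_ca_tree() (
    dir=$1; server=$2; client=$3
    mkdir -p "$dir"; cd "$dir"
    umask 077    # every key file is created 0600

    # 1. Self-signed CA. racoon only needs ca.crt; keep ca.key off the VPN server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=IPSec Test CA" -keyout ca.key -out ca.crt 2>/dev/null

    # 2. Server certificate. With "my_identifier asn1dn" racoon sends this
    #    subject DN as its identity, so use the host's real name here.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$server" \
        -keyout "$server.key" -out "$server.csr" 2>/dev/null
    openssl x509 -req -in "$server.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 730 -out "$server.crt" 2>/dev/null

    # 3. Client certificate, then cert + key + CA bundled as PKCS#12 for the phone.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$client.key" -out "$client.csr" 2>/dev/null
    openssl x509 -req -in "$client.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 730 -out "$client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$client.crt" -inkey "$client.key" -certfile ca.crt \
        -name "$client" -out "$client.p12" -passout "pass:${CLIENT_P12_PASS:-changeit}"

    # 4. Subject-hash symlink: with "verify_cert on" racoon finds the CA as
    #    <hash>.0 inside "path certificate". The hash must come from the same
    #    OpenSSL generation racoon is linked against (-subject_hash_old for 0.9.x).
    ln -sf ca.crt "$(openssl x509 -noout -hash -in ca.crt).0"
    chmod 644 ca.crt "$server.crt" "$client.crt"    # certificates are public, keys stay 0600
    rm -f "$server.csr" "$client.csr"
)

# verify_tree DIR SERVER_FQDN CLIENT_NAME: succeed only if both leaves chain to ca.crt
verify_tree() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" "$1/$3.crt" >/dev/null
}

# key_is_private DIR NAME: the private key must not be group- or world-readable
key_is_private() {
    [ "$(stat -c %a "$1/$2.key" 2>/dev/null || stat -f %Lp "$1/$2.key")" = 600 ]
}

# Usage: build_ca_tree /usr/local/etc/racoon/certs myserver.mydomain.com client1
# then point "path certificate" in racoon.conf at that directory.
```

After running it, set `path certificate` in racoon.conf to the directory you chose and hand the client1.p12 file (plus its passphrase, by a separate channel) to the client.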

Configure IPSec

File: /etc/rc.conf

[--snipped--]
# IPSEC
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
 
# racoon
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
[--snipped--]

File: /usr/local/etc/racoon/setkey.conf

flush;
spdflush;

File: /usr/local/etc/racoon/motd

You are now connected to your IPSec VPN
 
Have fun!


TODO
Use another auth_source (e.g. ldap, radius)


File: /usr/local/etc/racoon/racoon.conf

# directory racoon searches for certificates, keys and the <hash>.0 CA symlink
path certificate "/usr/local/etc/racoon/easy-rsa/keys" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log info;
 
listen {
	isakmp MY.PUBLIC.IP.ADDRESS;
	# NAT-T listener: needs options IPSEC_NAT_T in the kernel and NATT in the port
	isakmp_natt MY.PUBLIC.IP.ADDRESS[4500];
}
 
timer
{
	counter 5;
	interval 20 sec;
	persend 1;
	phase1 30 sec;
	phase2 15 sec;
}
 
# "anonymous" matches any peer address, which is what road warriors need
remote anonymous
{
	exchange_mode main;
	my_identifier asn1dn;
	certificate_type x509 "myserver.mydomain.com.crt" "myserver.mydomain.com.key" ;
	# reject clients whose certificate does not chain to a CA found in "path certificate"
	verify_cert on;
	proposal_check strict;
	passive on;
	support_proxy on;
	# install SPD entries per client on the fly; their addresses are not known in advance
	generate_policy on;
	nonce_size 16;
	dpd_delay 20;
	dpd_retry 5;
	dpd_maxfail 5;
 
	proposal {
		# certificate plus XAuth: a valid client certificate AND a PAM login are required
		authentication_method xauth_rsa_server;
		encryption_algorithm aes;
		hash_algorithm sha1;
		dh_group 2; 
	}
}
 
sainfo anonymous
{
	pfs_group 2;
	lifetime time 10 hour;
	encryption_algorithm aes;
	# hmac_md5 is the weaker of the two; keep it only if a client cannot do SHA-1
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
}
 
mode_cfg {
	auth_source pam;
	save_passwd on;
	pool_size 254;
	network4 MY.IPV4.PRIVATE.FIRST_IP;  
	netmask4 MY.IPV4.PRIVATE.NETMASK;
	dns4 MY.IPV4.DNS.IP;
	default_domain "mydomain.com";
	banner "/usr/local/etc/racoon/motd";
	pfs_group 2;
}

Start services

/etc/rc.d/ipsec start
/usr/local/etc/rc.d/racoon start

NAT with OpenBSD Packet Filter

File: /etc/pf.conf

my_server="MY.PUBLIC.IP.ADDRESS"
 
# local
ipsec_lan="MY.IPV4.PRIVATE.IP/NETMASK"
 
if="your public interface"
 
set skip on lo
 
# NAT
nat on $if from $ipsec_lan to !$ipsec_lan -> $my_server
 
# default
pass out on $if from $my_server to any
# While this block rule stays commented out the ruleset is default-allow and the
# "pass in quick" rules below add nothing; uncomment it once the tunnel works.
#block in log on $if
 
# IPSEC lan
pass in on $if from any to $ipsec_lan
pass in on $if from $ipsec_lan to any
 
# Host machine
# -- ipsec --
pass in quick on $if proto esp from any to $my_server
pass in quick on $if proto ipencap from any to $my_server
pass in quick on $if proto udp from any to $my_server port isakmp
pass in quick on $if proto udp from any to $my_server port 4500
 
# -- ssh --
pass in quick on $if proto tcp from any to $my_server port ssh

Load the rules and enable PF (pfctl -n parses the file without loading it, if you want to check the syntax first):

pfctl -ef /etc/pf.conf

Clients


TODO
more client example
  • Linux / FreeBSD
  • MacOS 10.4+
  • Windows


iPhone

Send the client certificate to your iPhone

cd /usr/local/etc/racoon/easy-rsa/keys
# ca.crt is public; client1.p12 holds the client's private key and is protected only by its export passphrase
echo "See the attached certificate (CA + client)" | mutt -s "[IPSec] your client certificate" -a ca.crt -a client1.p12 email_configured@my_iphone.com

The PKCS#12 file is only as safe in transit as its export passphrase, so send that passphrase by another channel rather than in the same mail.

Add the authority and your client certificate to your iPhone

Open the email
Add ca.crt to your profiles
Add your certificate (client1.p12) to your profiles
Enter the passphrase to unlock the PKCS#12 file

Configure IPSec VPN

Choose "Add VPN Configuration"
Choose Cisco IPSec
Fill in the fields (server, account and password for XAuth)
Choose your certificate
You are connected!

Result (on a jailbroken device)

Image:Iphone_ipsec_terminal.PNG

tcpdump IPSec session trace

tcpdump -ni em0 esp or proto ipencap or port isakmp or port 4500
 
 
"isakmp: phase 1 negotiation"
   16:08:42.563374 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 1 I ident
   16:08:42.563879 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 1 R ident
   16:08:42.864193 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 1 I ident
   16:08:42.866900 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 1 R ident
   16:08:43.539778 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 1 I ident[E]
   16:08:43.542770 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 1 R ident[E]
"isakmp: phase 2 negotiation"
   16:08:43.542887 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R #6[E]
   16:08:43.770144 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 2/others I inf[E]
   16:08:50.909337 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 2/others I #6[E]
   16:08:50.911952 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R #6[E]
   16:08:50.994277 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 2/others I #6[E]
   16:08:51.003271 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 2/others I #6[E]
   16:08:51.003501 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R #6[E]
   16:08:51.753824 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 2/others I oakley-quick[E]
   16:08:51.756807 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R oakley-quick[E]
   16:08:51.842770 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 2/others I oakley-quick[E]
"ESP tunnel now open"
   16:08:53.647175 IP client.ip.address > server.ip.address: ESP(spi=0x06c54037,seq=0x1), length 100
   16:08:53.734128 IP client.ip.address > server.ip.address: ESP(spi=0x06c54037,seq=0x2), length 116
   16:08:53.789620 IP server.ip.address > client.ip.address: ESP(spi=0x02877804,seq=0x1), length 388
   16:08:53.801138 IP server.ip.address > client.ip.address: ESP(spi=0x02877804,seq=0x2), length 324
   16:09:03.847168 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R inf[E]
[....]
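When a client "connects" but nothing flows, the quickest triage is to ask the trace the questions a human asks of the listing above: did phase 1 complete, did quick mode run, did IKE move to UDP/4500 (NAT-T), and is there an ESP SPI in each direction. The script below is an added example, not part of the original page or of ipsec-tools: it reads tcpdump lines of the format shown above and summarizes them. SAMPLE_TRACE is constructed from that format with placeholder hostnames and SPIs, and ike_summary / tunnel_up are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of the original page: summarize a tcpdump trace of a
# racoon/IKEv1 session (format as in the listing above) and decide whether the
# ESP tunnel actually came up. SAMPLE_TRACE is constructed test input with
# placeholder names and SPIs; ike_summary and tunnel_up are hypothetical names.

SAMPLE_TRACE='16:08:42.563374 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 1 I ident
16:08:42.563879 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 1 R ident
16:08:43.539778 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 1 I ident[E]
16:08:43.542770 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 1 R ident[E]
16:08:43.542887 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R #6[E]
16:08:51.753824 IP client.ip.address.500 > server.ip.address.500: isakmp: phase 2/others I oakley-quick[E]
16:08:51.756807 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R oakley-quick[E]
16:08:53.647175 IP client.ip.address > server.ip.address: ESP(spi=0x06c54037,seq=0x1), length 100
16:08:53.789620 IP server.ip.address > client.ip.address: ESP(spi=0x02877804,seq=0x1), length 388
16:09:03.847168 IP server.ip.address.500 > client.ip.address.500: isakmp: phase 2/others R inf[E]'

# ike_summary: read tcpdump lines on stdin, print one "key=value" line per metric
# followed by one "sa <src> > <dst> spi=<spi>" line per ESP direction seen.
ike_summary() {
    awk '
    /isakmp: phase 1/            { p1++ }
    /isakmp: phase 2\/others/    { p2++ }
    /oakley-quick/               { quick++ }    # quick mode = the phase 2 (ESP SA) negotiation
    /isakmp:/ && $3 ~ /\.4500$/  { natt++ }     # IKE on UDP/4500 means NAT-T is in use
    /ESP\(spi=/ {
        src = $3; dst = $5; sub(/:$/, "", dst)  # "a > b:" -> a, b
        match($0, /spi=0x[0-9a-fA-F]+/)
        spi = substr($0, RSTART + 4, RLENGTH - 4)
        if (!(spi in seen)) { seen[spi] = 1; nspi++ }
        dir[src " > " dst] = spi                # one inbound and one outbound SA expected
    }
    END {
        ndir = 0; for (d in dir) ndir++
        printf "phase1=%d\nphase2=%d\nquick=%d\nnatt=%s\nesp_spis=%d\nesp_directions=%d\n",
               p1, p2, quick, (natt ? "yes" : "no"), nspi, ndir
        for (d in dir) printf "sa %s spi=%s\n", d, dir[d]
    }'
}

# summary_field KEY: print the value of one metric from a trace on stdin
summary_field() {
    ike_summary | sed -n "s/^$1=//p"
}

# tunnel_up: succeed only when ESP flows in both directions. ISAKMP traffic with
# no ESP afterwards usually means quick mode failed (proposal or policy mismatch).
tunnel_up() {
    [ "$(summary_field esp_directions)" = 2 ]
}

# Usage: tcpdump -lni em0 esp or port isakmp or port 4500 | ike_summary
```

Run it on a live capture with tcpdump's -l (line-buffered) flag, or on a saved file with tcpdump -r; a trace that stops after the oakley-quick exchanges with esp_directions=0 points at the sainfo/proposal settings, not at the certificates.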

Linux

Requirements

  • install ipsec-tools from your package system

Get scripts from the sources

mkdir -p /etc/racoon/scripts
wget http://downloads.sourceforge.net/project/ipsec-tools/ipsec-tools/0.7.3/ipsec-tools-0.7.3.tar.gz
tar xzf ipsec-tools-0.7.3.tar.gz
cp ./ipsec-tools-0.7.3/src/racoon/samples/roadwarrior/client/phase1-up.sh /etc/racoon/scripts/
cp ./ipsec-tools-0.7.3/src/racoon/samples/roadwarrior/client/phase1-down.sh /etc/racoon/scripts/


Get certificate

mkdir -p /etc/racoon/certs
cd /etc/racoon/certs
# put your ca.crt, client.crt and client.key here


Configure racoon
