Last changed: August 14, 2003
Here is my first attempt to share the results of my experiments in establishing a secure tunnel between OpenBSD and a Cisco router. Any corrections, suggestions and questions are welcome to: osipAT[NOSPAM]mikunis.net (please remove [NOSPAM] from the address and replace AT with @)
Cisco 2600 router with 48 MB DRAM, 16 MB Flash, AIM-VPN card, IOS version 12.1(6) with the IPSec 3DES and Firewall Feature Set. It serves as the firewall/gateway for a medium-size branch office network. Any other Cisco router with IPSec features in IOS will presumably work.

An old 486 IBM PC with a 1 Mbit ADSL connection to the Internet. It runs the OpenBSD 2.9 release with IPFilter/NAT and serves as the firewall/gateway for a home network of several PCs. Any box running the OpenBSD 2.9 release with an Internet connection will presumably work.

The public network 150.150.150.0/23 is connected to the Ethernet interface of the Cisco router, which has the IP address 150.150.150.1. The Cisco is connected to the Internet through its serial interface. The private network 192.168.100.0/24 is connected to the internal interface of the OpenBSD box; the external interface of this box has the public address 80.80.80.80/28.
Changes to /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet.esp.enable=1
Changes to /etc/rc.conf:
ipfilter=YES
ipnat=YES
isakmpd_flags=""
Changes to /etc/ipnat.rules:
map ep0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ep0 192.168.100.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ep0 192.168.100.0/24 -> 0/32
Changes to /etc/ipf.rules:
# All outgoing traffic is allowed
# Incoming filters for IPSec: ISAKMP (UDP 500) and ESP from the Cisco loopback endpoint
pass in quick on ep0 proto udp from 150.150.250.1 to any port = isakmp
pass in quick on ep0 proto esp from 150.150.250.1 to any
# Passing encrypted traffic: packets decapsulated from the tunnel arrive on enc0
pass in quick on enc0
Changes to /etc/isakmpd/isakmpd.policy:
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:my_secret_password"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
Changes to /etc/isakmpd/isakmpd.conf:
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 80.80.80.80

[Phase 1]
150.150.250.1= ISAKMP-peer-east

[Phase 2]
Connections= IPsec-east-west

[ISAKMP-peer-east]
Phase= 1
Transport= udp
Local-address= 80.80.80.80
Address= 150.150.250.1
Configuration= Default-main-mode
Authentication= my_secret_password

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-east
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 150.150.150.0
Netmask= 255.255.254.0

# Main mode descriptions
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

# Main mode transforms
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
#AUTHENTICATION_METHOD= HMAC_MD5
GROUP_DESCRIPTION= MODP_768
Life= LIFE_3600_SECS

# Quick mode description
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-PFS-SUITE

# Quick mode protection suites
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS

[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF

[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF

# Quick mode transforms
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= LIFE_3600_SECS

[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_768
Life= LIFE_3600_SECS

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
# end
To check the working connections:
# netstat -rn -f encap
Routing tables

Encap:
Source            Port  Destination       Port  Proto  SA(Address/Proto/Type/Direction)
150.150.150/23    0     192.168.100/24    0     0      150.150.250.1/50/require/in
192.168.100/24    0     150.150.150/23    0     0      150.150.250.1/50/require/out
Changes to the Cisco router configuration:
! Create new policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
! define pre-shared key with peer
crypto isakmp key my_secret_password address 80.80.80.80
! define transforms
crypto ipsec transform-set msvpn esp-3des esp-md5-hmac
! define local IPSec endpoint
crypto map ToOBSD local-address Loopback0
! Define crypto map
crypto map ToOBSD 1 ipsec-isakmp
 set peer 80.80.80.80
 set transform-set msvpn
 set pfs group1
 match address 103
! Define loopback interface as an end-point
interface Loopback0
 ip address 150.150.250.1 255.255.255.255
 crypto map ToOBSD
! add incoming filters to pass IPSec traffic through incoming access list
permit udp host 80.80.80.80 host 150.150.250.1 eq isakmp
permit esp host 80.80.80.80 host 150.150.250.1
! define "interesting" traffic for encryption
access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255
! add routing for the remote private network
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 192.168.100.0 255.255.255.0 Loopback0
end
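The quick-mode selectors on both sides must mirror each other: isakmpd's Local-ID/Remote-ID subnets (Net-west, Net-east) against the Cisco "interesting traffic" access list 103, where an IOS wildcard mask such as 0.0.1.255 is the bitwise inverse of the netmask 255.255.254.0. A mismatch here is the classic reason Phase 1 reaches QM_IDLE while no ESP SA ever appears. The following script is an added example, not part of the original page; it parses a constructed excerpt of the isakmpd.conf above and the access-list line and checks that they mirror each other.

```python
"""Cross-check Phase 2 selectors: isakmpd.conf vs. a Cisco crypto ACL (added example)."""
import configparser
import ipaddress
import re

# Constructed excerpt of the isakmpd.conf on the page (only the sections needed here).
ISAKMPD_CONF = """
[IPsec-east-west]
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
Network= 192.168.100.0
Netmask= 255.255.255.0
[Net-east]
Network= 150.150.150.0
Netmask= 255.255.254.0
"""
CISCO_ACL = "access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255"


def isakmpd_selectors(text, connection="IPsec-east-west"):
    """Return (local, remote) networks named by a Phase 2 connection section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    nets = []
    for key in ("Local-ID", "Remote-ID"):
        sec = cp[cp[connection][key]]
        # strict=True rejects a Network whose host bits are set under its Netmask.
        nets.append(ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}", strict=True))
    return tuple(nets)


def cisco_acl_selectors(line):
    """Parse 'access-list N permit ip SRC WC DST WC' into (src, dst) networks."""
    m = re.fullmatch(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    nets = []
    for addr, wc in (m.group(1, 2), m.group(3, 4)):
        # An IOS wildcard is the bitwise inverse of a netmask (0.0.1.255 -> 255.255.254.0).
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc)))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
    return tuple(nets)


def selectors_mirror(conf_text, acl_line):
    """True when Cisco src/dst equal isakmpd's Remote-ID/Local-ID (selectors mirror)."""
    local, remote = isakmpd_selectors(conf_text)
    src, dst = cisco_acl_selectors(acl_line)
    return src == remote and dst == local
```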
To check the configuration and working connections:
# sh crypto isakmp pol
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               3600 seconds, no volume limit
# sh crypto isakmp sa
    dst             src             state          conn-id    slot
    150.150.250.1   80.80.80.80     QM_IDLE        6          0
# sh crypto ipsec sa
interface: Loopback0
    Crypto map tag: ToOBSD, local addr. 150.150.250.1
   local  ident (addr/mask/prot/port): (150.150.150.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer: 80.80.80.80
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8295, #pkts encrypt: 8295, #pkts digest 8295
    #pkts decaps: 5504, #pkts decrypt: 5504, #pkts verify 5504
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0
     local crypto endpt.: 150.150.250.1, remote crypto endpt.: 80.80.80.80
     path mtu 1514, media mtu 1514
     current outbound spi: 48C53C91
     inbound esp sas:
      spi: 0x8161F80(135667584)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2004, flow_id: 5, crypto map: ToOBSD
        sa timing: remaining key lifetime (k/sec): (4607989/628)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x48C53C91(1220885649)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2005, flow_id: 6, crypto map: ToOBSD
        sa timing: remaining key lifetime (k/sec): (4607987/628)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
# sh crypto map
Interfaces using crypto map ToOBSD:
Crypto Map: "ToOBSD" idb: Loopback0 local address: 150.150.250.1
Crypto Map "ToOBSD" 1 ipsec-isakmp
        Peer = 80.80.80.80
        Extended IP access list 103
            access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255
        Current peer: 80.80.80.80
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={ msvpn, openbsd, }
        Interfaces using crypto map ToOBSD:
                Loopback0