divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb.git
Log | Files | Refs | README | LICENSE

ipsec.md (3823B)


      1 ### Securing services with IPsec tunnels
      2 
      3 This short document will get you started on how to configure simple
      4 IPsec tunnels between your remote hosts.  All peers need to run the
      5 key management daemon and have IPsec enabled and allowed through PF.
      6 
      7 /etc/rc.conf.local:
      8 
      9     isakmpd_flags="-K"
     10     ipsec=YES
     11 
     12 /etc/pf.conf:
     13 
     14     # Allow incoming IPsec traffic
     15     pass quick on egress proto {esp, ah}
     16     pass in quick on egress proto udp to port {isakmp, ipsec-nat-t}
     17 
     18 The next part shows how we run mail message submission and POP version 3
     19 services through IPsec tunnels.
     20 
     21 
     22 #### Server configuration
     23 
     24 /etc/ipsec.conf:
     25 
     26     peers="{hosta.example.org, hostb.example.org, hostc.example.org}"
     27     ike passive esp proto tcp from egress to $peers \
     28         port submission \
     29         psk "hackme"
     30     ike passive esp proto tcp from egress to $peers \
     31         port pop3 \
     32         psk "hackmemore"
     33 
     34 
     35 #### Client configuration
     36 
     37 /etc/ipsec.conf:
     38 
     39     peer=ipsec.example.org
     40     ike esp proto tcp from egress to $peer \
     41         port submission \
     42         psk "hackme"
     43     ike esp proto tcp from egress to $peer \
     44         port pop3 \
     45         psk "hackmemore"
     46 
     47 The isakmpd server uses UDP port 500 for key management; UDP port 4500
     48 is used for IPsec NAT features.  You should forward those ports on your
     49 router if needed.  The ports can be found with:
     50 
     51     $ grep ipsec /etc/services
     52     ipsec-nat-t     4500/tcp        ipsec-msft      # IPsec NAT-Traversal
     53     ipsec-nat-t     4500/udp        ipsec-msft      # IPsec NAT-Traversal
     54     $ grep isakmp /etc/services
     55     isakmp          500/udp                         # ISAKMP key management
     56 
     57 Furthermore, here is a little trick to bypass some nasty firewalls that
     58 block low ports.  This makes port 500 to effectively appear as port 5000
     59 to other peers.
     60 
     61 /etc/pf.conf:
     62 
     63     # Rewrite outgoing src port isakmp to src port 5000 and back
     64     pass out on egress proto udp from any port isakmp to any port isakmp \
     65         nat-to (egress) port 5000
     66 
     67 
     68 #### Testing the setup
     69 
     70 If all went OK, from a client you should see something like the following,
     71 when the server's IP address is 1.2.3.4 while the client's IP address is
     72 5.6.7.8.
     73 
     74     $ ipsecctl -s flow
     75     FLOWS:
     76     flow esp in proto tcp from 1.2.3.4 port pop3 to 5.6.7.8 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type use
     77     flow esp out proto tcp from 5.6.7.8 to 1.2.3.4 port pop3 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type require
     78     flow esp in proto tcp from 1.2.3.4 port submission to 5.6.7.8 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type use
     79     flow esp out proto tcp from 5.6.7.8 to 1.2.3.4 port submission peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type require
     80 
     81     $ route -n show -encap
     82     Routing tables
     83 
     84     Encap:
     85     Source      Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
     86     1.2.3.4/32   110   5.6.7.8/32      0      6     1.2.3.4/esp/use/in
     87     5.6.7.8/32     0   1.2.3.4/32    110      6     1.2.3.4/esp/require/out
     88     1.2.3.4/32   587   5.6.7.8/32      0      6     1.2.3.4/esp/use/in
     89     5.6.7.8/32     0   1.2.3.4/32    587      6     1.2.3.4/esp/require/out
     90 
     91     $ nc -v server.example.org 587
     92     Connection to server.example.org 587 port [tcp/submission] succeeded!
     93     $ nc -v server.example.org 110
     94     Connection to server.example.org 110 port [tcp/pop3] succeeded!
     95     +OK
     96 
     97 
     98 #### Notes
     99 
    100 There is no actual server and client in the protocol, however in this
    101 setup the server knows all other hosts, and they only know the server.
    102 The server is configured as passive while others start negotiation
    103 immediately.  The server needs to know all peers in order to correctly
    104 setup the Encap routes.  A config with `peers=any` will create a default
    105 route pointing to the peer negotiated last.  Such a setup is broken!
    106 
    107 That is certainly not all folks!
    108 
    109 Cheers!
    110 
    111 lostd@