Keywords: openbsd, cisco, vpn, tunnel, ipsec
From: <osipAT[NOSPAM]mikunis.net>
Date: Mon, 2 Mar 2005 18:21:07 +0000 (UTC)
Subject: IPSec tunnel between OpenBSD and Cisco (eng)
Original: http://www.mikunis.net/vpn.html
Mini How-to: OpenBSD to Cisco VPN
Here is my first attempt to share the results of my experiments in
establishing a secure tunnel between OpenBSD and a Cisco router. Any
corrections, suggestions and questions are welcome at
osipAT[NOSPAM]mikunis.net (please remove [NOSPAM] from the address and
replace AT with @).
What is given
Cisco 2600 router with 48 MB DRAM, 16 MB Flash, AIM-VPN card, IOS
version 12.1(6) with the IPSec 3DES and Firewall Feature Set. It serves
as the firewall/gateway for a medium-sized branch office network. Any
other Cisco router with IPSec features in IOS will presumably work.
An old 486 IBM PC with a 1 Mbit ADSL connection to the Internet. It runs
the OpenBSD 2.9 release with IPFilter/NAT. It serves as the firewall/gateway
for a home network of several PCs. Any box running the OpenBSD 2.9
release with an Internet connection will presumably work.
The public network 150.150.150.0/23 is connected to the Ethernet interface
of the Cisco router, which has the IP address 150.150.150.1. The Cisco is
connected to the Internet through its serial interface. The private
network 192.168.100.0/24 is connected to the internal interface of the
OpenBSD box. The external interface of this box has the public address
80.80.80.80/28.
Configurations
OpenBSD
Changes to /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet.esp.enable=1
Changes to /etc/rc.conf:
ipfilter=YES
ipnat=YES
isakmpd_flags=""
Changes to /etc/ipnat.rules:
map ep0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ep0 192.168.100.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ep0 192.168.100.0/24 -> 0/32
Changes to /etc/ipf.rules:
# All outgoing traffic is allowed
# Incoming filters for IPSec
pass in quick on ep0 proto udp from 150.150.250.1 to any port = isakmp
pass in quick on ep0 proto esp from 150.150.250.1 to any
# Passing encrypted traffic
pass in quick on enc0
Changes to /etc/isakmpd/isakmpd.policy:
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:my_secret_password"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
Changes to /etc/isakmpd/isakmpd.conf:
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 80.80.80.80
[Phase 1]
150.150.250.1= ISAKMP-peer-east
[Phase 2]
Connections= IPsec-east-west
[ISAKMP-peer-east]
Phase= 1
Transport= udp
Local-address= 80.80.80.80
Address= 150.150.250.1
Configuration= Default-main-mode
Authentication= my_secret_password
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-east
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 150.150.150.0
Netmask= 255.255.254.0
# Main mode descriptions
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
# Main mode transforms
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
#AUTHENTICATION_METHOD= HMAC_MD5
GROUP_DESCRIPTION= MODP_768
Life= LIFE_3600_SECS
# Quick mode description
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-PFS-SUITE
# Quick mode protection suites
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
# Quick mode transforms
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
Life= LIFE_3600_SECS
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_768
Life= LIFE_3600_SECS
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
# end
To check the working connections:
# netstat -rn -f encap
Routing tables
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
150.150.150/23 0 192.168.100/24 0 0 150.150.250.1/50/require/in
192.168.100/24 0 150.150.150/23 0 0 150.150.250.1/50/require/out
Cisco
! Create new policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
lifetime 3600
! define pre-shared key with peer
crypto isakmp key my_secret_password address 80.80.80.80
! define transforms
crypto ipsec transform-set msvpn esp-3des esp-md5-hmac
! define local IPSec endpoint
crypto map ToOBSD local-address Loopback0
! Define crypto map
crypto map ToOBSD 1 ipsec-isakmp
set peer 80.80.80.80
set transform-set msvpn
set pfs group1
match address 103
! Define loopback interface as an end-point
interface Loopback0
ip address 150.150.250.1 255.255.255.255
crypto map ToOBSD
! add incoming filters to pass IPSec traffic through incoming access list
permit udp host 80.80.80.80 host 150.150.250.1 eq isakmp
permit esp host 80.80.80.80 host 150.150.250.1
! define "interesting" traffic for encryption
access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255
! add routing for the remote private network
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 192.168.100.0 255.255.255.0 Loopback0
end
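The two configurations above only negotiate if every Phase 1 and Phase 2 parameter, the pre-shared key and the traffic selectors agree, and isakmpd and IOS spell the same things differently (3DES_CBC vs. 3des, MODP_768 vs. group1, a netmask vs. a wildcard mask). The following script is an added example, not part of the original how-to: it parses the isakmpd.conf sections that the negotiation actually follows (from [ISAKMP-peer-east] and [IPsec-east-west] down to the transforms) and the crypto-relevant Cisco lines, translates isakmpd's names into IOS's, converts the access-list wildcard into a prefix and reports every disagreement. The embedded configurations are copied from this page; the name mapping, the section names passed as defaults and the helper functions are this example's own. Because the IOS policy above has no `group` line, the check assumes the IOS default of group 1, which is what `sh crypto isakmp pol` reports further down.

```python
# Added example (not from the how-to): cross-check the isakmpd.conf and Cisco
# settings above so a Phase 1/Phase 2 or selector mismatch is found on paper.
import configparser
import ipaddress

# isakmpd.conf from the page, trimmed to the sections the negotiation follows
ISAKMPD_CONF = """\
[ISAKMP-peer-east]
Configuration= Default-main-mode
Authentication= my_secret_password
[IPsec-east-west]
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
Network= 192.168.100.0
Netmask= 255.255.255.0
[Net-east]
Network= 150.150.150.0
Netmask= 255.255.254.0
[Default-main-mode]
Transforms= 3DES-MD5
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_3600_SECS
[Default-quick-mode]
Suites= QM-ESP-3DES-MD5-PFS-SUITE
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-MD5-PFS]
Transforms= QM-ESP-3DES-MD5-PFS-XF
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_768
[LIFE_3600_SECS]
LIFE_DURATION= 3600,1800:7200
"""
CISCO_CONF = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key my_secret_password address 80.80.80.80
crypto ipsec transform-set msvpn esp-3des esp-md5-hmac
 set pfs group1
access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255
"""
# isakmpd keyword -> what IOS calls the same algorithm (the subset this page uses)
IOS_NAME = {"3DES_CBC": "3des", "MD5": "md5", "PRE_SHARED": "pre-share",
            "MODP_768": "group1", "3DES": "esp-3des", "HMAC_MD5": "esp-md5-hmac"}

def wildcard_net(addr, wildcard):
    """IOS wildcard mask (0.0.1.255) -> IPv4Network (150.150.150.0/23)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def parse_cisco(text):
    c = {"p1_group": "1"}  # IOS default when the isakmp policy has no "group" line
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] in ("encr", "hash", "authentication", "lifetime", "group"):
            c["p1_" + w[0]] = w[1]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            c["psk"] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["esp"] = tuple(w[4:])
        elif w[:2] == ["set", "pfs"]:
            c["pfs"] = w[2]
        elif w[0] == "access-list" and w[3:4] == ["ip"]:
            c["acl_src"], c["acl_dst"] = wildcard_net(*w[4:6]), wildcard_net(*w[6:8])
    return c

def compare(isakmpd_text, cisco_text, peer="ISAKMP-peer-east", conn="IPsec-east-west"):
    """Return the disagreements between the two sides; an empty list means they match."""
    ik = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    ik.optionxform = str  # ISAKMP tags are case-sensitive; do not lowercase keys
    ik.read_string(isakmpd_text)
    c = parse_cisco(cisco_text)
    p1 = ik[ik[ik[peer]["Configuration"]]["Transforms"]]  # main-mode transform
    suite = ik[ik[ik[conn]["Configuration"]]["Suites"]]
    p2 = ik[ik[suite["Protocols"]]["Transforms"]]  # the ESP transform actually proposed
    def net(sec):
        return ipaddress.IPv4Network(f"{ik[sec]['Network']}/{ik[sec]['Netmask']}")
    want = {
        "p1_encr": IOS_NAME[p1["ENCRYPTION_ALGORITHM"]],
        "p1_hash": IOS_NAME[p1["HASH_ALGORITHM"]],
        "p1_authentication": IOS_NAME[p1["AUTHENTICATION_METHOD"]],
        "p1_group": IOS_NAME[p1["GROUP_DESCRIPTION"]].removeprefix("group"),  # "group 1"
        "p1_lifetime": ik[p1["Life"]]["LIFE_DURATION"].split(",")[0],
        "psk": ik[peer]["Authentication"],
        "esp": (IOS_NAME[p2["TRANSFORM_ID"]], IOS_NAME[p2["AUTHENTICATION_ALGORITHM"]]),
        "pfs": IOS_NAME[p2["GROUP_DESCRIPTION"]],
        "acl_src": net(ik[conn]["Remote-ID"]),  # ACL 103 is written from the Cisco side
        "acl_dst": net(ik[conn]["Local-ID"]),
    }
    return [f"{k}: isakmpd {v} vs cisco {c.get(k)}" for k, v in want.items() if c.get(k) != v]
```

`compare(ISAKMPD_CONF, CISCO_CONF)` returns an empty list for the page's values; change `hash md5` to `hash sha` or the wildcard `0.0.1.255` to `0.0.0.255` on the Cisco side and the script names the parameter and both values, which is quicker than reading isakmpd's negotiation log after the fact.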
To check the configuration and working connections:
# sh crypto isakmp pol
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 3600 seconds, no volume limit
# sh crypto isakmp sa
dst src state conn-id slot
150.150.250.1 80.80.80.80 QM_IDLE 6 0
# sh crypto ipsec sa
interface: Loopback0
Crypto map tag: ToOBSD, local addr. 150.150.250.1
local ident (addr/mask/prot/port): (150.150.150.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 80.80.80.80
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8295, #pkts encrypt: 8295, #pkts digest 8295
#pkts decaps: 5504, #pkts decrypt: 5504, #pkts verify 5504
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 9, #recv errors 0
local crypto endpt.: 150.150.250.1, remote crypto endpt.: 80.80.80.80
path mtu 1514, media mtu 1514
current outbound spi: 48C53C91
inbound esp sas:
spi: 0x8161F80(135667584)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 5, crypto map: ToOBSD
sa timing: remaining key lifetime (k/sec): (4607989/628)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x48C53C91(1220885649)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 6, crypto map: ToOBSD
sa timing: remaining key lifetime (k/sec): (4607987/628)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
# sh crypto map
Interfaces using crypto map ToOBSD:
Crypto Map: "ToOBSD" idb: Loopback0 local address: 150.150.250.1
Crypto Map "ToOBSD" 1 ipsec-isakmp
Peer = 80.80.80.80
Extended IP access list 103
access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255
Current peer: 80.80.80.80
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group1
Transform sets={ msvpn, openbsd, }
Interfaces using crypto map ToOBSD:
Loopback0
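The `sh crypto ipsec sa` output above is what one watches to see whether the tunnel is really carrying traffic in both directions, and the 9 send errors it reports are the kind of thing that is easy to miss by eye. The following script is an added example, not part of the original how-to: it parses the packet counters, error counters and SA lifetimes out of that output (an abridged copy of the page's output is embedded as the sample) and derives findings a monitoring job could alert on, namely one-way traffic, send or receive errors, a missing SA in either direction, or an SA close to the end of its 3600-second lifetime. The threshold, the finding texts and the function names are this example's choices.

```python
# Added example (not from the how-to): turn "sh crypto ipsec sa" output into
# health findings. The sample is the output shown on this page, abridged.
import re

SAMPLE = """\
interface: Loopback0
Crypto map tag: ToOBSD, local addr. 150.150.250.1
current_peer: 80.80.80.80
#pkts encaps: 8295, #pkts encrypt: 8295, #pkts digest 8295
#pkts decaps: 5504, #pkts decrypt: 5504, #pkts verify 5504
#send errors 9, #recv errors 0
current outbound spi: 48C53C91
inbound esp sas:
spi: 0x8161F80(135667584)
transform: esp-3des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4607989/628)
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x48C53C91(1220885649)
transform: esp-3des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4607987/628)
replay detection support: Y
"""

COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)|#(send|recv) errors (\d+)")
# one ESP SA block: direction, SPI, then the remaining (kbytes/seconds) lifetime
SA = re.compile(r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+).*?"
                r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", re.S)

def parse_ipsec_sa(text):
    """Return peer, packet/error counters and the per-direction ESP SA details."""
    s = {"peer": re.search(r"current_peer: (\S+)", text).group(1), "sas": {}}
    for m in COUNTER.finditer(text):
        if m.group(1):
            s[m.group(1)] = int(m.group(2))
        else:
            s[m.group(3) + "_errors"] = int(m.group(4))
    for direction, spi, kb, sec in SA.findall(text):
        s["sas"][direction] = {"spi": spi, "kb_left": int(kb), "sec_left": int(sec)}
    return s

def health(s, lifetime=3600, rekey_fraction=0.1):
    """Findings worth alerting on; an empty list is a healthy tunnel."""
    f = []
    if s["encaps"] and not s["decaps"]:
        f.append(f"one-way: {s['encaps']} packets sent to {s['peer']}, none received")
    if s["decaps"] and not s["encaps"]:
        f.append(f"one-way: packets arrive from {s['peer']} but none are sent")
    for k in ("send_errors", "recv_errors"):
        if s.get(k):
            f.append(f"{s[k]} {k.replace('_', ' ')} with peer {s['peer']}")
    for d in ("inbound", "outbound"):
        if d not in s["sas"]:
            f.append(f"no {d} ESP SA with {s['peer']}")
        elif s["sas"][d]["sec_left"] < lifetime * rekey_fraction:
            f.append(f"{d} SA {s['sas'][d]['spi']} expires in {s['sas'][d]['sec_left']}s")
    return f
```

On the page's output `health(parse_ipsec_sa(SAMPLE))` reports only the 9 send errors; a direction whose `esp sas:` heading is followed by nothing (as the `ah` and `pcp` headings are here) is reported as a missing SA, which is what an incomplete negotiation looks like in this output.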