Mikhail P. wrote:
On Wednesday 22 September 2004 21:26, Julian Elischer wrote:
I use MPD using the "UDP" transport.
in other words packets get sent as udp packets.
I then set up IPSEC to encrypt the UDP packets..
when I had a NAT in the way I did further encapsulate the GRE packets in
UDP again :-)
Julian,
Thank you for your quick response.
Do you have any pointers on how to implement such setup to send traffic as UDP
in MPD?
Look under 'link commands' in the mpd docs.
Here are my (obfuscated) config files..
# cat mpd.conf
default:
    set login ConsoleLogin
    log -console
    load vpn-lax
    load vpn-chi

vpn_standard:
    set iface disable on-demand
    set iface idle 0
    set iface mtu 1500
    set ipcp yes vjcomp
    set bundle enable multilink
    # set bundle enable round-robin

tun_standard:
    set link yes acfcomp protocomp
    set link no pap
    set link no chap
    set link keep-alive 2 15
    set link mru 900
    set link mtu 900
    # set link bandwidth 1440000

############### per-link settings #################
vpn-lax:
    new -i ng0 vpn-lax lax-ISP-B lax-ISP-A
    set iface addrs 10.x.x.x 10.z.z.z
    set iface route 192.168.aa.0/24
    set ipcp ranges 10.x.x.x/32 10.z.z.z/32
    load vpn_standard
    link lax-ISP-B
    load tun_standard
    link lax-ISP-A
    load tun_standard
    open

vpn-chi:
    new -i ng1 vpn-chi chi-ISP-B chi-ISP-A
    set iface addrs 10.x.x.x 10.y.y.y
    set iface route 192.168.bb.0/24
    set ipcp ranges 10.x.x.x/32 10.y.y.y/32
    load vpn_standard
    link chi-ISP-B
    load tun_standard
    link chi-ISP-A
    load tun_standard
    open

# cat mpd.links
lax-ISP-B:
    set link type udp
    set udp self bb.bb.bb.bb 4029
    set udp peer aa.aa.aa.aa 4029

lax-ISP-A:
    set link type udp
    set udp self dd.dd.dd.dd 4029
    set udp peer cc.cc.cc.cc 4029

chi-ISP-B:
    set link type udp
    set udp self bb.bb.bb.bb 4028
    set udp peer ee.ee.ee.ee 4028

chi-ISP-A:
    set link type udp
    set udp self dd.dd.dd.dd 4028
    set udp peer ff.ff.ff.ff 4028
These are the config files for a machine on the internet that is connected to 2 other sites, in LA and Chicago for example.
Each site has a network behind it in the 192.168 range.
The links themselves are in the 10.xx.xx.xx range.
There are two LINKs for each bundle as we connect to the internet via 2 ISPs at each site and use MPD's bonding to provide failover and soft degradation.
Probably you don't have 2 ISPs..
In addition to this we have ipsec set up as follows:
# cat /etc/ipsec.conf
flush;
spdflush;
# LAX
spdadd aa.aa.aa.aa bb.bb.bb.bb any -P in ipsec esp/transport//require;
spdadd bb.bb.bb.bb aa.aa.aa.aa any -P out ipsec esp/transport//require;
spdadd cc.cc.cc.cc dd.dd.dd.dd any -P in ipsec esp/transport//require;
spdadd dd.dd.dd.dd cc.cc.cc.cc any -P out ipsec esp/transport//require;
# Chicago
spdadd bb.bb.bb.bb ee.ee.ee.ee any -P out ipsec esp/transport//require;
spdadd ee.ee.ee.ee bb.bb.bb.bb any -P in ipsec esp/transport//require;
spdadd dd.dd.dd.dd ff.ff.ff.ff any -P out ipsec esp/transport//require;
spdadd ff.ff.ff.ff dd.dd.dd.dd any -P in ipsec esp/transport//require;
And we run racoon for key serving..
This is the simplest config file we sometimes use
(when we have just pre-shared secrets to start off the sequence);
normally we use certs but it gets trickier..
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
log notify;

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    isakmp bb.bb.bb.bb [500];
    isakmp dd.dd.dd.dd [500];
    strict_address;         # required all addresses must be bound.
}

timer
{
    # These values can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    nonce_size 16;
    lifetime time 10 min;   # sec,min,hour
    initial_contact on;
    support_mip6 off;
    proposal_check obey;    # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 10 min;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
Don't forget to set..
sysctl net.key.prefered_oldsa=0
I'll leave the firewalls and routing to you :-)
regards,
M.
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
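An added consistency check, not part of the post above nor of mpd or racoon: it parses an mpd.links file and an ipsec.conf in the formats shown and reports any UDP link whose self/peer address pair lacks a 'require' ESP transport-mode policy in both directions, the gap that would let PPP frames leave in the clear. The addresses and the deliberately missing Chicago inbound policy are constructed sample data.

```python
import re

# Constructed sample in the format of the mpd.links shown above (documentation addresses, not real ones).
MPD_LINKS = """\
lax-ISP-B:
 set link type udp
 set udp self 198.51.100.2 4029
 set udp peer 198.51.100.1 4029
chi-ISP-B:
 set link type udp
 set udp self 198.51.100.2 4028
 set udp peer 203.0.113.5 4028
"""
# Constructed ipsec.conf: the Chicago link's inbound policy is deliberately left out.
IPSEC_CONF = """\
flush;
spdflush;
spdadd 198.51.100.1 198.51.100.2 any -P in ipsec esp/transport//require;
spdadd 198.51.100.2 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.2 203.0.113.5 any -P out ipsec esp/transport//require;
"""
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/transport//require;")

def parse_links(text):
    """Return {name: (self_addr, peer_addr)} for each link declared with 'set link type udp'."""
    links, cur = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":"):                       # start of a new link section
            cur = links.setdefault(line[:-1], {})
        elif line.startswith("set link type"):
            cur["type"] = line.split()[3]
        elif line.startswith("set udp "):            # 'set udp self|peer ADDR PORT'
            cur[line.split()[2]] = line.split()[3]
    return {n: (c["self"], c["peer"]) for n, c in links.items() if c.get("type") == "udp"}

def parse_spd(text):
    """Return the set of (src, dst, direction) triples whose policy requires ESP in transport mode."""
    return {m.groups() for m in map(SPD_RE.match, text.splitlines()) if m}

def unprotected_links(links_text, ipsec_text):
    """List (link, direction) pairs where a UDP link has no matching 'require' ESP policy."""
    spd, gaps = parse_spd(ipsec_text), []
    for name, (me, peer) in parse_links(links_text).items():
        if (me, peer, "out") not in spd:
            gaps.append((name, "out"))
        if (peer, me, "in") not in spd:
            gaps.append((name, "in"))
    return sorted(gaps)
```

Running unprotected_links(MPD_LINKS, IPSEC_CONF) on the sample reports chi-ISP-B as missing its inbound policy; run it against real files before bringing a new link up.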