question regarding IPSEC Setup

2009-07-13 Thread rascal
So I have a couple of questions regarding a scenario that has recently been
brought to me.  I have two sites, one with a cisco device and one with a
server running freebsd 7.2.  The client wants to connect the two sites using
these devices and I am told that the best way would be to establish an IPSEC
tunnel between the cisco device and the freebsd server.  The cisco is a
concentrator 3000 and the server is just a dell poweredge 860 with 4 nics in
the back running 7.2 freebsd.  I guess my two questions are:

1.  Has anyone done this before and what are their results?
2.  Is setting up an IPSEC tunnel the best route for this or is there
something else I should be looking at?
3.  Any tips/tricks/good sites to check on for setting up IPSEC on freebsd
(I am currently reading
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html which
is pretty darn good)?

Thanks in advance for any help!!

---
Matthew
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"


Re: question regarding IPSEC Setup

2009-07-14 Thread rascal
Thanks for the input on this everyone!  Eugene, I'll take you up on your
offer of examples!  I have a good idea of how to do this, I just want to
make sure I get it right and if I have some examples to compare to that
would be great!  Thanks much!

On Tue, Jul 14, 2009 at 9:41 AM, Eugene Perevyazko  wrote:

> On Mon, Jul 13, 2009 at 11:09:11AM -0400, rascal wrote:
> > So I have a couple of questions regarding a scenario that has recently
> been
> > brought to me.  I have two sites, one with a cisco device and one with a
> > server running freebsd 7.2.  The client wants to connect the two sites
> using
> > these devices and I am told that the best way would be to establish an
> IPSEC
> > tunnel between the cisco device and the freebsd server.  The cisco is a
> > concentrator 3000 and the server is just a dell poweredge 860 with 4 nics
> in
> > the back running 7.2 freebsd.  I guess my two questions are:
> >
> > 1.  Has anyone done this before and what are their results?
>
> I'm using several IPSec tunnels between cisco 851's  and freebsd routers.
> It "just works".
>
> > 2.  Is setting up an IPSEC tunnel the best route for this or is there
> > something else I should be looking at?
> IPSec is the standard for tunnels over internet. Cisco VPN requires their
> proprietary client, OpenVPN is not for ciscos.
>
> > 3.  Any tips/tricks/good sites to check on for setting up IPSEC on
> freebsd
> > (I am currently reading
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html which
> > is pretty darn good)?
> I use IPSec tunnels without gif interface on freebsd, don't know if it will
> work with it. I declare policy in /etc/ipsec.conf, and use racoon
> (ports/security/ipsec-tools) to do all the rest. It's pretty simple on cisco
> side too. Just say if you need an example.
>
> --
> Eugene Perevyazko


Re: question regarding IPSEC Setup

2009-07-14 Thread rascal
Thanks very much David, I really appreciate it!

I have the racoon2 package; does this make a big difference or do these
configs work close to the same?

On Tue, Jul 14, 2009 at 8:15 PM, David DeSimone  wrote:

> rascal  wrote:
> >
> > Thanks for the input on this everyone!  Eugene, I'll take you up on
> > your offer of examples!  I have a good idea of how to do this, I
> > just want to make sure I get it right and if I have some examples to
> > compare to that would be great!  Thanks much!
>
> Here is an example IPSEC config that we use, that interoperates with
> Cisco, Checkpoint, and probably other standard IPSEC implementations.
>
> We're using PF for firewalling.
>
> Example config:
>
>    Here:  11.22.33.44  (FreeBSD machine)
>
>    Networks behind:
>        10.10.30.40/24
>        10.10.30.50/24
>
>    There:  55.66.77.88  (Some other IPSEC)
>
>    Networks behind:
>        10.20.50.60/24
>        10.20.50.70/24
>
>    Parameters:
>        IKE:
>            Phase 1:
>                Pre-shared Secret
>                AES + SHA1
>                DH Group 2
>                Lifetime 24 hours
>            Phase 2:
>                One SPI per subnet pair
>                No PFS
>                Lifetime 1 hour
>        ESP:
>            AES + SHA1
>
> Kernel build options:
>
>options  IPSEC
>options  IPSEC_ESP
>options  IPSEC_DEBUG
>
> /etc/rc.conf:
>
>gateway_enable="YES"
>
>pf_enable="YES"
>pf_rules="/usr/local/etc/pf.conf"
>
>racoon_enable="YES"
>ipsec_enable="YES"
>ipsec_file="/usr/local/etc/ipsec.conf"
>
> Partial /usr/local/etc/pf.conf:
>
>    EXT="dc0"       # Interface for external traffic
>    EXTIP="(dc0)"   # External virtual IP
>
>    table  file "/usr/local/etc/ipsec.peers"
>
>    pass in log quick on $EXT proto udp from  to $EXTIP port 500 keep state
>    pass in quick on $EXT proto esp from  to $EXTIP keep state
>
> /usr/local/etc/ipsec.peers:
>
>55.66.77.88
>
> /usr/local/etc/ipsec.conf:
>
>spdflush;
>
>spdadd 10.20.50.60/24  10.10.30.40/24  any \
>-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>spdadd 10.10.30.40/24  10.20.50.60/24  any \
>-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>spdadd 10.20.50.60/24  10.10.30.50/24  any \
>-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>spdadd 10.10.30.50/24  10.20.50.60/24  any \
>-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>spdadd 10.20.50.70/24  10.10.30.40/24  any \
>-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>spdadd 10.10.30.40/24  10.20.50.70/24  any \
>-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
>spdadd 10.20.50.70/24  10.10.30.50/24  any \
>-P in  ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
>spdadd 10.10.30.50/24  10.20.50.70/24  any \
>-P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;
>
> /usr/local/etc/racoon/racoon.conf:
>
>    log debug;   # notify(*), debug, debug2
>
>    path pre_shared_key "/usr/local/etc/ipsec.keys";
>    path pidfile "/var/run/racoon.pid";
>
>    listen
>    {
>        isakmp 11.22.33.44;
>        strict_address;   # Needed?
>    }
>
>    remote 55.66.77.88
>    {
>        exchange_mode aggressive,main,base;
>
>        my_identifier address 11.22.33.44;
>        peers_identifier address 55.66.77.88;
>
>        verify_identifier off;
>
>        proposal_check claim;   # obey, strict, claim(*), exact(*)
>
>        proposal
>        {
>            encryption_algorithm aes;
>            hash_algorithm sha1;
>            authentication_method pre_shared_key;
>            dh_group 2;
>            lifetime time 24 hours;
>        }
>    }
>
>
>    sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any
>    {
>        lifetime time 1 hour;
>
>        encryption_algorithm aes;
>        authentication_algorithm hmac_sha1;
>        compression_algorithm deflate;
>    }
>
>    sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any
>    {
>        lifetime time 1 hour;
>
>        encryption_algorithm aes;
>        authentication_algorithm hmac_sha1;
>        compression_algorithm deflate;
>    }
> 

Re: question regarding IPSEC Setup

2009-07-14 Thread rascal
very good then, I'll have to uninstall racoon2/install the ipsectools.  I
must have missed when I installed ipsectools but no worries.  If I could ask
one more favor; what does your cisco config look like that would match one
of these?  I have got mine configed based on someone else's tunnel specs and
while I am sure they are comparable I wanted to make sure I wasn't missing
anything.  I was trying to go off of this:
http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2002-09/11533.html
But it's a little outdated and wanted to make sure I was doing it
correctly.  It sounds like I am on the right path for this, just a few more
pieces to go!  Thanks very much again for the help!

On Tue, Jul 14, 2009 at 10:12 PM, David DeSimone  wrote:

> rascal  wrote:
> >
> > I have the racoon2 package; does this make a big difference or do
> > these configs work close to the same?
>
> I did not have any luck using racoon2 because apparently it does not
> interoperate well with older IPSEC implementations.  At least, it did
> not a couple of years ago when I set up my IPSEC.
>
> What you probably want is the security/ipsec-tools port, which contains
> the original racoon IKE daemon.
>
> --
> David DeSimone == Network Admin == f...@verio.net
>  "I don't like spinach, and I'm glad I don't, because if I
>   liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
>
> This email message is intended for the use of the person to whom it has
> been sent, and may contain information that is confidential or legally
> protected. If you are not the intended recipient or have received this
> message in error, you are not authorized to copy, distribute, or otherwise
> use this message or its attachments. Please notify the sender immediately by
> return e-mail and permanently delete this message and any attachments.
> Verio, Inc. makes no warranty that this email is error or virus free.  Thank
> you.
>


Re: question regarding IPSEC Setup

2009-07-21 Thread rascal
Sorry for the delay on replying to this but I have been horribly swamped
with a handful of other fires.  I am coming back to this tomorrow and with a
fresh cisco device!  So I am hoping to have an update for you all tomorrow
or the next day.  Thanks again David for the fresh cisco example; I can
already see at least two points of issue that I have made!  I'll get back to
you all soon and thanks again!

On Fri, Jul 17, 2009 at 2:22 AM, David DeSimone  wrote:

> rascal  wrote:
> >
> > If I could ask one more favor; what does your cisco config look like
> > that would match one of these?  I have got mine configed based on
> > someone else's tunnel specs and while I am sure they are comparable I
> > wanted to make sure I wasn't missing anything.
>
> Here's an example config that I sanitized from one of our Cisco routers;
> I think it should work, but it's only an example.  At some point you
> have to adapt these configs to your own situation.  :)
>
>crypto isakmp policy 1
> encr aes
> authentication pre-share
> group 2
>
>crypto isakmp key SecretKey!! address 11.22.33.44
>
>crypto ipsec transform-set AES-SHA1 esp-aes esp-sha-hmac
>
>crypto map IPSEC local-address GigabitEthernet0/1
>
>crypto map IPSEC 1 ipsec-isakmp
> set peer 11.22.33.44
> set transform-set AES-SHA1
> match address remote-site
>
>interface GigabitEthernet0/1
> ip address 55.66.77.88 255.255.255.224
> crypto map IPSEC
>
>ip access-list extended remote-site
> permit ip 10.20.50.60 0.0.0.255 10.10.30.40 0.0.0.255
> permit ip 10.20.50.60 0.0.0.255 10.10.30.50 0.0.0.255
> permit ip 10.20.50.70 0.0.0.255 10.10.30.40 0.0.0.255
> permit ip 10.20.50.70 0.0.0.255 10.10.30.50 0.0.0.255
>
> --
> David DeSimone == Network Admin == f...@verio.net
>  "I don't like spinach, and I'm glad I don't, because if I
>   liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
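One script serving both David's FreeBSD side (the ipsec.conf policies and racoon.conf sainfo blocks quoted earlier in the thread) and his Cisco crypto ACL, added here as an example and not code from the thread: it generates all three from a single pair of subnet lists, so the SPD entries, the sainfo blocks and the ACL lines cannot drift apart. It assumes the constructed addresses from David's examples and a POSIX sh such as FreeBSD's /bin/sh, and it generalises the page's two-by-two case to any number of subnets on either side.

```shell
#!/bin/sh
# Added example, not from the thread: emit the per-subnet-pair lines
# that have to agree on both ends of the tunnel. A pair present in one
# list but missing from another is a classic reason why phase 2 comes up
# for some subnets and fails for others. Addresses are the constructed
# ones from David's example; the subnet lists can be any length.
HERE=11.22.33.44            # FreeBSD gateway
THERE=55.66.77.88           # Cisco peer
HERE_NETS="10.10.30.40/24 10.10.30.50/24"
THERE_NETS="10.20.50.60/24 10.20.50.70/24"

# Cisco inverse mask for a prefix length: "10.0.0.0/24" -> "0.0.0.255"
wildcard() {
    m=$(( (1 << (32 - ${1#*/})) - 1 ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Call "$1" with every (remote, local) subnet pair, in the same order
# David's ipsec.conf and Cisco ACL use, so all outputs share one list.
each_pair() {
    for r in $THERE_NETS; do
        for l in $HERE_NETS; do "$1" "$r" "$l"; done
    done
}

# /usr/local/etc/ipsec.conf: one in and one out policy per pair (setkey)
spd_pair() {
    echo "spdadd $1 $2 any -P in  ipsec esp/tunnel/$THERE-$HERE/unique;"
    echo "spdadd $2 $1 any -P out ipsec esp/tunnel/$HERE-$THERE/unique;"
}
spd_policies() { each_pair spd_pair; }

# racoon.conf: a sainfo block for each direction of each pair
sainfo_pair() {
    for d in "$1 any address $2 any" "$2 any address $1 any"; do
        printf 'sainfo address %s\n{\n\tlifetime time 1 hour;\n' "$d"
        printf '\tencryption_algorithm aes;\n'
        printf '\tauthentication_algorithm hmac_sha1;\n'
        printf '\tcompression_algorithm deflate;\n}\n'
    done
}
sainfo_blocks() { each_pair sainfo_pair; }

# Cisco crypto ACL, written from the Cisco side (its own networks first)
acl_pair() { echo " permit ip ${1%/*} $(wildcard "$1") ${2%/*} $(wildcard "$2")"; }
cisco_acl() { echo "ip access-list extended remote-site"; each_pair acl_pair; }

spd_policies; echo; sainfo_blocks; echo; cisco_acl
```

Each section is meant to be pasted into the matching file on its own side; with the two-by-two lists above it yields eight spdadd lines, eight sainfo blocks and four ACL entries.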