Some Configuration Details

This article does not cover all the details on IPsec and secure tunneling. It is intended to give a brief introduction and recipe for these specific configurations.

Configuration of a secure tunnel between two FreeBSD hosts with dynamic IP-addresses

We use two FreeBSD 4.6-STABLE hosts at two locations as internet gateway and local fileserver. In order to provide mutual access to the local networks we needed a private connection between both hosts. IP over ISDN was too expensive, and as both locations have a flat rate to the internet, we decided to use a secure tunnel (ESP) between these hosts with dynamic IP addresses.

As our provider resets the PPPoE connection (established using ppp -ddial ...) once a day at rather random times, we needed a solution which could handle a change of the public IP addresses at any time.
First we installed, registered and configured a dynamic DNS client (/usr/ports/net/ddup/) to resolve the actual IP addresses of both hosts.
Next we decided to run a shell script from cron which checks the addresses and sees whether they have changed. If so, the tunnel interface and the kernel keys are updated to the new values.
As racoon (see /usr/ports/security/racoon) needs fixed configuration entries based on public IP addresses, we could not use dynamic key exchange. So we used manually configured secrets.

The shell-script which runs on both hosts does the following:

Creating your own tunnel is straightforward. Configure your kernel to support IPsec by enabling either IPV6 or IPSEC in the kernel configuration. Install and configure a dynamic DNS client, edit the script to suit your needs (hostnames, private IPs, private networks and secrets), copy it to the target machines and add an entry to /etc/crontab. Make sure that there is no other configured interface with the same endpoints, otherwise it won't work.
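The following script is an added example of the cron job described above; it is not the script from the original article. It resolves both dynamic DNS names, compares the pair of public addresses with the pair saved at the last run and, only when they changed, reconfigures the gif interface and replaces the manual SAs and policies via setkey. The hostnames, private networks, SPIs, key values, state file path and the install path /usr/local/sbin/update-tunnel.sh are placeholders that must be edited; gifconfig, ifconfig, setkey, host and logger are the FreeBSD 4.x tools the article relies on.

```shell
#!/bin/sh
# update-tunnel.sh: re-key a manually keyed ESP tunnel when either public
# address changes (added example, not the article's original script).
# All values below are placeholders to be edited before use.

LOCAL_HOST="gw-a.dyndns.example"     # hypothetical dynamic DNS names
REMOTE_HOST="gw-b.dyndns.example"
PRV_SRC_IP="10.0.1.1"                # private tunnel endpoints
PRV_DST_IP="10.0.2.1"
PRV_SRC_NET="10.0.1.0/24"            # networks behind each gateway
PRV_DST_NET="10.0.2.0/24"
GIF_IF="gif0"                        # the one gif interface this script owns
SPI_OUT="0x1001"                     # the peer uses the same SPIs, swapped
SPI_IN="0x1002"
# Placeholder keys, one pair per direction: 3des-cbc needs 24 bytes
# (48 hex digits), hmac-sha1 needs 20 bytes (40 hex digits).
ENC_KEY_OUT="0xREPLACE_WITH_48_HEX_DIGITS"
AUTH_KEY_OUT="0xREPLACE_WITH_40_HEX_DIGITS"
ENC_KEY_IN="0xREPLACE_WITH_48_HEX_DIGITS"
AUTH_KEY_IN="0xREPLACE_WITH_40_HEX_DIGITS"
STATE_FILE="/var/run/update-tunnel.state"

# Print the first A record of a hostname (via host(1)); prints nothing on failure.
resolve_host() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Exit status 0 ("changed") unless the state file holds exactly "src dst".
addresses_changed() {
    ac_state=$1; ac_src=$2; ac_dst=$3
    [ -r "$ac_state" ] || return 0
    [ "$(cat "$ac_state")" != "$ac_src $ac_dst" ]
}

# Print a setkey(8) configuration that replaces SAD and SPD with entries
# for the given public endpoints (same policy shape as the article's ipsec.conf).
build_setkey_conf() {
    bs_src=$1; bs_dst=$2
    cat <<EOF
flush;
spdflush;
add $bs_src $bs_dst esp $SPI_OUT -m tunnel -E 3des-cbc $ENC_KEY_OUT -A hmac-sha1 $AUTH_KEY_OUT;
add $bs_dst $bs_src esp $SPI_IN -m tunnel -E 3des-cbc $ENC_KEY_IN -A hmac-sha1 $AUTH_KEY_IN;
spdadd $PRV_SRC_NET $PRV_DST_NET any -P out ipsec esp/tunnel/$bs_src-$bs_dst/require;
spdadd $PRV_DST_NET $PRV_SRC_NET any -P in ipsec esp/tunnel/$bs_dst-$bs_src/require;
EOF
}

# Point the gif interface at the new endpoints, load the keys, remember the pair.
apply_tunnel() {
    at_src=$1; at_dst=$2
    gifconfig "$GIF_IF" "$at_src" "$at_dst"
    ifconfig "$GIF_IF" "$PRV_SRC_IP" "$PRV_DST_IP" up
    # the route to the remote network survives the change; ignore "already exists"
    route -n add -net "$PRV_DST_NET" "$PRV_DST_IP" 2>/dev/null || true
    build_setkey_conf "$at_src" "$at_dst" | setkey -c
    echo "$at_src $at_dst" > "$STATE_FILE"
}

main() {
    m_src=$(resolve_host "$LOCAL_HOST"); m_dst=$(resolve_host "$REMOTE_HOST")
    if [ -z "$m_src" ] || [ -z "$m_dst" ]; then
        logger -t update-tunnel "DNS lookup failed, leaving tunnel untouched"
        exit 1
    fi
    if addresses_changed "$STATE_FILE" "$m_src" "$m_dst"; then
        apply_tunnel "$m_src" "$m_dst"
        logger -t update-tunnel "tunnel re-keyed for $m_src <-> $m_dst"
    fi
}

# Only run when executed under the installed name, so the functions can be sourced.
case "${0##*/}" in update-tunnel.sh) main "$@" ;; esac
```

An assumed crontab entry such as `*/5 * * * * root /usr/local/sbin/update-tunnel.sh` runs it every five minutes on both hosts, each with its own LOCAL_HOST/REMOTE_HOST and the SPIs and keys swapped. Because the keys are embedded and never rotate on their own, keep the script readable by root only and change the key material by hand from time to time; a failed DNS lookup deliberately leaves the existing SAs in place rather than flushing them.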

Configuration of a secure tunnel between FreeBSD-4.6 and Red Hat LINUX

The initial situation: two company networks in Europe, both with a permanent connection to the internet.
In order to access a database from both nets, a VPN over a secure tunnel was needed.

On one side of the tunnel there is a FreeBSD host with a static public IP and a tight firewall allowing access only to ICMP and the IP ports for ssh, DNS, sendmail, etc. The other side is a Linux host sitting behind a firewall, with a public and a private IP on one ethernet interface. In this special case it is strongly recommended to set eth0 to the public IP address and eth0:0 (the alias interface) to the internal IP address. The tunnel interface on Linux (ipsec0) uses the IP address of eth0, so it is vital to have the public IP associated with it; otherwise it won't work.

We decided to use dynamic key exchange, so we installed KAME's racoon on the FreeBSD host (see /usr/ports/security/racoon) and the FreeS/WAN package on the Linux host.

Next you must open the firewall to allow IP access from <pub_src_ip> port isakmp to <pub_dst_ip> port isakmp and vice versa, so that the key exchange can take place. Furthermore, as we only wanted to use ESP in tunnel mode, we opened the firewall for protocol esp between <pub_src_ip> and <pub_dst_ip>. Now configure /etc/rc.conf on FreeBSD to initialize the tunnel interface at startup:

gif_interfaces="gifN"
gifconfig_gifN="pub_src_ip pub_dst_ip"
ifconfig_gifN="prv_src_ip prv_dst_ip"
network_interfaces="... gifN"	# if you don't use "auto"

Create (if it doesn't exist) /etc/ipsec.conf and add the following lines:

#
# The next 2 lines delete all existing entries from the SPD and SAD
flush;
spdflush;
# Add the policy
spdadd prv_src_net prv_dst_net any -P out ipsec
esp/tunnel/pub_src_ip-pub_dst_ip/require;
spdadd prv_dst_net prv_src_net any -P in ipsec
esp/tunnel/pub_dst_ip-pub_src_ip/require;

Configuration files for racoon.
Configuration files for Red Hat Linux.

last modified 18. Jun 2002 by Andreas Haakh