Route based IPsec
Authored By: ae
2016-11-05 07:54:44 (UTC+0)
IPsec tunnel using a virtual tunnel interface (if_ipsec) with SAs installed by racoon. Creating ipsec0 and setting its tunnel endpoints installs the four any/any SPD entries (in and out, IPv4 and IPv6) automatically, bound to the interface through its kernel-assigned reqid; setkey -DPF does not remove them (same spids survive the flush below). racoon negotiates the SAs only when the first packet hits the policy, which is why the first ping below is lost: the echo request leaves at 17:13:22 and the SAs are created at 17:13:23.
[test15 src]# netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 87.250.242.158 UGS ix0
87.250.242.128/27 link#1 U ix0
87.250.242.145 link#1 UHS lo0
127.0.0.1 link#4 UH lo0
192.168.0.145 link#4 UH lo0
[test15 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test15 src]# kldstat
Id Refs Address Size Name
1 17 0xffffffff80200000 1a6e3d0 kernel
2 1 0xffffffff81c70000 2f4e90 zfs.ko
3 2 0xffffffff81f65000 ac78 opensolaris.ko
4 1 0xffffffff82011000 3625 ums.ko
5 1 0xffffffff82015000 31df cpuctl.ko
6 1 0xffffffff82019000 1a98 if_ipsec.ko
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
No SPD entries.
[test15 src]# ifconfig ipsec0 create
[test15 src]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144
[test15 src]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 src]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
[test15 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 87.250.242.145 --> 87.250.242.144
inet 10.0.0.145 --> 10.0.0.144 netmask 0xffffffff
inet6 fe80::225:90ff:fef9:3c92%ipsec0 prefixlen 64 scopeid 0x5
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
reqid: 16388
groups: ipsec
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=13 seq=3 pid=1418
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=15 seq=2 pid=1418
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=14 seq=1 pid=1418
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=16 seq=0 pid=1418
refcnt=1
[test15 src]# setkey -DPF
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=13 seq=3 pid=1420
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=15 seq=2 pid=1420
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=14 seq=1 pid=1420
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=16 seq=0 pid=1420
refcnt=1
[test15 src]# racoon
-----------
[test25 src]# netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 87.250.242.158 UGS igb0
87.250.242.128/27 link#1 U igb0
87.250.242.144 link#1 UHS lo0
127.0.0.1 link#6 UH lo0
172.16.0.145 link#6 UH lo0
[test25 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test25 src]# kldstat
Id Refs Address Size Name
1 20 0xffffffff80200000 1a6e3d0 kernel
2 1 0xffffffff81c70000 2f4e90 zfs.ko
3 2 0xffffffff81f65000 ac78 opensolaris.ko
4 1 0xffffffff82011000 3625 ums.ko
5 1 0xffffffff82015000 2b8e uhid.ko
6 1 0xffffffff82018000 31df cpuctl.ko
7 1 0xffffffff8201c000 1a98 if_ipsec.ko
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
No SPD entries.
[test25 src]# ifconfig ipsec0 create
[test25 src]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145
[test25 src]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 src]# route add 192.168.0.0/24 10.0.0.145
add net 192.168.0.0: gateway 10.0.0.145 fib 0
[test25 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 87.250.242.144 --> 87.250.242.145
inet 10.0.0.144 --> 10.0.0.145 netmask 0xffffffff
inet6 fe80::225:90ff:fe92:8548%ipsec0 prefixlen 64 scopeid 0x7
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
reqid: 16386
groups: ipsec
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
spid=5 seq=3 pid=1404
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
spid=7 seq=2 pid=1404
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
spid=6 seq=1 pid=1404
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
spid=8 seq=0 pid=1404
refcnt=1
[test25 src]# racoon
-------------
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.506 ms
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.506/0.506/0.506/0.000 ms
[test15 src]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.423 ms
--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.423/0.423/0.423/0.000 ms
--------------
[test15 butcher]# tcpdump -ni ix0 esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ix0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:13:48.830044 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x1), length 132
17:13:48.830388 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x1), length 132
17:16:11.563357 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x3), length 132
17:16:11.563623 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x2), length 132
--------------
[test15 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
17:13:22.880665 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40197, seq 0, length 64
17:13:48.829976 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40709, seq 0, length 64
17:13:48.830421 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 40709, seq 0, length 64
17:16:11.563292 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 42501, seq 0, length 64
17:16:11.563647 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 42501, seq 0, length 64
---------------
[test15 src]# setkey -D
87.250.242.145 87.250.242.144
esp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
E: rijndael-cbc d150a373 e2ff25ec 13e59840 90c424d2
A: hmac-sha1 4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
diff: 111(s) hard: 28800(s) soft: 23040(s)
last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
current: 152(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=1 pid=1443 refcnt=1
87.250.242.144 87.250.242.145
esp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
E: rijndael-cbc e7c9aa53 18ef46d9 b222111d a813af56
A: hmac-sha1 007f5908 755f4b88 e62c9de5 70122ebe 550d361d
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
diff: 111(s) hard: 28800(s) soft: 23040(s)
last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
current: 84(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=0 pid=1443 refcnt=1
-----------
IPsec tunnel using a virtual tunnel interface with manually installed SAs. Here the interface is created with an explicit reqid (100) and each SA is tied to it with -u 100; the SPD entries read unique:100 rather than unique#16388 because reqids up to 0x3fff are reserved for manual configuration while larger ones are allocated by the kernel. These test SAs use rijndael-cbc only, with no -A authentication algorithm and no anti-replay window (replay=0 in setkey -D), so they give confidentiality without integrity or replay protection; do not copy them as-is.
[test15 butcher]# ifconfig ipsec0 create reqid 100
[test15 butcher]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144 up
[test15 butcher]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 butcher]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
# setkey -c
add 87.250.242.145 87.250.242.144 esp 1000 -m tunnel -u 100 -E rijndael-cbc "1111111111111111";
add 87.250.242.144 87.250.242.145 esp 2000 -m tunnel -u 100 -E rijndael-cbc "2222222222222222";
^D
[test15 butcher]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=5 seq=3 pid=5682
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=7 seq=2 pid=5682
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=6 seq=1 pid=5682
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=8 seq=0 pid=5682
refcnt=1
[test15 butcher]# setkey -D
87.250.242.144 87.250.242.145
esp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
E: rijndael-cbc 32323232 32323232 32323232 32323232
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 07:48:20 2016 current: Nov 5 07:48:58 2016
diff: 38(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=5683 refcnt=1
87.250.242.145 87.250.242.144
esp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
E: rijndael-cbc 31313131 31313131 31313131 31313131
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 07:48:11 2016 current: Nov 5 07:48:58 2016
diff: 47(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=5683 refcnt=1
[test15 butcher]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.632 ms
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.632/0.632/0.632/0.000 ms
[test15 butcher]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.427 ms
--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.427/0.427/0.427/0.000 ms
--------
[test25 butcher]# ifconfig ipsec0 create reqid 100
[test25 butcher]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145 up
[test25 butcher]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 butcher]# setkey -c
add 87.250.242.145 87.250.242.144 esp 1000 -m tunnel -u 100 -E rijndael-cbc "1111111111111111";
add 87.250.242.144 87.250.242.145 esp 2000 -m tunnel -u 100 -E rijndael-cbc "2222222222222222";
^D
[test25 butcher]# setkey -D
87.250.242.144 87.250.242.145
esp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
E: rijndael-cbc 32323232 32323232 32323232 32323232
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 12:03:02 2016 current: Nov 5 12:03:21 2016
diff: 19(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=6105 refcnt=1
87.250.242.145 87.250.242.144
esp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
E: rijndael-cbc 31313131 31313131 31313131 31313131
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 12:03:02 2016 current: Nov 5 12:03:21 2016
diff: 19(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=6105 refcnt=1
[test25 butcher]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=9 seq=3 pid=6106
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=11 seq=2 pid=6106
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=10 seq=1 pid=6106
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=12 seq=0 pid=6106
refcnt=1
[test25 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
12:04:30.092828 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 14358, seq 0, length 64
12:04:30.092885 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 14358, seq 0, length 64
12:05:09.869815 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 15126, seq 0, length 64
12:05:09.869907 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 15126, seq 0, length 64
[test25 butcher]# tcpdump -ni igb0 host 87.250.242.145
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:04:30.092608 ARP, Request who-has 87.250.242.144 tell 87.250.242.145, length 46
12:04:30.092621 ARP, Reply 87.250.242.144 is-at 00:25:90:92:85:48, length 28
12:04:30.092807 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x000003e8,seq=0x1), length 120
12:04:30.092911 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x000007d0,seq=0x1), length 120
12:05:09.869789 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x000003e8,seq=0x2), length 120
12:05:09.869923 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x000007d0,seq=0x2), length 120
------
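The procedure shown in both halves of this paste (racoon-keyed and manual SAs), condensed into one script. This is an added example written for this page, not code from the paste or from FreeBSD: it only prints the ifconfig/route/setkey commands for one peer and audits setkey -D output for the weaknesses visible in the manual SAs above. setkey's -u, -r, -E/-A options and 0x-prefixed hex keys are taken from setkey(8); the choice of AES-128-CBC with HMAC-SHA2-256 and a 4-byte replay window, the function names, the placeholder keys and the audit rules are my assumptions. The two embedded setkey -D excerpts are copied from this paste.

```shell
#!/bin/sh
# Added example, not part of the original paste. It prints the route-based
# IPsec setup for one peer as commands (it never runs ifconfig or setkey) and
# audits `setkey -D` output for SAs without integrity or replay protection.
# Addresses/prefixes are from the paste; keys are constructed placeholders.

# True if $2 is a hex string (no 0x prefix) encoding exactly $1 bytes.
hexkey_ok() {
    case "$2" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#2}" -eq $(( $1 * 2 )) ]
}

# One setkey(8) "add" line: tunnel-mode ESP bound to the interface reqid (-u),
# AES-128-CBC + HMAC-SHA2-256, and a 4-byte (32-bit, as racoon used above)
# anti-replay window.  Args: src dst spi reqid enc_key_hex auth_key_hex
sa_add_line() {
    [ "$3" -ge 256 ] 2>/dev/null || { echo "spi $3: SPIs below 256 are reserved" >&2; return 1; }
    hexkey_ok 16 "$5" || { echo "spi $3: enc key must be 16 hex bytes" >&2; return 1; }
    hexkey_ok 32 "$6" || { echo "spi $3: auth key must be 32 hex bytes" >&2; return 1; }
    printf 'add %s %s esp %s -m tunnel -u %s -r 4 -E rijndael-cbc 0x%s -A hmac-sha2-256 0x%s;\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Whole configuration for one peer, for review before it is pasted into a shell.
# Args: local_outer remote_outer local_inner remote_inner reqid remote_prefix
#       spi_out spi_in enc_out enc_in auth_out auth_in   (peer B swaps each pair)
peer_config() {
    printf 'ifconfig ipsec0 create reqid %s\n' "$5"
    printf 'ifconfig ipsec0 inet tunnel %s %s up\n' "$1" "$2"
    printf 'ifconfig ipsec0 inet %s/32 %s\n' "$3" "$4"
    printf 'route add %s %s\n' "$6" "$4"
    echo 'setkey -c <<EOF'
    sa_add_line "$1" "$2" "$7" "$5" "$9" "${11}" || return 1      # outbound SA
    sa_add_line "$2" "$1" "$8" "$5" "${10}" "${12}" || return 1   # inbound SA
    echo 'EOF'
}

# Read `setkey -D` output on stdin; print one line per SA that has no
# authentication algorithm, a zero replay window, or (if $1 is given) a reqid
# other than the interface's.  Returns 1 when anything was flagged.
audit_sad() {
    awk -v want="${1:-}" '
    function flush() {
        if (spi == "") return
        if (auth == "" && enc !~ /gcm|chacha/) { print "spi=" spi ": no authentication algorithm (encryption only)"; bad = 1 }
        if (replay == "0") { print "spi=" spi ": replay window is 0 (anti-replay disabled)"; bad = 1 }
        if (want != "" && reqid != want) { print "spi=" spi ": reqid " reqid " does not match interface reqid " want; bad = 1 }
        spi = enc = auth = replay = reqid = ""
    }
    $1 == "esp" || $1 == "ah" {            # start of an SA record
        flush()
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^spi=/)   { spi = substr($i, 5);   sub(/\(.*/, "", spi) }
            if ($i ~ /^reqid=/) { reqid = substr($i, 7); sub(/\(.*/, "", reqid) }
        }
    }
    $1 == "E:" { enc = $2 }
    $1 == "A:" { auth = $2 }
    $1 ~ /^seq=/ { for (i = 1; i <= NF; i++) if ($i ~ /^replay=/) replay = substr($i, 8) }
    END { flush(); exit bad }'
}

# Two `setkey -D` excerpts copied from the paste above: racoon-negotiated SAs
# (reqid 16388) and the manually installed ones (reqid 100).
SAD_RACOON='87.250.242.145 87.250.242.144
    esp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
    E: rijndael-cbc d150a373 e2ff25ec 13e59840 90c424d2
    A: hmac-sha1 4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
    seq=0x00000001 replay=4 flags=0x00000000 state=mature
87.250.242.144 87.250.242.145
    esp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
    E: rijndael-cbc e7c9aa53 18ef46d9 b222111d a813af56
    A: hmac-sha1 007f5908 755f4b88 e62c9de5 70122ebe 550d361d
    seq=0x00000001 replay=4 flags=0x00000000 state=mature'
SAD_MANUAL='87.250.242.144 87.250.242.145
    esp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
    E: rijndael-cbc 32323232 32323232 32323232 32323232
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
87.250.242.145 87.250.242.144
    esp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
    E: rijndael-cbc 31313131 31313131 31313131 31313131
    seq=0x00000000 replay=0 flags=0x00000040 state=mature'

genkey() { od -An -vtx1 -N "$1" /dev/urandom | tr -d ' \n'; }   # fresh key, hex

demo() {
    e1=$(genkey 16); e2=$(genkey 16); a1=$(genkey 32); a2=$(genkey 32)
    echo '# test15'; peer_config 87.250.242.145 87.250.242.144 10.0.0.145 10.0.0.144 100 172.16.0.0/16 1000 2000 "$e1" "$e2" "$a1" "$a2"
    echo '# test25'; peer_config 87.250.242.144 87.250.242.145 10.0.0.144 10.0.0.145 100 192.168.0.0/24 2000 1000 "$e2" "$e1" "$a2" "$a1"
    echo '# racoon SAs:'; printf '%s\n' "$SAD_RACOON" | audit_sad 16388 && echo '  ok'
    echo '# manual SAs:'; printf '%s\n' "$SAD_MANUAL" | audit_sad 100 || echo '  do not use as-is'
}
demo
```

Run as-is to see both peers' command sets and both audits: the racoon-installed SAs pass, the manual ones are flagged twice each (no A: algorithm, replay=0). On a live box, after sourcing the file, `setkey -D | audit_sad 100` checks the real SAD against the reqid given to `ifconfig ipsec0 create`.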