FreeBSD Paste P112
Route based IPsec
Authored by ae on Nov 3 2016, 5:18 PM.
Referenced Files
F699207: Route based IPsec (Nov 5 2016, 7:54 AM)
F697306: Route based IPsec (Nov 3 2016, 5:18 PM)
IPsec tunnel using the virtual tunnel interface (if_ipsec) with SAs installed by racoon.
[test15 src]# netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 87.250.242.158 UGS ix0
87.250.242.128/27 link#1 U ix0
87.250.242.145 link#1 UHS lo0
127.0.0.1 link#4 UH lo0
192.168.0.145 link#4 UH lo0
[test15 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test15 src]# kldstat
Id Refs Address Size Name
1 17 0xffffffff80200000 1a6e3d0 kernel
2 1 0xffffffff81c70000 2f4e90 zfs.ko
3 2 0xffffffff81f65000 ac78 opensolaris.ko
4 1 0xffffffff82011000 3625 ums.ko
5 1 0xffffffff82015000 31df cpuctl.ko
6 1 0xffffffff82019000 1a98 if_ipsec.ko
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
No SPD entries.
[test15 src]# ifconfig ipsec0 create
[test15 src]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144
[test15 src]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 src]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
[test15 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 87.250.242.145 --> 87.250.242.144
inet 10.0.0.145 --> 10.0.0.144 netmask 0xffffffff
inet6 fe80::225:90ff:fef9:3c92%ipsec0 prefixlen 64 scopeid 0x5
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
reqid: 16388
groups: ipsec
[test15 src]# setkey -D
No SAD entries.
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=13 seq=3 pid=1418
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=15 seq=2 pid=1418
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=14 seq=1 pid=1418
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=16 seq=0 pid=1418
refcnt=1
[test15 src]# setkey -DPF
[test15 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=13 seq=3 pid=1420
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16388
spid=15 seq=2 pid=1420
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=14 seq=1 pid=1420
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16388
spid=16 seq=0 pid=1420
refcnt=1
[test15 src]# racoon
-----------
[test25 src]# netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 87.250.242.158 UGS igb0
87.250.242.128/27 link#1 U igb0
87.250.242.144 link#1 UHS lo0
127.0.0.1 link#6 UH lo0
172.16.0.145 link#6 UH lo0
[test25 src]# sysctl -a | grep forwarding
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.ip6.fastforwarding: 0
[test25 src]# kldstat
Id Refs Address Size Name
1 20 0xffffffff80200000 1a6e3d0 kernel
2 1 0xffffffff81c70000 2f4e90 zfs.ko
3 2 0xffffffff81f65000 ac78 opensolaris.ko
4 1 0xffffffff82011000 3625 ums.ko
5 1 0xffffffff82015000 2b8e uhid.ko
6 1 0xffffffff82018000 31df cpuctl.ko
7 1 0xffffffff8201c000 1a98 if_ipsec.ko
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
No SPD entries.
[test25 src]# ifconfig ipsec0 create
[test25 src]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145
[test25 src]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 src]# route add 192.168.0.0/24 10.0.0.145
add net 192.168.0.0: gateway 10.0.0.145 fib 0
[test25 src]# ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 87.250.242.144 --> 87.250.242.145
inet 10.0.0.144 --> 10.0.0.145 netmask 0xffffffff
inet6 fe80::225:90ff:fe92:8548%ipsec0 prefixlen 64 scopeid 0x7
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
reqid: 16386
groups: ipsec
[test25 src]# setkey -D
No SAD entries.
[test25 src]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
spid=5 seq=3 pid=1404
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique#16386
spid=7 seq=2 pid=1404
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
spid=6 seq=1 pid=1404
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique#16386
spid=8 seq=0 pid=1404
refcnt=1
[test25 src]# racoon
-------------
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
[test15 src]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.506 ms
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.506/0.506/0.506/0.000 ms
[test15 src]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.423 ms
--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.423/0.423/0.423/0.000 ms
--------------
[test15 butcher]# tcpdump -ni ix0 esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ix0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:13:48.830044 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x1), length 132
17:13:48.830388 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x1), length 132
17:16:11.563357 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x0befd947,seq=0x3), length 132
17:16:11.563623 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x080b560c,seq=0x2), length 132
--------------
[test15 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
17:13:22.880665 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40197, seq 0, length 64
17:13:48.829976 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 40709, seq 0, length 64
17:13:48.830421 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 40709, seq 0, length 64
17:16:11.563292 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 42501, seq 0, length 64
17:16:11.563647 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 42501, seq 0, length 64
---------------
[test15 src]# setkey -D
87.250.242.145 87.250.242.144
esp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
E: rijndael-cbc d150a373 e2ff25ec 13e59840 90c424d2
A: hmac-sha1 4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
diff: 111(s) hard: 28800(s) soft: 23040(s)
last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
current: 152(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=1 pid=1443 refcnt=1
87.250.242.144 87.250.242.145
esp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
E: rijndael-cbc e7c9aa53 18ef46d9 b222111d a813af56
A: hmac-sha1 007f5908 755f4b88 e62c9de5 70122ebe 550d361d
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Nov 3 17:13:23 2016 current: Nov 3 17:15:14 2016
diff: 111(s) hard: 28800(s) soft: 23040(s)
last: Nov 3 17:13:48 2016 hard: 0(s) soft: 0(s)
current: 84(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=0 pid=1443 refcnt=1
-----------
IPsec tunnel using the virtual tunnel interface (if_ipsec) with manually installed SAs.
[test15 butcher]# ifconfig ipsec0 create reqid 100
[test15 butcher]# ifconfig ipsec0 inet tunnel 87.250.242.145 87.250.242.144 up
[test15 butcher]# ifconfig ipsec0 inet 10.0.0.145/32 10.0.0.144
[test15 butcher]# route add 172.16.0.0/16 10.0.0.144
add net 172.16.0.0: gateway 10.0.0.144 fib 0
[test15 butcher]# setkey -c
add 87.250.242.145 87.250.242.144 esp 1000 -m tunnel -u 100 -E rijndael-cbc "1111111111111111";
add 87.250.242.144 87.250.242.145 esp 2000 -m tunnel -u 100 -E rijndael-cbc "2222222222222222";
^D
[test15 butcher]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=5 seq=3 pid=5682
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=7 seq=2 pid=5682
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=6 seq=1 pid=5682
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=8 seq=0 pid=5682
refcnt=1
[test15 butcher]# setkey -D
87.250.242.144 87.250.242.145
esp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
E: rijndael-cbc 32323232 32323232 32323232 32323232
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 07:48:20 2016 current: Nov 5 07:48:58 2016
diff: 38(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=5683 refcnt=1
87.250.242.145 87.250.242.144
esp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
E: rijndael-cbc 31313131 31313131 31313131 31313131
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 07:48:11 2016 current: Nov 5 07:48:58 2016
diff: 47(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=5683 refcnt=1
[test15 butcher]# ping -c1 10.0.0.144
PING 10.0.0.144 (10.0.0.144): 56 data bytes
64 bytes from 10.0.0.144: icmp_seq=0 ttl=64 time=0.632 ms
--- 10.0.0.144 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.632/0.632/0.632/0.000 ms
[test15 butcher]# ping -c1 172.16.0.145
PING 172.16.0.145 (172.16.0.145): 56 data bytes
64 bytes from 172.16.0.145: icmp_seq=0 ttl=64 time=0.427 ms
--- 172.16.0.145 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.427/0.427/0.427/0.000 ms
--------
[test25 butcher]# ifconfig ipsec0 create reqid 100
[test25 butcher]# ifconfig ipsec0 inet tunnel 87.250.242.144 87.250.242.145 up
[test25 butcher]# ifconfig ipsec0 inet 10.0.0.144/32 10.0.0.145
[test25 butcher]# setkey -c
add 87.250.242.145 87.250.242.144 esp 1000 -m tunnel -u 100 -E rijndael-cbc "1111111111111111";
add 87.250.242.144 87.250.242.145 esp 2000 -m tunnel -u 100 -E rijndael-cbc "2222222222222222";
^D
[test25 butcher]# setkey -D
87.250.242.144 87.250.242.145
esp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
E: rijndael-cbc 32323232 32323232 32323232 32323232
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 12:03:02 2016 current: Nov 5 12:03:21 2016
diff: 19(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=6105 refcnt=1
87.250.242.145 87.250.242.144
esp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
E: rijndael-cbc 31313131 31313131 31313131 31313131
seq=0x00000000 replay=0 flags=0x00000040 state=mature
created: Nov 5 12:03:02 2016 current: Nov 5 12:03:21 2016
diff: 19(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=6105 refcnt=1
[test25 butcher]# setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=9 seq=3 pid=6106
refcnt=1
::/0[any] ::/0[any] any
in ipsec
esp/tunnel/87.250.242.145-87.250.242.144/unique:100
spid=11 seq=2 pid=6106
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=10 seq=1 pid=6106
refcnt=1
::/0[any] ::/0[any] any
out ipsec
esp/tunnel/87.250.242.144-87.250.242.145/unique:100
spid=12 seq=0 pid=6106
refcnt=1
[test25 butcher]# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
12:04:30.092828 IP 10.0.0.145 > 10.0.0.144: ICMP echo request, id 14358, seq 0, length 64
12:04:30.092885 IP 10.0.0.144 > 10.0.0.145: ICMP echo reply, id 14358, seq 0, length 64
12:05:09.869815 IP 10.0.0.145 > 172.16.0.145: ICMP echo request, id 15126, seq 0, length 64
12:05:09.869907 IP 172.16.0.145 > 10.0.0.145: ICMP echo reply, id 15126, seq 0, length 64
[test25 butcher]# tcpdump -ni igb0 host 87.250.242.145
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:04:30.092608 ARP, Request who-has 87.250.242.144 tell 87.250.242.145, length 46
12:04:30.092621 ARP, Reply 87.250.242.144 is-at 00:25:90:92:85:48, length 28
12:04:30.092807 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x000003e8,seq=0x1), length 120
12:04:30.092911 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x000007d0,seq=0x1), length 120
12:05:09.869789 IP 87.250.242.145 > 87.250.242.144: ESP(spi=0x000003e8,seq=0x2), length 120
12:05:09.869923 IP 87.250.242.144 > 87.250.242.145: ESP(spi=0x000007d0,seq=0x2), length 120
------
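The two `setkey -D` dumps above differ in more than how the keys got there: the racoon-negotiated SAs carry an HMAC-SHA1 integrity algorithm and a replay window, while the manual ones are encryption-only ESP with replay=0 and keys typed as ASCII, which is fine for exercising the data path but not for a tunnel you rely on. The following Python script is an added example for this paste (not code from the paste, from racoon or from FreeBSD) that parses the text `setkey -D` prints and audits the SAs against the tunnel interface's reqid. The two inputs are constructed copies of the dumps above with the lifetime and counter lines dropped; the AEAD algorithm names in `AEAD` are an assumption about what setkey prints, and the reqid-binding check follows from the `unique:100` / `unique#16388` SPD entries the interface installs.

```python
"""Audit the SAD of a route-based (if_ipsec) tunnel from `setkey -D` text.
Added example for this paste, not code from the paste, racoon or FreeBSD.
Flags: ESP with no integrity algorithm (encryption-only CBC is malleable), a
disabled anti-replay window, a printable-ASCII (typed) key, an SPI in the
IANA-reserved range, and an SA whose reqid is not the tunnel interface's."""
import re
from dataclasses import dataclass

# Constructed inputs copied from the dumps above, lifetime/counter lines
# dropped: the manual SAs (reqid 100) and the racoon-negotiated SAs (16388).
MANUAL_SAD = """\
87.250.242.144 87.250.242.145
\tesp mode=tunnel spi=2000(0x000007d0) reqid=100(0x00000064)
\tE: rijndael-cbc 32323232 32323232 32323232 32323232
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
87.250.242.145 87.250.242.144
\tesp mode=tunnel spi=1000(0x000003e8) reqid=100(0x00000064)
\tE: rijndael-cbc 31313131 31313131 31313131 31313131
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
"""
RACOON_SAD = """\
87.250.242.145 87.250.242.144
\tesp mode=tunnel spi=200268103(0x0befd947) reqid=16388(0x00004004)
\tE: rijndael-cbc d150a373 e2ff25ec 13e59840 90c424d2
\tA: hmac-sha1 4d2704f5 36a44c97 1a234998 1bfd403a e0c1cffb
\tseq=0x00000001 replay=4 flags=0x00000000 state=mature
87.250.242.144 87.250.242.145
\tesp mode=tunnel spi=134960652(0x080b560c) reqid=16388(0x00004004)
\tE: rijndael-cbc e7c9aa53 18ef46d9 b222111d a813af56
\tA: hmac-sha1 007f5908 755f4b88 e62c9de5 70122ebe 550d361d
\tseq=0x00000001 replay=4 flags=0x00000000 state=mature
"""

HEADER = re.compile(r"^(\S+) (\S+)$")  # unindented "src dst" line opens an SA
PROTO = re.compile(r"^\s*(esp|ah|ipcomp) mode=\w+ spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
KEY = re.compile(r"^\s*([EA]): (\S+) ((?:[0-9a-f]{2,8} ?)+)$")
STATE = re.compile(r"replay=(\d+) .*state=(\w+)")
# AEAD names as setkey(8) prints them (assumed); they need no separate A: line.
AEAD = ("aes-gcm-8", "aes-gcm-12", "aes-gcm-16", "chacha20-poly1305")
RESERVED_SPI_MAX = 255  # RFC 4303 section 2.1 reserves SPIs 0..255

@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    spi: int = 0
    reqid: int = -1
    enc_alg: str = ""
    enc_key: bytes = b""
    auth_alg: str = ""
    auth_key: bytes = b""
    replay: int = -1
    state: str = ""

def parse_setkey_d(text):
    """Parse `setkey -D` output into SA records, in the order printed."""
    sas = []
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            sas.append(SA(src=m.group(1), dst=m.group(2)))
        elif not sas:
            continue  # e.g. "No SAD entries."
        elif (m := PROTO.match(line)):
            sas[-1].proto, sas[-1].spi, sas[-1].reqid = m.group(1), int(m.group(2)), int(m.group(3))
        elif (m := KEY.match(line)):
            key = bytes.fromhex(m.group(3).replace(" ", ""))
            if m.group(1) == "E":
                sas[-1].enc_alg, sas[-1].enc_key = m.group(2), key
            else:
                sas[-1].auth_alg, sas[-1].auth_key = m.group(2), key
        elif (m := STATE.search(line)):
            sas[-1].replay, sas[-1].state = int(m.group(1)), m.group(2)
    return sas

def audit(sas, iface_reqid):
    """Return one string per finding; an empty list means nothing was flagged."""
    findings = []
    for sa in sas:
        tag = f"{sa.src}->{sa.dst} spi={sa.spi}"
        if sa.state != "mature":
            findings.append(f"{tag}: state={sa.state or '?'}, SA is not usable")
        if sa.reqid != iface_reqid:
            findings.append(f"{tag}: reqid {sa.reqid} is not the interface reqid "
                            f"{iface_reqid}, the unique:{iface_reqid} policies will not use it")
        if sa.spi <= RESERVED_SPI_MAX:
            findings.append(f"{tag}: SPI is in the IANA-reserved range 0-255")
        if sa.proto == "esp" and not sa.auth_alg and sa.enc_alg not in AEAD:
            findings.append(f"{tag}: ESP {sa.enc_alg} with no integrity algorithm, "
                            "ciphertext is malleable; add -A or use an AEAD cipher")
        if sa.replay == 0:
            findings.append(f"{tag}: replay=0, anti-replay window disabled")
        for kind, key in (("E", sa.enc_key), ("A", sa.auth_key)):
            if key and all(0x20 <= b < 0x7F for b in key):
                findings.append(f"{tag}: {kind} key is printable ASCII {key.decode()!r}, "
                                "a typed test key rather than random bytes")
    return findings

if __name__ == "__main__":
    import sys  # usage: setkey -D | python3 audit_sad.py <reqid from ifconfig ipsecN>
    reqid = int(sys.argv[1]) if len(sys.argv) > 1 else 100
    text = sys.stdin.read() if len(sys.argv) > 1 else MANUAL_SAD
    print("\n".join(audit(parse_setkey_d(text), reqid) or ["no findings"]))
```

On a tunnel host run it as `setkey -D | python3 audit_sad.py 100`, taking the reqid from `ifconfig ipsec0`. Fed the racoon-negotiated dump with reqid 16388 it reports nothing; fed the manual dump with reqid 100 it flags both SAs three times (encryption-only ESP, replay=0, ASCII key), and with the wrong reqid it additionally reports that the interface's `unique` policies will never select them, which is the usual cause of a tunnel that is up but passes no traffic.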