最後更新日:2004/12/14

FreeBSD 兩點 VPN 採用 FreeBSD 5.3 R + PF + IPSec_ESP

Environment :

硬體:VPN2、VPN3  兩台i386 Celeron 360 的 PC
網卡:4片網卡 ( 每台機器兩片 )
作業系統:FreeBSD 5.3 Release

Drawing :



Step 1.


vpn2#cd /usr/src/sys/i386/conf  

vpn2#cp GENERIC /etc/NEWVPN2
vpn2#ln -s /etc/NEWVPN2
vpn2#vi NEWVPN2 

ident       NEWVPN2

# Packet filter: pf itself, the pflog pseudo-interface that pflog_enable in
# rc.conf uses for logging, and pfsync (not referenced by the configuration
# below, but harmless to build in).
device      pf
device      pflog
device      pfsync
# ALTQ queueing support; the pf.conf below defines no queues, so this is
# optional for this setup.
options     ALTQ
options     ALTQ_CBQ
# IPsec with ESP, required for the manual SAs/policies in /etc/ipsec.conf.
options     IPSEC
options     IPSEC_ESP
# Extra kernel IPsec diagnostics; handy while bringing the tunnel up,
# consider dropping it from the production kernel once the tunnel works.
options     IPSEC_DEBUG

# gif(4) tunnel interface; provides gif0 configured in rc.conf.
pseudo-device gif

vpn2#config NEWVPN2
vpn2#cd ../compile/NEWVPN2
vpn2#make depend all install

vpn2#vi /etc/rc.conf  
# 設定開機啟動環境及虛擬介面卡的 IP

# Default gateway and public identity of this node.
# NOTE(review): 203.107.34.192 lies outside the fxp0 subnet 203.107.34.0/26
# (.0-.63) configured below, while vpn3 uses .62 — confirm this gateway.
defaultrouter="203.107.34.192"
hostname="vpn2.ntut.idv.tw"
# fxp0: public side and IPsec/gif tunnel endpoint; fxp1: private LAN 192.168.2.0/24.
ifconfig_fxp0="inet 203.107.34.2  netmask 255.255.255.192"
ifconfig_fxp1="inet 192.168.2.254  netmask 255.255.255.0"

# gif0: IP-in-IP tunnel whose outer header runs between the two public
# addresses; the inner addresses are the two LAN gateways as a /32
# point-to-point link (the ipencap traffic is what ipsec.conf forces into ESP).
gif_interfaces="gif0"
gifconfig_gif0="203.107.34.2 203.107.34.3"
ifconfig_gif0="inet 192.168.2.254 192.168.3.254 netmask 255.255.255.255"

# Load the manual SAs and policies from /etc/ipsec.conf at boot (setkey -f).
# That file holds the raw ESP key, so keep it readable by root only.
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"


# pf firewall plus its pflog logging interface.
pf_enable="YES"
pflog_enable="YES"

vpn2#vi /etc/sysctl.conf   
# 開啟 NAT 的 IP Forwarding 環境

# Required so this host routes between fxp1 (LAN), the gif0 tunnel and the
# NAT on fxp0; without it packets from the LAN are not forwarded at all.
net.inet.ip.forwarding=1


vpn2#vi /etc/inetd.conf     # 打開 ftp 的替代 port ,如此 NAT 內部才能對外使用 ftp 抓東西

# ftp-proxy handles the FTP control connections that pf.conf redirects to
# 127.0.0.1:8021, so clients behind the NAT can use FTP.
# NOTE(review): written this way inetd listens on every address, although pf
# only ever sends traffic to 127.0.0.1; binding it to loopback with inetd's
# host:port form (127.0.0.1:8021) keeps the proxy off fxp0 — confirm the
# "ftp-proxy" service name resolves to 8021 in /etc/services.
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy


vpn2#vi /etc/pf.conf    
#  設定防火牆規則

#  Macros
ext_if="fxp0"   # public side, IPsec/gif endpoint 203.107.34.2
int_if="fxp1"   # private LAN 192.168.2.0/24

#  NAT
# Hide the LAN behind whatever address fxp0 currently has.
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Hand LAN-originated FTP control sessions to the local ftp-proxy (inetd, port 8021).
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#  Filter Rules
# NOTE(review): these two rules pass every packet in both directions, so pf is
# doing NAT only and no filtering: every service on 203.107.34.2 is reachable
# from the Internet and nothing limits who may send ESP to this host. At a
# minimum replace "pass in all" with a default block on $ext_if plus explicit
# passes from the peer 203.107.34.3 for proto esp (and, if pflog shows them
# dropped after decapsulation, proto ipencap), keep state for outbound
# traffic, and re-run the ping test afterwards.
pass in all
pass out all

vpn2#vi /usr/local/etc/rc.d/ipsec.sh   
#  加一筆 route 進入 vpn2 將 192.168.3.0/24 往 192.168.3.254 帶

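#!/bin/sh
#
# Static route to the LAN behind vpn3 (192.168.3.0/24) via the far end of the
# gif0 tunnel (192.168.3.254), so LAN-to-LAN traffic enters the tunnel and is
# therefore covered by the ESP "require" policy in /etc/ipsec.conf.
# Runs from /usr/local/etc/rc.d after the network (gif0) is configured; the
# file must be executable for rc to pick it up.
# Usage: ipsec.sh [start|stop]   (no argument behaves like start)

remote_net="192.168.3.0/24"
remote_gw="192.168.3.254"

case "${1:-start}" in
  start)
    route add -net "$remote_net" "$remote_gw"
    ;;
  stop)
    # Remove the route again on shutdown instead of re-adding it.
    route delete -net "$remote_net" "$remote_gw"
    ;;
  *)
    printf 'usage: %s [start|stop]\n' "$0" >&2
    exit 64
    ;;
esac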

vpn2#vi /etc/ipsec.conf
    #  設定通道加密方式

# Manual (static) keying for the vpn2<->vpn3 ESP tunnel; loaded at boot via
# ipsec_file in rc.conf (setkey -f). Clear any old SAs and policies first.
flush;
spdflush;

# Security Associations, one per direction (spi 9991 vpn2->vpn3, 9992
# vpn3->vpn2); both nodes must carry identical entries.
# NOTE(review): "123456789" is a short ASCII key, reused for both directions,
# and readable to anyone who can run setkey -D. Use a distinct random key per
# SA, written as hex (0x...) from a CSPRNG such as openssl rand, and keep this
# file mode 600.
# NOTE(review): these SAs are encryption-only (no -A ...), so ESP provides no
# integrity protection here. Add an authentication algorithm and key to both
# SAs (e.g. -A hmac-sha1 0x<160-bit-hex-key>) or let IKE (racoon) negotiate
# and rotate the keys instead of static ones.
add 203.107.34.2 203.107.34.3 esp 9991 -E blowfish-cbc "123456789";
add 203.107.34.3 203.107.34.2 esp 9992 -E blowfish-cbc "123456789";

# Security Policies: the gif (ipencap) traffic between the two public /32s
# must travel inside the ESP tunnel in both directions; "require" means
# matching traffic that is not protected is dropped rather than passed.
spdadd 203.107.34.2/32 203.107.34.3/32 ipencap -P out ipsec esp/tunnel/203.107.34.2-203.107.34.3/require;
spdadd 203.107.34.3/32 203.107.34.2/32 ipencap -P in ipsec esp/tunnel/203.107.34.3-203.107.34.2/require;

Step 2.

vpn3#cd /usr/src/sys/i386/conf 

vpn3#cp GENERIC /etc/NEWVPN3
vpn3#ln -s /etc/NEWVPN3
vpn3#vi NEWVPN3 

# Packet filter: pf itself, the pflog pseudo-interface that pflog_enable in
# rc.conf uses for logging, and pfsync (not referenced by the configuration
# below, but harmless to build in).
device      pf
device      pflog
device      pfsync
# ALTQ queueing support; the pf.conf below defines no queues, so this is
# optional for this setup.
options     ALTQ
options     ALTQ_CBQ
# IPsec with ESP, required for the manual SAs/policies in /etc/ipsec.conf.
options     IPSEC
options     IPSEC_ESP
# Extra kernel IPsec diagnostics; handy while bringing the tunnel up,
# consider dropping it from the production kernel once the tunnel works.
options     IPSEC_DEBUG

# gif(4) tunnel interface; provides gif0 configured in rc.conf.
pseudo-device gif

vpn3#config NEWVPN3
vpn3#cd ../compile/NEWVPN3
vpn3#make depend all install

vpn3#vi /etc/rc.conf

# Default gateway and public identity of this node.
defaultrouter="203.107.34.62"
hostname="vpn3.ntut.idv.tw"
# rl0: public side and IPsec/gif tunnel endpoint; rl1: private LAN 192.168.3.0/24.
ifconfig_rl0="inet 203.107.34.3  netmask 255.255.255.192"
ifconfig_rl1="inet 192.168.3.254  netmask 255.255.255.0"

# gif0: IP-in-IP tunnel whose outer header runs between the two public
# addresses; the inner addresses are the two LAN gateways as a /32
# point-to-point link (the ipencap traffic is what ipsec.conf forces into ESP).
gif_interfaces="gif0"
gifconfig_gif0="203.107.34.3 203.107.34.2"
ifconfig_gif0="inet 192.168.3.254 192.168.2.254 netmask 255.255.255.255"

# Load the manual SAs and policies from /etc/ipsec.conf at boot (setkey -f).
# That file holds the raw ESP key, so keep it readable by root only.
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# pf firewall plus its pflog logging interface.
pf_enable="YES"
pflog_enable="YES"


vpn3#vi /etc/sysctl.conf    
# 開啟 NAT 的 IP Forwarding 環境

# Required so this host routes between rl1 (LAN), the gif0 tunnel and the
# NAT on rl0; without it packets from the LAN are not forwarded at all.
net.inet.ip.forwarding=1


vpn3#vi /etc/inetd.conf    
# 打開 ftp 的替代 port 如此 NAT 內部才能對外使用 ftp 抓東西

# ftp-proxy handles the FTP control connections that pf.conf redirects to
# 127.0.0.1:8021, so clients behind the NAT can use FTP.
# NOTE(review): written this way inetd listens on every address, although pf
# only ever sends traffic to 127.0.0.1; binding it to loopback with inetd's
# host:port form (127.0.0.1:8021) keeps the proxy off rl0 — confirm the
# "ftp-proxy" service name resolves to 8021 in /etc/services.
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy


vpn3#vi /etc/pf.conf    
# 設定防火牆規則

#  Macros
ext_if="rl0"    # public side, IPsec/gif endpoint 203.107.34.3
int_if="rl1"    # private LAN 192.168.3.0/24

#  NAT
# Hide the LAN behind whatever address rl0 currently has.
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Hand LAN-originated FTP control sessions to the local ftp-proxy (inetd, port 8021).
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#  Filter Rules
# NOTE(review): these two rules pass every packet in both directions, so pf is
# doing NAT only and no filtering: every service on 203.107.34.3 is reachable
# from the Internet and nothing limits who may send ESP to this host. At a
# minimum replace "pass in all" with a default block on $ext_if plus explicit
# passes from the peer 203.107.34.2 for proto esp (and, if pflog shows them
# dropped after decapsulation, proto ipencap), keep state for outbound
# traffic, and re-run the ping test afterwards.
pass in all
pass out all

vpn3#vi /usr/local/etc/rc.d/ipsec.sh    
#  加一筆 route 進入 vpn2 將 192.168.3.0/24 往 192.168.3.254 帶

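#!/bin/sh
#
# Static route to the LAN behind vpn2 (192.168.2.0/24) via the far end of the
# gif0 tunnel (192.168.2.254), so LAN-to-LAN traffic enters the tunnel and is
# therefore covered by the ESP "require" policy in /etc/ipsec.conf.
# Runs from /usr/local/etc/rc.d after the network (gif0) is configured; the
# file must be executable for rc to pick it up.
# Usage: ipsec.sh [start|stop]   (no argument behaves like start)

remote_net="192.168.2.0/24"
remote_gw="192.168.2.254"

case "${1:-start}" in
  start)
    route add -net "$remote_net" "$remote_gw"
    ;;
  stop)
    # Remove the route again on shutdown instead of re-adding it.
    route delete -net "$remote_net" "$remote_gw"
    ;;
  *)
    printf 'usage: %s [start|stop]\n' "$0" >&2
    exit 64
    ;;
esac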

vpn3#vi /etc/ipsec.conf     
#  設定通道加密方式

# Manual (static) keying for the vpn3<->vpn2 ESP tunnel; loaded at boot via
# ipsec_file in rc.conf (setkey -f). Clear any old SAs and policies first.
flush;
spdflush;

# Security Associations, identical to the entries on vpn2 (spi 9991
# vpn2->vpn3, 9992 vpn3->vpn2); both sides must agree on spi, cipher and key.
# NOTE(review): "123456789" is a short ASCII key, reused for both directions,
# and readable to anyone who can run setkey -D. Use a distinct random key per
# SA, written as hex (0x...) from a CSPRNG such as openssl rand, and keep this
# file mode 600.
# NOTE(review): these SAs are encryption-only (no -A ...), so ESP provides no
# integrity protection here. Add an authentication algorithm and key to both
# SAs (e.g. -A hmac-sha1 0x<160-bit-hex-key>) or let IKE (racoon) negotiate
# and rotate the keys instead of static ones.
add 203.107.34.2 203.107.34.3 esp 9991 -E blowfish-cbc "123456789";
add 203.107.34.3 203.107.34.2 esp 9992 -E blowfish-cbc "123456789";

# Security Policies, mirrored from vpn2: gif (ipencap) traffic between the
# two public /32s must travel inside the ESP tunnel in both directions;
# "require" means matching traffic that is not protected is dropped.
spdadd 203.107.34.3/32 203.107.34.2/32 ipencap -P out ipsec esp/tunnel/203.107.34.3-203.107.34.2/require;
spdadd 203.107.34.2/32 203.107.34.3/32 ipencap -P in ipsec esp/tunnel/203.107.34.2-203.107.34.3/require;

Step 3.

vpn2#setkey -DP   # 看 vpn2 與 vpn3 的 ipsec tunnel 有無起動

203.107.34.3[any] 203.107.34.2[any] ip4
        in ipsec
        esp/tunnel/203.107.34.3-203.107.34.2/require
        created: Dec 15 18:48:36 2004  lastused: Dec 15 21:45:42 2004
        lifetime: 0(s) validtime: 0(s)
        spid=16389 seq=1 pid=890
        refcnt=1
203.107.34.2[any] 203.107.34.3[any] ip4
        out ipsec
        esp/tunnel/203.107.34.2-203.107.34.3/require
        created: Dec 15 18:48:36 2004  lastused: Dec 15 21:45:42 2004
        lifetime: 0(s) validtime: 0(s)
        spid=16388 seq=0 pid=890
        refcnt=1

vpn3#setkey -DP   # 看vpn3 與 vpn2 的 ipsec tunnel 有無起動

203.107.34.2[any] 203.107.34.3[any] ip4
        in ipsec
        esp/tunnel/203.107.34.2-203.107.34.3/require
        created: Dec 15 18:58:12 2004  lastused: Dec 15 21:55:34 2004
        lifetime: 0(s) validtime: 0(s)
        spid=16389 seq=1 pid=877
        refcnt=1
203.107.34.3[any] 203.107.34.2[any] ip4
        out ipsec
        esp/tunnel/203.107.34.3-203.107.34.2/require
        created: Dec 15 18:58:12 2004  lastused: Dec 15 21:55:34 2004
        lifetime: 0(s) validtime: 0(s)
        spid=16388 seq=0 pid=877
        refcnt=1

vpn2#setkey -D     #  查看 Security Association Database (SAD)

203.107.34.3 203.107.34.2
        esp mode=any spi=9992(0x00002708) reqid=0(0x00000000)
        E: blowfish-cbc  31323334 35363738 39
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        created: Dec 15 18:48:36 2004   current: Dec 15 22:09:10 2004
        diff: 12034(s)  hard: 0(s)      soft: 0(s)
        last: Dec 15 21:45:42 2004      hard: 0(s)      soft: 0(s)
        current: 2292(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 24   hard: 0 soft: 0
        sadb_seq=1 pid=886 refcnt=1
203.107.34.2 203.107.34.3
        esp mode=any spi=9991(0x00002707) reqid=0(0x00000000)
        E: blowfish-cbc  31323334 35363738 39
        seq=0x0000000e replay=0 flags=0x00000040 state=mature
        created: Dec 15 18:48:36 2004   current: Dec 15 22:09:10 2004
        diff: 12034(s)  hard: 0(s)      soft: 0(s)
        last: Dec 15 21:45:42 2004      hard: 0(s)      soft: 0(s)
        current: 2000(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 14   hard: 0 soft: 0
        sadb_seq=0 pid=886 refcnt=2

vpn2#setkey -f /etc/ipsec.conf     # 重新導入 ipsec.conf 值

vpn2#ping -S 192.168.2.254 192.168.3.254   
#  帶 Source 192.168.2.254 IP ping

PING 192.168.3.254 (192.168.3.254) from 192.168.2.254: 56 data bytes
64 bytes from 192.168.3.254: icmp_seq=0 ttl=64 time=1.439 ms
64 bytes from 192.168.3.254: icmp_seq=1 ttl=64 time=1.310 ms
^C
--- 192.168.3.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.310/1.375/1.439/0.065 ms


vpn3#ping -S 192.168.3.254 192.168.2.254   
#  帶 Source 192.168.3.254 IP ping

PING 192.168.2.254 (192.168.2.254) from 192.168.3.254: 56 data bytes
64 bytes from 192.168.2.254: icmp_seq=0 ttl=64 time=1.518 ms
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=1.344 ms
^C
--- 192.168.2.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.344/1.431/1.518/0.087 ms

參考資料:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
http://www.x-itec.de/projects/tuts/ipsec-howto.txt