* RCSID $Id: rgb_setup.txt,v 1.6 1999/04/06 04:54:24 rgb Exp $

This is an example of a network set up to test the FreeS/WAN KLIPS
package. It details the hardware setup and the steps necessary to
manually configure and set up two types of connections. It assumes
that all machines are configured and can talk to each other.
1. Here is a simplified view of RGB's testbed:

      +---------+                  +---------+
      |  ping4  |                  |  ping5  |
      +----*----+                  +----*----+
    eth0 * 192.168.4.104        eth0 * 192.168.5.104
         *                           *
    *************************   *************************
         *                           *
    eth1 * 192.168.4.110        eth1 * 192.168.5.100
      +----*-----+                 +----*-----+
      | gonzales |                 | magellan ***-> eth2 to Internet
      +----*-----+                 +----*-----+
    eth0 * 192.168.2.110        eth0 * 192.168.2.100
         *                           *
    ******************************************************************
Only magellan and gonzales need to run IPSEC.

All netmasks in this example are 255.255.255.0, but yours should reflect
your network architecture.

Ping4 has a route to 192.168.5.x via gonzales, and ping5 has a route to
192.168.4.x via magellan.

gonzales and magellan know how to route only to their connected subnets;
gonzales does not (yet) know how to get to 192.168.5.x and magellan does
not know how to get to 192.168.4.x.

First, follow the instructions in the top-level INSTALL to compile and
install the software on both gonzales and magellan, and reboot.

Let us set up gonzales.

ipsec0 needs to be associated with a real interface. In our case,
we shall associate it with the interface on the 192.168.2.0 subnet, that
is, eth0, because that's where IPSEC'ed traffic will flow. Then we
need to configure the new pseudo interface:

gonzales# ipsec tncfg --attach --virtual ipsec0 --physical eth0
gonzales# ifconfig ipsec0 192.168.2.110 netmask 255.255.255.0

On magellan, do the same:

magellan# ipsec tncfg --attach --virtual ipsec0 --physical eth0
magellan# ifconfig ipsec0 192.168.2.100 netmask 255.255.255.0

Note: The ipsec interface IP, broadcast address and netmask should be
identical to the physical interface to which it is attached.
Let us have gonzales and magellan communicate securely, using the latest and
greatest IPSEC transform: triple-DES with 96 bits of HMAC-MD5 hash. This
transform requires an 8-byte (16 nybble) Initialisation Vector
(0x1000000000000001), a 24-byte (48 nybble) encryption key
(0x663066306630663066306630663066306630663066301111) and a 16-byte (32 nybble)
authentication key (0x66306630663066306630663066302222).

To set the actual Security Association, type:

gonzales# ipsec spi --edst 192.168.2.100 --spi 0x125 --proto esp \
          --esp 3des-md5-96 --iv 0x1000000000000001 \
          --enckey 0x663066306630663066306630663066306630663066301111 \
          --authkey 0x66306630663066306630663066302222
To verify it worked, type:

gonzales# cat /proc/net/ipsec_spi

esp0x125@192.168.2.100 ESP_proto_3DES_encrypt_MD5_auth_: dir=out
win=0 seq=0 bit=0x00000000 flags=0x0
And set the same SA on magellan, so it will know how to decrypt packets:

magellan# ipsec spi --edst 192.168.2.100 --spi 0x125 --proto esp \
          --esp 3des-md5-96 --iv 0x1000000000000001 \
          --enckey 0x663066306630663066306630663066306630663066301111 \
          --authkey 0x66306630663066306630663066302222
Then, issue the following command, which tells gonzales to process packets
originating with it and destined for magellan by applying a transform
defined by destination address 192.168.2.100 (magellan), SPI 0x125 and

gonzales# ipsec eroute --add --src 192.168.2.110/32 \
          --dst 192.168.2.100/32 \
          --edst 192.168.2.100 --spi 0x125 --proto esp
To verify it has worked, type:

gonzales# cat /proc/net/ipsec-eroute

192.168.2.110/32 -> 192.168.2.100/32 => esp0x125@192.168.2.100
Last, let's route all the packets destined for magellan through the ipsec0

gonzales# route del 192.168.2.100 #(to clear any old routes)
gonzales# route add -net 192.168.2.100 \
          netmask 255.255.255.255 \
          dev ipsec0 gw 192.168.2.100
If you ping magellan from gonzales, and look at the traffic on the wire,
you'll see that packets from gonzales to magellan are encrypted (and
authenticated), while packets from magellan to gonzales are in the clear.
Needless to say, you can set up a symmetric set of transforms on magellan
and gonzales, respectively, so that the reverse traffic is also encrypted.
To undo all these commands, work in reverse:

gonzales# route del 192.168.2.100
gonzales# ipsec eroute --del --src 192.168.2.110/32 \
          --dst 192.168.2.100/32
gonzales# ipsec spi --edst 192.168.2.100 --spi 0x125 --proto esp --del

magellan# ipsec spi --edst 192.168.2.100 --spi 0x125 --proto esp --del

and don't forget to replace any routes that may have been removed by
the original 'route del' command.
3.1. Set up the tunnel.

Now, we want to set up gonzales so that packets from ping4 to ping5 will be
tunneled through the (gonzales->magellan) tunnel.

We now want to tell the IPSEC code what processing to apply to packets
which have been selected to be processed with DA=192.168.2.100,
SPI=0x103 and proto=tun. First, they will be encapsulated in simple
IP-in-IP (proto 4) encapsulation, and to enable that we type:

gonzales# ipsec spi --edst 192.168.2.100 --spi 0x103 --proto tun \
          --ip4 --src 192.168.2.110 --dst 192.168.2.100

This tells the IPSEC code that packets which have been selected to be
processed with DA=192.168.2.100, SPI=0x103 and proto=tun should be run
through IP-in-IP, with "outer" (encapsulating packet) source and
destination addresses of 192.168.2.110 (gonzales) and 192.168.2.100
(magellan) respectively. Type:

gonzales# cat /proc/net/ipsec-spi

to verify that the SAID has been formed. You should get

tun0x103@192.168.2.100 IPIP_proto_: dir=out flags=0x0
192.168.2.110 -> 192.168.2.100
Now, issue the following command:

gonzales# ipsec eroute --add --src 192.168.4.0/24 \
          --dst 192.168.5.0/24 \
          --edst 192.168.2.100 --spi 0x103 --proto tun

To verify it has worked, type:

gonzales# cat /proc/net/ipsec-eroute

192.168.4.0/24 -> 192.168.5.0/24 => tun0x103@192.168.2.100
This means that packets originating from net 192.168.4.x and destined
for net 192.168.5.x should be IPSEC-processed, with a "Destination
Address" of 192.168.2.100, a "Security Parameters Index" of 0x103 and
a "Protocol" of 'tun'. The Destination Address indicates the other
point of the tunnel, whether it is a real tunnel (as in this case), or
simply the destination (in what we call "transport mode"). The
Security Parameters Index, or SPI, is an opaque value that indicates,
along with the DA and the protocol, what processing these packets will
receive at our end as well as the remote end. The triple (DA, SPI,
Proto) is called a SAID (Security Association IDentifier) in this
The last step is to set up a route to net 192.168.5.0 through the ipsec0

gonzales# route del 192.168.5.0 #(to clear any old routes)
gonzales# route add -net 192.168.5.0 \
          netmask 255.255.255.0 \
          dev ipsec0 gw 192.168.2.100

[ To understand what this does, remember that we "attached" eth0 to
ipsec0; the route is set up so that packets will be routed through
magellan, but they will first pass through the ipsec0 interface; then, when
they have been processed, they will be passed on to the attached
interface and delivered to the next-hop specified in the gw parameter
in the route command. ]
So far so good, but we've simply reproduced already existing
functionality. Now, let's add security. First, we'll tell the code to
encrypt packets using the ESP-3DES-CBC transform. We'll create another
SAID, this time for ESP-3DES-CBC.

gonzales# ipsec spi --edst 192.168.2.100 --spi 0x105 --proto esp \
          --esp 3des --iv 0x6630663066306630 \
          --enckey 0x663066306630313663066306630313226630663066303132

This tells the IPSEC layer that packets destined to be processed with
DA=192.168.2.100, SPI=0x105, proto=esp, should be processed with
ESP-3DES-CBC, use 0x6630663066306630 as the 3DES-CBC Initialization Vector,
and use 0x663066306630313266306630663031326630663066303132 as the 3DES
key (the 3DES parity bits are ignored, so this yields the 168-bit 3DES
Next, we also want to authenticate the resulting packet, so we
create another SAID, this time for the AH-HMAC-MD5 transform:

gonzales# ipsec spi --edst 192.168.2.100 --spi 0x106 --proto ah \
          --ah hmac-md5-96 \
          --authkey 0x66306630663031326630663066303132
To see the picture so far, type:

gonzales# cat /proc/net/ipsec-spi

tun0x103@192.168.2.100 IPIP_proto_: dir=out flags=0x0
192.168.2.110 -> 192.168.2.100
ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=out alen=16 win=0
esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=out
win=0 seq=0 bit=0x00000000 flags=0x0
Now comes the crucial step. What the original eroute add command did was to
establish that outgoing packets are to be processed with IP-in-IP
encapsulation first. Now, we need to "link" this transform (IPIP) to the ESP
transform and then the AH. We do that with the spigrp ("group SPIs") command:

gonzales# ipsec spigrp 192.168.2.100 0x103 tun \
          192.168.2.100 0x105 esp \
          192.168.2.100 0x106 ah

To verify all this worked, type:

gonzales# cat /proc/net/ipsec-spigrp

tun0x103@192.168.2.100 esp0x105@192.168.2.100 ah0x106@192.168.2.100
Now, on magellan, to receive and decode these packets, we need:

magellan# ipsec spi --edst 192.168.2.100 --spi 0x105 --proto esp \
          --esp 3des --iv 0x6630663066306630 \
          --enckey 0x663066306630313663066306630313226630663066303132
magellan# ipsec spi --edst 192.168.2.100 --spi 0x106 --proto ah \
          --ah hmac-md5-96 \
          --authkey 0x66306630663031326630663066303132

since IP-in-IP does not need any special handling. ESP and AH,
however, need the SAIDs to be established. We use the same commands we
used for the outgoing packets on gonzales.
magellan# cat /proc/net/ipsec-spi

ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=in alen=16
win=0 seq=0 bit=0x00000000 flags=0x0
esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=in
win=0 seq=0 bit=0x00000000 flags=0x0
On magellan, now, we have to send things up the opposite way. Here are the

magellan# ipsec spi --edst 192.168.2.110 --spi 0x113 --proto tun \
          --ip4 --src 192.168.2.100 --dst 192.168.2.110
magellan# ipsec spi --edst 192.168.2.110 --spi 0x115 --proto esp \
          --esp 3des --iv 0x6630663066306630 \
          --enckey 0x663066306630313663066306630313226630663066303132
magellan# ipsec spi --edst 192.168.2.110 --spi 0x116 --proto ah \
          --ah hmac-md5-96 \
          --authkey 0x66306630663031326630663066303132

magellan# ipsec spigrp 192.168.2.110 0x113 tun \
          192.168.2.110 0x115 esp \
          192.168.2.110 0x116 ah
magellan# ipsec eroute --add --src 192.168.5.0/24 \
          --dst 192.168.4.0/24 \
          --edst 192.168.2.110 --spi 0x113 --proto tun
magellan# route del 192.168.4.0 #(to clear any old routes)
magellan# route add -net 192.168.4.0 netmask 255.255.255.0 dev ipsec0 \
          gw 192.168.2.110
Now, we also need to specify what will happen when gonzales receives

gonzales# ipsec spi --edst 192.168.2.110 --spi 0x115 --proto esp \
          --esp 3des --iv 0x6630663066306630 \
          --enckey 0x663066306630313663066306630313226630663066303132
gonzales# ipsec spi --edst 192.168.2.110 --spi 0x116 --proto ah \
          --ah hmac-md5-96 \
          --authkey 0x66306630663031326630663066303132
To see the whole picture, type:

gonzales# cat /proc/net/ipsec-spi

tun0x103@192.168.2.100 IPIP_proto_: dir=out
192.168.2.110 -> 192.168.2.100
ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=out alen=16
win=0 seq=0 bit=0x00000000 flags=0x0
esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=out
win=0 seq=0 bit=0x00000000 flags=0x0
ah0x116@192.168.2.110 AH_proto_MD5_auth_: dir=in alen=16
win=0 seq=0 bit=0x00000000 flags=0x0
esp0x115@192.168.2.110 ESP_proto_3DES_encrypt_NO_auth_: dir=in
win=0 seq=0 bit=0x00000000 flags=0x0
magellan# cat /proc/net/ipsec-eroute

192.168.5.0/24 -> 192.168.4.0/24 => tun0x113@192.168.2.110
magellan# cat /proc/net/ipsec-spi

tun0x113@192.168.2.110 IPIP_proto_: dir=out
192.168.2.100 -> 192.168.2.110
ah0x116@192.168.2.110 AH_proto_MD5_auth_: dir=out alen=16
win=0 seq=0 bit=0x00000000 flags=0x0
esp0x115@192.168.2.110 ESP_proto_3DES_encrypt_NO_auth_: dir=out
win=0 seq=0 bit=0x00000000 flags=0x0
ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=in alen=16
win=0 seq=0 bit=0x00000000 flags=0x0
esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=in
win=0 seq=0 bit=0x00000000 flags=0x0

magellan# cat /proc/net/ipsec-spigrp

tun0x113@192.168.2.110 esp0x115@192.168.2.110 ah0x116@192.168.2.110
If you ping ping5 from ping4, ICMP packets will leave ping4, reach
gonzales, get encapsulated in IPIP, encrypted with 3DES and authenticated
with HMAC-MD5, tunneled to magellan, get decapsulated, and then sent to ping5;
the return packets will follow the inverse path.
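As an added check that is not part of the original document, here is a small Python audit of one host's KLIPS state. It parses the /proc/net/ipsec-spi, ipsec-eroute and ipsec-spigrp listings in the formats shown in sections 2 and 3 (the sample lines below are constructed from those listings) and flags the two mistakes this manual procedure invites: an eroute that selects a SAID no "ipsec spi" command created, and an ESP SA with no authentication of its own (the ..._NO_auth_ case) that has not been grouped with an AH SA via spigrp.

```python
import re
# Constructed samples in the format /proc/net/ipsec-spi, ipsec-eroute and
# ipsec-spigrp print on this page (gonzales, outbound side).
SPI_SAMPLE = """\
tun0x103@192.168.2.100 IPIP_proto_: dir=out flags=0x0
192.168.2.110 -> 192.168.2.100
ah0x106@192.168.2.100 AH_proto_MD5_auth_: dir=out alen=16 win=0
esp0x105@192.168.2.100 ESP_proto_3DES_encrypt_NO_auth_: dir=out
win=0 seq=0 bit=0x00000000 flags=0x0
esp0x125@192.168.2.100 ESP_proto_3DES_encrypt_MD5_auth_: dir=out
win=0 seq=0 bit=0x00000000 flags=0x0
"""
EROUTE_SAMPLE = "192.168.4.0/24 -> 192.168.5.0/24 => tun0x103@192.168.2.100\n"
SPIGRP_SAMPLE = "tun0x103@192.168.2.100 esp0x105@192.168.2.100 ah0x106@192.168.2.100\n"
# SAID line: <proto>0x<spi>@<dst> <transform description>: key=value ...
SAID_RE = re.compile(r"^((tun|esp|ah)0x[0-9a-f]+@[\d.]+)\s+(\S+):")

def parse_spi(text):
    """Return {SAID: (proto, transform description)}; continuation lines are skipped."""
    sas = {}
    for line in text.splitlines():
        m = SAID_RE.match(line)
        if m:
            sas[m.group(1)] = (m.group(2), m.group(3))
    return sas

def parse_eroute(text):
    """Return [(src, dst, SAID)] from 'src -> dst => SAID' lines."""
    return re.findall(r"^(\S+) -> (\S+) => (\S+)$", text, re.M)

def parse_spigrp(text):
    """Each line is one chain of SAIDs, outermost transform first."""
    return [line.split() for line in text.splitlines() if line.strip()]

def audit(spi_text, eroute_text, spigrp_text):
    sas = parse_spi(spi_text)
    findings = []
    # 1. Every eroute must select an SA that exists on this host.
    for src, dst, said in parse_eroute(eroute_text):
        if said not in sas:
            findings.append(f"eroute {src} -> {dst} selects unknown SAID {said}")
    # 2. ESP with no auth of its own is acceptable only if its spigrp chain has an AH SA.
    covered = set()
    for chain in parse_spigrp(spigrp_text):
        if any(sas.get(s, ("",))[0] == "ah" for s in chain):
            covered.update(chain)
    for said, (proto, desc) in sas.items():
        if proto == "esp" and "NO_auth" in desc and said not in covered:
            findings.append(f"{said} encrypts without authentication and has no AH in its group")
    return findings
```

Run audit() on the three files read from /proc on each gateway; an empty list means every eroute resolves and every ESP-only SA is protected by AH in its group.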
3.3 The whole routing picture.

For completeness, let us show part of the routing tables on all four machines:

gonzales# netstat -r -n

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0     3 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0     2 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0     2 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     4 lo
0.0.0.0         <firewall>      0.0.0.0         UG    0      0     0 eth0

magellan# netstat -r -n

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0     1 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0     2 eth1
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0     1 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     1 lo
0.0.0.0         207.236.55.1    0.0.0.0         UG    0      0     0 eth2

ping4# netstat -r -n

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.5.0     192.168.4.110   255.255.255.0   UG    0      0     1 eth0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0     1 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     1 lo
0.0.0.0         192.168.4.110   0.0.0.0         UG    0      0     0 eth0

ping5# netstat -r -n

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0     1 eth0
192.168.4.0     192.168.5.100   255.255.255.0   UG    0      0     1 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     1 lo
0.0.0.0         192.168.5.100   0.0.0.0         UG    0      0     0 eth0
rgb, February 22, 1999

* $Log: rgb_setup.txt,v $
* Revision 1.6  1999/04/06 04:54:24  rgb
* Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes