Tunnel configuration Cisco IOS / Racoon (FreeBSD)
Alexander "ripp" Kinscher
Fri Jul 21 19:13:27 CEST 2017

Cryptomap

IOS:
# crypto map foo 1 ipsec-isakmp
# set peer $IPSEC_ENDPOINT$
# set transform-set tester
# match address 120
# !
#
# interface FastEthernet0/0
# crypto map foo
# !
# access-list 120 permit ip host 192.0.2.9 any

Racoon (FreeBSD):
/usr/local/etc/racoon/racoon.conf
# remote anonymous {
# ph1id 1;
# generate_policy off;
# --snip--
# script "/usr/local/etc/racoon/scripts/phase1_up-1.sh" phase1_up;
# script "/usr/local/etc/racoon/scripts/phase1_down-1.sh" phase1_down;
# --snip--
# }
#
# sainfo address 0.0.0.0/0 any address 192.0.2.9/32 any {
# remoteid 1;
# --snip--
# }

/usr/local/etc/racoon/scripts/phase1_up-1.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# spdadd 192.0.2.9/32[any] 0.0.0.0/0[any] any -P in ipsec
# esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/use;
#
# spdadd 0.0.0.0/0[any] 192.0.2.9/32[any] any -P out ipsec
# esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/use;
#
# EOF

HINT: With policy level use, matching traffic is passed unprotected while no SA exists; use level require if the tunnel is mandatory.

/usr/local/etc/racoon/scripts/phase1_down-1.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# spddelete 192.0.2.9/32[any] 0.0.0.0/0[any] any -P in ipsec
# esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/use;
#
# spddelete 0.0.0.0/0[any] 192.0.2.9/32[any] any -P out ipsec
# esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/use;
#
# deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
# deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
#
# EOF

IPsec SVTI (route-based, proxy ID ANY/ANY)

IOS:
# crypto ipsec profile tunnel0
# set transform-set tester
# !
#
# interface Tunnel0
# ip address 192.0.2.9 255.255.255.252
# tunnel source XYZ
# tunnel mode ipsec ipv4
# tunnel destination $IPSEC_ENDPOINT$
# tunnel protection ipsec profile tunnel0
# end

HINT: For IPv6 over IPv4 transport, configure the following (IPv4 over IPv6 transport works as well). Dual-stack is NOT supported on SVTI by IOS; see GRE below!
# ipv6 address 2001:DB8:1::10/127
# ipv6 enable
# tunnel mode ipsec ipv4 v6-overlay

Racoon (FreeBSD):
/usr/local/etc/racoon/racoon.conf
# remote anonymous {
# ph1id 1;
# generate_policy off;
# --snip--
# script "/usr/local/etc/racoon/scripts/phase1_up-svti.sh" phase1_up;
# script "/usr/local/etc/racoon/scripts/phase1_down-svti.sh" phase1_down;
# --snip--
# }
#
# sainfo address 0.0.0.0/0 any address 0.0.0.0/0 any {
# remoteid 1;
# --snip--
# }

HINT: For IPv6 over IPv4 transport, use
# sainfo address ::/0 any address ::/0 any {
# remoteid 1;
# --snip--
# }

/usr/local/etc/racoon/scripts/phase1_up-svti.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# EOF
#
# /sbin/ifconfig ipsec0 create reqid 1
# /sbin/ifconfig ipsec0 tunnel ${LOCAL_ADDR} ${REMOTE_ADDR} mtu 1500 up
# /sbin/ifconfig ipsec0 192.0.2.10 192.0.2.9 netmask 255.255.255.252

HINT: For IPv6 over IPv4 transport, add
# /sbin/ifconfig ipsec0 inet6 add 2001:db8:1::11/127

/usr/local/etc/racoon/scripts/phase1_down-svti.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
# deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
#
# EOF
#
# /sbin/ifconfig ipsec0 destroy

IPsec GRE/IPsec (GRE over IPsec transport)

IOS:
# crypto ipsec profile tunnel0
# set transform-set tester-transport
# !
#
# interface Tunnel0
# ip address 192.0.2.9 255.255.255.252
# ip mtu 1500
# ipv6 address 2001:DB8:1::10/127
# ipv6 enable
# ipv6 mtu 1500
# tunnel source XYZ
# tunnel mode gre ip
# tunnel destination $IPSEC_ENDPOINT$
# tunnel protection ipsec profile tunnel0
# end

Racoon (FreeBSD):
/usr/local/etc/racoon/racoon.conf
# remote anonymous {
# ph1id 1;
# generate_policy off;
# --snip--
# script "/usr/local/etc/racoon/scripts/phase1_up-tr_gre.sh" phase1_up;
# script "/usr/local/etc/racoon/scripts/phase1_down-tr_gre.sh" phase1_down;
# --snip--
# }
#
# sainfo address $$$PUBLIC_LOCAL_IP$$$/32 47 anonymous {
# remoteid 1;
# --snip--
# }

/usr/local/etc/racoon/scripts/phase1_up-tr_gre.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# spdadd ${REMOTE_ADDR}[any] ${LOCAL_ADDR}[any] 47 -P in ipsec
# esp/transport//unique;
#
# spdadd ${LOCAL_ADDR}[any] ${REMOTE_ADDR}[any] 47 -P out ipsec
# esp/transport//unique;
#
# EOF
#
# /sbin/ifconfig gre0 create
# /sbin/ifconfig gre0 tunnel ${LOCAL_ADDR} ${REMOTE_ADDR} mtu 1500 up
# /sbin/ifconfig gre0 192.0.2.10 192.0.2.9 netmask 255.255.255.252
# /sbin/ifconfig gre0 inet6 add 2001:db8:1::11/127

/usr/local/etc/racoon/scripts/phase1_down-tr_gre.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# spddelete ${REMOTE_ADDR}[any] ${LOCAL_ADDR}[any] 47 -P in ipsec
# esp/transport//require;
#
# spddelete ${LOCAL_ADDR}[any] ${REMOTE_ADDR}[any] 47 -P out ipsec
# esp/transport//require;
#
# deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
# deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
#
# EOF
#
# /sbin/ifconfig gre0 destroy

IPsec GIF/IPsec (IP over IPsec transport)

IOS:
# crypto ipsec profile tunnel0
# set transform-set tester-transport
# !
#
# interface Tunnel0
# ip address 192.0.2.9 255.255.255.252
# ip mtu 1500
# tunnel source XYZ
# tunnel mode ipip
# tunnel destination $IPSEC_ENDPOINT$
# tunnel protection ipsec profile tunnel0
# end

Racoon (FreeBSD):
/usr/local/etc/racoon/racoon.conf
# remote anonymous {
# ph1id 1;
# generate_policy off;
# --snip--
# script "/usr/local/etc/racoon/scripts/phase1_up-tr_gif.sh" phase1_up;
# script "/usr/local/etc/racoon/scripts/phase1_down-tr_gif.sh" phase1_down;
# --snip--
# }
#
# sainfo address $$$PUBLIC_LOCAL_IP$$$/32 4 anonymous {
# remoteid 1;
# --snip--
# }

/usr/local/etc/racoon/scripts/phase1_up-tr_gif.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# spdadd ${REMOTE_ADDR}[any] ${LOCAL_ADDR}[any] 4 -P in ipsec
# esp/transport//unique;
#
# spdadd ${LOCAL_ADDR}[any] ${REMOTE_ADDR}[any] 4 -P out ipsec
# esp/transport//unique;
#
# EOF
#
# /sbin/ifconfig gif0 create
# /sbin/ifconfig gif0 tunnel ${LOCAL_ADDR} ${REMOTE_ADDR} mtu 1500 up
# /sbin/ifconfig gif0 192.0.2.10 192.0.2.9 netmask 255.255.255.252

/usr/local/etc/racoon/scripts/phase1_down-tr_gif.sh
# #!/bin/sh
#
# /sbin/setkey -c << EOF
#
# spddelete ${REMOTE_ADDR}[any] ${LOCAL_ADDR}[any] 4 -P in ipsec
# esp/transport//require;
#
# spddelete ${LOCAL_ADDR}[any] ${REMOTE_ADDR}[any] 4 -P out ipsec
# esp/transport//require;
#
# deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
# deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
#
# EOF
#
# /sbin/ifconfig gif0 destroy