FreeBSD talking to an (IPSec) Sonicwall VPN
  Apr 28, 2009
FreeBSD Sonicwall Drawing

This is a basic setup involving a point-to-point IPSec VPN connection between a FreeBSD host and a Sonicwall TZ-170. This guide will probably work for most other versions of FreeBSD as well as other operating systems that use ipsec-tools and racoon.

For this tutorial, the FreeBSD source tree (/usr/src) should be installed. If you do not have it, download the tree from the FreeBSD FTP site and use the install.sh all script.

FreeBSD IPSec Support

To enable IPSec operability on FreeBSD, you must edit the kernel config file to add the IPSec options.

Options We Will Use

  • IPSEC
  • IPSEC_ESP
  • IPSEC_NAT_T (provided by the NAT traversal patch that we will install if necessary)
  • IPSEC_FILTERGIF

Read about further explanation and more options in the FreeBSD Handbook. You could possibly need FAST_IPSEC.

The kernel config files live in the conf directory, and each option needs the "options" keyword:

    # cd /usr/src/sys/i386/conf
    # cp GENERIC CUSTOM
    # cat >> CUSTOM <<'EOF'
    options IPSEC
    options IPSEC_ESP
    options IPSEC_NAT_T
    options IPSEC_FILTERGIF
    EOF

NAT Traversal (natt) Patch

Here is the wiki on NAT Traversals. "NAT-T is commonly used by IPsec VPN clients in order to have ESP packets go through NAT."

As of FreeBSD 6.2-RELEASE-p9, the kernel does not have NAT-T (nat_t) compiled in, nor is it pulled in when you compile in the other IPSEC options.

Instead, we will use a well known patch that adds in NAT-T config options. The index of files is located here, but you will most likely need patch-natt-freebsd6-2007-05-31.diff.

    # cd /usr/src/sys
    # fetch http://vanhu.free.fr/FreeBSD/patch-natt-freebsd6-2007-05-31.diff
    # patch < patch-natt-freebsd6-2007-05-31.diff
    ...............
    Hunk #1 succeeded at 778 (offset -8 lines).
    done
    #

Building the System

Unfortunately, to get all this new stuff working we have to rebuild most of the core system from source. This can take a few hours on a mediocre PC so be warned. It really isn't bad at all.

Since we are going to rebuild, we might as well get the source tree somewhat updated.

    # freebsd-update fetch install

Now for the build itself. I made a script so I can just run it whenever I need to without typing it all out.

    # vi /root/freebsd_buildworld_script.sh
    #!/bin/sh
    # stop at the first failing step instead of installing a half-built system
    set -e
    cd /usr/src
    make buildworld
    make buildkernel KERNCONF=CUSTOM
    make installworld
    make installkernel KERNCONF=CUSTOM
    # chmod +x /root/freebsd_buildworld_script.sh
    # /root/freebsd_buildworld_script.sh
    # shutdown -r now

Hopefully everything went great! If not, go back and check everything. Try typing in each step of the script manually and seeing where it fails.

ipsec-tools

"IPsec-Tools is a port of KAME's IPsec utilities." We use this package to set up encryption schemes to talk to the other endpoint of our VPN (in this case a Sonicwall TZ170). Racoon is the meat of the package.

This port will tell you about the patch we applied earlier. We already took care of that.

    # cd /usr/ports/security/ipsec-tools
    # make rmconfig install clean

ipsec

You can build any module you would like, but make sure you check "NATT" and "NATTF". NATT enables NAT Traversal due to the patch we applied earlier, and NATTF basically checks to make sure the patch we applied took properly.

Everything should install fine if the nat_t patch was applied successfully. We will configure the services in this package later on in this tutorial.

Set Up Interfaces and Routing

We will be using the gif0 interface to do our VPN tunnel. We will also need a route statement defining the internal gateway of the Sonicwall's local network. While we are in here, we should go ahead and throw in the lines that enable the applications in ipsec-tools.

    # vi /etc/rc.conf
    ... ... snip ... ... snip ... ...
    gif_interfaces="gif0"
    gifconfig_gif0="49.49.49.49 23.23.23.23"
    ifconfig_gif0="inet 172.16.5.1 192.168.50.1 netmask 0xffffffff"
    static_routes="vpn"
    route_vpn="192.168.50.0 192.168.50.1 netmask 255.255.255.0"
    racoon_enable="YES"
    racoon_flags="-l /var/log/racoon.log"
    ipsec_enable="YES"
    ipsec_file="/etc/ipsec.conf"

Go ahead and test out a few of the new changes.

    # /etc/rc.d/netif restart
    # ifconfig
    ... ... snip ... ... snip ... ...
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 49.49.49.49 --> 23.23.23.23
            inet 172.16.5.1 --> 192.168.50.1 netmask 0xffffffff

We also need to enable IP forwarding so packets can pass between the interfaces. The sysctl.conf entry takes effect at boot; the second command applies it immediately.

    # echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
    # sysctl net.inet.ip.forwarding=1

ipsec.conf

We use /etc/ipsec.conf in conjunction with setkey (man setkey) to set our security policies for our VPN connection. For further explanation, see the VPN chapter in the FreeBSD Handbook.

    # vi /etc/ipsec.conf
    spdadd 172.16.5.0/24 172.16.5.1/32 any -P in none;
    spdadd 172.16.5.1/32 172.16.5.0/24 any -P out none;
    # tunnel endpoints are the outer src-dst: local-remote for out, remote-local for in
    spdadd 172.16.5.0/24 192.168.50.0/24 any -P out ipsec esp/tunnel/49.49.49.49-23.23.23.23/unique;
    spdadd 192.168.50.0/24 172.16.5.0/24 any -P in ipsec esp/tunnel/23.23.23.23-49.49.49.49/unique;

Load ipsec.conf up and check for any runtime errors.

    # /etc/rc.d/ipsec onerestart
    Clearing ipsec manual keys/policies.
    Installing ipsec manual keys/policies
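As an added example (not part of the original tutorial), a small Python checker for the spdadd lines in /etc/ipsec.conf: it parses each policy, rejects malformed lines such as a stray dot in a tunnel endpoint, and confirms that every outbound tunnel policy has a mirror inbound policy with the selectors and tunnel endpoints reversed. The sample SPD is constructed from the addresses used above.

```python
import ipaddress
import re

# Constructed sample SPD using the tutorial's addresses; the inbound tunnel
# policy lists its endpoints as outer src-dst (remote-local), per setkey(8).
IPSEC_CONF = """
spdadd 172.16.5.0/24 172.16.5.1/32 any -P in none;
spdadd 172.16.5.1/32 172.16.5.0/24 any -P out none;
spdadd 172.16.5.0/24 192.168.50.0/24 any -P out ipsec esp/tunnel/49.49.49.49-23.23.23.23/unique;
spdadd 192.168.50.0/24 172.16.5.0/24 any -P in ipsec esp/tunnel/23.23.23.23-49.49.49.49/unique;
"""

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+"
    r"(none|ipsec\s+([^/\s]+)/([^/\s]+)/([^-/\s]+)-([^/\s]+)/([^/\s]+))\s*;")

def parse_spd(text):
    """Parse spdadd lines into dicts; raise ValueError on a malformed line."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPD_RE.fullmatch(line)
        if m is None:
            raise ValueError("malformed spdadd line: " + line)
        pol = {"src": ipaddress.ip_network(m.group(1)), "dst": ipaddress.ip_network(m.group(2)),
               "proto": m.group(3), "dir": m.group(4), "ipsec": None}
        if m.group(5) != "none":
            # ip_address() rejects garbage such as "49.49.49.49." in an endpoint
            pol["ipsec"] = {"proto": m.group(6), "mode": m.group(7),
                            "tsrc": ipaddress.ip_address(m.group(8)),
                            "tdst": ipaddress.ip_address(m.group(9)),
                            "level": m.group(10)}
        policies.append(pol)
    return policies

def mirrors(out_pol, in_pol):
    """True if in_pol is out_pol with selectors and tunnel endpoints reversed."""
    o, i = out_pol["ipsec"], in_pol["ipsec"]
    return (in_pol["dir"] == "in" and i is not None and o is not None
            and in_pol["src"] == out_pol["dst"] and in_pol["dst"] == out_pol["src"]
            and i["tsrc"] == o["tdst"] and i["tdst"] == o["tsrc"]
            and i["proto"] == o["proto"] and i["mode"] == o["mode"])

def unmirrored(policies):
    """Outbound tunnel policies lacking a reversed inbound twin (often both lines
    were written local-remote)."""
    outs = [p for p in policies if p["dir"] == "out" and p["ipsec"] is not None]
    return [p for p in outs if not any(mirrors(p, q) for q in policies)]
```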

Configure Firewall

Installing a firewall is beyond the scope of this document. Please refer to the PF Chapter in the FreeBSD Handbook.

I have noticed 99% of the guides I see use ipfw or ipf. I, personally, use packet filter (pf). Regardless, make sure that you have the necessary ports open so your VPN can communicate.

racoon.conf

As stated earlier, we will use the racoon program to negotiate the IPSec proposals and authentication methods. We aren't doing anything too crazy here, but do make sure that the configuration options in this file match EXACTLY to the paired options on the Sonicwall.

Type man racoon.conf at the terminal for more config options and arguments.

    # mkdir /usr/local/etc/racoon
    # vi /usr/local/etc/racoon/racoon.conf
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    log notify;

    remote 23.23.23.23 {
       exchange_mode aggressive;
       my_identifier address 49.49.49.49;
       nat_traversal on;

       peers_identifier address 23.23.23.23;
       initial_contact on;
       proposal_check obey;

       proposal {
          encryption_algorithm 3des;
          hash_algorithm md5;
          authentication_method pre_shared_key;
          dh_group 2;
          lifetime time 28800 secs;
       }
       lifetime time 28800 secs;
    }

    sainfo address 172.16.5.0/24 any address 192.168.50.0/24 any {
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
       lifetime time 28800 secs;
    }

For more examples of racoon.conf, see /usr/local/share/examples/ipsec-tools.

We have most of the authentication information configured, but we will also be using a shared secret key in lieu of SSL certificates. This file is easy to set up, but it must be set up correctly or you will get proposal errors when you try to establish the VPN connection.

Do not forget to chmod the psk.txt file!

    # echo '23.23.23.23 mysupersecretpass' > /usr/local/etc/racoon/psk.txt
    # chmod 0600 /usr/local/etc/racoon/psk.txt

To check the settings, start up racoon and check the log.

    # /usr/local/etc/rc.d/racoon onerestart
    # tail -f /var/log/racoon.log
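As an added example (not the tutorial's own tooling), a Python check that reads the remote block of racoon.conf together with psk.txt and compares the phase 1 proposal against the values entered on the Sonicwall side. The Sonicwall settings dict is a constructed, hypothetical far side whose hash algorithm was left at SHA1, the kind of mismatch that shows up as proposal errors in racoon.log.

```python
import re

# Constructed racoon.conf fragment: the tutorial's remote block, trimmed to the
# phase 1 settings that have to agree with the Sonicwall VPN policy.
RACOON_CONF = """
remote 23.23.23.23 {
   exchange_mode aggressive;
   my_identifier address 49.49.49.49;
   nat_traversal on;
   proposal {
      encryption_algorithm 3des;
      hash_algorithm md5;
      authentication_method pre_shared_key;
      dh_group 2;
      lifetime time 28800 secs;
   }
}
"""
# Constructed psk.txt with a placeholder secret.
PSK_TXT = "23.23.23.23 mysupersecretpass\n"

# Hypothetical far side as read off the Sonicwall policy page (constructed):
# everything matches except the hash, which was left at SHA1.
SONICWALL_PHASE1 = {"exchange_mode": "aggressive", "encryption_algorithm": "3des",
                    "hash_algorithm": "sha1", "dh_group": "2", "lifetime": "28800"}

def parse_remote(conf):
    """Return (peer, settings) for the first remote block; proposal keys are flattened."""
    m = re.search(r"remote\s+(\S+)\s*\{(.*)\}", conf, re.S)
    if m is None:
        raise ValueError("no remote block found")
    settings = {}
    for key, val in re.findall(r"(\w+)\s+([^;{}]+);", m.group(2)):
        words = val.split()
        # "lifetime time 28800 secs" -> keep just the number of seconds
        settings[key] = words[1] if key == "lifetime" else " ".join(words)
    return m.group(1), settings

def phase1_mismatches(conf, far_side):
    """Map each differing setting to (racoon value, far side value)."""
    _, mine = parse_remote(conf)
    return {k: (mine.get(k), v) for k, v in far_side.items() if mine.get(k) != v}

def psk_present(psk_txt, peer):
    """True if psk.txt has a non-empty secret for the peer address."""
    for line in psk_txt.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == peer and parts[1].strip():
            return True
    return False
```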

Setting up the Sonicwall

In our example, we will be using a Sonicwall TZ-170 with the Enhanced OS. I have done this same setup on a Sonicwall PRO and it was pretty much identical, so I would say this works on most Sonicwall models.

Since most of the Sonicwall configuration is done by the web interface, I have provided screen shots of my personal settings. There will only be a few screens that we deal with due to Sonicwall's wizards.... no fun. ;)

First, log in to the Sonicwall. Click the VPN tab. Click the button that says VPN Policy Wizard....

Sonicwall VPN Wizard (four screenshots of the wizard steps)

Apply the settings.

Your options can differ, just make sure you make the appropriate changes in racoon.conf on the FreeBSD host.

Testing the Connection

Now that we have configured everything, we need to test it out! We have made a lot of changes along the way, so to make sure everything is loaded with the recent config files we can take the much easier choice and reboot, or try to restart everything manually:

Your command to load the new firewall rules may differ from the example below.

    # /etc/rc.d/ipsec onerestart
    # /usr/local/etc/rc.d/racoon onerestart
    # pfctl -Fa -f /etc/pf.conf

We need to check if we can see the Sonicwall's interface. Then we will see if we can get to other addresses in the subnet.

    # ping 192.168.50.1
    PING 192.168.50.1 (192.168.50.1): 56 data bytes
    64 bytes from 192.168.50.1: icmp_seq=0 ttl=32 time=11.321 ms
    64 bytes from 192.168.50.1: icmp_seq=1 ttl=32 time=12.542 ms
    ^C
    --- 192.168.50.1 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 20.918/24.100723 ms
    #
    # ping 192.168.50.100
    PING 192.168.50.1 (192.168.50.1): 56 data bytes
    64 bytes from 192.168.50.100: icmp_seq=0 ttl=32 time=11.321 ms
    64 bytes from 192.168.50.100: icmp_seq=1 ttl=32 time=12.542 ms
    ^C
    --- 192.168.50.1 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 20.918/24.100723 ms

We can also check the VPN connection status on the Sonicwall. Go to the VPN link on the left and you should see a screen similar to this.

notice the green dot :)

Sonicwall Active VPN Connection

If you, unfortunately, do not see a good connection, go to the Log link on the left and filter the results by the source address (49.49.49.49). You should see some debug information there when you try to ping 192.168.50.1 from the FreeBSD host.

Conclusion

Hopefully everything worked great the first time around. If not, I would recommend restarting FreeBSD completely and letting the daemons clean out all the junk. Also, I noticed that if you have to reestablish the VPN link manually and it connects but you can't ping the private subnets on the other side, issuing /usr/local/etc/rc.d/racoon onerestart usually fixes it.
