Here is a more detailed description:
network_schema.PNG
FreeBSD 10.0-STABLE has racoon installed. The firewall is configured as follows:
[root@secure1 ~]# ipfw sh
ipfw: DEPRECATED: 'sh' matched 'show' as a sub-string
00001 28412 55074783 allow ip from any to any via lo0
00002 0 0 deny ip from any to 127.0.0.0/8
00003 0 0 deny ip from 127.0.0.0/8 to any
00100 1645387589 562874159666 nat 10 ip from table(5) to any out via igb0
00100 4880618847 2932077446487 nat 10 ip from any to me in via igb0
00110 5318721439 1413564586341 queue 10 ip from 10.10.8.0/22 to 10.10.14.0/24 dst-port 22 via igb3
00111 5903342605 1197663552363 queue 10 ip from 10.10.14.0/24 22 to 10.10.8.0/22 via igb3
65534 35013576281 17170455764741 allow ip from any to any
65535 8076 827781 allow ip from any to any
Relevant parts of /etc/rc.conf:
.....
gateway_enable="YES"
.....
cloned_interfaces="tap0"
ifconfig_tap0="inet 169.254.30.18 netmask 255.255.255.252 mtu 1246 up" # Tunnel to Remote Office
......
# IPSEC
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
# BGP
# Quagga
quagga_enable="YES"
quagga_daemons="zebra bgpd"
quagga_flags="-d -A 127.0.0.1"
Racoon setup (/usr/local/etc/racoon/racoon.conf):
log info;
path pre_shared_key "/usr/local/etc/racoon/preshared.txt";
path certificate "/usr/local/etc/racoon/certs";
path include "/usr/local/etc/racoon/include.d";
listen {
isakmp 204.15.a.b [500];
isakmp_natt 204.15.a.b [4500];
adminsock "/var/db/racoon/racoon.sock";
}
remote 192.162.c.d {
#exchange_mode main,aggressive;
exchange_mode aggressive;
lifetime time 28800 seconds;
initial_contact off;
passive off;
proposal_check strict;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp2048;
lifetime time 3600 seconds;
}
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp2048;
lifetime time 3600 seconds;
}
proposal {
encryption_algorithm aes128;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group modp2048;
lifetime time 3600 seconds;
}
proposal {
encryption_algorithm 3des;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group modp2048;
lifetime time 3600 seconds;
}
generate_policy off;
nat_traversal off;
my_identifier address 204.15.a.b;
}
sainfo address 169.254.30.18/30 any address 169.254.30.17/30 any {
pfs_group modp2048;
lifetime time 3600 seconds;
encryption_algorithm 3des,aes128;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
The setkey.conf file (/usr/local/etc/racoon/setkey.conf):
flush;
spdflush;
spdadd 169.254.30.18/30 169.254.30.17/30 any -P out ipsec esp/tunnel/204.15.a.b-192.162.c.d/require;
spdadd 169.254.30.17/30 169.254.30.18/30 any -P in ipsec esp/tunnel/192.162.c.d-204.15.a.b/require;
spdadd 169.254.30.18/30 172.16.30.0/24 any -P out ipsec esp/tunnel/204.15.a.b-192.162.c.d/require;
spdadd 172.16.30.0/24 169.254.30.18/30 any -P in ipsec esp/tunnel/192.162.c.d-204.15.a.b/require;
spdadd 204.15.a.b/32 192.162.c.d/32 ipencap -P out ipsec esp/tunnel/204.15.a.b-192.162.c.d/require;
spdadd 192.162.c.d/32 204.15.a.b/32 ipencap -P in ipsec esp/tunnel/192.162.c.d-204.15.a.b/require;
## Remote office -> Main Office
spdadd 10.10.8.0/21 172.16.30.0/24 any -P out ipsec esp/tunnel/204.15.a.b-192.162.c.d/require;
spdadd 172.16.30.0/24 10.10.8.0/21 any -P in ipsec esp/tunnel/192.162.c.d-204.15.a.b/require;
## Remote office -> PROD
spdadd 172.30.0.0/16 172.16.30.0/24 any -P out ipsec esp/tunnel/204.15.a.b-192.162.c.d/require;
spdadd 172.16.30.0/24 172.30.0.0/16 any -P in ipsec esp/tunnel/192.162.c.d-204.15.a.b/require;
## Remote office DEV
spdadd 172.31.0.0/16 172.16.30.0/24 any -P out ipsec esp/tunnel/204.15.a.b-192.162.c.d/require;
spdadd 172.16.30.0/24 172.31.0.0/16 any -P in ipsec esp/tunnel/192.162.c.d-204.15.a.b/require;
After everything is set up, here is what I see on FreeBSD:
[root@secure1 ~]# racoonctl show-sa ipsec
204.15.a.b 192.162.c.d
esp mode=tunnel spi=222745012(0x0d46d1b4) reqid=0(0x00000000)
E: 3des-cbc 4eaf9d8b 52b7ef50 6390fa26 a9134c4e 9d580fe9 10a9edc1
A: hmac-sha1 5c0fa328 7230fd72 687e681d deeb2f80 a10fff3a
seq=0x000008d5 replay=4 flags=0x00000000 state=mature
created: Jul 15 05:16:53 2014 current: Jul 15 05:53:28 2014
diff: 2195(s) hard: 3600(s) soft: 2880(s)
last: Jul 15 05:53:27 2014 hard: 0(s) soft: 0(s)
current: 305792(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2261 hard: 0 soft: 0
sadb_seq=3 pid=31014 refcnt=3
192.162.c.d 204.15.a.b
esp mode=tunnel spi=75685033(0x0482dca9) reqid=0(0x00000000)
E: 3des-cbc bf17b75c 3fef25e2 db0492c6 c51ebc1a ca6260dd 8e9b068e
A: hmac-sha1 b21347bb e9cb4031 80346fc1 4a4afb34 9ba7edd9
seq=0x00000050 replay=4 flags=0x00000000 state=mature
created: Jul 15 05:16:53 2014 current: Jul 15 05:53:28 2014
diff: 2195(s) hard: 3600(s) soft: 2880(s)
last: Jul 15 05:53:06 2014 hard: 0(s) soft: 0(s)
current: 6596(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 80 hard: 0 soft: 0
sadb_seq=2 pid=31014 refcnt=1
My MikroTik shows:
[admin@office-gw] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x482DCA9 src-address=192.162.c.d dst-address=204.15.a.b auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature auth-key="b21347bbe9cb403180346fc14a4afb349ba7edd9"
enc-key="bf17b75c3fef25e2db0492c6c51ebc1aca6260dd8e9b068e" addtime=jul/15/2014 15:16:54 expires-in=21m37s add-lifetime=48m/1h current-bytes=5313
1 E spi=0xD46D1B4 src-address=204.15.a.b dst-address=192.162.c.d auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature auth-key="5c0fa3287230fd72687e681ddeeb2f80a10fff3a"
enc-key="4eaf9d8b52b7ef506390fa26a9134c4e9d580fe910a9edc1" addtime=jul/15/2014 15:16:54 expires-in=21m37s add-lifetime=48m/1h current-bytes=197269
So it seems the two peers are able to negotiate the keys: both sides show the same two SPIs (0x0d46d1b4 and 0x482dca9), the same 3des-cbc/hmac-sha1 algorithms and identical key material.
BGP peering between these two routers works well.
MikroTik shows:
[admin@office-gw] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.55.100.4 1
1 X S 0.0.0.0/0 10.55.73.1 1
2 ADb 10.10.8.0/21 169.254.30.18 20
3 X S 10.10.8.0/21 pptp-ig-out 1
4 ADC 10.55.100.4/32 192.162.c.d pppoe-out1 0
5 ADC 169.254.30.16/30 169.254.30.17 pppoe-out1 0
6 ADC 172.16.30.0/24 172.16.30.1 bridge-local 0
7 ADb 172.30.0.0/16 169.254.30.18 20
8 X S 172.30.0.0/16 pptp-ig-out 1
9 ADb 172.31.0.0/16 169.254.30.18 20
10 X S 172.31.0.0/16 pptp-ig-out 1
[admin@office-gw] > /routing bgp peer print
Flags: X - disabled, E - established
# INSTANCE REMOTE-ADDRESS REMOTE-AS
0 E default 169.254.30.18 65000
The MikroTik setup is the following:
[admin@office-gw] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1-gateway ether 1500 1598 4074 D4:CA:6D:CC:2E:78
1 RS ether2-master-local ether 1500 1598 4074 D4:CA:6D:CC:2E:79
2 S ether3-slave-local ether 1500 1598 4074 D4:CA:6D:CC:2E:7A
3 S ether4-slave-local ether 1500 1598 4074 D4:CA:6D:CC:2E:7B
4 S ether5-slave-local ether 1500 1598 4074 D4:CA:6D:CC:2E:7C
5 RS wlan1 wlan 1500 2290 D4:CA:6D:CC:2E:7D
6 R bridge-local bridge 1500 1598 D4:CA:6D:CC:2E:79
7 R pppoe-out1 pppoe-out 1480
8 X pptp-ig-out pptp-out
[admin@office-gw] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
172.16.30.1/24 172.16.30.0 ether2-master-local
1 ;;; Virtual IP for IG IPSec
169.254.30.17/30 169.254.30.16 pppoe-out1
2 D 192.162.c.d/32 10.55.100.4 pppoe-out1
[admin@office-gw] > /ip ipsec peer print
Flags: X - disabled
0 ;;; Main Office Level3 Peer
;;; Unsafe configuration, suggestion to use certificates
address=204.15.a.b/32 local-address=192.162.c.d passive=no port=500 auth-method=pre-shared-key secret="zxcvbn" generate-policy=port-strict exchange-mode=aggressive
send-initial-contact=yes nat-traversal=no proposal-check=strict hash-algorithm=sha256 enc-algorithm=3des dh-group=modp2048 lifetime=1h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=6
[admin@office-gw] > /ip ipsec remote-peers print
0 local-address=192.162.c.d remote-address=204.15.a.b state=established side=initiator established=43m59s
[admin@office-gw] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048
1 name="ig-level3-prop" auth-algorithms=sha1 enc-algorithms=3des,aes-128-cbc lifetime=1h pfs-group=modp2048
[admin@office-gw] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 ;;; 0
src-address=169.254.30.17/32 src-port=any dst-address=169.254.30.18/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.162.c.d
sa-dst-address=204.15.a.b proposal=ig-level3-prop priority=0
1 ;;; 1
src-address=169.254.30.18/32 src-port=any dst-address=169.254.30.17/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.15.a.b
sa-dst-address=192.162.c.d proposal=ig-level3-prop priority=0
2 ;;; 2
src-address=169.254.30.18/32 src-port=any dst-address=172.16.30.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.15.a.b
sa-dst-address=192.162.c.d proposal=ig-level3-prop priority=0
3 ;;; 3
src-address=172.16.30.0/24 src-port=any dst-address=169.254.30.18/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.162.c.d
sa-dst-address=204.15.a.b proposal=ig-level3-prop priority=0
4 ;;; 4
src-address=204.15.a.b/32 src-port=any dst-address=192.162.c.d/32 dst-port=any protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.15.a.b
sa-dst-address=192.162.c.d proposal=ig-level3-prop priority=0
5 ;;; 5
src-address=192.162.c.d/32 src-port=any dst-address=204.15.a.b/32 dst-port=any protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.162.c.d
sa-dst-address=204.15.a.b proposal=ig-level3-prop priority=0
6 ;;; 6
src-address=10.10.8.0/21 src-port=any dst-address=172.16.30.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.15.a.b
sa-dst-address=192.162.c.d proposal=ig-level3-prop priority=0
7 ;;; 7
src-address=172.16.30.0/24 src-port=any dst-address=10.10.8.0/21 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.162.c.d
sa-dst-address=204.15.a.b proposal=ig-level3-prop priority=0
8 ;;; 8
src-address=172.30.0.0/16 src-port=any dst-address=172.16.30.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.15.a.b
sa-dst-address=192.162.c.d proposal=ig-level3-prop priority=0
9 ;;; 9
src-address=172.16.30.0/24 src-port=any dst-address=172.30.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.162.c.d
sa-dst-address=204.15.a.b proposal=ig-level3-prop priority=0
10 ;;; 10
src-address=172.31.0.0/16 src-port=any dst-address=172.16.30.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.15.a.b
sa-dst-address=192.162.c.d proposal=ig-level3-prop priority=0
11 ;;; 11
src-address=172.16.30.0/24 src-port=any dst-address=172.31.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.162.c.d
sa-dst-address=204.15.a.b proposal=ig-level3-prop priority=0
[admin@office-gw] /ip ipsec statistics> print
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 0
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 5
in-template-mismatches: 168
in-no-policies: 499
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 33839
out-bundle-check-errors: 0
out-no-states: 306
out-state-protocol-errors: 51
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 51
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0
[admin@office-gw] /ip ipsec statistics> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration (Allow ICMP)
chain=input action=accept protocol=icmp
1 ;;; -A INPUT -m state --state ESTABLISHED -j ACCEPT
chain=input action=accept connection-state=established
2 ;;; -A INPUT -m state --state RELATED -j ACCEPT
chain=input action=accept connection-state=related
3 chain=input action=accept protocol=ipencap
4 chain=output action=accept protocol=ipencap
5 chain=input action=accept protocol=ipsec-esp
6 chain=output action=accept protocol=ipsec-esp
7 chain=input action=accept protocol=ipsec-ah
8 chain=output action=accept protocol=ipsec-ah
9 chain=input action=accept src-address=204.15.a.b
10 chain=output action=accept dst-address=204.15.a.b
11 chain=input action=accept protocol=tcp src-address=169.254.30.18 dst-port=179
12 chain=output action=accept protocol=tcp dst-address=169.254.30.18 src-port=179
13 X chain=forward action=accept src-address=172.16.30.0/24 out-interface=pptp-ig-out
14 X chain=forward action=accept dst-address=172.16.30.0/24 in-interface=pptp-ig-out
15 chain=input action=accept src-address=169.254.30.16/30
16 chain=input action=accept src-address=10.10.8.0/21
17 chain=input action=accept protocol=tcp src-address=194.126.x.y
18 chain=forward action=accept src-address=172.16.30.0/24 dst-address=10.10.8.0/21
19 chain=forward action=accept src-address=10.10.8.0/21 dst-address=172.16.30.0/24
20 ;;; default configuration
chain=input action=reject reject-with=icmp-network-unreachable in-interface=ether1-gateway
21 chain=input action=reject reject-with=icmp-admin-prohibited in-interface=pppoe-out1
22 ;;; -A FORWARD -m state --state ESTABLISHED -j ACCEPT
chain=forward action=accept connection-state=established
23 ;;; -A forward -m state --state RELATED -j ACCEPT
chain=forward action=accept connection-state=related
24 ;;; default configuration (--state invalid)
chain=forward action=drop connection-state=invalid
25 chain=forward action=accept
26 ;;; -A OUTPUT -m state --state NEW -j ACCEPT
chain=output action=accept connection-state=new
27 ;;; -A OUTPUT -m state --state RELATED -j ACCEPT
chain=output action=accept connection-state=related
28 ;;; -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
chain=output action=accept connection-state=established
[admin@office-gw] /ip ipsec statistics> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; IG DNS Forwarding
chain=dstnat action=dst-nat to-addresses=10.10.14.26 connection-mark=ig-dns
1 X ;;; IG DNS Forwarding (disabled due to errors)
chain=srcnat action=src-nat to-addresses=172.16.30.1 connection-mark=ig-dns
2 ;;; IPSec Tun <-> Tun
chain=srcnat action=accept src-address=169.254.30.16/30 dst-address=169.254.30.16/30
3 ;;; Remote - IG Main Office
chain=srcnat action=accept src-address=172.16.30.0/24 dst-address=10.10.8.0/21
4 ;;; IG Main Office - Remote
chain=srcnat action=accept src-address=10.10.8.0/21 dst-address=172.16.30.0/24
5 ;;; Remote - EDPROD
chain=srcnat action=accept src-address=172.16.30.0/24 dst-address=172.30.0.0/16
6 ;;; EDPROD - Remote
chain=srcnat action=accept src-address=172.30.0.0/16 dst-address=172.16.30.0/24
7 ;;; Remote - EDDEV
chain=srcnat action=accept src-address=172.16.30.0/24 dst-address=172.31.0.0/16
8 X chain=srcnat action=masquerade out-interface=pptp-ig-out
9 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=pppoe-out1