FreeBSD 10: IPv4 VPN relay (IPsec entry / OpenVPN middle / OpenVPN exit node) with jails for road warriors

This (blog) post describes, by way of example, how a more complex VPN setup can be built with the help of three jails. It is split into an "entry" jail (IPsec connection to the road warrior), a "middle" relay jail (OpenVPN connection inside IPsec to the road warrior) and an "exit" node jail (which forwards the traffic to an external OpenVPN provider).

Prerequisites are a FreeBSD 10 HOST with a custom kernel, an available OpenVPN provider (ipredator.se in this example) and a basic understanding of OpenVPN, IPsec, Unbound, jails, ezjail, VIMAGE and complex bridge zones; see also:

FreeBSD 10: VIMAGE OpenVPN routing with iPredator (IPv4)
FreeBSD 10: IPv4 IPsec net-to-net VPN in a jail
FreeBSD 9: Unbound as a validating, recursive and caching DNS resolver
FreeBSD 10: VIMAGE (virtualized network stack) with if_bridge & epair
FreeBSD 10: robust operation of VIMAGE jails
FreeBSD 10: LACP failover, multiple bridges, in-kernel IPFW NAT and CARP in a jail
FreeBSD 10: complex bridge zones (with LACP uplink)

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net

The IPv6 setup will follow in a separate (blog) post: ipredator.se currently hands out only a single 128-bit global-scope address, ipfw cannot do NAT66 at present, "nat on" would be possible with pf, but pf (in combination with a VIMAGE kernel) currently leads to a crash, and the IPsec routing is not supposed to be done directly on the FreeBSD HOST, so for now we simply wait...

One could presumably run pf alongside ipfw on the FreeBSD HOST and use Source Based Routing With FreeBSD Using Multiple Routing Tables to route the VPN provider connection onto the jail's epair interface; however, using several ROUTETABLES can, at least inside a VIMAGE jail, lead to unexpected crashes of the FreeBSD HOST!

On the FreeBSD HOST the Forwarding Information Base (FIB) is at least quite handy for defining several "default gateways" per interface.

IPsec filtering inside a jail is currently somewhat problematic on FreeBSD 10 (Release).

-> For one thing, observing IPsec traffic (inside the jail) with tcpdump only worked after the vnet import of enc0 (Encapsulating Interface)!

-> For another, filtering IPsec traffic with ipfw was not possible at all.
-> IPsec filtertunnel broken on FreeBSD 10
=> Bug 185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec

The patch is already included in the upcoming FreeBSD 10.1 release, svn/base/release/10.1.0
- sys/sys/mbuf.h
- netinet/ip_var.h
- netinet6/ip6_var.h
- netipsec/xform_ipip.c

for FreeBSD 10.0 (stable):
Revision 263091
Revision 263307

Anyone who wants to patch the still-current FreeBSD 10.0 can do so with these.

One thing up front: to guard against a possible "routing" misconfiguration, the bridge zones should enforce, on each jail's bridge, a direct binding between the public IP address, the MAC address of the epair and the jail interface (type B on the HOST side).
Likewise, all RFC1918 traffic can be blocked directly on the FreeBSD HOST's uplink interface (to suppress wrongly forwarded IPsec traffic); more on that later.

IPsec authentication uses one global, uniform pre-shared key.
For that, the "Racoon" source code will be adjusted slightly later on.
Whether this method is sensible or not need not be discussed further here.
OpenVPN authentication then uses client-based certificates.
In Jail 1, which forwards the OpenVPN provider connection, an Unbound (caching DNS resolver) will be set up later.

In the end, the IPsec connection should be possible from a FreeBSD (desktop) client as well as a Mac OS client, with an additional OpenVPN connection on top.

Before we start, a small remark on IPsec under MacOS.

VPN Tracker looks slick, but supports only SHA1 in phase 1 and HMAC_SHA1 in phase 2, which no longer seems up to date to me.
IPSecuritas: the current version 4.0rc has no signed kernel module.
One can, at the expense of security, allow the loading of unsigned kernel extensions (KEXTs)...

$
sudo nvram boot-args="kext-dev-mode=1"
$

...but in my case that still did not lead to a working NAT-T IPsec connection.

=> instead, one might as well configure the built-in Racoon and the IPsec policy rules directly!

Mini script: github.com/plitc/easy_ipsec


Functions / network topology:

Jail 1 - vpn1
- epair66a (public IPv4/v6)
- Unbound (service)
- epair100a (172.31.255.1/24, fd00:a::1/56)
- tun1 (connection to the external OpenVPN provider, IPv4/v6)
- gif28 (unused)

Jail 2 - vpn1fw
- epair101a (172.31.255.254/24, fd00:a::254/56)
- OpenVPN server
- epair102a (172.31.254.1/24, fd00:b::1/56)
- tun2 (inet 172.31.253.1 -> 172.31.253.2)

Jail 3 - vpn1gw
- epair67a (public IPv4/v6)
- IPsec (NAT-T) gateway
- epair103a (172.31.254.254/24, fd00:b::254/56)
- gif29 (unused)

FreeBSD Beastie IPv4 VPN Relay Setup

Step 1: additional kernel options needed in the bridge zones custom kernel

$
options         IPSEC                           # IP security (requires device crypto)
options         IPSEC_NAT_T                     # NAT-T support, UDP encap of ESP
options         IPSEC_FILTERTUNNEL              # ipsec packet filtering
### // options         IPSEC_DEBUG                     # debug for IP security
device          enc                             # Encapsulating Interface
device          crypto                          # core crypto support
device          cryptodev                       # /dev/crypto for access to h/w
device          aesni                           # AES-NI support
$

Step 2: !!! HOST !!! ipfw "Bridge Zones" rules

$
vi /etc/firewall.rules

### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks
add 00010 drop all from 10.0.0.0/8 to any via igb0
add 00011 drop all from 172.16.0.0/12 to any via igb0
add 00012 drop all from 192.168.0.0/16 to any via igb0
#
add 00040 allow esp from any to any
add 00041 allow ah from any to any
add 00042 allow ipencap from any to any
add 00043 allow udp from any 500 to any
add 00044 allow udp from any 4500 to any
### // stage1 - Uplink Filter ###
$

Next come the ipfw "Bridge Zones" rules on the !!! HOST !!! that filter the respective vSwitch of VPN Jail 1/2/3.

Step 3: public ingress/egress filtering for the jail, example for Jail 1

$
# filter for vswitch17 (JAIL: vpn1 - public ipv4/v6)
# / ipv4
add 22001 allow ip4 from 46.XXX.XXX.XXX to any layer2 MAC any 02:FF:FF:FF:FF:FF via epair23b
add 22002 allow ip4 from 46.XXX.XXX.XXX to any layer2 MAC any 02:FF:FF:FF:FF:FF via vswitch17
add 22003 allow ip4 from 46.XXX.XXX.XXX to any layer2 MAC any 02:FF:FF:FF:FF:FF via epair66b
add 22011 allow ip4 from any to 46.XXX.XXX.XXX layer2 MAC 02:FF:FF:FF:FF:FF any via epair23b
add 22012 allow ip4 from any to 46.XXX.XXX.XXX layer2 MAC 02:FF:FF:FF:FF:FF any via vswitch17
add 22013 allow ip4 from any to 46.XXX.XXX.XXX layer2 MAC 02:FF:FF:FF:FF:FF any via epair66b
add 22097 deny ip4 from any to any layer2 MAC any any via epair23b
add 22098 deny ip4 from any to any layer2 MAC any any via vswitch17
add 22099 deny ip4 from any to any layer2 MAC any any via epair66b
# / ipv6
add 22101 allow ip6 from 2a01:AAAA:AAAA:AAAA::AA to any layer2 MAC any 02:FF:FF:FF:FF:FF via epair23b
add 22102 allow ip6 from 2a01:AAAA:AAAA:AAAA::AA to any layer2 MAC any 02:FF:FF:FF:FF:FF via vswitch17
add 22103 allow ip6 from 2a01:AAAA:AAAA:AAAA::AA to any layer2 MAC any 02:FF:FF:FF:FF:FF via epair66b
add 22111 allow ip6 from any to 2a01:AAAA:AAAA:AAAA::AA layer2 MAC 02:FF:FF:FF:FF:FF any via epair23b
add 22112 allow ip6 from any to 2a01:AAAA:AAAA:AAAA::AA layer2 MAC 02:FF:FF:FF:FF:FF any via vswitch17
add 22113 allow ip6 from any to 2a01:AAAA:AAAA:AAAA::AA layer2 MAC 02:FF:FF:FF:FF:FF any via epair66b
add 22141 allow ip6 from fe80::EE:EE:EEEE:660a to any layer2 MAC any 02:FF:FF:FF:FF:FF via epair23b
add 22142 allow ip6 from fe80::EE:EE:EEEE:660a to any layer2 MAC any 02:FF:FF:FF:FF:FF via vswitch17
add 22143 allow ip6 from fe80::EE:EE:EEEE:660a to any layer2 MAC any 02:FF:FF:FF:FF:FF via epair66b
add 22151 allow ip6 from any to fe80::EE:EE:EEEE:660a layer2 MAC 02:FF:FF:FF:FF:FF any via epair23b
add 22152 allow ip6 from any to fe80::EE:EE:EEEE:660a layer2 MAC 02:FF:FF:FF:FF:FF any via vswitch17
add 22153 allow ip6 from any to fe80::EE:EE:EEEE:660a layer2 MAC 02:FF:FF:FF:FF:FF any via epair66b
# / block
add 22197 deny ip6 from any to any layer2 MAC any any via epair23b
add 22198 deny ip6 from any to any layer2 MAC any any via vswitch17
add 22199 deny ip6 from any to any layer2 MAC any any via epair66b
###
$
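The Step 3 rule set is written out for Jail 1 only; the same pattern has to be repeated for every vSwitch that carries a public address (the epair67 bridge of Jail 3, for instance). The following sh script is an added example, not code from the original post: it generates such a block from its parameters, so the three bridge members always get identical, consistently numbered rules. The interface names, the 02:FF:FF:FF:FF:FF MAC and the 192.0.2.x / 2001:db8:: addresses in the sample call are assumptions and constructed test values.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the ipfw "Bridge
# Zones" rules that pin a jail's public addresses to the MAC address of its
# epair interface on every member of one vSwitch (host epair b side,
# vswitch, jail epair b side).  Interface names, the 02:FF:FF:FF:FF:FF MAC
# and the sample addresses are assumptions / constructed test data.
#
# usage: gen_vswitch_rules BASE IPV4 IPV6 LINKLOCAL MAC HOST_EPAIR VSWITCH JAIL_EPAIR
#   BASE       first rule number of the block (22000 for vswitch17 in the post)
#   LINKLOCAL  the jail's fe80:: address, or "-" to emit no link-local rules

# emit NUMBER TEMPLATE: one rule per bridge member, numbered NUMBER+1..NUMBER+3
emit() {
    n=0
    for ifn in $IFACES; do
        n=$((n + 1))
        printf 'add %05d %s via %s\n' "$(($1 + n))" "$2" "$ifn"
    done
}

gen_vswitch_rules() {
    base=$1; ip4=$2; ip6=$3; ll6=$4; mac=$5
    IFACES="$6 $7 $8"
    # IPv4: frames may leave the jail only with its public IP as source and its
    # MAC as source MAC, and may enter only when its MAC is the destination MAC.
    emit "$base"         "allow ip4 from $ip4 to any layer2 MAC any $mac"
    emit $((base + 10))  "allow ip4 from any to $ip4 layer2 MAC $mac any"
    emit $((base + 96))  "deny ip4 from any to any layer2 MAC any any"
    # IPv6: same binding for the global address and, if given, the link-local one
    emit $((base + 100)) "allow ip6 from $ip6 to any layer2 MAC any $mac"
    emit $((base + 110)) "allow ip6 from any to $ip6 layer2 MAC $mac any"
    if [ "$ll6" != "-" ]; then
        emit $((base + 140)) "allow ip6 from $ll6 to any layer2 MAC any $mac"
        emit $((base + 150)) "allow ip6 from any to $ll6 layer2 MAC $mac any"
    fi
    # everything else on this vSwitch is dropped at layer 2
    emit $((base + 196)) "deny ip6 from any to any layer2 MAC any any"
}

# count_rules BLOCK: number of "add" rules in a generated block (sanity check)
count_rules() { printf '%s\n' "$1" | grep -c '^add '; }

# Sample run with constructed documentation-range addresses for Jail 1's vSwitch.
gen_vswitch_rules 22000 192.0.2.10 2001:db8::a fe80::a 02:FF:FF:FF:FF:FF epair23b vswitch17 epair66b
```

Append the output to /etc/firewall.rules on the HOST (or diff it against an existing block). The ipfw MAC argument order is destination first, then source, which is why the outbound rules read `MAC any <jail-mac>` and the inbound ones `MAC <jail-mac> any`.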

Step 4: unfiltered connection on the internal bridges linking Jail 1, Jail 2 and Jail 3, example for the Jail 1/2 bridge

$
# filter for vswitch18 (ROUTING: vpn1 / vpn1fw)
# / icmp4
add 23001 allow icmp from any to any layer2 MAC any any via epair100b
add 23002 allow icmp from any to any layer2 MAC any any via vswitch18
add 23003 allow icmp from any to any layer2 MAC any any via epair101b
# / ipv4
add 23051 allow ip4 from any to any layer2 MAC any any via epair100b
add 23052 allow ip4 from any to any layer2 MAC any any via vswitch18
add 23053 allow ip4 from any to any layer2 MAC any any via epair101b
# / ipv6
add 23097 allow ip6 from fd00:a::/56 to fd00:a::/56 layer2 MAC any any via epair100b
add 23098 allow ip6 from fd00:a::/56 to fd00:a::/56 layer2 MAC any any via vswitch18
add 23099 allow ip6 from fd00:a::/56 to fd00:a::/56 layer2 MAC any any via epair101b
###
$

Step 5: create the jails with ezjail-admin

In the three ezjail configs and in etc/devfs.rules, the security-sensitive access to mem/kmem should definitely be enabled temporarily; this allows the use of "netstat" and makes inspecting the routing table a great deal easier.

$
ezjail-admin create vpn1 0.0.0.0
ezjail-admin create vpn1fw 0.0.0.0
ezjail-admin create vpn1gw 0.0.0.0
$

Step 6: ezjail config of Jail 1 (vpn1)

/usr/local/etc/ezjail/vpn1

$
export jail_vpn1_hostname="vpn1"
### VIMAGE ### export jail_vpn1_ip="0.0.0.0"
export jail_vpn1_rootdir="/usr/jails/vpn1"
export jail_vpn1_exec_start="/bin/sh /etc/rc"
# / export jail_vpn1_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_vpn1_exec_stop=""
export jail_vpn1_mount_enable="YES"
export jail_vpn1_devfs_enable="YES"
export jail_vpn1_devfs_ruleset="35"
export jail_vpn1_procfs_enable="YES"
export jail_vpn1_fdescfs_enable="YES"
export jail_vpn1_image=""
export jail_vpn1_imagetype="zfs"
export jail_vpn1_attachparams=""
export jail_vpn1_attachblocking=""
export jail_vpn1_forceblocking=""
export jail_vpn1_zfs_datasets=""
export jail_vpn1_cpuset="10"
export jail_vpn1_fib="0"
export jail_vpn1_parentzfs="zroot/root/ezjail"
export jail_vpn1_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_vpn1_post_start_script=""
export jail_vpn1_retention_policy=""

### VIMAGE // ###
export jail_vpn1_exec_poststart0="ifconfig epair66a vnet vpn1"
export jail_vpn1_exec_poststart1="ifconfig epair100a vnet vpn1"
export jail_vpn1_exec_poststart2="ifconfig tun1 vnet vpn1"
# / export jail_vpn1_exec_poststart__="ifconfig tun2 vnet vpn1"
export jail_vpn1_exec_poststart3="ifconfig gif28 vnet vpn1"
export jail_vpn1_exec_poststart4="jexec vpn1 /sbin/ifconfig epair66a 46.XXX.XXX.XXX/27"
export jail_vpn1_exec_poststart5="jexec vpn1 /sbin/route add default 46.XXX.XXX.XXX"
export jail_vpn1_exec_poststart6="jexec vpn1 /sbin/ifconfig epair66a inet6 2a01:AAAA:AAAA:AAAA::AA prefixlen 64"
export jail_vpn1_exec_poststart7="jexec vpn1 /sbin/route add -inet6 default fe80::1%epair66a"
export jail_vpn1_exec_poststart8="jexec vpn1 /sbin/ifconfig epair100a 172.31.255.1/24"
# / export jail_vpn1_exec_poststart__="jexec vpn1 /sbin/ifconfig tun1 up"
### // VIMAGE ###

### IPSec Routing // ###
#
#/ ROUTING: vpn1 / vpn1fw / vpn1gw
export jail_vpn1_exec_poststart9="jexec vpn1 /sbin/route add -inet 172.31.254.0/24 172.31.255.254"
#
#/ OpenVPN Routing
export jail_vpn1_exec_poststart10="jexec vpn1 /sbin/route add -inet 172.31.253.0/24 172.31.255.254"
#
#/ Class A Networks
export jail_vpn1_exec_poststart11="jexec vpn1 /sbin/route add -inet 10.0.0.0/8 172.31.255.254"
#
#/ Part of Class B Networks (172.16.0.1-172.23.255.254)
export jail_vpn1_exec_poststart12="jexec vpn1 /sbin/route add -inet 172.16.0.0/13 172.31.255.254"
#
#/ Class C Networks
export jail_vpn1_exec_poststart13="jexec vpn1 /sbin/route add -inet 192.168.0.0/16 172.31.255.254"
#
### // IPSec Routing ###

### Unique Local IPv6 Address //
#
export jail_vpn1_exec_poststart14="jexec vpn1 /sbin/ifconfig epair100a inet6 fd00:a::1/56 alias"
#
### // Unique Local IPv6 Address
$

Step 7: ezjail config of Jail 2 (vpn1fw)

/usr/local/etc/ezjail/vpn1fw

$
export jail_vpn1fw_hostname="vpn1fw"
### VIMAGE ### export jail_vpn1fw_ip="0.0.0.0"
export jail_vpn1fw_rootdir="/usr/jails/vpn1fw"
export jail_vpn1fw_exec_start="/bin/sh /etc/rc"
# / export jail_vpn1fw_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_vpn1fw_exec_stop=""
export jail_vpn1fw_mount_enable="YES"
export jail_vpn1fw_devfs_enable="YES"
export jail_vpn1fw_devfs_ruleset="35"
export jail_vpn1fw_procfs_enable="YES"
export jail_vpn1fw_fdescfs_enable="YES"
export jail_vpn1fw_image=""
export jail_vpn1fw_imagetype="zfs"
export jail_vpn1fw_attachparams=""
export jail_vpn1fw_attachblocking=""
export jail_vpn1fw_forceblocking=""
export jail_vpn1fw_zfs_datasets=""
export jail_vpn1fw_cpuset="11"
export jail_vpn1fw_fib="0"
export jail_vpn1fw_parentzfs="zroot/root/ezjail"
export jail_vpn1fw_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_vpn1fw_post_start_script=""
export jail_vpn1fw_retention_policy=""

### VIMAGE // ###
export jail_vpn1fw_exec_poststart0="ifconfig epair101a vnet vpn1fw"
export jail_vpn1fw_exec_poststart1="ifconfig epair102a vnet vpn1fw"
export jail_vpn1fw_exec_poststart2="ifconfig tun2 vnet vpn1fw"
export jail_vpn1fw_exec_poststart3="jexec vpn1fw /sbin/ifconfig epair101a 172.31.255.254/24"
export jail_vpn1fw_exec_poststart4="jexec vpn1fw /sbin/route add default 172.31.255.1"
export jail_vpn1fw_exec_poststart5="jexec vpn1fw /sbin/ifconfig epair101a inet6 fd00:a::254 prefixlen 56"
export jail_vpn1fw_exec_poststart6="jexec vpn1fw /sbin/route add -inet6 default fe80::1%epair101a"
export jail_vpn1fw_exec_poststart7="jexec vpn1fw /sbin/ifconfig epair102a 172.31.254.1/24"
export jail_vpn1fw_exec_poststart8="jexec vpn1fw /sbin/ifconfig epair102a inet6 fd00:b::1 prefixlen 56"
### // VIMAGE ###

### IPSec Routing // ###
#
#/ Class A Networks
export jail_vpn1fw_exec_poststart9="jexec vpn1fw /sbin/route add -inet 10.0.0.0/8 172.31.254.254"
#
#/ Part of Class B Networks (172.16.0.1-172.23.255.254)
export jail_vpn1fw_exec_poststart10="jexec vpn1fw /sbin/route add -inet 172.16.0.0/13 172.31.254.254"
#
#/ Class C Networks
export jail_vpn1fw_exec_poststart11="jexec vpn1fw /sbin/route add -inet 192.168.0.0/16 172.31.254.254"
#
### // IPSec Routing ###

### Unique Local IPv6 Address //
#
# / export jail_vpn1fw_exec_poststart__="jexec vpn1fw /sbin/ifconfig epair102a inet6 ::2/56 alias"
#
### // Unique Local IPv6 Address
$

Step 8: ezjail config of Jail 3 (vpn1gw)

/usr/local/etc/ezjail/vpn1gw

$
export jail_vpn1gw_hostname="vpn1gw"
### VIMAGE ### export jail_vpn1gw_ip="0.0.0.0"
export jail_vpn1gw_rootdir="/usr/jails/vpn1gw"
export jail_vpn1gw_exec_start="/bin/sh /etc/rc"
# / export jail_vpn1gw_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_vpn1gw_exec_stop=""
export jail_vpn1gw_mount_enable="YES"
export jail_vpn1gw_devfs_enable="YES"
export jail_vpn1gw_devfs_ruleset="35"
export jail_vpn1gw_procfs_enable="YES"
export jail_vpn1gw_fdescfs_enable="YES"
export jail_vpn1gw_image=""
export jail_vpn1gw_imagetype="zfs"
export jail_vpn1gw_attachparams=""
export jail_vpn1gw_attachblocking=""
export jail_vpn1gw_forceblocking=""
export jail_vpn1gw_zfs_datasets=""
export jail_vpn1gw_cpuset="12"
export jail_vpn1gw_fib="0"
export jail_vpn1gw_parentzfs="zroot/root/ezjail"
export jail_vpn1gw_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_vpn1gw_post_start_script=""
export jail_vpn1gw_retention_policy=""

### VIMAGE // ###
export jail_vpn1gw_exec_poststart0="ifconfig epair67a vnet vpn1gw"
export jail_vpn1gw_exec_poststart1="ifconfig epair103a vnet vpn1gw"
export jail_vpn1gw_exec_poststart2="ifconfig gif29 vnet vpn1gw"
export jail_vpn1gw_exec_poststart3="jexec vpn1gw /sbin/ifconfig epair67a 46.XXX.XXX.XXX/27"
export jail_vpn1gw_exec_poststart4="jexec vpn1gw /sbin/route add default 46.XXX.XXX.XXX"
export jail_vpn1gw_exec_poststart5="jexec vpn1gw /sbin/ifconfig epair67a inet6 2a01:AAAA:AAAA:AAAA::A prefixlen 64"
export jail_vpn1gw_exec_poststart6="jexec vpn1gw /sbin/route add -inet6 default fe80::1%epair67a"
export jail_vpn1gw_exec_poststart7="jexec vpn1gw /sbin/ifconfig epair103a 172.31.254.254/24"
### // VIMAGE ###

### IPSec Routing // ###
#
#/ ROUTING: vpn1 / vpn1fw / vpn1gw
export jail_vpn1gw_exec_poststart8="jexec vpn1gw /sbin/route add -inet 172.31.255.0/24 172.31.254.1"
#
### // IPSec Routing ###

### Unique Local IPv6 Address //
#
export jail_vpn1gw_exec_poststart9="jexec vpn1gw /sbin/ifconfig epair103a inet6 fd00:b::254/56 alias"
#
### // Unique Local IPv6 Address
$
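The static routes installed by the poststart lines of Steps 6 to 8 form a chain: RFC1918 destinations leave vpn1 via 172.31.255.254 (vpn1fw), vpn1fw hands them to 172.31.254.254 (vpn1gw), and vpn1gw's default route is where the IPsec policy takes over; the 172.31.x nets are routed back the other way. The following sh script is an added example, not code from the original post: it replays those route tables offline with a small longest-prefix lookup, so the hop chain can be checked before the jails are even started. The tables are transcribed from the post; the pseudo next hops "local" (directly attached network) and "uplink" (the jail's default route) are this example's own convention.

```shell
#!/bin/sh
# Added example, not part of the original post: offline walk through the
# static IPv4 routes of the three ezjail configs (Steps 6-8).  Route tables
# are transcribed from the post; "local" and "uplink" are this example's
# own labels for directly attached networks and the jail's default route.

VPN1_ROUTES="0.0.0.0/0 uplink
172.31.255.0/24 local
172.31.254.0/24 172.31.255.254
172.31.253.0/24 172.31.255.254
10.0.0.0/8 172.31.255.254
172.16.0.0/13 172.31.255.254
192.168.0.0/16 172.31.255.254"

VPN1FW_ROUTES="0.0.0.0/0 172.31.255.1
172.31.255.0/24 local
172.31.254.0/24 local
172.31.253.0/24 local
10.0.0.0/8 172.31.254.254
172.16.0.0/13 172.31.254.254
192.168.0.0/16 172.31.254.254"

VPN1GW_ROUTES="0.0.0.0/0 uplink
172.31.254.0/24 local
172.31.255.0/24 172.31.254.1"

# ip2int DOTTED-QUAD: print the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# lookup TABLE DEST: longest-prefix match over TABLE, prints the next hop
lookup() {
    dst=$(ip2int "$2"); best_len=-1; best_hop=none
    while read -r prefix hop; do
        [ -n "$prefix" ] || continue
        len=${prefix#*/}
        # 64-bit shell arithmetic: the /0 mask shifts cleanly to zero
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        if [ $(( dst & mask )) -eq $(( $(ip2int "${prefix%/*}") & mask )) ] &&
           [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_hop=$hop
        fi
    done <<EOF
$1
EOF
    echo "$best_hop"
}

# jail_of NEXTHOP: which jail owns a next-hop address (from the topology)
jail_of() {
    case $1 in
        172.31.255.1)   echo vpn1 ;;
        172.31.255.254) echo vpn1fw ;;
        172.31.254.1)   echo vpn1fw ;;
        172.31.254.254) echo vpn1gw ;;
        *)              echo unknown ;;
    esac
}

# trace JAIL DEST: follow the static routes jail by jail,
# e.g. "vpn1 > vpn1fw > vpn1gw > uplink" (hop limit guards against loops)
trace() {
    jail=$1; path=$1; hops=0
    while [ "$hops" -lt 5 ]; do
        hops=$((hops + 1))
        case $jail in
            vpn1)   hop=$(lookup "$VPN1_ROUTES" "$2") ;;
            vpn1fw) hop=$(lookup "$VPN1FW_ROUTES" "$2") ;;
            vpn1gw) hop=$(lookup "$VPN1GW_ROUTES" "$2") ;;
            *)      hop=unknown ;;
        esac
        case $hop in
            local|uplink|unknown|none) path="$path > $hop"; break ;;
        esac
        jail=$(jail_of "$hop"); path="$path > $jail"
    done
    echo "$path"
}

# Sample destinations: an IPsec-side net, an RFC1918 net outside the routed
# 172.16.0.0/13 block (falls through to the default route), and the tun2 net.
for d in 10.1.2.3 172.24.0.5 172.31.253.7; do
    printf '%-14s %s\n' "$d" "$(trace vpn1 "$d")"
done
```

Note what the second sample shows: the configs route only 172.16.0.0/13 (172.16 to 172.23) toward the IPsec side, so a destination such as 172.24.0.5 takes the jail's default route instead of the chain. If that is not intended, the route (and the HOST's uplink filter from Step 2) are the places to adjust.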

Step 9: Jail 1: set up ipredator.se as the external OpenVPN provider

see: FreeBSD 10: VIMAGE OpenVPN routing with iPredator (IPv4)

Step 10: Jail 1: IPredator with UDP transport and IPv6 support

$
vi /usr/local/etc/openvpn/IPredator-CLI-Password.conf

#### #### ####
dev tun1
proto udp
tun-ipv6
remote ipv6.openvpn.ipredator.se 1194
remote ipv6.openvpn.ipredator.me 1194
remote ipv6.openvpn.ipredator.es 1194
#### #### ####
$

Step 11: Jail 1 ipfw rules with in-kernel NAT

$
vi /etc/firewall.rules

### ### ### PLITC // ### ### ###

### stage0 // ###
add 00001 check-state
#
### stateful // ###
add 00002 deny all from any to any frag in via epair66a
# ! add 00003 deny tcp from any to any established in via epair66a
### // stateful ###
#
### // stage0 ###

### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks
add 10 drop all from 10.0.0.0/8 to any via epair66a
add 11 drop all from 172.16.0.0/12 to any via epair66a
add 12 drop all from 192.168.0.0/16 to any via epair66a
#
add 00040 count esp from any to any
add 00041 count ah from any to any
add 00042 count ipencap from any to any
add 00043 count udp from any 500 to any
add 00044 count udp from any 4500 to any
#
add 00045 count icmp from any to any via epair66a
add 00046 count icmp from any to any via epair100a
### // stage1 - Uplink Filter ###

### stage2 // ###
add 00050 allow ip4 from me to any
add 00051 allow ip6 from me6 to any
### // stage2 ###

### stage3 - Admin SSH // ###
add 05100 allow tcp from 80.XXX.XXX.XXX to 46.XXX.XXX.XXX 22 in via epair66a limit src-addr 2
add 05101 allow tcp from 2a01:AAAA:AAAA:AAAA::/56 to 2a01:AAAA:AAAA:AAAA::A 22 in via epair66a limit src-addr 2
#
add 05198 deny tcp from any to 46.XXX.XXX.XXX 22 in via epair66a
add 05199 deny tcp from any to 2a01:AAAA:AAAA:AAAA::A 22 in via epair66a
#
add 05201 deny tcp from any to any dst-port 22 in via tun1
### // stage3 - Admin SSH ###

### stage4 // ###
#
nat 1 config if tun1 reset
add 10001 nat 1 ip4 from any to any via tun1
#
add 10005 deny tcp from any to any dst-port 22 in via tun1
#
add 10010 allow ip4 from any to any via epair100a
add 10011 allow ip6 from fd00:a::/56 to fd00:a::/56 via epair100a
#
### // stage4 ###

### stage9 // ###
add 60100 allow ip from any to any via lo0
add 60200 deny ip from any to 127.0.0.0/8
add 60300 deny ip from 127.0.0.0/8 to any
add 60400 deny ip from any to ::1
add 60500 deny ip from ::1 to any
add 60600 allow ipv6-icmp from :: to ff02::/16
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
### // stage9 ###

### stage10 // ###
add 65001 allow ip4 from any to any
add 65002 allow ip6 from any to any
### // stage10 ###

### ### ### // PLITC ### ### ###
# EOF
$

Step 12: Jail 1: install/configure Unbound

see: FreeBSD 9: Unbound as a validating, recursive and caching DNS resolver

Step 13: Jail 1: adjust Unbound access control

$
vi /usr/local/etc/unbound/unbound.conf

### < --- access-control // --- > ###
#
# localhost
# //
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
# //
# PLITC
# //
# // vpn1 / vpn1fw / vpn1gw
access-control: 172.31.255.0/24 allow
access-control: 172.31.254.0/24 allow
access-control: 172.31.253.0/24 allow
access-control: fd00:a::/56 allow
access-control: fd00:b::/56 allow
# //
# // ROUTING: vpn1 / vpn1fw / vpn1gw
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
#
### < --- // access-control --- > ###
$

Step 14: Jail 1 OpenVPN start script & routing paths

$
vi /admin/ipredator.sh

#!/bin/sh
### ### ### PLITC ### ### ###

echo "ipv6.openvpn.ipredator.se/me/es"
route del default
route add -host 46.246.49.2 46.XXX.XXX.XXX
route add -host 46.246.49.130 46.XXX.XXX.XXX

echo ""
service openvpn restart
echo ""

sleep 10
route add default 46.246.49.XXX
route add 0.0.0.0/1 46.246.49.XXX -ifp tun1

echo ""
echo "ROUTING: Services in anderen Jails auf dem selben FreeBSD Jail HOST"
route add -host 46.XXX.XXX.XXX 46.246.49.XXX

exit 0
### ### ### PLITC ### ### ###
# EOF

chmod 0755 /admin/ipredator.sh
$

Step 15: Jail 1: resolving ipv6.openvpn.ipredator

Since /etc/hosts offers no round-robin or load-balancing facility, the order of the two addresses is swapped for .me.

$
vi /etc/hosts

### ### ### PLITC ### ### ###
#
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
#
# pseudo round robin
46.246.49.2   ipv6.openvpn.ipredator.se
46.246.49.130 ipv6.openvpn.ipredator.se
#
46.246.49.130 ipv6.openvpn.ipredator.me
46.246.49.2   ipv6.openvpn.ipredator.me
#
46.246.49.2   ipv6.openvpn.ipredator.es
46.246.49.130 ipv6.openvpn.ipredator.es
#
### ### ### PLITC ### ### ###
# EOF
$

Step 16: Jail 1 sysctls

$
vi /etc/sysctl.conf

### ### ### PLITC ### ### ###
net.inet.ip.stealth=1
net.inet6.ip6.stealth=1

net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=1
net.inet.ip.fw.one_pass=1
### ### ### PLITC ### ### ###
# EOF
$

Step 17: Jail 1: adjust rc.conf

$
vi /etc/rc.conf

### OpenVPN //
openvpn_enable="YES"
# / openvpn_fib="0"
openvpn_configfile="/usr/local/etc/openvpn/IPredator-CLI-Password.conf"
#
unbound_enable="YES"
# / unbound_fib="0"
### // OpenVPN
$

Step 18: Jail 2: install OpenSSL and OpenVPN

$
cd /usr/ports/security/openssl/ && make install clean
cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf
echo "WITH_OPENSSL_PORT=YES" >> /etc/make.conf

cd /usr/ports/security/openvpn/ && make install clean
mkdir /usr/local/etc/openvpn
touch /usr/local/etc/openvpn/ipp.txt
$

Step 19: Jail 2 OpenVPN server config

$
vi /usr/local/etc/openvpn/server.conf

### ### ### PLITC ### ### ###
daemon
port 1194

proto udp

dev tun2

ca      /usr/local/etc/ssl-admin/active/ca.crt
cert    /usr/local/etc/ssl-admin/active/vpn1fw.domain.tld.crt
key     /usr/local/etc/ssl-admin/active/vpn1fw.domain.tld.key
dh      /usr/local/etc/ssl-admin/active/dh1024.pem

# this is necessary for clients to reach 
# clients behind the openvpn gateways
client-to-client

keepalive 10 120

## allow multiple access from the same client
#/ duplicate-cn

user uucp
group dialer

persist-key
persist-tun

status                  /var/openvpn/openvpn-status.log
log-append              /var/log/openvpn.log
verb 1

#crl-verify              /usr/local/etc/ssl-admin/prog/crl.pem

# IP address of the server
local 172.31.254.1

#/ tun-mtu 1468
#/ fragment 1436
#/ mssfix 1436

##/ fragment 1300
##/ mssfix 1200

tls-server

# Address range and netmask of the virtual network.
# The server automatically listens on the first IP, here 172.31.253.1
server 172.31.253.0 255.255.255.0

# Address pool for the virtual addresses. If a client disconnects,
# it is automatically assigned the same IP on its next connection.
ifconfig-pool-persist ipp.txt

# push makes the clients route the 172.31.255.0 address range
# through the VPN automatically
push "route 172.31.255.0 255.255.255.0"

# ROUTING
#/ push "route 0.0.0.0/2 172.31.253.1"

auth sha512
cipher CAMELLIA-256-CBC
comp-lzo

### ### ### PLITC ### ### ###
# EOF
$

Step 20: Jail 2: install SSL-Admin

$
cd /usr/ports/security/ssl-admin && make install
cp /usr/local/etc/ssl-admin/ssl-admin.conf.sample /usr/local/etc/ssl-admin/ssl-admin.conf
$

Step 21: Jail 2 SSL-Admin config (excerpt)

$
vi /usr/local/etc/ssl-admin/ssl-admin.conf

## Set default values here.  
#
# The following values can be changed without affecting
# your CA key.

$ENV{'KEY_SIZE'} = "4096";
$ENV{'KEY_DAYS'} = "3650";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:http://crl.ipsec.domain.tld";

## WARNING!!! ##
# 
# Changing the following values has vast consequences. 
# These values must match what's in your root CA certificate.

$ENV{'KEY_COUNTRY'} = "DE";
$ENV{'KEY_PROVINCE'} = "Sachsen";
$ENV{'KEY_CITY'} = "Dresden";
$ENV{'KEY_ORG'} = "Meine Firma";
$ENV{'KEY_EMAIL'} = 'ipsec@domain.tld';
# EOF
$

Step 22: Jail 2: create certificates with ssl-admin

$
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

ssl-admin installed Tue Dec 16 09:39:57 CST 2008
I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn

=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Common Name: 
     Key Duration (days): 3650
     Current Serial #: 01
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item:
$

Note: the root CA certificate and the OpenVPN server certificate should be created without password protection, otherwise ssl-admin aborts with an error.

The certificates created could have these example names:

ca.crt
ca.key
dh1024.pem
macbook1.domain.tld.crt
macbook1.domain.tld.key
macbook1.domain.tld.pem
vpn1fw.domain.tld.crt
vpn1fw.domain.tld.key
vpn1fw.domain.tld.pem

Step 23: Jail 2: create the Diffie-Hellman parameters & set permissions

$
cd /usr/local/etc/ssl-admin/active
openssl dhparam -out dh1024.pem 1024
chmod 0600 /usr/local/etc/ssl-admin/active/*
$

At this point the certificates created for the MacOS X and FreeBSD clients could already be distributed with scp.

Step 24: Jail 2 firewall rules

$
vi /etc/firewall.rules

### ### ### PLITC // ### ### ###

### stage0 // ###
add 00001 check-state
#
### stateful // ###
add 00002 deny all from any to any frag in via epair101a
add 00003 deny all from any to any frag in via epair102a
# ! add 00004 deny tcp from any to any established in via epair101a
# ! add 00005 deny tcp from any to any established in via epair102a
### // stateful ###
#
### // stage0 ###

### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks
#/ add 00010 drop all from 10.0.0.0/8 to any via epair101a
#/ add 00011 drop all from 10.0.0.0/8 to any via epair102a
#/ add 00012 drop all from 172.16.0.0/12 to any via epair101a
#/ add 00013 drop all from 172.16.0.0/12 to any via epair102a
#/ add 00014 drop all from 192.168.0.0/16 to any via epair101a
#/ add 00015 drop all from 192.168.0.0/16 to any via epair102a
#
add 00040 count esp from any to any
add 00041 count ah from any to any
add 00042 count ipencap from any to any
add 00043 count ip4 from any to any src-port 500
add 00044 count ip4 from any to any src-port 4500
add 00045 count ip6 from any to any src-port 500
add 00046 count ip6 from any to any src-port 4500
add 00047 count udp from any 1701 to any
add 00048 count ip4 from any to any src-port 1194
add 00049 count ip6 from any to any src-port 1194
### // stage1 - Uplink Filter ###

### stage2 // ###
add 00050 allow ip4 from me to any
add 00051 allow ip6 from me6 to any
#
add 00060 count icmp from any to any via epair101a
add 00061 count icmp from any to any via epair102a
### // stage2 ###

### stage3 - Admin SSH // ###
#/ add 05100 allow tcp from 80.XXX.XXX.XXX to 46.XXX.XXX.XXX 22 in via epair101a limit src-addr 2
#/ add 05101 allow tcp from 2a01:AAAA:AAAA:AAAA::/56 to 2a01:AAAA:AAAA:AAAA::A 22 in via epair101a limit src-addr 2
#
#/ add 05198 deny tcp from any to 46.XXX.XXX.XXX 22 in via epair101a
#/ add 05199 deny tcp from any to 2a01:AAAA:AAAA:AAAA::A 22 in via epair101a
#
#/add 05201 deny tcp from any to any dst-port 22 in via tun1
### // stage3 - Admin SSH ###

### stage4 // ###
#
#nat 1 config if tun2 reset
#add 10001 nat 1 all from any to any via tun2
#
### // stage4 ###

### stage5 // ###
#
### // stage5 ###

### stage9 // ###
add 60100 allow ip from any to any via lo0
add 60200 deny ip from any to 127.0.0.0/8
add 60300 deny ip from 127.0.0.0/8 to any
add 60400 deny ip from any to ::1
add 60500 deny ip from ::1 to any
add 60600 allow ipv6-icmp from :: to ff02::/16
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
### // stage9 ###

### stage10 // ###
add 65001 allow ip4 from any to any
add 65002 allow ip6 from any to any
### // stage10 ###

### ### ### // PLITC ### ### ###
# EOF
$

Step 25: Jail 2: adjust rc.conf (excerpt)

$
vi /etc/rc.conf

### ### ### PLITC ### ### ###
gateway_enable="YES"

ipv6_gateway_enable="YES"
rtadvd_enable="NO"
rtadvd_interfaces="epair101a"

firewall_enable="YES"
#firewall_type="open"
firewall_logging="YES"
firewall_type="/etc/firewall.rules"
firewall_script="/etc/rc.firewall.local"

openvpn_enable="YES"
#/ openvpn_fib="0"
#/ openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_dir="/usr/local/etc/openvpn"
### ### ### PLITC ### ### ###
# EOF
$

Step 26: Jail 3: set up IPsec; the net-to-net guide can be used as a template, see:

FreeBSD 10: IPv4 IPsec net-to-net VPN in a jail

The following step can be skipped (Racoon with wildcard PSK).

Step 27: Jail 3: patch Racoon

$
cd /usr/ports/security/ipsec-tools
make fetch extract
cd /var/ports/basejail/usr/ports/security/ipsec-tools/work/ipsec-tools-0.8.1/src/racoon
vi localconf.c
$

Patch:

$
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c      2008-12-23 12:04:42.000000000 -0200
+++ src/racoon/localconf.c      2014-11-15 00:10:54.000000000 -0300
@@ -207,7 +207,8 @@ getpsk(str, len)
                if (*p == '\0')
                        continue;       /* no 2nd parameter */
                p--;
-               if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+               if (strcmp(buf, "*") == 0 ||
+                   (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
                        p++;
                        keylen = 0;
                        for (q = p; *q != '\0' && *q != '\n'; q++)
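Review bot: the new wildcard test `strcmp(buf, "*") == 0` is evaluated before the exact-identifier comparison and is true for every caller of getpsk(), so a `*` line in psk.txt hands its key to any initiator whatever identifier it presents, and a `*` line placed above per-peer entries would shadow them. Document that the wildcard entry must be the last line of psk.txt if per-peer keys are kept alongside it, and note in the post that with this patch `verify_identifier on` in racoon.conf no longer ties the pre-shared key to a peer identity: all road warriors share one secret, so compromise of one client means re-keying every client.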
$
$
cd /usr/ports/security/ipsec-tools
make install clean
$


Step 28: Jail 3: adjust racoon.conf

$
vi /usr/local/etc/racoon/racoon.conf

### ### ### ### ### ### ### ### ###
#
path    include "/usr/local/etc/racoon";
path    certificate "/usr/local/etc/racoon/certs"; #location of cert files
path    pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log     debug;  #log verbosity setting: set to 'notify' when testing and debugging is complete
 
padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}
 
timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
        natt_keepalive  20 sec;
        phase1          120 sec;
        phase2          60 sec;
}
 
listen  # address [port] that racoon will listening on
{
        isakmp          46.XXX.XXX.XXX [500];
        isakmp_natt     46.XXX.XXX.XXX [4500];
        isakmp          2a01:AAAA:AAAA:AAAA::A [500];
        isakmp          2a01:AAAA:AAAA:AAAA::A [4500];
        strict_address;
}

remote anonymous
{
        # ph1id 1;
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;

	my_identifier address 46.XXX.XXX.XXX;
	verify_identifier on;
	verify_cert off;
	weak_phase1_check on;

        passive         on;
        proposal_check  strict;

        ike_frag on;
        nonce_size 16;
        support_proxy on;
        generate_policy on;

        nat_traversal   on;
	dpd_delay 30;
	dpd_retry 10;
	dpd_maxfail 10;

                        proposal {
                                dh_group                16;
                                lifetime time           600 sec;
                                encryption_algorithm    aes 256;
                                hash_algorithm          sha512;
                                authentication_method   pre_shared_key;
                        }
}

# mode_cfg {
#         network4 10.0.0.1;
#         netmask4 255.255.255.0;
#         pool_size 200;
#         dns4 172.31.255.1;
#         banner "/usr/local/etc/racoon/motd";
#         pfs_group 16;
# }

sainfo anonymous
{
        # remoteid 1;
        pfs_group       16;
        lifetime        time       300 sec;
        encryption_algorithm       aes 256;
        authentication_algorithm   hmac_sha512;
        compression_algorithm      deflate;
}
#
### ### ### ### ### ### ### ### ###
# EOF
$

Step 29: Jail3 IPsec with wildcard pre-shared key

$
vi /usr/local/etc/racoon/psk.txt

### ### ### PLITC ### ### ###
#
* 140849A540928CE175C1811979BE1B27
#
### ### ### PLITC ### ### ###
# EOF
$
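The following script is an added example and not part of the original post. It mirrors in awk the lookup that the patched getpsk() from step 27 gives racoon (first matching line wins, a bare * identifier matches every peer) and audits a psk.txt like the one in step 29 for the consequences: a wildcard or repeated identifier placed above specific entries makes those entries unreachable, keys that are too short, and a key file readable by group or others. The paths, identifiers and the second key in psk_demo are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: mirror the PSK lookup that the
# patched getpsk() in step 27 gives racoon (first matching line wins, a bare
# "*" identifier matches any peer) and audit a psk.txt for the pitfalls that
# follow from it. Paths and identifiers in psk_demo are constructed.

# psk_lookup FILE ID
#   Prints the key racoon would use for peer identifier ID, or nothing.
#   Comment lines and lines without a key are skipped, like getpsk() does.
psk_lookup() {
    awk -v id="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == "*" || $1 == id {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit   # key = rest of the line
        }
    ' "$1"
}

# psk_audit FILE [MINLEN]
#   Prints one finding per line and returns 1 if there is any finding:
#   - mode: group/other bits set on a file that holds IKE secrets
#   - entries that can never match: anything after a "*" line, a second "*",
#     or a repeated identifier (racoon stops at the first match)
#   - keys shorter than MINLEN characters (default 32, i.e. 128 bits as hex)
psk_audit() {
    f=$1 minlen=${2:-32} rc=0
    case $(ls -ld "$f" | cut -c5-10) in
        ------) ;;
        *) echo "$f: mode must be 0600 (group/other permission bits set)"; rc=1 ;;
    esac
    findings=$(awk -v minlen="$minlen" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            key = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", key)
            if (length(key) < minlen)
                print FILENAME ": line " NR ": key for " $1 " is only " length(key) " characters"
            if (wild) { print FILENAME ": line " NR ": unreachable, wildcard on line " wild " matches first"; next }
            if ($1 == "*") { wild = NR; next }
            if ($1 in seen) { print FILENAME ": line " NR ": duplicate of line " seen[$1] ", never matches"; next }
            seen[$1] = NR
        }
    ' "$f")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; rc=1; fi
    return $rc
}

# psk_demo: constructed psk.txt with the wildcard placed above a specific entry
psk_demo() {
    d=$(mktemp -d)
    printf '# constructed example\n* 140849A540928CE175C1811979BE1B27\n46.0.0.1 0123456789ABCDEF0123456789ABCDEF\n' > "$d/psk.txt"
    chmod 0644 "$d/psk.txt"
    echo "key for 46.0.0.1: $(psk_lookup "$d/psk.txt" 46.0.0.1)"   # the wildcard key, not the specific one
    psk_audit "$d/psk.txt"
    rm -rf "$d"
}

if [ "${PSK_DEMO:-0}" = 1 ]; then psk_demo; fi
```

Run psk_audit /usr/local/etc/racoon/psk.txt in Jail3 after every edit; a non-zero exit means at least one finding. The semantics mirrored here are those of the patched source shown in step 27; without the patch a "*" line only matches a peer whose identifier is literally "*".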

Step 30: Adjust Jail3 IPsec setkey.conf

$
vi /usr/local/etc/racoon/setkey.conf

#!/sbin/setkey -f
### ### ### ### ### ### ### ### ###

flush;

### IPv4 //
#
# HOST to HOST
spdadd 46.XXX.XXX.XXX 0.0.0.0 any -P out ipsec
   esp/tunnel/46.XXX.XXX.XXX-0.0.0.0/require;
spdadd 0.0.0.0 46.XXX.XXX.XXX any -P in ipsec
   esp/tunnel/0.0.0.0-46.XXX.XXX.XXX/require;
#
### // IPv4

### IPv6 //
#
# c3d2.de HOST to HOST
spdadd fd00:a::2/56 fd00:a::/64 any -P out ipsec
   esp/transport//require;
spdadd fd00:a::/64 fd00:a::2/56 any -P in ipsec
   esp/transport//require;
#
### // IPv6

# NOTE: spdflush discards every policy added above this line; only the
# RFC1918 policies that follow it end up in the SPD.
spdflush;

### IPv4 //
#
### RFC1918 Networks //
#
# 46.XXX.XXX.XXX is the public address of Jail3 (same host as above)
#
# Class A Networks
spdadd 10.0.0.0/8 0.0.0.0 any -P out ipsec
   esp/tunnel/46.XXX.XXX.XXX-0.0.0.0/require;
spdadd 0.0.0.0 10.0.0.0/8 any -P in ipsec
   esp/tunnel/0.0.0.0-46.XXX.XXX.XXX/require;
#
# Part of Class B Networks (172.16.0.1-172.23.255.254)
spdadd 172.16.0.0/13 0.0.0.0 any -P out ipsec
   esp/tunnel/46.XXX.XXX.XXX-0.0.0.0/require;
spdadd 0.0.0.0 172.16.0.0/13 any -P in ipsec
   esp/tunnel/0.0.0.0-46.XXX.XXX.XXX/require;
#
# Class C Networks
spdadd 192.168.0.0/16 0.0.0.0 any -P out ipsec
   esp/tunnel/46.XXX.XXX.XXX-0.0.0.0/require;
spdadd 0.0.0.0 192.168.0.0/16 any -P in ipsec
   esp/tunnel/0.0.0.0-46.XXX.XXX.XXX/require;
#
### // RFC1918 Networks
#
### // IPv4

### ### ### ### ### ### ### ### ###
# EOF
$

Step 31: Adjust Jail3 rc.conf (excerpt)

$
vi /etc/rc.conf

### ### ### PLITC ### ### ###
gateway_enable="YES"

ipv6_gateway_enable="YES"
rtadvd_enable="NO"
rtadvd_interfaces="epair67a"

firewall_enable="YES"
#firewall_type="open"
firewall_logging="YES"
firewall_type="/etc/firewall.rules"
firewall_script="/etc/rc.firewall.local"

### IPSec /
#
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="NO"
#
### / IPSec

### ### ### PLITC ### ### ###
# EOF
$

Step 32: Jail3 firewall.rules

$
vi /etc/firewall.rules

### ### ### PLITC // ### ### ###

### stage0 // ###
add 00001 check-state
#
### stateful // ###
add 00002 deny all from any to any frag in via epair67a
# ! add 00003 deny tcp from any to any established in via epair67a
### // stateful ###
#
### // stage0 ###

### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks
add 00010 drop all from 10.0.0.0/8 to any via epair67a
add 00011 drop all from 172.16.0.0/12 to any via epair67a
add 00012 drop all from 192.168.0.0/16 to any via epair67a
#
add 00040 count esp from any to any
add 00041 count ah from any to any
add 00042 count ipencap from any to any
add 00043 count ip4 from any to any src-port 500
add 00044 count ip4 from any to any src-port 4500
add 00045 count ip6 from any to any src-port 500
add 00046 count ip6 from any to any src-port 4500
add 00047 count udp from any 1701 to any
### // stage1 - Uplink Filter ###

### stage2 // ###
add 00050 allow ip4 from me to any
add 00051 allow ip6 from me6 to any
#
add 00060 count icmp from any to any via epair67a
# / add 00061 count icmp from any to any via epair67a
### // stage2 ###

### stage3 - Admin SSH // ###
add 05100 allow tcp from 80.XXX.XXX.XXX to 46.XXX.XXX.XXX 22 in via epair67a limit src-addr 2
add 05101 allow tcp from 2a01:AAAA:AAAA:AAAA::/56 to 2a01:AAAA:AAAA:AAAA::A 22 in via epair67a limit src-addr 2
#
add 05198 deny tcp from any to 46.XXX.XXX.XXX 22 in via epair67a
add 05199 deny tcp from any to 2a01:AAAA:AAAA:AAAA::A 22 in via epair67a
#
#/add 05201 deny tcp from any to any dst-port 22 in via tun1
### // stage3 - Admin SSH ###

### stage5 // ###
#
### IPSec //
add 10001 allow ip4 from any to any via epair103a
add 10002 allow ip6 from fd00:a::/56 to fd00:a::/56 via epair103a
add 10003 allow ip6 from fd00:b::/56 to fd00:b::/56 via epair103a
### // IPSec
#
### // stage5 ###

### stage9 // ###
add 60100 allow ip from any to any via lo0
add 60200 deny ip from any to 127.0.0.0/8
add 60300 deny ip from 127.0.0.0/8 to any
add 60400 deny ip from any to ::1
add 60500 deny ip from ::1 to any
add 60600 allow ipv6-icmp from :: to ff02::/16
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
### // stage9 ###

### stage10 // ###
add 65001 allow ip4 from any to any
add 65002 allow ip6 from any to any
### // stage10 ###

### ### ### // PLITC ### ### ###
# EOF
$

Step 33: Start Racoon in Jail3 & cmdwatch

$
echo "" > /var/log/racoon.log
service ipsec stop; service racoon stop; /root/cleanlogs.csh; service ipsec start; service racoon start; sleep 1; sockstat -4 -6
chmod 0700 /usr/local/etc/racoon   # directory: 0700, not 0600 (a directory needs the search bit)
mkdir /usr/local/etc/racoon/certs
chmod 0700 /usr/local/etc/racoon/certs
cmdwatch 'tail -n 50 /var/log/racoon.log'
$



Provided I have not forgotten anything critical, we can continue with Mac OS


Step 35.1: Jail3 IPsec under macOS (Yosemite)

The macOS client has a working IPv4 connection (behind NAT); it is to send all of its traffic exclusively through the VPN relay and use the internal DNS resolver.

System Preferences -> Security & Privacy -> Firewall

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net_macos1

Step 35.2: Use the internal DNS resolver

System Preferences -> Network -> Advanced … -> DNS

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net_macos2

Step 35.3: Set up Racoon

$
sudo vi /etc/racoon/psk.txt

### ### ### PLITC ### ### ###
#
46.XXX.XXX.XXX 140849A540928CE175C1811979BE1B27
#
### ### ### PLITC ### ### ###
# EOF
$
$
sudo vi /etc/racoon/racoon.conf

### ### ### ### ### ### ### ### ###
#
# $KAME: racoon.conf.in,v 1.17 2001/08/14 12:10:22 sakane Exp $

# "path" must be placed before it is used.
# You can overwrite what you defined, but it should not be used due to confusion.
path include "/etc/racoon" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug;

# by including all files matching /var/run/racoon/*.conf
# This line should be added at the end of the racoon.conf file
# so that settings such as timer values will be appropriately applied.
#include "/var/run/racoon/*.conf" ;

### ### ### ### ### ### ### ### ###
#

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}
 
timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
        natt_keepalive  20 sec;
        phase1          120 sec;
        phase2          60 sec;
}
 
listen  # address [port] that racoon will listening on
{
#
### CHANGEME // ###
        isakmp          172.XXX.XXX.XXX [500];
        isakmp_natt     172.XXX.XXX.XXX [4500];
### // CHANGEME ###
#
}

remote 46.XXX.XXX.XXX   # public address of Jail3 (IPsec entry node)
{
        # ph1id 1;
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;

        peers_identifier address 46.XXX.XXX.XXX;
        verify_identifier on;
        verify_cert off;
        weak_phase1_check on;

        passive         off;
        proposal_check  strict;

        ike_frag on;
        nonce_size 16;
        support_proxy on;
        generate_policy off;

        nat_traversal   force;
	dpd_delay 30;
	dpd_retry 10;
	dpd_maxfail 10;

                        proposal {
                                dh_group                16;
                                lifetime time           600 sec;
                                encryption_algorithm    aes 256;
                                hash_algorithm          sha512;
                                authentication_method   pre_shared_key;
                        }
}

sainfo (address 10.0.0.10/32 any address 172.31.254.0/24 any)
{
        # remoteid 1;
        pfs_group       16;
        lifetime        time       300 sec;
        encryption_algorithm       aes 256;
        authentication_algorithm   hmac_sha512;
        compression_algorithm      deflate;
}

#
### ### ### ### ### ### ### ### ###
# EOF
$
$
sudo vi /etc/racoon/setkey.conf

### ### ### PLITC // ### ### ###
#
flush;

spdflush;

spdadd 10.0.0.10/32 172.31.254.0/24 any -P out ipsec
   esp/tunnel/172.XXX.XXX.XXX-46.XXX.XXX.XXX/require;

spdadd 172.31.254.0/24 10.0.0.10/32 any -P in ipsec
   esp/tunnel/46.XXX.XXX.XXX-172.XXX.XXX.XXX/require;
#
### ### ### // PLITC ### ### ###
# EOF
$
$
sudo chmod 0600 /etc/racoon/*      # key files first, before the certs directory exists
sudo mkdir /etc/racoon/certs
sudo chmod 0700 /etc/racoon/certs  # directory needs the search bit: 0700, not 0600
$

Step 35.4: Set routes & /etc/hosts (part 1)

$
sudo su
route delete default
route add 46.XXX.XXX.XXX 172.XXX.XXX.XXX   # 172.XXX.XXX.XXX = IP of the current (physical) gateway; keeps the IPsec endpoint reachable without a default route

vi /etc/hosts

### ### ### PLITC ### ### ###
#
46.XXX.XXX.XXX vpn1gw.domain.tld
172.31.254.1 vpn1fw.domain.tld
#
### ### ### PLITC ### ### ###
# EOF
$

Step 35.5: Start IPsec

$
sudo su
setkey -f /etc/racoon/setkey.conf
launchctl stop com.apple.racoon; launchctl start com.apple.racoon; tail -n 50 /var/log/system.log
$

Step 35.6: Ping test

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net_macos3

Step 35.7: Set up Tunnelblick (OpenVPN client)

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net_macos4

The directory contains the certificates and the config file

Step 35.8: config.ovpn

$
### ### ### PLITC ### ### ###

client
remote vpn1fw.domain.tld 1194

dev tun
# tun-ipv6
proto udp

resolv-retry infinite
nobind

ca ca.crt
cert client.pem
key client.key

keepalive 10 30
persist-key
persist-tun
management-query-passwords

auth sha512
cipher CAMELLIA-256-CBC
comp-lzo

# client side throttling
#/ tun-mtu 1350
link-mtu 1380

verb 1

### ### ### PLITC ### ### ###
# EOF
$

Step 35.9: Import the OpenVPN config

Finally, the directory is given the suffix .tblk and opened (import)

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net_macos5

Step 35.10: Tunnelblick connection & set routes (part 2)

$
sudo su
# two /1 routes cover the whole IPv4 space and replace the removed default; 172.31.253.1 is the next hop inside the OpenVPN tunnel
route add -net 0.0.0.0/1 172.31.253.1
route add -net 128.0.0.0/1 172.31.253.1
$

Step 35.11: DNS resolver & traceroute test to an external server

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net_macos6

Step 35.12: Example routing table

plitc_freebsd_ipsec_openvpn_relay_ipv4_rw2net_macos7




I will spare myself a detailed description of setting up a FreeBSD client here, since apart from creating a gif (generic tunnel interface) everything else can be derived from the information above.


Addenda:

29.11.2014: the NAT rule must specify ip4 rather than all, since all also matches ip6 and, because NAT66 is not supported, ip6 then breaks

$
add 10001 nat 1 ip4 from any to any via tun1
$

Under FreeBSD 10.1 the IPsec filtertunnel works (the decapsulated packets pass through ipfw); the rules could look like this:

$
### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks
add 00017 drop all from 10.0.0.0/8 to any via epair67a
add 00018 drop all from 172.16.0.0/12 to any via epair67a
add 00019 drop all from 192.168.0.0/16 to any via epair67a
add 00010 allow all from 10.0.0.0/8 to 172.31.254.0/24
add 00011 allow all from 172.31.254.0/24 to 10.0.0.0/8
add 00012 allow all from 172.16.0.0/12 to 172.31.254.0/24
add 00013 allow all from 172.31.254.0/24 to 172.16.0.0/12
add 00014 allow all from 192.168.0.0/16 to 172.31.254.0/24
add 00015 allow all from 172.31.254.0/24 to 192.168.0.0/16
#
$
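As an added example (not from the original post), the following script prints a firewall.rules file in the order ipfw evaluates it. ipfw walks rules by rule number, not by position in the file, which is why the RFC1918 drops numbered 00017-00019 above are evaluated after the 00010-00015 allows although they are written first. It also marks rules that sit behind an unconditional catch-all such as allow ip from any to any, since nothing below such a rule is ever consulted. The sample file in ipfw_demo is constructed from the addendum's rules plus a catch-all pair.

```shell
#!/bin/sh
# Added example, not part of the original post: list an ipfw firewall.rules
# file in the order ipfw really evaluates it. ipfw walks rules by rule number,
# so the RFC1918 drops numbered 00017-00019 in the addendum run after the
# 00010-00015 allows although they are written first. Rules behind an
# unconditional catch-all are marked, because nothing below such a rule is
# ever consulted. The sample file in ipfw_demo is constructed.

# ipfw_effective_order FILE
#   Prints "NNNNN rule" lines in evaluation order. Equal numbers keep their
#   file order, as ipfw keeps them in insertion order. A rule that follows an
#   action on "ip" or "all" from any to any with no further qualifier gets an
#   UNREACHABLE marker naming the rule that shadows it.
ipfw_effective_order() {
    awk '
        /^[ \t]*add[ \t]+[0-9]+[ \t]/ {
            sub(/^[ \t]*add[ \t]+/, "")
            n = $1 + 0                       # 00010 -> 10 for numeric sorting
            sub(/^[0-9]+[ \t]+/, "")
            printf "%d\t%s\n", n, $0
        }
    ' "$1" | sort -s -n -k1,1 | awk -F '\t' '
        {
            rule = $2
            for (i = 3; i <= NF; i++) rule = rule " " $i
            mark = dead ? "\tUNREACHABLE (shadowed by rule " dead ")" : ""
            printf "%05d %s%s\n", $1, rule, mark
            if (!dead && rule ~ /^(allow|accept|pass|deny|drop|reject)[ \t]+(ip|all)[ \t]+from[ \t]+any[ \t]+to[ \t]+any[ \t]*$/)
                dead = sprintf("%05d", $1)
        }
    '
}

# ipfw_demo: the addendum's stage1 block as written, plus a catch-all pair
ipfw_demo() {
    d=$(mktemp -d)
    cat > "$d/firewall.rules" <<'EOF'
### stage1 - Uplink Filter // ###
# Throw away RFC 1918 networks
add 00017 drop all from 10.0.0.0/8 to any via epair67a
add 00018 drop all from 172.16.0.0/12 to any via epair67a
add 00019 drop all from 192.168.0.0/16 to any via epair67a
add 00010 allow all from 10.0.0.0/8 to 172.31.254.0/24
add 00011 allow all from 172.31.254.0/24 to 10.0.0.0/8
add 65001 allow ip from any to any
add 65002 deny ip from any to any
EOF
    ipfw_effective_order "$d/firewall.rules"
    rm -rf "$d"
}

if [ "${IPFW_DEMO:-0}" = 1 ]; then ipfw_demo; fi
```

Inside a jail, ipfw_effective_order /etc/firewall.rules shows the effective order before the rules are loaded. The shadowing check only recognises the exact pattern on ip or all with no interface or direction qualifier, so a pair like the stage10 allow ip4 / allow ip6 rules is not flagged even though together they admit everything that reaches them.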

03.03.2015: since changing tun-mtu can quickly crash VIMAGE on the FreeBSD host, it is better to leave the default MTU of 1500.
Optionally, the MTU and route can also be set statically in the ezjail config of the respective jail, with the following options set in the OpenVPN server config:

$
ifconfig-noexec
route-noexec
$

13.06.2015: UDP timeout problems on an IPsec NAT router (OpenWRT)
Solution:

$
vi /etc/sysctl.conf

#/ net.netfilter.nf_conntrack_udp_timeout=60
#// for IPsec
net.netfilter.nf_conntrack_udp_timeout=120
#/ net.netfilter.nf_conntrack_udp_timeout_stream=180
#// for IPsec
net.netfilter.nf_conntrack_udp_timeout_stream=300
$

That’s FreeBSD!
