VLAN with pipsecd

Philip Hallstrom wrote in with this article on setting up a virtual LAN.  It’s also known as a VPN (virtual private
network).

Thank you Philip.

Philip writes:

I’ve had to set up two secure VPNs between FreeBSD boxes now. The first
time I didn’t document my steps — figuring I’d remember 🙂 — which I didn’t. I just
finished setting up the second one and, as it happened, I also noticed several posts to
c.u.b.f.m asking about setting up secure VPNs using FreeBSD, so I thought I’d write up
what I did. So, here it is.

A VPN (virtual LAN) allows you to treat two physically
separate networks as though they were on the same network. At least that’s how I
understand it. What’s cool about this is that it allows my home network and my office
network to appear to be one contiguous network allowing me to work from one or the other
without a lot of differences.

I’m going to use the following fictitious networks to illustrate my steps. Below we
have two separate networks whose gateways (or routers, or firewall/natd boxes, etc.) are
gw1 and gw2. Our goal is to make it appear to the machines on either LAN that it is one
seamless network. Additionally, we want any data that is transferred between the two
networks to be secure (encrypted). We do that by setting up a secure tunnel.

(Note: In my case, gw1 runs FreeBSD 3.4 and gw2 runs FreeBSD 4.0. I believe there are other ways to do this
using an all-4.0 solution, but that doesn’t work for me.)

        ___________                                     ___________
        |         |                                     |         |
10.0.0.1-   gw1   -111.111.111.111 <---> 222.222.222.222-   gw2   -10.1.0.1
  (LAN) |         |   (Internet)           (Internet)   |         |  (LAN)
        |_________|                                     |_________|
             |                                               |
          10.2.0.1 <------------ encrypted ------------> 10.2.0.2
          (tunnel)                                       (tunnel)

Steps:

  1. Make sure that you have at least one tunnel device compiled into the kernel on both gw1
    and gw2. In particular, you want to make sure your kernel config has the following:

    pseudo-device tun 1

    If you’re going to have multiple VLANs (perhaps the office server will provide VLANs
    for multiple employees’ home networks) then you should increase 1 to something larger.
    Build the new kernel, install it, and make the devices.

  2. Install the pipsecd
    port on both machines. FreeBSD-3.4 will also install OpenSSL, 4.0 won’t since it’s already
    there. Nothing special needs to be done besides a "make install".
  3. On gw1 create /usr/local/etc/rc.d/pipsecd.sh with the following:
    #!/bin/sh

    # Start the userland IPsec daemon in the background.
    /usr/local/sbin/pipsecd &
    #
    # For some reason 4.0 complains if we access the tun device
    # too soon after calling pipsecd.  Sleeping for a bit fixes that.
    #
    sleep 3
    # Local tunnel address, then the remote (gw2) tunnel address.
    /sbin/ifconfig tun0 10.2.0.2 10.2.0.1 netmask 255.255.255.0
    # Send traffic for gw2's LAN through the tunnel.
    /sbin/route add -net 10.1.0.0 -netmask 255.255.255.0 10.2.0.1

  4. On gw2 create /usr/local/etc/rc.d/pipsecd.sh with the following:
    #!/bin/sh

    # Start the userland IPsec daemon in the background.
    /usr/local/sbin/pipsecd &
    #
    # For some reason 4.0 complains if we access the tun device
    # too soon after calling pipsecd.  Sleeping for a bit fixes that.
    #
    sleep 3
    # Local tunnel address, then the remote (gw1) tunnel address.
    /sbin/ifconfig tun0 10.2.0.1 10.2.0.2 netmask 255.255.255.0
    # Send traffic for gw1's LAN through the tunnel.
    /sbin/route add -net 10.0.0.0 -netmask 255.255.255.0 10.2.0.2

  5. On gw1 create /usr/local/etc/ipsec/pipsecd.conf with the
    following. ‘XXXXX’, ‘YYYYY’, ‘AAAAA’, ‘BBBBB’ can be changed to any string of characters
    (as far as I can tell) as long as you change them in both files (these lines have been
    split for readability; there are actually only three lines in this file).

    sa ipesp spi=1000 auth=hmac-md5-96 akey=XXXXX enc=blowfish_cbc 
                                          ekey=AAAAA dest=222.222.222.222
    sa ipesp spi=1000 auth=hmac-md5-96 akey=YYYYY enc=blowfish_cbc 
                                          ekey=BBBBB
    if /dev/tun0 local_spi=1000 remote_spi=1000
  6. On gw2 create /usr/local/etc/ipsec/pipsecd.conf with the following
    (these lines have been split for readability; there are actually only three lines in this
    file):

    sa ipesp spi=1000 auth=hmac-md5-96 akey=XXXXX enc=blowfish_cbc 
                                     ekey=AAAAA
    sa ipesp spi=1000 auth=hmac-md5-96 akey=YYYYY enc=blowfish_cbc 
                                     ekey=BBBBB dest=111.111.111.111
    if /dev/tun0 local_spi=1000 remote_spi=1000
  7. That’s it. Now, on both machines, start pipsecd by typing (as root):
    sh /usr/local/etc/rc.d/pipsecd.sh
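The one thing that silently breaks this procedure is the two pipsecd.conf files drifting apart: a key or SPI changed on one gateway but not the other. The script below is an added example of mine (not part of Philip’s article or of the pipsecd port) that checks a gw1/gw2 pair of config files against each other before the tunnel is started. It assumes what the two files in steps 5 and 6 show: in each file the sa line carrying dest= is the outbound SA and the sa line without dest= is the inbound SA, so the outbound SA on one side must equal the inbound SA on the other field by field. The sample files it writes to a temporary directory are constructed from those two steps, plus a deliberately drifted copy of gw2’s file.

```shell
#!/bin/sh
# Added example (not from the article): check that a gw1/gw2 pair of
# pipsecd.conf files mirror each other, so a key or SPI edited on one
# gateway but not the other is caught before the tunnel is started.
#
# Assumption taken from steps 5 and 6: in each file the "sa" line carrying
# dest= is the outbound SA (pointing at the peer) and the "sa" line without
# dest= is the inbound SA.  The outbound SA on one side must therefore equal
# the inbound SA on the other, field by field.

# sa_field FILE in|out KEY: print the value of KEY=... from the matching sa line.
sa_field() {
    awk -v which="$2" -v key="$3" '
        $1 == "sa" {
            has_dest = ($0 ~ /dest=/)
            if ((which == "out" && has_dest) || (which == "in" && !has_dest)) {
                for (i = 2; i <= NF; i++) {
                    split($i, kv, "=")
                    if (kv[1] == key) { print kv[2]; exit }
                }
            }
        }' "$1"
}

# count_sa FILE in|out: number of sa lines of that kind (each should be exactly 1).
count_sa() {
    awk -v which="$2" '
        $1 == "sa" {
            has_dest = ($0 ~ /dest=/)
            if ((which == "out" && has_dest) || (which == "in" && !has_dest)) n++
        }
        END { print n + 0 }' "$1"
}

# check_pair FILE_A FILE_B: exit status 0 if the two files form a consistent
# pair, 1 otherwise (each problem is reported on stdout).
check_pair() {
    a=$1 b=$2 status=0
    for f in "$a" "$b"; do
        for which in "in" "out"; do
            if [ "$(count_sa "$f" "$which")" != 1 ]; then
                echo "$f: expected exactly one ${which}bound sa line"
                status=1
            fi
        done
    done
    for key in spi auth akey enc ekey; do
        if [ "$(sa_field "$a" out "$key")" != "$(sa_field "$b" in "$key")" ]; then
            echo "mismatch: $key of outbound sa in $a != inbound sa in $b"
            status=1
        fi
        if [ "$(sa_field "$a" in "$key")" != "$(sa_field "$b" out "$key")" ]; then
            echo "mismatch: $key of inbound sa in $a != outbound sa in $b"
            status=1
        fi
    done
    return $status
}

# Constructed sample files: the gw1/gw2 pair from steps 5 and 6 (one sa per
# line), plus a gw2 variant whose inbound ekey was edited on one side only.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/gw1.conf" <<'EOF'
sa ipesp spi=1000 auth=hmac-md5-96 akey=XXXXX enc=blowfish_cbc ekey=AAAAA dest=222.222.222.222
sa ipesp spi=1000 auth=hmac-md5-96 akey=YYYYY enc=blowfish_cbc ekey=BBBBB
if /dev/tun0 local_spi=1000 remote_spi=1000
EOF
cat > "$SAMPLE_DIR/gw2.conf" <<'EOF'
sa ipesp spi=1000 auth=hmac-md5-96 akey=XXXXX enc=blowfish_cbc ekey=AAAAA
sa ipesp spi=1000 auth=hmac-md5-96 akey=YYYYY enc=blowfish_cbc ekey=BBBBB dest=111.111.111.111
if /dev/tun0 local_spi=1000 remote_spi=1000
EOF
cat > "$SAMPLE_DIR/gw2-drifted.conf" <<'EOF'
sa ipesp spi=1000 auth=hmac-md5-96 akey=XXXXX enc=blowfish_cbc ekey=AAAAZ
sa ipesp spi=1000 auth=hmac-md5-96 akey=YYYYY enc=blowfish_cbc ekey=BBBBB dest=111.111.111.111
if /dev/tun0 local_spi=1000 remote_spi=1000
EOF

if check_pair "$SAMPLE_DIR/gw1.conf" "$SAMPLE_DIR/gw2.conf"; then
    echo "gw1.conf / gw2.conf: consistent pair"
fi
check_pair "$SAMPLE_DIR/gw1.conf" "$SAMPLE_DIR/gw2-drifted.conf" \
    || echo "gw1.conf / gw2-drifted.conf: NOT consistent"
```

To use it on real files, copy the peer’s pipsecd.conf over (scp) and run check_pair on the local file and the copy; a non-zero exit status names the field that differs. Because it only compares the two files, it says nothing about whether the dest= addresses are the right public IPs; that still has to match the diagram above.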

At this point machines on either LAN should be able to connect to machines on the other
LAN — that is, host 10.0.0.2 should be able to ping 10.1.0.2 provided that they are both
on.

For some reason the gateways themselves will not be able to talk to each other. When I
set up my first VPN they could, but I must have changed something by accident and now they
can’t. But it’s not that big of a deal because you shouldn’t be connecting from/to your
gateways very much anyway.

Notes:

  • If there are firewalls involved you will need to add some rules. The following example
    is for IPFW running on gw1, whose external interface is ‘ed0’:

    add 8000 allow 50 from 222.222.222.222 to 111.111.111.111 in recv ed0
    add 8000 allow ip from any to any via tun0

  • My specific hardware:
    • Office – FreeBSD 3.4, P120, 64 MB RAM, 512K DSL connection
    • Home 1 – FreeBSD 3.4, P133, 32 MB RAM, 512K DSL connection
    • Home 2 – FreeBSD 4.0, P120, 64 MB RAM, 512K DSL connection

I max out the 512K DSL connection easily transferring between these servers (encryption and
all). "Home 1" also runs Apache, Samba, netatalk, mysql, DNS, SMTP, POP,
firewall, natd, and dhcp without problems.

In other words, you *don’t* need beefy hardware.

6 thoughts on “VLAN with pipsecd”

  1. This article is about configuring a VPN, not a VLAN. They have nothing to do with each other.

    I am currently in the process of creating a backend vlan for NFS and firewall management and will try to write an article regarding its config.

  2. I was looking for VPN setup on FreeBSD. I searched the net like anything. Although there are many good documents on VPN setup, I found this article to be soooooooooooo much helpful. The Author has mentioned everything so clearly and in such a manner that it’s great. I dropped all docs after getting this doc. This is just great. I am so much thankful for providing this information on the net. I really don’t have words to praise this document. It’s simply great.

    A lot of thanks again.

    yash

  3. Hello! Thanks for the article, but I have a problem with the tun device.
    When I execute pipsecd as root,
    I get the following error:

    # /usr/local/sbin/pipsecd
    socket(SOCK_RAW): Protocol not supported

    In my kernel conf I have a row

    pseudo-device tun 1

    Anyone with the same problem?

    fabio
