Posts tagged vpn

strongswan ipsec vpn site to site
posted on 2016-12-02 09:42

This guide was written for debian 8.

network layout

local/left       lan: 192.168.0.0/16
local/left   gateway: 10.0.0.2
remote/right gateway: 10.0.0.3
remote/right     lan: 172.16.0.0/16

Our network, expressed differently:

192.168.0.0/16 --- unencrypted --- 10.0.0.2 === vpn === 10.0.0.3 --- unencrypted --- 172.16.0.0/16

In strongswan it doesn't matter which side is defined in either left or right, but this convention helps:

  • local = left
  • rremote = right

ipsec settings for the tunnel

These may be somewhat arbitrarily, but we got to use something:

phase1:
ikev1 / aes256 / sha2 / dh5 / 86400s (24h statt 8h)

phase2:
esp / aes256 / sha2 / dh5 / 3600s

( protocol / encryption / hashing / DH group or PFS if present / lifetime )

install

apt-get install strongswan libcharon-extra-plugins

define PSK

Add to /etc/ipsec.secrets:

10.0.0.2 10.0.0.3 : PSK "thatsmydamnsecretPSKwhichreallyshouldbearandomsting"

setup tunnel

/etc/ipsec.conf:

config setup

conn %default
    keyexchange=ikev1
    keyingtries=%forever
    leftauth=psk
    rightauth=psk
    auto=start

conn myconfig-main
    left=10.0.0.2
    ike=aes256-sha256-modp1536
    ikelifetime=86400s
    esp=aes256-sha256-modp1536
    lifetime=3600s

conn myconfig1
    right=10.0.0.3
    leftsubnet=192.168.0.0/24
    rightsubnet=172.16.0.0/16
    also=myconfig-main

include /var/lib/strongswan/ipsec.conf.inc

That way you can add additional phase2 entries analoguous to conn myconfig1.

%default is valid for everything, myconfig-main is included via auto=myconfig-main into other connection definitions.

test

service ipsec restart

These might help:

tail -f /var/log/syslog
watch -n1 -d ipsec statusall

Ping from withing your lan a host inside the remote lan.

For watching the pings, the ones you want to see will be colored:

tcpdump -D # discern the interface you need to have a look at, usually eth0 / 1
tcpdump -nli 1 icmp | grep -color -e $ -e 192.168.

routing rules are automatically added by strongswan, do service ipsec restart while watching:

watch -n1 -d "ip ru; ip r l t 220"
ssh vpn howto
posted on 2016-05-29 12:38

To create a permanent tunnel via ssh between two hosts, some configuration has to be done on each side of the tunnel, so it gets automatically created once the tunnel interface is gotten up.

This tutorial is debian-specific.

overview

  • a keypair gets created on client side, for the sole purpose of activating the tunnel
  • server network config is extended by an additional tun interface and a routing rule
  • authorized_hosts on the server is modified to activate the tunnel and the tun interface on the server side
  • client network config gets added a tun interface and routing rule
  • once the client tun interface gets brought up, an ssh connection gets established to the server, the servers tun interface is brought up, too, and the tunnel is in place

setup

keygen

ssh-keygen -t rsa -b 4096 -f ~/.ssh/sshvpn

server side

Allow tunnelling in /etc/ssh/sshd_config:

PermitTunnel point-to-point

Save and exit, and service ssh restart.

Make ip forwarding available persistently, so it will be there across reboots:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf

Enable ip forwarding just for the current session:

sysctl net.ipv4.ip_forward=1

Add to /etc/network/interfaces:

manual tun99
iface tun99 inet static
    address 192.168.0.2/30
    pointtopoint 192.168.0.1
    up ip r a 10.0.0.0/24 via 192.168.0.1 dev tun0

client side

manual tun98
iface tun98 inet static
pre-up ssh -i /home/sjas/.ssh/sshvpn -M -S /var/run/sshvpn -f -w 98:99 sjas@10.20.1.14 true
    pre-up sleep 5
    address 192.168.0.1/30
pointtopoint 192.168.0.2
up ip r a 192.168.189.0/24 dev tun0

usage

Starting the tunnel, on client-side:

ifup tun0

Stopping the tunnel, on client-side:

ifdown tun0
cisco ASA: ipsec example
posted on 2016-02-28 14:33:03

I fear I will need something like that soon, so here's a dump I found on google somewhere else: (None of the following is from me! But from here)

Table 1 Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Attribute   Value
Encryption  AES 128-bit
Hashing SHA-1
Authentication method   Preshared keys
DH group    Group 2 1024-bit field
Lifetime    86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

Table 2 Preconfiguration Checklist: IPsec/Phase-2 Attributes

Attribute   Value
Encryption  AES 128-bit
Hashing SHA-1
Lifetime    28,800 seconds4,608,000 kB
Mode    Tunnel
PFS group   None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.

ASA Configuration

! IPsec ISAKMP Phase 1

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
!
crypto ikev1 enable outside

tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2

crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
!
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 173.199.183.2
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside
pfsense: iphone ipsec roadwarrior configuration
posted on 2015-12-13 16:47:01

Since this took me a while, but this took me a while, here is an incomplete write-up. (...) If the stars are lucky I will eventually get around to finish this properly.

software versions

  • PFSense 2.2.5
  • IOS 9.2

ios settings for phase 1 + 2

This is straight from the pfsense logs:

# phase 1
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

# phase 2
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

which translates to these alternatives for each phase:

# phase 1 (you should choose the second one :))
enc: aes cbc 128bit
hash: sha1
dh: 1024bit / group 2

enc: aes cbc 256bit
hash sha256
dh: 1536bit / group 3

enc: 3des cbc
hash: sha1
dh: 1024bit / group 2


# phase 2 (basically aes 256/128 / aes 128 / 3des with sha1 / md5, no PFS)
enc: aes cbc 256
hash: sha1

enc: aes cbc 256
hash: md5

enc: aes cbc 128
hash: sha1

enc: aes cbc 128
hash: md5

enc: 3des cbc
hash: sha1

enc: 3des cbc
hash: md5

According to apple documentation here PFS is possible, too.

PFSense IPsec VPN problems
posted on 2014-07-03 10:37:51

When running a PFSense as Firewall and VPN Gateway, trouble might arise. (See here.)

From personal experience, using version 2.1.4 and running like a dozen different tunnels, random connection breaks occurred.

It did not matter which interface was used, which hardware the other tunnel endpoint/gateway was on.

Only helpful solution so far was this:

System >> Advanced >> Tab Miscellaneous >> Section IP Security >> Checkbox Prefer older IPsec SAs

This blog covers .csv, .htaccess, .pfx, .vmx, /etc/crypttab, /etc/network/interfaces, /etc/sudoers, /proc, 10.04, 14.04, AS, ASA, ControlPanel, DS1054Z, GPT, HWR, Hyper-V, IPSEC, KVM, LSI, LVM, LXC, MBR, MTU, MegaCli, PHP, PKI, R, RAID, S.M.A.R.T., SNMP, SSD, SSL, TLS, TRIM, VEEAM, VMware, VServer, VirtualBox, Virtuozzo, XenServer, acpi, adaptec, algorithm, ansible, apache, apachebench, apple, arcconf, arch, architecture, areca, arping, asa, asdm, awk, backup, bandit, bar, bash, benchmarking, binding, bitrate, blackarmor, blowfish, bochs, bond, bonding, booknotes, bootable, bsd, btrfs, buffer, c-states, cache, caching, ccl, centos, certificate, certtool, cgdisk, cheatsheet, chrome, chroot, cisco, clamav, cli, clp, clush, cluster, coleslaw, colorscheme, common lisp, console, container, containers, controller, cron, cryptsetup, csync2, cu, cups, cygwin, d-states, database, date, db2, dcfldd, dcim, dd, debian, debug, debugger, debugging, decimal, desktop, df, dhclient, dhcp, diff, dig, display manager, dm-crypt, dmesg, dmidecode, dns, docker, dos, drivers, dtrace, dtrace4linux, du, dynamictracing, e2fsck, eBPF, ebook, efi, egrep, emacs, encoding, env, error, ess, esx, esxcli, esxi, ethtool, evil, expect, exportfs, factory reset, factory_reset, factoryreset, fail2ban, fbsd, fedora, file, filesystem, find, fio, firewall, firmware, fish, flashrom, forensics, free, freebsd, freedos, fritzbox, fsck, fstrim, ftp, ftps, g-states, gentoo, ghostscript, git, git-filter-branch, github, gitolite, gnutls, gradle, grep, grml, grub, grub2, guacamole, hardware, haskell, hdd, hdparm, hellowor, hex, hexdump, history, howto, htop, htpasswd, http, httpd, https, i3, icmp, ifenslave, iftop, iis, imagemagick, imap, imaps, init, innoDB, innodb, inodes, intel, ioncube, ios, iostat, ip, iperf, iphone, ipmi, ipmitool, iproute2, ipsec, iptables, ipv6, irc, irssi, iw, iwconfig, iwlist, iwlwifi, jailbreak, jails, java, javascript, javaws, js, juniper, junit, kali, kde, kemp, kernel, keyremap, kill, kpartx, krypton, lacp, lamp, languages, ldap, ldapsearch, less, leviathan, liero, lightning, links, linux, linuxin3months, lisp, list, livedisk, lmctfy, loadbalancing, locale, log, logrotate, looback, loopback, losetup, lsblk, lsi, lsof, lsusb, lsyncd, luks, lvextend, lvm, lvm2, lvreduce, lxc, lxde, macbook, macro, magento, mailclient, mailing, mailq, manpages, markdown, mbr, mdadm, megacli, micro sd, microsoft, minicom, mkfs, mktemp, mod_pagespeed, mod_proxy, modbus, modprobe, mount, mouse, movement, mpstat, multitasking, myISAM, mysql, mysql 5.7, mysql workbench, mysqlcheck, mysqldump, nagios, nas, nat, nc, netfilter, networking, nfs, nginx, nmap, nocaps, nodejs, numberingsystem, numbers, od, onyx, opcode-cache, openVZ, openlierox, openssl, openvpn, openvswitch, openwrt, oracle linux, org-mode, os, oscilloscope, overview, parallel, parameter expansion, parted, partitioning, passwd, patch, pdf, performance, pfsense, php, php7, phpmyadmin, pi, pidgin, pidstat, pins, pkill, plesk, plugin, posix, postfix, postfixadmin, postgres, postgresql, poudriere, powershell, preview, profiling, prompt, proxmox, ps, puppet, pv, pvecm, pvresize, python, qemu, qemu-img, qm, qmrestore, quicklisp, r, racktables, raid, raspberry pi, raspberrypi, raspbian, rbpi, rdp, redhat, redirect, registry, requirements, resize2fs, rewrite, rewrites, rhel, rigol, roccat, routing, rs0485, rs232, rsync, s-states, s_client, samba, sar, sata, sbcl, scite, scp, screen, scripting, seafile, seagate, security, sed, serial, serial port, setup, sftp, sg300, shell, shopware, shortcuts, showmount, signals, slattach, slip, slow-query-log, smbclient, snmpget, snmpwalk, software RAID, software raid, softwareraid, sophos, spacemacs, spam, specification, speedport, spi, sqlite, squid, ssd, ssh, ssh-add, sshd, ssl, stats, storage, strace, stronswan, su, submodules, subzone, sudo, sudoers, sup, swaks, swap, switch, switching, synaptics, synergy, sysfs, systemd, systemtap, tar, tcpdump, tcsh, tee, telnet, terminal, terminator, testdisk, testing, throughput, tmux, todo, tomcat, top, tput, trafficshaping, ttl, tuning, tunnel, tunneling, typo3, uboot, ubuntu, ubuntu 16.04, udev, uefi, ulimit, uname, unetbootin, unit testing, upstart, uptime, usb, usbstick, utf8, utm, utm 220, ux305, vcs, vgchange, vim, vimdiff, virtualbox, virtualization, visual studio code, vlan, vmstat, vmware, vnc, vncviewer, voltage, vpn, vsphere, vzdump, w, w701, wakeonlan, wargames, web, webdav, weechat, wget, whois, wicd, wifi, windowmanager, windows, wine, wireshark, wpa, wpa_passphrase, wpa_supplicant, x2x, xfce, xfreerdp, xmodem, xterm, xxd, yum, zones, zsh

View posts from 2017-03, 2017-02, 2017-01, 2016-12, 2016-11, 2016-10, 2016-09, 2016-08, 2016-07, 2016-06, 2016-05, 2016-04, 2016-03, 2016-02, 2016-01, 2015-12, 2015-11, 2015-10, 2015-09, 2015-08, 2015-07, 2015-06, 2015-05, 2015-04, 2015-03, 2015-02, 2015-01, 2014-12, 2014-11, 2014-10, 2014-09, 2014-08, 2014-07, 2014-06, 2014-05, 2014-04, 2014-03, 2014-01, 2013-12, 2013-11, 2013-10


Unless otherwise credited all material Creative Commons License by sjas