
VPN between two FreeBSD hosts that each have dynamic IPs

First, set up two dynamic IP hostnames from somewhere like www.dynu.com, get the update clients
for BSD, install them and make sure they are working.

Next, add this IPsec policy (setkey syntax) to each host:

flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;

This policy, unlike most I have seen in the howtos, encrypts the outside of the tunnel rather than
the inside: it requires ESP in transport mode for all IP protocol 4 (IP-in-IP, i.e. gif tunnel)
traffic sent or received by this host. It also has the advantage that it does not have to be
updated every time a new private network is added to either site's VPN router.

Next, cron this script to run every minute on each host:


#!/bin/sh
# Runs from cron every minute; needs nothing outside the FreeBSD base system.
# (The original used #!/bin/bash, which does not exist on FreeBSD unless bash
# is installed from ports.)

# Where the addresses each tunnel was built with are remembered. The original
# wrote these to /tmp, which is world-writable, so any local user could have
# planted or symlinked them before the root cron job wrote to them.
state=/var/run/giftun
mkdir -p "$state"

me="your host name"

# True if $1 is a dotted-quad IPv4 address.
is_ip() {
  echo "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print the first A record for a hostname, or nothing if it does not resolve.
resolve() {
  host -t A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

#
# 1 = remote public ip
# 2 = tun number
# 3 = local tunnel end
# 4 = remote tunnel end
# 5 = tunnel netmask
# 6 = my public ip
#
create_tun() {
  echo "Creating tunnel gif$2 for $1"
  /sbin/ifconfig gif"$2" destroy 2>/dev/null
  /sbin/ifconfig gif"$2" create tunnel "$6" "$1"
  /sbin/ifconfig gif"$2" inet "$3" "$4" netmask "$5"
  echo "/sbin/ifconfig gif$2 create tunnel $6 $1"
  echo "$1" > "$state/gif$2"
  echo "$6" > "$state/me"
}

#
# 1 = remote public ip
# 2 = tun number
# 3 = my public ip
#
# Returns 0 when gif$2 must be (re)created and 1 when it already exists with
# the addresses resolved now, so it can be used as "check ... && create_tun ...".
check() {
  if ! /sbin/ifconfig gif"$2" > /dev/null 2>&1; then
    return 0
  fi
  if [ -e "$state/gif$2" ] && [ -e "$state/me" ]; then
    # Exact string comparison: the original piped the files through grep,
    # where the dots in an address match any character and a shorter
    # address matches inside a longer one.
    if [ "$(head -1 "$state/gif$2")" = "$1" ] && [ "$(head -1 "$state/me")" = "$3" ]; then
      echo "gif$2 is ok"
      return 1
    else
      echo "gif$2 endpoints have changed"
      return 0
    fi
  else
    return 0
  fi
}

myip=$(resolve "$me")
if ! is_ip "$myip"; then
  echo "cannot resolve $me, leaving tunnels alone" >&2
  exit 1
fi

# giftuns fields: <remote_public_hostname> <tun number> <local end> <remote end> <netmask>
while read -r hn tn lip rip nm; do
  case "$hn" in ''|\#*) continue ;; esac   # skip blank lines and comments
  h=$(resolve "$hn")
  if ! is_ip "$h"; then
    echo "cannot resolve $hn, skipping gif$tn" >&2
    continue
  fi
  check "$h" "$tn" "$myip" && create_tun "$h" "$tn" "$lip" "$rip" "$nm" "$myip"
done < /usr/local/etc/racoon/giftuns

This script sets up the tunnels. It can cope with many tunnels and gets its config from a file
called /usr/local/etc/racoon/giftuns, with one tunnel per line in the format

<remote_public_hostname> <tunnel_number> <local_tunnel_endpoint_ip> <remote_tunnel_endpoint_ip> <netmask>

e.g.

yourhost1.dynu.com 0 192.168.250.2 192.168.250.1 255.255.255.252
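A malformed giftuns line fails silently inside the cron job (the script just builds a tunnel with whatever fields it read), so it is worth checking the file before installing it. The validator below is an added example, not part of the article: it assumes the five-field format described above, rejects bad addresses, missing fields and duplicated gif numbers, and the sample hostnames and files it checks are constructed here.

```shell
#!/bin/sh
# Validator for the giftuns file read by the tunnel cron script.
# Each non-comment line: <remote_public_hostname> <tun number> <local end> <remote end> <netmask>

# True if $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# True if $1 looks like a fully qualified DNS name (labels plus a TLD).
is_hostname() {
  echo "$1" | grep -Eq '^([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
}

# Check the five fields of one line; print the problem and fail on error.
check_giftun_line() {
  [ $# -eq 5 ] || { echo "expected 5 fields, got $#"; return 1; }
  is_hostname "$1" || { echo "bad remote hostname: $1"; return 1; }
  echo "$2" | grep -Eq '^[0-9]+$' || { echo "bad tunnel number: $2"; return 1; }
  is_ipv4 "$3" || { echo "bad local endpoint: $3"; return 1; }
  is_ipv4 "$4" || { echo "bad remote endpoint: $4"; return 1; }
  is_ipv4 "$5" || { echo "bad netmask: $5"; return 1; }
  [ "$3" != "$4" ] || { echo "local and remote endpoints are identical"; return 1; }
}

# Check a whole file: every line must pass and no gif number may repeat.
# Prints one message per problem; returns 0 only if the file is clean.
validate_giftuns() {
  file=$1; rc=0; seen=""; n=0
  while read -r line; do
    n=$((n + 1))
    case "$line" in ''|\#*) continue ;; esac   # blank lines and comments
    set -- $line
    msg=$(check_giftun_line "$@") || { echo "line $n: $msg"; rc=1; continue; }
    case " $seen " in *" $2 "*) echo "line $n: gif$2 defined twice"; rc=1 ;; esac
    seen="$seen $2"
  done < "$file"
  return $rc
}

# Constructed sample files (not from the article): one clean, one with a
# duplicated tunnel number and an impossible address.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# remote host  gif#  local end      remote end     netmask
yourhost1.dynu.com 0 192.168.250.2 192.168.250.1 255.255.255.252
yourhost2.dynu.com 1 192.168.250.6 192.168.250.5 255.255.255.252
EOF
cat > "$bad" <<'EOF'
yourhost1.dynu.com 0 192.168.250.2 192.168.250.1 255.255.255.252
yourhost3.dynu.com 0 192.168.250.10 192.168.250.9 255.255.255.252
yourhost4.dynu.com 2 192.168.250.300 192.168.250.13 255.255.255.252
EOF
validate_giftuns "$good" && echo "$good: ok"
validate_giftuns "$bad" || echo "$bad: rejected"
```

Run it as `validate_giftuns /usr/local/etc/racoon/giftuns` on each router before the cron job picks the file up; the second sample above is rejected with "gif0 defined twice" and "bad local endpoint".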

That's the tunnel sorted; it should now come up on each box. It may take a few minutes to
settle down, depending on whether the dynu host addresses are up to date. I think dynu use
a TTL of 90s on their hosts, so that's the maximum it should take. At this point you won't be able
to ping any tunnel endpoints, as key exchange isn't working yet. To fix this, install racoon
from ports. Use the default config file, but modify the following items under "remote
anonymous" to something@somethingelse, e.g.

    my_identifier user_fqdn hello@change.me

    peers_identifier user_fqdn hello@change.me

Do this on both hosts.

Edit the psk.txt file and enter the line

hello@change.me somekeyyouthinkof

Again, do this on both hosts.

Now restart racoon.

If all is well, you should be able to ping the tunnel endpoints now.
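The pre-shared key is the whole strength of phase 1, so "somekeyyouthinkof" should be a long random string that is identical on both hosts and readable only by root. The following is an added example, not from the article: it generates such a key, writes the psk.txt line for the hello@change.me identifier with owner-only permissions, and looks the identifier up the way racoon does; it demonstrates against a temporary file, and assumes the ports install keeps psk.txt under /usr/local/etc/racoon/ (check your racoon.conf).

```shell
#!/bin/sh
# Generate and install a racoon pre-shared key for the user_fqdn identifier
# from racoon.conf, then look it up by identifier as racoon does at IKE phase 1.

# 32 bytes from the kernel RNG as 64 hex characters.
gen_psk() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_psk <psk.txt path> <identifier> <key>: one "identifier key" line,
# created readable by the owner only (the key is as secret as the VPN).
write_psk() {
  ( umask 077; printf '%s %s\n' "$2" "$3" > "$1" ) && chmod 600 "$1"
}

# True if group and others have no permission bits on the file.
psk_perms_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Print the key for an identifier from a psk.txt; prints nothing if absent.
psk_lookup() {
  awk -v id="$2" '$1 == id { print $2; exit }' "$1"
}

# Demo against a temporary file standing in for psk.txt
# (assumed ports location: /usr/local/etc/racoon/psk.txt).
psk=$(gen_psk)
pskfile=$(mktemp)
write_psk "$pskfile" hello@change.me "$psk"
psk_perms_ok "$pskfile" && echo "psk.txt is private to its owner"
echo "put this identical line in psk.txt on the other host:"
cat "$pskfile"
```

Copy the printed line to the second host over an existing secure channel (not over the tunnel you are still building) and restart racoon on both sides.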

Finally, we need to get the routing sorted out.

Install zebra from ports on all the routers and use the following config files.

zebra.conf

hostname your_hostname
password something
enable password somethingelse
log syslog

bgpd.conf

hostname your_hostname
password something
enable password somethingelse
router bgp 65101
 bgp router-id your_host_ip
 network 10.0.0.0/24
 neighbor 192.168.250.1 remote-as 65102
access-list all permit any
ip prefix-list my-networks seq 5 permit 10.210.210.0/24
line vty
log syslog

 

All the routing should now work, and your VPN is up.

I need to redo the bgpd config file as I think it's incorrect at the moment, but it will be
sorted in the full writeup if you think it's worth doing.

 

Hope this was of use; let me know if you want something more comprehensive doing.

 

regards

 Chris Scott

MK NOC

 

0845 6684000

