First set up 2 dynamic IP hostnames from somewhere like www.dynu.com,
get the clients for BSD, install them and make sure they are working.
Next add this IPsec policy (setkey syntax) to each host:
flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 4 -P in ipsec esp/transport//require;
This policy, unlike most I have seen in the howtos, encrypts the outside of the tunnel rather than the inside: it requires ESP in transport mode for all
protocol 4 (IP-in-IP, i.e. gif tunnel) traffic sent and received by this host. It also has the advantage that it does not have to be updated every time a new private network is added to either site's VPN router.
Next cron this script to run every minute on each host:
#!/bin/bash
# create_tun: 1 = host (resolved ip), 2 = tun number, 3 = local tunnel end, 4 = remote tunnel end, 5 = tunnel netmask, 6 = my public ip
me="your host name"

function create_tun () {
    echo -e "Creating tunnel for $1"
    /sbin/ifconfig gif"$2" destroy
    /sbin/ifconfig gif"$2" create tunnel $6 $1
    /sbin/ifconfig gif"$2" $3 netmask $5 $4 netmask $5
    echo /sbin/ifconfig gif"$2" create tunnel $6 $1
    # remember which public addresses this gif was built with, so check() can spot a dynamic ip change on either end
    echo $1 > /tmp/.gif"$2"
    echo $6 > /tmp/.gifme
}

# check: 1 = remote host (resolved ip), 2 = tun number, 3 = my ip
# returns 0 when the tunnel is missing or built with stale addresses (so it gets recreated), 1 when it is ok
function check () {
    if ( ! ifconfig gif"$2" > /dev/null ); then
        return 0
    fi
    if [ -e /tmp/.gif"$2" ] && [ -e /tmp/.gifme ]; then
        if ( cat /tmp/.gif"$2" | awk '{ if ( $1 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ ) print $1; else print "cre"}' | grep $1 > /dev/null ) &&
           ( head -1 /tmp/.gifme | awk '{ if ( $1 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ ) print $1; else print "cre"}' | grep $3 > /dev/null ); then
            echo -e "Gif $2 is ok"
            return 1
        else
            echo ppp
            return 0
        fi
    else
        return 0
    fi
}

# resolve our own dynamic hostname, then walk the tunnel list
me=`host $me | awk '{print $4}'`
cat /usr/local/etc/racoon/giftuns | while read hn tn lip rip nm; do
    h=`host $hn | awk '{print $4}'`
    check $h $tn $me && create_tun $h $tn $lip $rip $nm $me
done
This script basically sets up the tunnels; it can cope with many tunnels and gets its config
from a file called /usr/local/etc/racoon/giftuns.
Each line of that file has the format
<remote_public_hostname> <tun_number> <local_tunnel_endpoint_ip> <remote_tunnel_endpoint_ip> <netmask>
e.g.
yourhost1.dynu.com 0 192.168.250.2 192.168.250.1 255.255.255.252
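As an added example (not part of Chris's post), a small sh check for giftuns lines before the cron script hands them to ifconfig: five fields, a numeric tunnel number, valid IPv4 addresses, a contiguous netmask, and both endpoints inside the same tunnel subnet. The sample lines are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check giftuns lines before
# the cron script feeds them to ifconfig. Sample lines below are constructed.
GIFTUNS_SAMPLE='yourhost1.dynu.com 0 192.168.250.2 192.168.250.1 255.255.255.252
yourhost2.dynu.com 1 192.168.250.6 192.168.250.5 255.255.255.252
badhost.dynu.com 2 192.168.250.10 192.168.251.9 255.255.255.252
yourhost3.dynu.com notanumber 192.168.250.14 192.168.250.13 255.255.255.252'

# ip2int: print a dotted quad as an integer; fail on anything that is not one
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# validate_line: 0 if "<host> <tun> <lip> <rip> <netmask>" is consistent, else 1
validate_line() {
    set -- $1
    [ $# -eq 5 ] || return 1
    case "$2" in ''|*[!0-9]*) return 1 ;; esac   # tunnel number must be numeric
    l=$(ip2int "$3") || return 1
    r=$(ip2int "$4") || return 1
    m=$(ip2int "$5") || return 1
    [ "$l" -ne "$r" ] || return 1                # endpoints must differ
    inv=$(( ~m & 0xFFFFFFFF ))                   # contiguous mask: inv+1 is a power of two
    [ $(( (inv + 1) & inv )) -eq 0 ] || return 1
    [ $(( l & m )) -eq $(( r & m )) ]            # both ends inside the same tunnel subnet
}

# count_bad: report each line on stderr, print the number of bad lines
count_bad() {
    bad=0
    while read -r line; do
        [ -n "$line" ] || continue
        if validate_line "$line"; then echo "OK  $line" >&2
        else echo "BAD $line" >&2; bad=$((bad + 1)); fi
    done <<EOF
$1
EOF
    echo "$bad"
}

count_bad "$GIFTUNS_SAMPLE"
```

Run it against the real file with `count_bad "$(cat /usr/local/etc/racoon/giftuns)"`; a non-zero count means a tunnel that will silently never come up.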
That's the tunnel sorted. They should now come up on each box. It may take a few minutes to settle down depending on whether the dynu host addresses are up to date. I think dynu use
a TTL of 90s on their hosts so that's the max it should take. At this point you won't be able to ping any tunnel endpoints, as key exchange isn't working at present and the "require" policy drops the gif traffic until an SA exists. To fix this install racoon
from ports. Use the default config file but modify the following items under remote anonymous to something@somethingelse, e.g.
my_identifier user_fqdn "hello@change.me";
peers_identifier user_fqdn "hello@change.me";
Do this on both hosts.
Edit the psk.txt file and enter the line
hello@change.me somekeyyouthinkof
Again do this on both hosts; the file must be readable by root only (mode 0600) or racoon will refuse to load it.
Now restart racoon.
If all is well you should be able to ping the tunnel endpoints now.
Finally we need to get the routing sorted out.
Install zebra from ports on all the routers
and use the following config files:
zebra.conf
hostname your hostname
password somthing
enable password somthingelse
log syslog
bgpd.conf
hostname your hostname
password somthing
enable password somthingelse
router bgp 65101
bgp router-id your_host_ip
network 10.0.0.0/24
neighbor 192.168.250.1 remote-as 65102
access-list all permit any
ip prefix-list my-networks seq 5 permit 10.210.210.0/24
line vty
log syslog
All the routing should now work, and your VPN is up.
I need to redo the bgpd config file as I think it's incorrect at the moment, but it will be sorted in the full writeup if you think it's worth doing.
Hope this was of use, let me know if you want something more comprehensive doing.
regards
Chris Scott
MK NOC
0845 6684000