Site-to-site IPsec on VMM
This guide is designed to help you simulate an IPsec gateway using the IPsec site-to-site guide. If you lack real hardware to test with, you can simulate the setup inside vmm.
This guide assumes you have read the IPsec site-to-site guide. It only covers parts that are specific to the setup on VMM.
192.0.2.1 198.51.100.1
<--IPsec veb12-->
initlan <-veb11-> init resp <-veb22-> resplan
10.0.1.2 10.0.1.1 10.0.2.1 10.0.2.2
Configuring the host
First, we set up the host's interfaces:
host# cat /etc/hostname.veb11 up host# cat /etc/hostname.veb12 add vport11 up host# cat /etc/hostname.veb22 up host# cat /etc/hostname.vport11 inet 192.0.0.1 0xffffff00 !route add -inet 192.0.2.1 -cloning -link -iface vport11 !route add -inet 192.0.2/24 192.0.2.1 !route add -inet 198.51.100.1 -cloning -link -iface vport11 !route add -inet 198.51.100/24 198.51.100.1 up
Next we configure vm.conf:
socket owner :vmdusers
switch "switch11" {
locked lladdr
interface veb11
}
switch "switch12" {
locked lladdr
interface veb12
}
switch "switch22" {
locked lladdr
interface veb22
}
bsdiso="/home/iso/install75.iso"
vm "initlan" {
owner $USER
memory 1G
cdrom $bsdiso
disk /home/$USER/initlan.qcow2 format qcow2
interface tap10 {
locked lladdr e8:8b:10:00:01:02
switch "switch11"
}
}
vm "init" {
owner $USER
memory 1G
cdrom $bsdiso
disk /home/$USER/init.qcow2 format qcow2
interface tap11 {
locked lladdr e8:8b:11:11:11:11
switch "switch12"
}
interface tap12 {
locked lladdr e8:8b:10:00:01:01
switch "switch11"
}
}
vm "resplan" {
owner $USER
memory 1G
cdrom $bsdiso
disk /home/$USER/resplan.qcow2 format qcow2
interface tap20 {
locked lladdr e8:8b:10:00:02:02
switch "switch22"
}
}
vm "resp" {
owner $USER
memory 1G
cdrom $bsdiso
disk /home/$USER/resp.qcow2 format qcow2
interface tap21 {
locked lladdr e8:8b:22:22:22:22
switch "switch12"
}
interface tap22 {
locked lladdr e8:8b:10:00:02:01
switch "switch22"
}
}
Make sure to create each of the qcow2 images and install OpenBSD.
Next, configure the interfaces in each of the virtual machines:
initlan# cat /etc/hostname.vio0 inet 10.0.1.2 0xffffff00 initlan# cat /etc/mygate 10.0.1.1 init# cat /etc/hostname.vio0 inet 192.0.2.1 0xffffff00 up !route add -inet 192.0.0.1 -cloning -link -iface vio0 !route add -inet default 192.0.0.1 init# cat /etc/hostname.vio1 inet 10.0.1.1 0xffffff00 up !route add -inet 10/8 10.0.1.1 resplan# cat /etc/hostname.vio0 inet 10.0.2.2 0xffffff00 resplan# cat /etc/mygate 10.0.2.1 resp# cat /etc/hostname.vio0 inet 198.51.100.1 0xffffff00 up !route add -inet 192.0.0.1 -cloning -link -iface vio0 !route add -inet default 192.0.0.1 resp# cat /etc/hostname.vio1 inet 10.0.2.1 0xffffff00 up !route add -inet 10/8 10.0.2.1
Make sure to configure iked(8) as mentioned in the site-to-site IPsec guide.
Exchange public keys. From init to resp:
init$ cat /etc/iked/local.pub | ssh 198.51.100.1 'doas tee /etc/iked/pubkeys/fqdn/init.example.com'
From resp to init:
resp$ cat /etc/iked/local.pub | ssh 192.0.2.1 'doas tee /etc/iked/pubkeys/fqdn/resp.example.com'
Configure iked.conf(5) for both
resp and init:
init# cat /etc/iked.conf
init="192.0.2.1"
resp="198.51.100.1"
initlan="10.0.1.0/24"
resplan="10.0.2.0/24"
ikev2 'init' active esp \
from $initlan to $resplan \
from $initlan to $resp \
local $init peer $resp \
srcid init.example.com
resp# cat /etc/iked.conf
init="192.0.2.1"
resp="198.51.100.1"
initlan="10.0.1.0/24"
resplan="10.0.2.0/24"
ikev2 'resp' passive esp \
from $resplan to $initlan \
from $resplan to $init \
local $resp peer $init \
srcid resp.example.com
Tighten permissions for iked(8):
init# chmod 0600 /etc/iked.conf resp# chmod 0600 /etc/iked.conf
Appropriate sysctls should be enabled:
init# cat /etc/sysctl.conf net.inet.ip.forwarding=1 net.inet.esp.enable=1 net.inet.ah.enable=1 resp# cat /etc/sysctl.conf net.inet.ip.forwarding=1 net.inet.esp.enable=1 net.inet.ah.enable=1
Adjust /etc/pf.conf? for resp:
init="192.0.2.1"
resp="198.51.100.1"
pass in log on $ext_if proto udp from $init to $resp port {isakmp, ipsec-nat-t} tag IKED
pass in log on $ext_if proto esp from $init to $resp tag IKED
Reload packet filter:
resp# pfctl -f /etc/pf.conf
Start iked:
init# rcctl enable iked init# rcctl start iked iked(ok) resp# rcctl enable iked resp# rcctl start iked iked(ok)
Confirm IPsec flows with ipsecctl and verify security associations with ikectl:
init# ipsecctl -sa ... resp# ikectl show sa ...
Testing
Test the tunnel works by pinging resplan (10.0.2.2) from initlan (10.0.1.2):
initlan$ ping -I 10.0.1.2 10.0.2.2 PING 10.0.2.2 (10.0.2.2): 56 data bytes 64 bytes from 10.0.2.2: icmp_seq=0 ttl=108 time=45.523 ms 64 bytes from 10.0.2.2: icmp_seq=1 ttl=108 time=45.304 ms
Run tcpdump? on an enc(4) interface to see packets prior to encapsulation and after decapsulation:
init# tcpdump -ne -i enc0 tcpdump: listening on enc0, link-type ENC 23:05:45.520270 (authentic,confidential): SPI 0xf997b9a0: 10.0.2.2 > 10.0.1.2: icmp: echo request (encap) 23:05:45.520825 (authentic,confidential): SPI 0xa484d765: 10.0.1.2 > 10.0.2.2: icmp: echo reply (encap)
IPsec Statistics
init# netstat -s -p esp
esp:
144 input ESP packets
150 output ESP packets
0 packets from unsupported protocol families
....
0 raw ESP packets for encapsulating TDB received
19976 input bytes
20406 output bytes
init# netstat -s -p ah
ah:
0 input AH packets
0 output AH packets
0 packets from unsupported protocol families
...
0 output packets could not be sent
0 input bytes
0 output bytes
As expected, there are no AH packets being sent because the IPsec gateways are using ESP for confidentiality. For more information, see ipsec(4).