Secure IPv6 over IPv4 Tunnels with racoon2

This document is a step-by-step tutorial for establishing an IPv4 tunnel, secured with IPSec, that encapsulates IPv6 traffic. The tunnel lets a host connect to a router, establish a secure IPSec tunnel, use that tunnel to receive router advertisements and configure a global IPv6 address, and from there connect to the IPv6 Internet.

Objective

This is the goal we want to achieve: some IPv6 router serves the subnet 2001:322:141:4320::/64; our IPv6 gateway (cyclone.domain.com) is in this same subnet and serves the prefix 2001:322:141:4320:1::/80. We want to connect a PC in a home network to the IPv6 network through the IPv6 gateway. Between the PC and the gateway there is a multi-hop IPv4 network.

                 +-------------+--------------+
                 |  SOME  ipv6 router         |
                 +-------------+--------------+
                          fxp0 | 2001:322:141:4320::1/64
                               |
                               |
                               |                  2001:322:141:4320::/64
 ------------------------------+---------------+---------------------------
                                               |
                                               |  
                                               |  144.22.117.119 (fxp0)
                                  +------------+--------------+
                                  |  cyclone.domain.com        |
                                  +----+ +--------------------+
                                  gif0 | | 2001:322:141:4320:1::1/80
                                       | | 188.66.109.55 (fxp1)
                                       | |
                                       | |
                                       | | 2001:322:141:4320:1::/80
                                       | |
                                       | |
                       ---------------------------------
                                 IPv4  Network
                       _________________________________
                                       | |
                                       | |
                                       | |
                         Tunnel ------>| |
                                       | |
                                       | | 144.22.41.X (em0)
                                  gif0 | | 2001:322:141:4320:1::X/80
                           +-----------+ +---------+
                           | PC at home            |
                           +-----------------------+

Configure the Kernels

Recompile a new kernel with the following options. They are not needed for the tunnel itself; they are only needed for securing the link with IPSec.

  options         IPSEC
  options         IPSEC_ESP
  options         IPSEC_DEBUG

Configure the ipv6 router

The router (cyclone.domain.com) serves the prefix 2001:322:141:4320:1::/80; its IPv6 address is manually set to 2001:322:141:4320:1::1. SOME IPv6 router must forward packets destined for the subnet 2001:322:141:4320:1::/80 to this router (which is on the same link).

Make the system act as a router

  sysctl net.inet6.ip6.accept_rtadv=0
  sysctl net.inet6.ip6.forwarding=1

Set up the gif tunneling interface

  • Create the interface
      $ ifconfig gif create
  • Configure the outer addresses of the tunnel
      $ ifconfig gif0 tunnel 188.66.109.55 144.22.41.X
  • Configure the IPv6 address of the gif interface
      $ ifconfig gif0 2001:322:141:4320:1::1

Add a route to the client

  route add -inet6 2001:322:141:4320:1::X -interface gif0

Set up router advertisements

This is an optional step; it lets clients autoconfigure their IPv6 addresses from the router advertisements.

  • Set up the configuration of the rtadvd daemon in /etc/rtadvd.conf
      fxp1:\
      :addrs#1:addr="2001:322:141:4320:2001:2002::":prefixlen#96:tc=ether:
  • Start the rtadvd program manually (-D -f: debugging output, stay in the foreground):
      rtadvd -D -f -c /etc/rtadvd.conf fxp1
  • At startup: add the following to /etc/rc.conf
      rtadvd=YES
      rtadvd_flags="fxp1"

Configure the client

Set up the tunnel interface

  • Create the interface
      $ ifconfig gif create
  • Configure the outer addresses of the tunnel
      $ ifconfig gif0 tunnel 144.22.41.X 188.66.109.55
  • Configure the IPv6 address of the gif interface
      $ ifconfig gif0 2001:322:141:4320:1::X

Add an IPv6 default route

  $ route add -inet6 default 2001:322:141:4320:1::1

Use a DNS server that supports IPv6 resolution

I just added

  nameserver 144.22.32.65

to /etc/resolv.conf.

Testing IPv6 connectivity

Test the tunnel

From the client, run:

  ping6  2001:322:141:4320:1::1

From the router, run:

  ping6  2001:322:141:4320:1::X

You should see replies to both commands; this means that the tunnel works.

Test the routing

From the client, run:

  ping6 www.kame.net

At a minimum, the packets must be forwarded by the router cyclone. If, on the router, you run:

  tcpdump -i fxp0 ip6 and host 2001:322:141:4320:1::X

you must at least see the ICMPv6 echo requests forwarded towards www.kame.net. If the echo replies do not come back, your subnet is not connected.

The routing table of the upper-level router (SOME IPv6 router) must be updated as follows:

  route add -inet6 2001:322:141:4320:1::/80 -interface fxp0
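The routing test above has three outcomes: the router never forwards the client's echo requests, it forwards them but no replies return (the subnet is not connected upstream), or replies come back. The following is an added example, not part of the original tutorial, that pairs the ICMPv6 echo requests and replies in the text output of the tcpdump command on fxp0 and maps the result onto those outcomes. The capture lines are constructed for the example, and the client address 2001:322:141:4320:1::2 stands in for 2001:322:141:4320:1::X.

```python
"""Added example, not part of the original tutorial: pair the ICMPv6 echo
requests and replies that tcpdump shows on the router's upstream interface
(fxp0) to tell the three test outcomes apart: requests not forwarded at all,
requests forwarded but never answered (the subnet is not connected
upstream), or a working path.  The capture lines below are constructed for
this example; they are not output recorded for the page."""
import re

# Stands in for the client's address 2001:322:141:4320:1::X (X = 2 is an assumption).
CLIENT = "2001:322:141:4320:1::2"

# Constructed sample of what `tcpdump -i fxp0 ip6 and host <client>` prints.
SAMPLE_CAPTURE = """\
10:01:00.100000 IP6 2001:322:141:4320:1::2 > 2001:200:dff:fff1:216:3eff:feb1:44d7: ICMP6, echo request, seq 0, length 16
10:01:00.300000 IP6 2001:200:dff:fff1:216:3eff:feb1:44d7 > 2001:322:141:4320:1::2: ICMP6, echo reply, seq 0, length 16
10:01:01.100000 IP6 2001:322:141:4320:1::2 > 2001:200:dff:fff1:216:3eff:feb1:44d7: ICMP6, echo request, seq 1, length 16
10:01:02.100000 IP6 2001:322:141:4320:1::2 > 2001:200:dff:fff1:216:3eff:feb1:44d7: ICMP6, echo request, seq 2, length 16
10:01:02.150000 IP6 2001:322:141:4320:1::2 > 2001:322:141:4320::1: ICMP6, neighbor solicitation, who has 2001:322:141:4320::1, length 32
"""

ECHO_RE = re.compile(
    r"^\S+ IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, echo (?P<kind>request|reply), seq (?P<seq>\d+)"
)


def pair_echoes(lines, client):
    """Return (answered, unanswered) echo sequence numbers for requests sent by `client`."""
    requests, replies = set(), set()
    for line in lines:
        m = ECHO_RE.match(line)
        if not m:
            continue  # neighbour discovery and other non-echo traffic is ignored
        seq = int(m["seq"])
        if m["kind"] == "request" and m["src"] == client:
            requests.add(seq)
        elif m["kind"] == "reply" and m["dst"] == client:
            replies.add(seq)
    return sorted(requests & replies), sorted(requests - replies)


def diagnose(lines, client):
    """Map the pairing result onto the tutorial's three test outcomes."""
    answered, unanswered = pair_echoes(lines, client)
    if not answered and not unanswered:
        return "no requests seen: the router is not forwarding the client's packets"
    if not answered:
        return "requests forwarded but no replies: the subnet is not connected upstream"
    if unanswered:
        return "partially connected: no reply for seq " + ", ".join(map(str, unanswered))
    return "connected"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE.splitlines(), CLIENT))
```

Feed it the tcpdump output with `tcpdump -l -i fxp0 ip6 and host <client> | python3 this_script.py` after replacing the sample with `sys.stdin`; the partial result on the constructed sample (seq 0 answered, seq 1 and 2 not) is the pattern you see when the upstream route flaps or packets are rate-limited.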

Securing the tunnel using IPSec and racoon2

racoon2 contains daemons that maintain SAs between hosts. We will use IKE with pre-shared keys (PSK) to authenticate both ends of the tunnel and encrypt the communications.

Install racoon2

racoon2 can be installed with pkg_add -vr racoon2; you can also compile it yourself after downloading it from ftp://ftp.kame.net/pub/racoon2/

In this tutorial, we use the racoon2-20051102a.tgz snapshot.

Refer to the files USAGE.iked and USAGE.spmd for detailed configuration instructions. For more information about IKEv2 and IPSec:

  IKEv2                                : draft-ietf-ipsec-ikev2-17.txt
  PF_KEY Key Management API, Version 2 : RFC 2367

In the following, we suppose that the installation directory of racoon2 is /usr/local/racoon2.

On the router

Set up racoon2.conf

Below is the configuration file of the router, /usr/local/racoon2/etc/racoon2.conf.

  setval {
    PSKDIR	"/usr/local/racoon2/etc/psk";
    CERTDIR	"/usr/local/racoon2/etc/cert";
  };
  # interface info
  interface
  {
    ike {
	    188.66.109.55;
    };
    kink {
	     188.66.109.55  port 4174;
    };
    spmd {
	    unix "/var/run/racoon/spmif";
    };
    spmd_password "/usr/local/racoon2/etc/spmd.pwd";
  };
  # resolver info
  resolver
  {
    resolver off;
  };
  #
  # default section
  #
  default
  {
    remote {
	    ikev2 {
		    logmode normal;
		    kmp_sa_lifetime_time infinite;
		    kmp_sa_lifetime_byte infinite;
		    max_retry_to_send 3;
		    interval_to_send 10 sec;
		    times_per_send 1;
		    kmp_sa_nego_time_limit 60 sec;
		    ipsec_sa_nego_time_limit 40 sec;
		    kmp_enc_alg { aes256_cbc; 3des_cbc; };
		    kmp_hash_alg { hmac_sha1; hmac_md5; };
		    kmp_auth_method { dss; };
		    kmp_dh_group { 1; 2; 5; 14; 15; };
		    random_pad_content on;
		    random_padlen on;
		    max_padlen 50 bytes;
	    };
	    kink {
		    my_principal "kink/shoichi.tanu.org";
		    nonce_size 16 B;
	    };
    };
    policy {
	    ipsec_mode transport;
	    ipsec_level unique; # Not Yet Implemented, always 'require' 
    };
    ipsec {
	    ipsec_sa_lifetime_time infinite;
	    ipsec_sa_lifetime_byte infinite;
    };
    sa {
	    esp_enc_alg { aes128_cbc; 3des_cbc; };
	    esp_auth_alg { hmac_sha1; hmac_md5; };
    };
  };
  ipsec ipsec_ah_esp {
    ipsec_sa_lifetime_time 28800 sec;
    sa_index { ah_01; esp_01; };
  };
  ipsec ipsec_esp {
    ipsec_sa_lifetime_time 28800 sec;
    sa_index esp_01;
  };
  sa ah_01 {
    sa_protocol ah;
    ah_auth_alg { hmac_sha1; hmac_md5; };
  };
  sa esp_01 {
    sa_protocol esp;
    esp_enc_alg { aes128_cbc; 3des_cbc; };
    esp_auth_alg { hmac_sha1; hmac_md5; };
  };
  # racoon2 configuration router side
  # Node  #2 (n)
  remote Node2 {
    acceptable_kmp { ikev2; kink; };
    ikev2 {
	    my_id fqdn "cyclone.domain.com";
	    peers_id ipaddr "144.22.41.238"; 
	    peers_ipaddr "144.22.41.238" port 500;
	    kmp_enc_alg { aes192_cbc; aes192_cbc; 3des_cbc; };
	    kmp_prf_alg { hmac_md5; hmac_sha1; aes128_cbc; };
	    kmp_hash_alg { hmac_sha1; };
	    kmp_dh_group { 5; };
	    kmp_auth_method { psk; };
	    pre_shared_key "${PSKDIR}/Node2.psk";
    };
    selector_index 5;   # 2n+1
  };
  selector 4 { #(2xn)
    direction outbound;
    src 188.66.109.55;
    dst 144.22.41.238;
    upper_layer_protocol "tcp";
    policy_index TUNNEL;
  };
  selector 5 { #(2xn +1)
    direction inbound;
    src 144.22.41.238;
    dst 188.66.109.55;
    upper_layer_protocol "tcp";
    policy_index TUNNEL;
  };
  policy TUNNEL {
    action auto_ipsec;
    remote_index Node2;
    ipsec_mode transport;
    ipsec_index { ipsec_esp; };
    ipsec_level unique;
    peers_sa_ipaddr 144.22.41.238;
    my_sa_ipaddr 188.66.109.55;
  };

Create a key file for the client

Create a new file ${PSKDIR}/Node2.psk (that is, /usr/local/racoon2/etc/psk/Node2.psk) and put a secret word inside. The name of the file that contains the pre-shared key for the client Node2 is given by the pre_shared_key variable in the configuration file.

Allow isakmp traffic

The racoon2 daemons communicate over UDP port isakmp (500) to establish SAs. If a firewall is deployed on the server, rules must be added to allow the isakmp traffic between the two hosts.

  ipfw add 1 allow udp from 144.22.41.238 to 188.66.109.55 isakmp
  ipfw add 1 allow udp from 188.66.109.55 to 144.22.41.238 isakmp

Run the racoon2 daemons

  /usr/local/racoon2/sbin/spmd -F
  /usr/local/racoon2/sbin/iked -F

On the client

Set up racoon2.conf

Below is the configuration file of the client, /usr/local/racoon2/etc/racoon2.conf.

  setval {
    PSKDIR	"/usr/local/racoon2/etc/psk";
    CERTDIR	"/usr/local/racoon2/etc/cert";
  };
  # interface info
  interface
  {
    ike {
	    144.22.41.238;
    };
    kink {
	     144.22.41.238 port 4174;
    };
    spmd {
	    unix "/var/run/racoon/spmif";
    };
    spmd_password "/usr/local/racoon2/etc/spmd.pwd";
  };
  # resolver info
  resolver
  {
    resolver off;
  };
  #
  # default section
  default
  {
    remote {
	    ikev2 {
		    logmode normal;
		    kmp_sa_lifetime_time infinite;
		    kmp_sa_lifetime_byte infinite;
		    max_retry_to_send 3;
		    interval_to_send 10 sec;
		    times_per_send 1;
		    kmp_sa_nego_time_limit 60 sec;
		    ipsec_sa_nego_time_limit 40 sec;
		    kmp_enc_alg { aes256_cbc; 3des_cbc; };
		    kmp_hash_alg { hmac_sha1; hmac_md5; };
		    kmp_auth_method { dss; };
		    kmp_dh_group { 1; 2; 5; 14; 15; };
		    random_pad_content on;
		    random_padlen on;
		    max_padlen 50 bytes;
	    };
	    kink {
		    my_principal "kink/shoichi.tanu.org";
		    nonce_size 16 B;
	    };
    };
    policy {
	    ipsec_mode transport;
	    ipsec_level unique; # Not Yet Implemented, always 'require' 
    };
    ipsec {
	    ipsec_sa_lifetime_time infinite;
	    ipsec_sa_lifetime_byte infinite;
    };
    sa {
	    esp_enc_alg { aes128_cbc; 3des_cbc; };
	    esp_auth_alg { hmac_sha1; hmac_md5; };
    };
  };
  ipsec ipsec_ah_esp {
    ipsec_sa_lifetime_time 28800 sec;
    sa_index { ah_01; esp_01; };
  };
  ipsec ipsec_esp {
    ipsec_sa_lifetime_time 28800 sec;
    sa_index esp_01;
  };
  sa ah_01 {
    sa_protocol ah;
    ah_auth_alg { hmac_sha1; hmac_md5; };
  };
  sa esp_01 {
    sa_protocol esp;
    esp_enc_alg { aes128_cbc; 3des_cbc; };
    esp_auth_alg { hmac_sha1; hmac_md5; };
  };
  # Racoon2 configuration client side
  remote cyclone.domain.com {
    acceptable_kmp { ikev2; kink; };
    ikev2 {
	    my_id ipaddr "144.22.41.238";
	    peers_id fqdn "cyclone.domain.com";
	    peers_ipaddr "188.66.109.55" port 500;
	    kmp_enc_alg { aes192_cbc; aes192_cbc; 3des_cbc; };
	    kmp_prf_alg { hmac_md5; hmac_sha1; aes128_cbc; };
	    kmp_hash_alg { hmac_sha1; };
	    kmp_dh_group { 5; };
	    kmp_auth_method { psk; };
	    pre_shared_key "${PSKDIR}/cyclone.domain.com.psk";
    };
    selector_index 12;
  };
  selector 11 {
    direction outbound;
    src 144.22.41.238;
    dst 188.66.109.55;
    upper_layer_protocol "tcp";
    policy_index cyclone.domain.com;
  };
  selector 12 {
    direction inbound;
    src 188.66.109.55;
    dst 144.22.41.238;
    upper_layer_protocol "tcp";
    policy_index cyclone.domain.com;
  };
  policy cyclone.domain.com {
    action auto_ipsec;
    remote_index cyclone.domain.com;
    ipsec_mode transport;
    ipsec_index { ipsec_esp; };
    ipsec_level unique;
    peers_sa_ipaddr 188.66.109.55;
    my_sa_ipaddr 144.22.41.238;
  };
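
The selector blocks (4 and 5 on the router, 11 and 12 on the client) decide which packets the kernel's security policy will actually require ESP for. A gif tunnel carries IPv6 inside IPv4 as IP protocol 41, so a selector restricted to upper_layer_protocol "tcp" matches only TCP between the two outer addresses, not the encapsulated tunnel traffic. The following is an added example, not part of the tutorial or of racoon2, that parses the selector blocks of either configuration file and reports, for each direction, whether a selector for the outer addresses exists and whether it covers the tunnel. It treats "any", "41" and "ipv6" as values that cover the tunnel; that reading of racoon2's selector syntax is the example's assumption, and "any" is the value racoon2's sample configuration uses for selectors, as far as this example assumes.

```python
"""Added example, not part of the tutorial or of racoon2: check that the
selector blocks of a racoon2.conf cover the gif tunnel traffic between the
two outer addresses in both directions.  A gif tunnel carries IPv6 inside
IPv4 as IP protocol 41, so a selector limited to upper_layer_protocol
"tcp" only protects TCP between the hosts and leaves the tunnel in the
clear.  Treating "any", "41" and "ipv6" as values that cover the tunnel is
this example's assumption about racoon2's selector syntax."""
import re

BLOCK_RE = re.compile(r"selector\s+(\S+)\s*\{(.*?)\};", re.DOTALL)
STMT_RE = re.compile(r"(\w+)\s+([^;\n]*);")
TUNNEL_PROTOS = {"any", "41", "ipv6"}   # assumption, see module docstring

# The client-side selectors from the tutorial (router 188.66.109.55, client 144.22.41.238).
CLIENT_SELECTORS = """\
selector 11 {
  direction outbound;
  src 144.22.41.238;
  dst 188.66.109.55;
  upper_layer_protocol "tcp";
  policy_index cyclone.domain.com;
};
selector 12 { # inbound (comment added for the example)
  direction inbound;
  src 188.66.109.55;
  dst 144.22.41.238;
  upper_layer_protocol "tcp";
  policy_index cyclone.domain.com;
};
"""

# The same selectors with the upper layer protocol widened so the tunnel matches.
WIDENED_SELECTORS = CLIENT_SELECTORS.replace('"tcp"', '"any"')


def parse_selectors(conf_text):
    """Return {selector_name: {statement: value}} for every selector block in the text."""
    selectors = {}
    for name, body in BLOCK_RE.findall(conf_text):
        body = re.sub(r"#.*", "", body)                       # strip '#' comments
        selectors[name] = {k: v.strip().strip('"') for k, v in STMT_RE.findall(body)}
    return selectors


def tunnel_coverage(conf_text, my_ip, peer_ip):
    """For each direction, report 'missing', 'covers tunnel', or the protocols actually matched."""
    wanted = {"outbound": (my_ip, peer_ip), "inbound": (peer_ip, my_ip)}
    selectors = parse_selectors(conf_text)
    report = {}
    for direction, (src, dst) in wanted.items():
        matching = [f for f in selectors.values()
                    if f.get("direction") == direction and f.get("src") == src and f.get("dst") == dst]
        if not matching:
            report[direction] = "missing"
            continue
        protos = {f.get("upper_layer_protocol", "any") for f in matching}
        report[direction] = "covers tunnel" if protos & TUNNEL_PROTOS else "only " + "/".join(sorted(protos))
    return report


def tunnel_is_protected(conf_text, my_ip, peer_ip):
    """True only when both directions have a selector that covers the encapsulated traffic."""
    return all(v == "covers tunnel" for v in tunnel_coverage(conf_text, my_ip, peer_ip).values())


if __name__ == "__main__":
    print(tunnel_coverage(CLIENT_SELECTORS, "144.22.41.238", "188.66.109.55"))
    print(tunnel_coverage(WIDENED_SELECTORS, "144.22.41.238", "188.66.109.55"))
```

Run it against the real file with `tunnel_coverage(open("/usr/local/racoon2/etc/racoon2.conf").read(), my_ip, peer_ip)` on each host, swapping the two addresses for the router. Whatever the configuration says, confirm on the running system that the tunnel packets are actually being encapsulated in ESP (for example by capturing the outer IPv4 traffic between the two endpoints while pinging through the tunnel) before trusting the link.
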

Create a key file for the server

Create a new file ${PSKDIR}/cyclone.domain.com.psk and put a secret word inside.
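Both key files (Node2.psk on the router and cyclone.domain.com.psk on the client) must hold the identical secret, and since IKEv2 with PSK authentication is only as strong as that secret, a single dictionary word is a weak choice. The following is an added example, not part of the tutorial or of racoon2, that generates a random 256-bit key into a file with owner-only permissions and checks an existing key file for the obvious problems. It writes into a temporary directory so it runs anywhere; on the hosts the directory would be ${PSKDIR}. Writing the key without a trailing newline is the example's choice, not a documented racoon2 requirement.

```python
"""Added example, not from the tutorial or racoon2: create the file that
`pre_shared_key` points at with a random 256-bit secret and owner-only
permissions, and check an existing key file before the daemons are
started.  A single dictionary word is a weak IKEv2 PSK; both ends must
hold the identical secret, so the generated value is returned for copying
to the peer.  The directory is a temporary one so the example runs
anywhere; on the hosts it would be ${PSKDIR}.  Writing the key without a
trailing newline is this example's choice, not a documented racoon2
requirement."""
import os
import secrets
import stat
import tempfile

WEAK_WORDS = {"secret", "password", "racoon2", "changeme"}  # constructed denylist for the example


def write_psk(path, key=None):
    """Create `path` (refusing to overwrite) with mode 0600 holding `key`; return the key."""
    key = key or secrets.token_urlsafe(32)       # 32 random bytes as URL-safe base64 text
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    return key


def check_psk(path, min_chars=32):
    """Return the list of problems found with the key file; an empty list means it passes."""
    problems = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/others")
    with open(path) as f:
        key = f.read().rstrip("\n")
    if len(key) < min_chars:
        problems.append(f"shorter than {min_chars} characters")
    if key.lower() in WEAK_WORDS:
        problems.append("dictionary word")
    return problems


def demo(name="cyclone.domain.com.psk"):
    """Write a fresh key into a temporary PSKDIR and check it; returns (path, key, problems)."""
    pskdir = tempfile.mkdtemp(prefix="psk-")
    path = os.path.join(pskdir, name)
    key = write_psk(path)
    return path, key, check_psk(path)


if __name__ == "__main__":
    path, key, problems = demo()
    print(path, "OK" if not problems else problems)
```

Generate the key on one host, copy it to the other over an already authenticated channel (not over the tunnel it protects), and run check_psk on both files before starting spmd and iked.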

Allow isakmp traffic

The racoon2 daemons communicate over UDP port isakmp (500) to establish SAs. If a firewall is deployed on the client machine, rules must be added to allow the isakmp traffic between the two hosts.

  ipfw add 1 allow udp from 144.22.41.238 to 188.66.109.55 isakmp
  ipfw add 1 allow udp from 188.66.109.55 to 144.22.41.238 isakmp

Run the racoon2 daemons

  /usr/local/racoon2/sbin/spmd -F
  /usr/local/racoon2/sbin/iked -F
