FreeBSD VPN
IPSec VPN Using vpnc
[faith] ~> pkg_info -x vpnc
Information for vpnc-0.4.0_1:

Comment:
Client for Cisco 3000 VPN Concentrator

Description:
VPNC - Client for Cisco 3000 VPN Concentrator, IOS and PIX

Vpnc is a VPN client for the Cisco 3000 VPN Concentrator, creating a
IPSec-like connection as a tunneling network device for the local system.
The created connection is presented as a tunneling network device to the
local system. The daemon runs entirely in userspace.
See http://www.unix-ag.uni-kl.de/~massar/vpnc/
Install
[faith] ~> portinstall security/vpnc
[faith] ~> pkg_info -I -x vpnc
vpnc-0.4.0_1        Client for Cisco 3000 VPN Concentrator
Configure
[faith] ~> sudo cat /usr/local/etc/vpnc.conf
IPSec gateway vpn.xxx.com
IPSec ID General
IPsec secret foobar
Xauth username shanu
[faith] ~>
Connect
[faith] ~> sudo vpnc --debug 1
Enter password for shanker@vpn.xxx.com
vpnc version 0.4.0
IKE SA selected psk+xauth-3des-md5
NAT status: this end behind NAT? YES -- remote end behind NAT? no
Enter Username and Password.
got address 10.80.52.25
IPSEC SA selected 3des-md5
add host x.x.x.x: gateway 192.168.44.1
delete net default: gateway 192.168.44.1
add net default: gateway 10.80.52.25
VPNC started in background (pid: 6632)...
Disconnect
[faith] ~> sudo vpnc-disconnect
Terminating vpnc daemon (pid: 6632)
Split Routing
Split routing is used to route traffic for the private networks over the VPN without changing the default route. The default route continues to point to your Internet gateway (wifi router, DSL router, ISP), while network routes for the private ranges are added through the tun interface so that only they use the VPN gateway.
This ensures that your messenger, browser etc. keep using the Internet directly and only traffic for the private networks goes via the VPN.
- vpnc-custom script. Make it executable (chmod +x).
#!/bin/sh
# this effectively disables changes to /etc/resolv.conf
INTERNAL_IP4_DNS=
# This sets up split networking regardless
# of the concentrator's specifications.
# You can add as many routes as you want,
# but you must set the counter $CISCO_SPLIT_INC
# accordingly
CISCO_SPLIT_INC=1
CISCO_SPLIT_INC_0_ADDR=10.80.0.0
CISCO_SPLIT_INC_0_MASK=255.255.0.0
CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0
. /usr/local/sbin/vpnc-script
- Start vpnc with the --script option
$ sudo vpnc --script vpnc-custom
- And the new routing table
[faith] ~> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.44.1       UGS         0      797   iwi0
10.80.0.0/16       10.80.52.6         UGS         0     1115   tun0
10.80.52.6         10.80.52.6         UH          2        0   tun0
127.0.0.1          127.0.0.1          UH          0       60    lo0
192.168.44.0/24    link#1             UC          0        0   iwi0
192.168.44.1       00:08:5c:5a:bc:c0  UHLW        3      150   iwi0     90
192.168.44.2       00:16:01:4a:d3:38  UHLW        1        0   iwi0   1066
192.168.44.255     ff:ff:ff:ff:ff:ff  UHLWb       1        6   iwi0
202.46.19.135      192.168.44.1       UGHS        0     1290   iwi0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL          lo0
fe80::%lo0/64                     fe80::1%lo0                   U            lo0
fe80::1%lo0                       link#2                        UHL          lo0
ff01:2::/32                       fe80::1%lo0                   UC           lo0
ff02::%lo0/32                     fe80::1%lo0                   UC           lo0
- The default gateway still points to my DSL router. Previously it used to get set to the VPN gateway, breaking my sessions.
- 10.80.0.0/16 is the internal LAN, which is routed via the tun0 device.
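As an added example (not part of the original page), here is a generalisation of the vpnc-custom script above: it builds the CISCO_SPLIT_INC_* variables from a list of networks in CIDR notation, deriving the dotted netmask from the prefix length, so adding a second private range does not mean hand-editing six variables and the counter. The override and hand-over to the stock vpnc-script only run when vpnc invokes the script (vpnc sets $reason), so the functions can be exercised on their own; the 192.168.100.0/24 range is a constructed example.

```shell
#!/bin/sh
# vpnc-custom, generalised: derive CISCO_SPLIT_INC_* from CIDR networks.
# Added example; the network list at the bottom is constructed.

# Prefix length -> dotted-quad netmask (16 -> 255.255.0.0).
masklen_to_mask() {
    bits=$1; mask=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
        elif [ "$bits" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - bits)) ))
        fi
        mask="${mask}${mask:+.}${octet}"
        bits=$(( bits - 8 )); i=$(( i + 1 ))
    done
    echo "$mask"
}

# Print the variable assignments vpnc-script expects for each
# network given as addr/prefixlen, plus the CISCO_SPLIT_INC counter.
split_routes() {
    n=0
    for net in "$@"; do
        addr=${net%/*}; plen=${net#*/}
        echo "CISCO_SPLIT_INC_${n}_ADDR=$addr"
        echo "CISCO_SPLIT_INC_${n}_MASK=$(masklen_to_mask "$plen")"
        echo "CISCO_SPLIT_INC_${n}_MASKLEN=$plen"
        echo "CISCO_SPLIT_INC_${n}_PROTOCOL=0"
        echo "CISCO_SPLIT_INC_${n}_SPORT=0"
        echo "CISCO_SPLIT_INC_${n}_DPORT=0"
        n=$(( n + 1 ))
    done
    echo "CISCO_SPLIT_INC=$n"
}

# vpnc exports $reason (pre-init/connect/disconnect) when it runs the
# script; only then override the concentrator's settings and hand over
# to the stock vpnc-script. Run by hand, nothing is changed.
if [ -n "${reason:-}" ]; then
    INTERNAL_IP4_DNS=          # leave /etc/resolv.conf alone
    eval "$(split_routes 10.80.0.0/16 192.168.100.0/24)"
    . /usr/local/sbin/vpnc-script
fi
```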
OpenSSH
Multiple ssh sessions to the same host can be greatly sped up by reusing the existing network connection. It has brought the session setup time down to the millisecond range and makes all the scripts run much quicker.
ControlMaster
- ssh_config(5)
ControlMaster
    Enables the sharing of multiple sessions over a single network
    connection. When set to ``yes'', ssh(1) will listen for connections
    on a control socket specified using the ControlPath argument.
    Additional sessions can connect to this socket using the same
    ControlPath with ControlMaster set to ``no'' (the default). These
    sessions will try to reuse the master instance's network connection
    rather than initiating new ones, but will fall back to connecting
    normally if the control socket does not exist, or is not listening.
- Config
### ~/.ssh/config
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
- First Session
[faith] ~> ssh -p 2222 localhost -v
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8d 28 Sep 2006
debug1: Reading configuration data /home/shanu/.ssh/config
debug1: Applying options for localhost
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: auto-mux: Trying existing master
debug1: Control socket "/tmp/shanker@localhost:2222" does not exist
debug1: Connecting to localhost [127.0.0.1] port 2222.
debug1: Connection established.
debug1: identity file /home/shanu/.ssh/id_rsa type 1
debug1: identity file /home/shanu/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5p1 FreeBSD-20061110
debug1: match: OpenSSH_4.5p1 FreeBSD-20061110 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-cbc hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[localhost]:2222' is known and matches the DSA host key.
debug1: Found key in /home/shanu/.ssh/known_hosts:22
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/shanu/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/shanu/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (keyboard-interactive).
debug1: setting up multiplex master socket
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Sun Mar 25 14:05:28 2007 from xxxx
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
- Control File
Note that the control socket has now been created for the destination host. Since /tmp is shared with every user on the machine, for better security set ControlPath to a directory within $HOME.
[faith] ~> ls -l /tmp/shanker@localhost:2222
srw-------  1 shanu  wheel  0 Mar 25 14:09 /tmp/shanker@localhost:2222=
- Subsequent Sessions
[faith] ~> ssh -v -p 2222 localhost
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8d 28 Sep 2006
debug1: Reading configuration data /home/shanu/.ssh/config
debug1: Applying options for localhost
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: auto-mux: Trying existing master
Last login: Sun Mar 25 14:09:47 2007 from xxx
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
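As an added example (not from the original page), a small sh helper that checks whether a directory is safe to hold ControlMaster sockets and creates one: anyone who can connect to the master socket gets an authenticated session on the remote host, so the directory must be private to the user and not in a shared location such as /tmp. The /tmp check is on the path as written, and the directory name ~/.ssh/ctl is an assumption.

```shell
#!/bin/sh
# Validate a directory intended for ssh ControlMaster sockets.
# Added example; ~/.ssh/ctl is an assumed location, not from the page.
#
# Returns 0 when the directory is acceptable, 1 otherwise (reason on stderr).
control_dir_ok() {
    dir=$1
    case "$dir" in
        /tmp/*|/var/tmp/*)
            echo "$dir: shared temporary directory, use one under \$HOME" >&2
            return 1 ;;
    esac
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ld rather than stat(1), whose flags differ between BSD and GNU
    set -- $(ls -ld "$dir")
    perms=$1; owner=$3
    [ "$owner" = "$(id -un)" ] || { echo "$dir: owned by $owner" >&2; return 1; }
    case "$perms" in
        drwx------*) return 0 ;;
        *) echo "$dir: permissions $perms allow group/other access" >&2
           return 1 ;;
    esac
}

# Create the directory with safe permissions, verify it, and print the
# ControlPath line to put in ~/.ssh/config (same %r@%h:%p naming as above).
make_control_dir() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" && control_dir_ok "$dir" || return 1
    echo "ControlPath $dir/%r@%h:%p"
}

# Typical use: make_control_dir "$HOME/.ssh/ctl" >> ~/.ssh/config
```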
Tunnels
### ~/.ssh/config
Host proxyhost
    User shanker
    Protocol 2
    LocalForward 5900 buffy.xxx.com:5900
    LocalForward 9999 buffy.xxx.com:9999
    LocalForward 2222 buffy.xxx.com:22
    LocalForward 1080 socks1.xxx.com:1080
    LocalForward 2229 envelope9.xxx.com:22
    LocalForward 2220 envelope10.xxxcom:22
    LocalForward 1430 buffy.xxx:143