首頁 » 好用的 Router System » pfsense

pfsense - IPSec

由 datahunter 在 二, 02/10/2018 - 12:17 發表

 

 

 

IKEv2

built-in support for mobile clients and NAT

 

Disable Rekey

Selecting this option will instruct pfSense to not initiate a rekey event on the tunnel.

Some clients (Especially Windows clients behind NAT) will misbehave when they receive a rekey request,

so it is safer in these cases to allow the client to initiate the rekey by disabling the option on the server.

Disable Reauth (IKEv2 Only)

This option only appears for IKEv2 tunnels, IKEv1 will always re-authenticate.

If this option is checked, then when a tunnel rekeys it does not re-authenticate the peer.

When unchecked, the SA is removed and negotiated in full rather than only rekeying.

Margintime (Seconds):

Leave blank. Defines an alternate time frame in which a rekey attempt should be made.

MOBIKE: (IKEv2 Only)

When enabled, allows a roaming or multi-homed peer to change IP addresses.

Leave set to Disable unless this scenario is required.

Responder Only

If Responder Only is selected, then pfSense will not attempt to initiate the tunnel when traffic attempts to cross.

The tunnel will only be established when the far side initiates the connection.

Also, if DPD detects that the tunnel has failed, the tunnel will be left down rather than restarted, leaving it up to the far side to reconnect.

Dead Peer Detection (DPD)

Dead Peer Detection (DPD) is a periodic check that the host on the other end of the IPsec tunnel is still alive.

If a DPD check fails, the tunnel is torn down by removing its associated SAD entries and renegotiation is attempted.

Delay:            Time between DPD probe attempts. The default of 10 is best.

Max Failures:    Number of failures before the peer is considered down. The default of 5 is best.

Automatically ping host:

An IP address in the remote Phase 2 network to ping to keep the tunnel alive.

Any IP address within the Remote Network of this phase 2 definition may be used.
It does not have to reply or even exist, simply triggering traffic destined to that network periodically will keep the IPsec connection up and running.

 

FreeBSD - setkey

 

功能: manually manipulate the IPsec SA/SP database

-D         # Dump the SAD entries. 

             # If with -P, the SPD entries are dumped.

  • SAD: Security Association Database
  • SPD: Security Policy Database

setkey -D

x.x.x.x y.y.y.y
        esp mode=tunnel spi=3762831556(0xe04840c4) reqid=2(0x00000002)
        E: rijndael-cbc  ?
        A: hmac-sha2-256  ?
        seq=0x0000ace4 replay=0 flags=0x00000000 state=mature
        created: Oct  2 00:48:45 2018   current: Oct  2 11:32:23 2018
        diff: 38618(s)  hard: 0(s)      soft: 0(s)
        last: Oct  2 00:48:45 2018      hard: 0(s)      soft: 0(s)
        current: 7592896(bytes) hard: 0(bytes)  soft: 0(bytes)
        allocated: 44260        hard: 0 soft: 0
        sadb_seq=1 pid=7698 refcnt=1
y.y.y.y x.x.x.x
        esp mode=tunnel spi=3265298573(0xc2a0808d) reqid=2(0x00000002)
        E: rijndael-cbc  ?
        A: hmac-sha2-256  ?
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct  2 00:48:35 2018   current: Oct  2 11:32:23 2018
        diff: 38628(s)  hard: 0(s)      soft: 0(s)
        last: Oct  2 00:50:02 2018      hard: 0(s)      soft: 0(s)
        current: 1469428(bytes) hard: 0(bytes)  soft: 0(bytes)
        allocated: 5144 hard: 0 soft: 0
        sadb_seq=0 pid=7698 refcnt=1

setkey -D -P

192.168.0.0/16[any] 10.10.10.0/24[any] any
        in ipsec
        esp/tunnel/y.y.y.y-x.x.x.x/unique:2
        created: Oct  2 00:48:35 2018  lastused: Oct  2 11:30:02 2018
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=39 seq=2 pid=7836 scope=global
        refcnt=1
        
10.10.10.0/24[any] 192.168.0.0/16[any] any
        out ipsec
        esp/tunnel/x.x.x.x-y.y.y.y/unique:2
        created: Oct  2 00:48:45 2018  lastused: Oct  2 11:32:37 2018
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=40 seq=0 pid=7836 scope=global
        refcnt=1

....

 

SPDs

 

Site A

wan: x.x.x.x

lan: 10.10.10.0/24

Site B

wan: y.y.y.y

lan: 192.168.0.0/16

SPD 是指

Source (10.10.10.0/24)

Destination (192.168.0.0/16)

Protocol (ESP ...)

Tunnel endpoints (x.x.x.x -> y.y.y.y)

 * 即使 ipsec connection 未起都有此資料

 

SADs (P2)

 

 * 要 ipsec connection 建立了才有此資料

Menu: Status / IPsec

Source

x.x.x.x

Destination

y.y.y.y

Enc. alg.

rijndael-cbc

The Advanced Encryption Standard (AES), also known by its original name Rijndael

Auth. alg.

hmac-sha2-256

hmac:

  • Hash-based message authentication code

sha (Secure Hashing Algorithm)

  • SHA-1 is a 160-bit hash.
  • SHA-2 is actually a “family” of hashes and comes in a variety of lengths, the most popular being 256-bit.
  • SHA-3 is internally quite different from the MD5-like structure of SHA-1 and SHA-2.

 

More P2

 

IPComp: none

"IPComp: none" in the IPSec status phase two "Algo" column.

IPsec->advanced settings to enable IPcomp on IPsec

 

 

 

»
  • 瀏覽次數: 985