Scenarios (IPv6 and IP Security) Part 1

In this section, we describe some practical scenarios and configuration examples using racoon. As we have seen, racoon has many configuration knobs. However, in most cases, using the default values suffices.

Creating a VPN between 3 Networks

It is very common to create a VPN using IPsec. Figure 6-27 shows the network described in this example. There are three organizations. Organization A has 2001:db8:100::/48 as its IPv6 address block and the security gateway SG A. Organization B has 2001:db8:200::/48 and the security gateway SG B. Organization C has 2001:db8:300::/48 and the security gateway SG C.

Setting Up Security Policies

To connect the three organizations described in Figure 6-27 using IP security, we need the following policies.

• All traffic from organization A to organization B must be tunneled from SG A to SG B.

• All traffic from organization A to organization C must be tunneled from SG A to SG C.

• All traffic from organization B to organization A must be tunneled from SG B to SG A.

• All traffic from organization B to organization C must be tunneled from SG B to SG C.

• All traffic from organization C to organization A must be tunneled from SG C to SG A.

• All traffic from organization C to organization B must be tunneled from SG C to SG B.


These policies are written in setkey syntax in Figure 6-28.
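The following script is an added example, not the page's own Figure 6-28 or any code from the book: it generates the setkey policy script for one of the three security gateways from a site table, covering the full mesh described in the list above. The gateway addresses (SG A at 2001:db8:100::1, SG B at 2001:db8:200::1, SG C at 2001:db8:300::1) are assumptions, since the text names the gateways but gives no addresses.

```shell
#!/bin/sh
# Added example (not from the original page): emit the full-mesh, tunnel-mode
# SPD for one security gateway in setkey syntax. The gateway addresses below
# are ASSUMED; the text names SG A/B/C but does not give their addresses.

# Site table, constructed for this example: "<name> <prefix> <gateway>"
SITES='A 2001:db8:100::/48 2001:db8:100::1
B 2001:db8:200::/48 2001:db8:200::1
C 2001:db8:300::/48 2001:db8:300::1'

site_prefix() { echo "$SITES" | awk -v n="$1" '$1 == n { print $2 }'; }
site_gw()     { echo "$SITES" | awk -v n="$1" '$1 == n { print $3 }'; }

# spd_for NAME: print the setkey script SG NAME needs. For every other site
# it emits two policies, one per direction, so that every pair of
# organizations is covered by exactly one tunnel in each direction.
spd_for() {
    self=$1
    my_prefix=$(site_prefix "$self")
    my_gw=$(site_gw "$self")
    [ -n "$my_gw" ] || { echo "unknown site: $self" >&2; return 1; }
    echo "flush;"      # drop stale SAs ...
    echo "spdflush;"   # ... and stale policies before installing the new set
    echo "$SITES" | while read -r peer prefix gw; do
        [ "$peer" = "$self" ] && continue
        # outbound: our prefix -> peer prefix, ESP tunnel from our SG to theirs
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$my_prefix" "$prefix" "$my_gw" "$gw"
        # inbound: the mirror image, i.e. the peer's outbound policy seen here
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$prefix" "$my_prefix" "$gw" "$my_gw"
    done
}

# Usage on SG A (review the output first, then feed it to setkey):
#   sh spd.sh A                 # print only
#   sh spd.sh A | setkey -c     # install into the kernel SPD
if [ -n "${1:-}" ]; then
    spd_for "$1"
fi
```

Each gateway ends up with four spdadd lines: an out and an in policy per peer. The require level means traffic matching a policy is dropped rather than sent in the clear if no SA exists yet, which is what forces racoon to negotiate one. On the KAME stack this page targets, forwarded packets are checked against the in policy; on Linux with ipsec-tools, forwarded traffic is matched by a separate -P fwd policy, so a gateway there needs a third line per peer.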

Setting Up racoon

The SA entries themselves are not written by hand: racoon (the IKE daemon) negotiates them with the peer gateway when traffic matches one of the policies above and installs them into the kernel SAD. We use the following configuration parameters.

FIGURE 6-27

FIGURE 6-28

• Phase-I parameters

— lifetime of ISAKMP SA entries is 24 hours

— pre-shared key for authentication

— 3des algorithm for encryption

— sha1 algorithm for integrity

— modp1024 group for Diffie-Hellman exponentiation

— always accept the initiator's proposal (proposal_check obey)

• Phase-II parameters

— lifetime of IPsec SA entries is 12 hours

— possible encryption algorithms are: 3des, cast128, blowfish with a 448-bit key, des, rijndael

— possible authentication algorithms are: hmac_sha1, hmac_md5

— modp1024 group for Diffie-Hellman exponentiation (PFS)

Figure 6-29 shows the actual racoon configuration file for this scenario. We also need a file containing the pre-shared key for each peer security gateway. Figure 6-30 shows the content of that file, which should be placed as /usr/local/etc/psk.txt on each security gateway.
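The following script is an added example and is not the page's Figure 6-29 or Figure 6-30: it generates racoon.conf and psk.txt for one gateway from the parameter list above, with one remote block per peer and one sainfo block. The gateway addresses and the shared secrets are constructed placeholders (the text gives neither); everything else maps one-to-one onto the listed Phase-I and Phase-II parameters.

```shell
#!/bin/sh
# Added example (not from the original page): emit racoon.conf and psk.txt for
# one security gateway from the parameter list above. Gateway addresses and
# the shared secrets are ASSUMED/constructed; replace them on a real deployment.

# Site table, constructed for this example: "<name> <prefix> <gateway>"
SITES='A 2001:db8:100::/48 2001:db8:100::1
B 2001:db8:200::/48 2001:db8:200::1
C 2001:db8:300::/48 2001:db8:300::1'

# One secret per pair of gateways; constructed placeholders only
KEYS='A B ab-shared-secret-CHANGE-ME
A C ac-shared-secret-CHANGE-ME
B C bc-shared-secret-CHANGE-ME'

site_gw() { echo "$SITES" | awk -v n="$1" '$1 == n { print $3 }'; }

# pair_key X Y: the same secret whichever end asks, so both sides agree
pair_key() {
    echo "$KEYS" | awk -v x="$1" -v y="$2" \
        '($1 == x && $2 == y) || ($1 == y && $2 == x) { print $3 }'
}

# racoon_conf_for NAME: one "remote" block per peer gateway (phase 1) and a
# single "sainfo anonymous" block (phase 2) carrying the parameters from the text.
racoon_conf_for() {
    self=$1
    cat <<EOF
# racoon.conf for SG $self (generated)
path pre_shared_key "/usr/local/etc/psk.txt";

EOF
    echo "$SITES" | while read -r peer prefix gw; do
        [ "$peer" = "$self" ] && continue
        cat <<EOF
remote $gw {
        exchange_mode main;
        lifetime time 24 hour;           # ISAKMP SA lifetime
        proposal_check obey;             # always accept the initiator's proposal
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

EOF
    done
    cat <<EOF
sainfo anonymous {
        pfs_group modp1024;
        lifetime time 12 hour;           # IPsec SA lifetime
        encryption_algorithm 3des, cast128, blowfish 448, des, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
}
EOF
}

# psk_for NAME: psk.txt lines, "<peer identifier> <secret>", one per peer.
# With address identifiers (racoon's default) the identifier is the peer's
# gateway address.
psk_for() {
    self=$1
    echo "$SITES" | while read -r peer prefix gw; do
        [ "$peer" = "$self" ] && continue
        printf '%s\t%s\n' "$gw" "$(pair_key "$self" "$peer")"
    done
}

# install_psk NAME [DEST]: write psk.txt readable by its owner only; the file
# holds the secrets in cleartext.
install_psk() {
    dest=${2:-/usr/local/etc/psk.txt}
    (umask 077; psk_for "$1" > "$dest") && chmod 600 "$dest"
}

# Usage on SG A:  sh racoon-gen.sh A > /usr/local/etc/racoon.conf
if [ -n "${1:-}" ]; then
    racoon_conf_for "$1"
fi
```

Two points worth checking on a real deployment. First, the pair secret must be identical on both gateways of a tunnel and the psk.txt on SG A lists SG B's address, while the one on SG B lists SG A's; a mismatch shows up as a failed Phase-I authentication, not as a clear error. Second, proposal_check obey combined with a Phase-II list that still contains des and hmac_md5 means the responder will accept single DES if the initiator proposes it; the list reproduces what the page configures, but a practitioner would drop des from it.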

FIGURE 6-29