Use of Proprietary Information and Copyright Notice. This document contains proprietary information that is to be used only by the Sippy Software, Inc. customers. Any unauthorized disclosure, copying, distribution, or use of this information is prohibited. (c) 2006-2019 Sippy Software, Inc. All rights reserved.


This Sippy competency is available for Non-hosted solutions only. Contact sales@sippysoft.com for more information.


Glossary:

IKE_GW_IP - IP address of the IKE gateway. It should be pingable from the switch even when no tunnel is established, because the switch connects to this address to establish the tunnel.

REMOTE_GW_NET/YY - the remote gateways' subnet for signalling; traffic to those IPs should be routed through the IPSec tunnel.

SIPPY_IP - the IP assigned to the Sippy server from which the IPSec provider expects to receive the encrypted packets. On the provider's side SIPPY_IP should be allowed for IKE_GW_IP.

SIPPY_NET/32 - subnet of the Sippy IP addresses that Verizon authorizes for sending traffic back. Formerly this was a whole subnet; now it can be YOUR_IP/32.


The IPSec solution has been tested with two major providers - Verizon and BT.


To be able to set up IPSec we require the following information:

  • IKE gateway IP address
  • Remote gateways subnet
  • SIP signalling IPs that should be reachable after the tunnel is set up
  • a pre-shared key for each IKE gateway IP address
  • List of Sippy IPs that are authorized to send traffic into the tunnel. It can be a subnet or one IP per IKE_GW_IP

  • proposal configuration for each phase; the fully tested combinations are:

OPTION 1: p1 = "pre-g2-3des-md5" # p2 = "g2-3des-md5"
OPTION 2: p1 = "pre-g5-3des-sha1" # p2 = "g5-3des-sha1"

Legend / Glossary: (This legend assumes you have chosen OPTION 1 from the above list.)

p1 = "Phase 1" settings.

pre = The "authentication method" in use. pre stands for 'Pre-Shared'.

g2 = The "Diffie-Hellman group" used. g2 stands for 'Group 2'.

3des = The "encryption method" used. 3des stands for 'Triple Data Encryption Algorithm'.

md5 = The "hash method" used. md5 stands for 'Message-Digest Algorithm 5'.

---------------------------------------

p2 = "Phase 2" settings.

g2 = The "Diffie-Hellman group" used. g2 stands for 'Group 2'.

3des = The "encryption method" used. 3des stands for 'Triple Data Encryption Algorithm'.

md5 = The "hash method" used. md5 stands for 'Message-Digest Algorithm 5'.


1. Install ports/security/ipsec-tools [the latest version of Sippy ships with this package installed, so you can skip this step]


2. Create /etc/ipsec.rules:

flush;
spdflush;
spdadd SIPPY_NET/32 REMOTE_GW_NET/YY any -P out ipsec
  esp/tunnel/SIPPY_IP-IKE_GW_IP/require;
spdadd REMOTE_GW_NET/YY SIPPY_NET/32 any -P in ipsec
  esp/tunnel/IKE_GW_IP-SIPPY_IP/require;


# Repeat the out/in pair above with the data of each additional gateway in case you have 2+ IKE_GW_IPs


Explanation of the out part:

For outgoing packets of any protocol from the network SIPPY_NET/32 to the network REMOTE_GW_NET/YY

it is required to use IPSec with ESP encryption (esp) in tunnel mode: the packet is encrypted on host SIPPY_IP

and the encrypted packet is addressed to host IKE_GW_IP.

Explanation of the in part:

For incoming packets of any protocol from the network REMOTE_GW_NET/YY to the network SIPPY_NET/32

it is required that the traffic arrives ESP-encrypted (esp) through the tunnel, encrypted on host IKE_GW_IP,

and is received as an encrypted packet on host SIPPY_IP.


Note1:

There can be multiple rules for different REMOTE_GW_NETs, each with its corresponding IKE_GW_IP.

Note2:

Pay attention to the spaces: before esp there should be 2 spaces, not 3 or 1.

Note3:

The prefix length (XX) of SIPPY_NET should most likely be /32; that is how it works in most cases.
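The out/in policy pair above is the unit that gets repeated per gateway (Note1), and a duplicated pair is one of the causes of the setkey "File exists" error described under "Additional information" below. The following script is an added example written for this document, not Sippy's own tooling: render_ipsec_rules produces the file in the layout shown above for any number of gateways, and check_ipsec_rules flags duplicate selectors, continuation lines that do not follow the two-space "esp/tunnel" layout, and an out policy without its mirrored in policy. The addresses are constructed documentation values, and the function and variable names are this example's own.

```python
"""Render /etc/ipsec.rules for one or more IKE gateways and sanity-check
the result.  Added example for this document, not Sippy's own tooling."""
import re

# Constructed sample values (RFC 5737 documentation ranges); replace them with
# the SIPPY_NET, SIPPY_IP, IKE_GW_IP and REMOTE_GW_NET/YY values you were given.
SIPPY_NET = "192.0.2.10/32"
SIPPY_IP = "192.0.2.10"
GATEWAYS = [
    ("198.51.100.1", "203.0.113.0/25"),    # (IKE_GW_IP, REMOTE_GW_NET/YY)
    ("198.51.100.2", "203.0.113.128/25"),  # a second IKE gateway
]


def render_ipsec_rules(sippy_net, sippy_ip, gateways):
    """Return ipsec.rules text: flush/spdflush, then an out+in policy pair
    per gateway, laid out as in this document (two-space line before esp)."""
    lines = ["flush;", "spdflush;"]
    for ike_gw_ip, remote_net in gateways:
        lines.append(f"spdadd {sippy_net} {remote_net} any -P out ipsec")
        lines.append(f"  esp/tunnel/{sippy_ip}-{ike_gw_ip}/require;")
        lines.append(f"spdadd {remote_net} {sippy_net} any -P in ipsec")
        lines.append(f"  esp/tunnel/{ike_gw_ip}-{sippy_ip}/require;")
    return "\n".join(lines) + "\n"


SPDADD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s*$")
TUNNEL_RE = re.compile(r"^  esp/tunnel/(\S+)-(\S+)/require;\s*$")


def check_ipsec_rules(text):
    """Return a list of human-readable problems; empty means the file looks sane.

    Checks: (1) duplicate selectors, which make setkey report 'File exists';
    (2) continuation lines that do not follow the two-space 'esp/tunnel'
    layout; (3) every out tunnel A-B has a matching in tunnel B-A and vice versa."""
    problems = []
    seen = {}
    tunnels = {"in": set(), "out": set()}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = SPDADD_RE.match(line)
        if not m:
            continue                      # comments, blanks, continuation lines
        key = m.groups()                  # (src, dst, proto, direction)
        if key in seen:
            problems.append(f"line {i + 1}: duplicate policy '{' '.join(key)}' (first on line {seen[key]})")
        else:
            seen[key] = i + 1
        cont = lines[i + 1] if i + 1 < len(lines) else ""
        t = TUNNEL_RE.match(cont)
        if t is None:
            problems.append(f"line {i + 2}: expected a two-space '  esp/tunnel/A-B/require;' line after the policy")
        else:
            tunnels[key[3]].add((t.group(1), t.group(2)))
    for local, remote in tunnels["out"]:
        if (remote, local) not in tunnels["in"]:
            problems.append(f"out tunnel {local}-{remote} has no matching in tunnel {remote}-{local}")
    for remote, local in tunnels["in"]:
        if (local, remote) not in tunnels["out"]:
            problems.append(f"in tunnel {remote}-{local} has no matching out tunnel {local}-{remote}")
    return problems


if __name__ == "__main__":
    rules = render_ipsec_rules(SIPPY_NET, SIPPY_IP, GATEWAYS)
    print(rules)
    print("problems:", check_ipsec_rules(rules) or "none")
```

Run the checker against the file you are about to load (for example by reading /etc/ipsec.rules into check_ipsec_rules) before running /etc/rc.d/ipsec start; an empty list means none of the three conditions was found.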


3. Create /usr/local/etc/racoon/psk.txt:

IKE_GW_IP SHARED_KEY


4. Create /usr/local/etc/racoon/racoon.conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
timer
{
        phase1 28800 sec; # max time for the phase to complete
        phase2 3600 sec; # max time for the phase to complete
        interval 1 min; # the interval to resend
}
listen
{
        isakmp  SIPPY_IP; # Force racoon to listen only on this address, you can specify the port with " [port]"
        strict_address; # Require all addresses to be bound
}

# IKE gateway1 address, phase 1 is defined here

remote IKE_GW_IP # custom port can be set here (default is 500), e.g. "[2500]"
{
        my_identifier address SIPPY_IP; # identifier to be sent to remote host
        peers_identifier address IKE_GW_IP;
        exchange_mode main; # main, aggressive or base
        passive         off; # if you want to initiate the negotiation, set to off
        proposal_check  obey; # the responder will obey the initiator anytime
        lifetime time 15 min; # sec,min,hour, proposal of phase 1 lifetime

        # phase 1 proposal
        proposal
        {
                encryption_algorithm 3des; # encryption for ph1, either des,3des,blowfish,cast128
                hash_algorithm md5; # hash for ph1, either md5,sha1
                authentication_method pre_shared_key; # authentication for ph1
                dh_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5
        }
}

## remote IKE_GW_IP_2 # in case you have 2+ IPsec GWs
## {
##        my_identifier address SIPPY_IP; # identifier to be sent to remote host
##        peers_identifier address IKE_GW_IP_2;
##        exchange_mode main; # main, aggressive or base
##        passive         off; # if you want to initiate the negotiation, set to off
##        proposal_check  obey; # the responder will obey the initiator anytime
##        lifetime time 15 min; # sec,min,hour, proposal of phase 1 lifetime
##
##        # phase 1 proposal
##        proposal
##        {
##                encryption_algorithm 3des; # encryption for ph1, either des,3des,blowfish,cast128,aes128
##                hash_algorithm md5; # hash for ph1, either md5,sha1
##                authentication_method pre_shared_key; # authentication for ph1
##                dh_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5
##        }
## }

# Phase 2, IPsec-SA (negotiated over the phase 1 ISAKMP-SA)

sainfo anonymous
{
        pfs_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5
        encryption_algorithm 3des; # encryption for ph2, either des,3des,des_iv64,des_iv32,rc5,rc4,idea,3idea,cast128,blowfish,null_enc,twofish,rijndael,aes128
        authentication_algorithm hmac_md5 ; # authentication for ph2, either des,3des,des_iv64,des_iv32,hmac_md5,hmac_sha1,non_auth
        compression_algorithm deflate;
        lifetime time 15 min; # sec,min,hour, proposal of phase 2 lifetime
}

## sainfo address SIPPY_IP/XX any address REMOTE_GW_NET/YY any # in case you have 2+ IPsec GWs
## {
##        pfs_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5
##        encryption_algorithm 3des; # encryption for ph2, either des,3des,des_iv64,des_iv32,rc5,rc4,idea,3idea,cast128,blowfish,null_enc,twofish,rijndael
##        authentication_algorithm hmac_sha1 ; # authentication for ph2, either des,3des,des_iv64,des_iv32,hmac_md5,hmac_sha1,non_auth
##        compression_algorithm deflate;
##        lifetime time 3600 sec; # sec,min,hour, proposal of phase 2 lifetime
## }


# Enable logging if needed. Available options: notify,debug,debug2

#log debug2;
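The remote and sainfo sections above map one-to-one onto the legend for OPTION 1 and OPTION 2: "pre" becomes authentication_method pre_shared_key, "gN" becomes dh_group N in phase 1 and pfs_group N in phase 2, "3des" becomes encryption_algorithm, and "md5"/"sha1" become hash_algorithm in phase 1 and hmac_md5/hmac_sha1 in phase 2. The following is an added example, not part of this document or of Sippy's software: it parses those proposal strings and renders the remote and sainfo sections for one or more IKE gateways, emitting a separate pair per gateway (with an address selector instead of anonymous when there are several, as the commented sections above do). The sample addresses are constructed; the timer, listen and lifetime values are the ones from the configuration above.

```python
"""Render racoon.conf from the proposal strings used in this document
(p1 "pre-g2-3des-md5", p2 "g2-3des-md5", or the g5/sha1 variants) for one
or more IKE gateways.  Added example, not Sippy's own tooling."""

# Legend tokens -> racoon directives.  Only the tokens from the two tested
# OPTIONs are mapped; anything else is rejected rather than guessed.
AUTH_METHOD = {"pre": "pre_shared_key"}
HASH_P1 = {"md5": "md5", "sha1": "sha1"}
AUTH_P2 = {"md5": "hmac_md5", "sha1": "hmac_sha1"}
CIPHERS = {"3des"}


def parse_p1(p1):
    """'pre-g2-3des-md5' -> phase 1 directives for the remote section."""
    auth, group, enc, hash_ = p1.split("-")
    if auth not in AUTH_METHOD or group[:1] != "g" or enc not in CIPHERS or hash_ not in HASH_P1:
        raise ValueError(f"unsupported phase 1 proposal {p1!r}")
    return {"authentication_method": AUTH_METHOD[auth], "dh_group": int(group[1:]),
            "encryption_algorithm": enc, "hash_algorithm": HASH_P1[hash_]}


def parse_p2(p2):
    """'g2-3des-md5' -> phase 2 directives for the sainfo section."""
    group, enc, hash_ = p2.split("-")
    if group[:1] != "g" or enc not in CIPHERS or hash_ not in AUTH_P2:
        raise ValueError(f"unsupported phase 2 proposal {p2!r}")
    return {"pfs_group": int(group[1:]), "encryption_algorithm": enc,
            "authentication_algorithm": AUTH_P2[hash_]}


def render_racoon_conf(sippy_ip, gateways, p1, p2,
                       psk_path="/usr/local/etc/racoon/psk.txt"):
    """gateways: list of (IKE_GW_IP, REMOTE_GW_NET/YY).  Emits one remote and
    one sainfo section per gateway.  A single gateway keeps 'sainfo anonymous'
    as in this document; several gateways get address selectors so each
    phase 2 proposal is tied to its own remote subnet."""
    ph1, ph2 = parse_p1(p1), parse_p2(p2)
    out = [f'path pre_shared_key "{psk_path}";',
           "timer", "{",
           "        phase1 28800 sec;", "        phase2 3600 sec;",
           "        interval 1 min;", "}",
           "listen", "{",
           f"        isakmp {sippy_ip};", "        strict_address;", "}", ""]
    for ike_gw_ip, remote_net in gateways:
        out += [f"remote {ike_gw_ip}", "{",
                f"        my_identifier address {sippy_ip};",
                f"        peers_identifier address {ike_gw_ip};",
                "        exchange_mode main;",
                "        passive off;",
                "        proposal_check obey;",
                "        lifetime time 15 min;",
                "        proposal", "        {",
                f"                encryption_algorithm {ph1['encryption_algorithm']};",
                f"                hash_algorithm {ph1['hash_algorithm']};",
                f"                authentication_method {ph1['authentication_method']};",
                f"                dh_group {ph1['dh_group']};",
                "        }", "}", ""]
        selector = ("anonymous" if len(gateways) == 1
                    else f"address {sippy_ip}/32 any address {remote_net} any")
        out += [f"sainfo {selector}", "{",
                f"        pfs_group {ph2['pfs_group']};",
                f"        encryption_algorithm {ph2['encryption_algorithm']};",
                f"        authentication_algorithm {ph2['authentication_algorithm']};",
                "        compression_algorithm deflate;",
                "        lifetime time 15 min;",
                "}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(render_racoon_conf("192.0.2.10",
                             [("198.51.100.1", "203.0.113.0/25"),
                              ("198.51.100.2", "203.0.113.128/25")],
                             "pre-g2-3des-md5", "g2-3des-md5"))
```

The parsers reject any token outside the two tested OPTIONs on purpose: a typo in the proposal string should fail here rather than produce a racoon.conf that negotiates something the provider never agreed to.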



5. Add commands to load racoon and ipsec config into rc.conf:

ipsec_enable="YES"
ipsec_file="/etc/ipsec.rules"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"


6. Make sure psk.txt has the correct permissions: 

$ sudo chmod 600 /usr/local/etc/racoon/psk.txt


7. Load the ipsec rules (ipsec is not a daemon, so no process will appear), then start racoon, which should keep running as a daemon: 

$ sudo /etc/rc.d/ipsec start
$ sudo /usr/local/etc/rc.d/racoon restart
$ sudo /usr/local/etc/rc.d/racoon status

Sometimes it might fail to start with the following error message: 

/usr/local/etc/rc.d/racoon: WARNING: /var/db/racoon is not a directory.

In such case create this directory and try to start it again: 

$ sudo mkdir /var/db/racoon
$ sudo /usr/local/etc/rc.d/racoon start

Image with the example is attached.


8. To check the tunnel, ping one of the IPs from the Verizon net after the tunnel is established. SIP IPs are preferable; the target IP you ping should be located in REMOTE_GW_NET/YY.

$ ping -S SIPPY_IP SIP_SIGNALLING_IP



9. Check that the tunnel has been established successfully; expected output:

# setkey -D
SIPPY_IP IKE_GW_IP
esp mode=tunnel spi=1197346408(0x475e0e68) reqid=0(0x00000000)
E: 3des-cbc 1e14930b 24956ab2 9b59f0c5 b9663dbe ddddc15a 12709f72
A: hmac-sha1 f3bcb876 12d33057 55d50c6f 2fb64dbb 38f91d72
seq=0x0000000a replay=4 flags=0x00000000 state=mature
created: Nov 6 17:55:24 2015 current: Nov 6 18:16:18 2015
diff: 1254(s) hard: 28800(s) soft: 23040(s)
last: Nov 6 17:55:34 2015 hard: 0(s) soft: 0(s)
current: 1360(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=1 pid=61849 refcnt=2
IKE_GW_IP SIPPY_IP
esp mode=tunnel spi=54124353(0x0339df41) reqid=0(0x00000000)
E: 3des-cbc d35278ac cb8f9821 944a8b8e 53cc0b67 28fce357 75208117
A: hmac-sha1 22ae0a4d 28cd25bf 7c4b78a9 f19c8153 2f97a2ba
seq=0x0000000a replay=4 flags=0x00000000 state=mature
created: Nov 6 17:55:24 2015 current: Nov 6 18:16:18 2015
diff: 1254(s) hard: 28800(s) soft: 23040(s)
last: Nov 6 17:55:34 2015 hard: 0(s) soft: 0(s)
current: 1040(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=0 pid=61849 refcnt=1
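A healthy tunnel shows two SAs in the dump above, one per direction, both in state=mature, and the diff/hard/soft line tells you how far each SA is through its lifetime. The following parser is an added example, not part of this document or of Sippy's software: it reads "setkey -D" output into one record per SA and reports whether both the SIPPY_IP->IKE_GW_IP and IKE_GW_IP->SIPPY_IP ESP tunnel SAs are present and mature, with the seconds left before the hard lifetime. The embedded sample is the dump shown above with the placeholders replaced by constructed documentation addresses.

```python
"""Parse 'setkey -D' output and report whether both directions of the
tunnel are up.  Added example for this document, not Sippy's tooling."""
import re

# Constructed sample: the dump from this document with SIPPY_IP=192.0.2.10
# and IKE_GW_IP=198.51.100.1 (documentation addresses) filled in.
SAMPLE_DUMP = """\
192.0.2.10 198.51.100.1
esp mode=tunnel spi=1197346408(0x475e0e68) reqid=0(0x00000000)
E: 3des-cbc 1e14930b 24956ab2 9b59f0c5 b9663dbe ddddc15a 12709f72
A: hmac-sha1 f3bcb876 12d33057 55d50c6f 2fb64dbb 38f91d72
seq=0x0000000a replay=4 flags=0x00000000 state=mature
created: Nov 6 17:55:24 2015 current: Nov 6 18:16:18 2015
diff: 1254(s) hard: 28800(s) soft: 23040(s)
last: Nov 6 17:55:34 2015 hard: 0(s) soft: 0(s)
current: 1360(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=1 pid=61849 refcnt=2
198.51.100.1 192.0.2.10
esp mode=tunnel spi=54124353(0x0339df41) reqid=0(0x00000000)
E: 3des-cbc d35278ac cb8f9821 944a8b8e 53cc0b67 28fce357 75208117
A: hmac-sha1 22ae0a4d 28cd25bf 7c4b78a9 f19c8153 2f97a2ba
seq=0x0000000a replay=4 flags=0x00000000 state=mature
created: Nov 6 17:55:24 2015 current: Nov 6 18:16:18 2015
diff: 1254(s) hard: 28800(s) soft: 23040(s)
last: Nov 6 17:55:34 2015 hard: 0(s) soft: 0(s)
current: 1040(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=0 pid=61849 refcnt=1
"""

HEADER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
SA_RE = re.compile(r"^(\w+) mode=(\w+) spi=(\d+)\(")
STATE_RE = re.compile(r"\bstate=(\w+)")
LIFE_RE = re.compile(r"^diff: (\d+)\(s\) hard: (\d+)\(s\) soft: (\d+)\(s\)")
BYTES_RE = re.compile(r"^current: (\d+)\(bytes\)")


def parse_setkey_dump(text):
    """Return one dict per security association found in the dump."""
    sas = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()             # the dump may carry stray leading spaces
        if m := HEADER_RE.match(line):  # "SRC DST" opens a new SA record
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := SA_RE.match(line):
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        elif line.startswith("E: "):   # encryption algorithm (key material ignored)
            cur["enc"] = line.split()[1]
        elif line.startswith("A: "):   # authentication algorithm
            cur["auth"] = line.split()[1]
        elif m := STATE_RE.search(line):
            cur["state"] = m.group(1)
        elif m := LIFE_RE.match(line):
            cur["age_s"], cur["hard_s"], cur["soft_s"] = map(int, m.groups())
        elif m := BYTES_RE.match(line):
            cur["bytes"] = int(m.group(1))
    return sas


def tunnel_status(sas, sippy_ip, ike_gw_ip, proto="esp", mode="tunnel"):
    """Check the out (SIPPY_IP->IKE_GW_IP) and in (IKE_GW_IP->SIPPY_IP) ESP
    tunnel SAs: both must exist and be mature.  remaining_s is the time left
    before the hard lifetime; rekey_due flags an SA past its soft lifetime."""
    report = {}
    for name, src, dst in (("out", sippy_ip, ike_gw_ip), ("in", ike_gw_ip, sippy_ip)):
        match = [s for s in sas if s["src"] == src and s["dst"] == dst
                 and s.get("proto") == proto and s.get("mode") == mode]
        if not match:
            report[name] = {"ok": False, "reason": "no SA"}
            continue
        sa = match[0]
        report[name] = {
            "ok": sa.get("state") == "mature",
            "spi": sa.get("spi"),
            "enc": sa.get("enc"),
            "auth": sa.get("auth"),
            "remaining_s": sa.get("hard_s", 0) - sa.get("age_s", 0),
            "rekey_due": sa.get("age_s", 0) >= sa.get("soft_s", 0) > 0,
        }
    report["up"] = report["out"]["ok"] and report["in"]["ok"]
    return report


if __name__ == "__main__":
    status = tunnel_status(parse_setkey_dump(SAMPLE_DUMP), "192.0.2.10", "198.51.100.1")
    print("tunnel up:", status["up"])
```

To use it on a live switch, feed the output of "setkey -D" (for example via subprocess) into parse_setkey_dump; "up" being False with one direction reporting "no SA" is the usual sign that phase 2 only completed one way.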

10. Disable debug in racoon.conf and restart racoon: either comment that option out or set it to notify.



Additional information:

  • it is possible to run racoon in maximum debug/verbose mode so that the output goes to the console:

# racoon -v -F -dd -f /usr/local/etc/racoon/racoon.conf

-v verbose output, a higher debug level

-f specify the racoon config file

-d first level of debug; repeat d (-dd, -ddd) to increase the debug level

-F run racoon in the foreground

-l logfile - if needed, write the output to the log file


These flags can also be used as racoon_flags in rc.conf. For more flags check 

$ man racoon

  • The setkey message "The result of line 18: File exists." when loading the rules:

This is caused by mistakes in /etc/ipsec.rules, such as 3 spaces instead of 2 before esp, or two rules leading from the same SIPPY_NET/XX to the same REMOTE_GW_NET/YY.

You can also try reloading the ipsec rules to clear it out (the file starts with flush/spdflush, so the existing policies are removed first):

$ sudo /etc/rc.d/ipsec start

  • Racoon's documentation:

http://www.kame.net/racoon/racoon.conf.5

  • If you need to configure more than one IKE gateway, add a separate remote section followed by a sainfo section in racoon.conf for each IKE gateway.

----

Racoon log troubleshooting:

----

1. A wrong encryption_algorithm was chosen on phase 1; it does not match the server's configuration:

ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.

2. YOUR_NET/XX is configured with an incorrect subnet. Try /32 for it, then restart ipsec and racoon:

ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
ERROR: error message: '&. ;x % }- @ SME 4 ( _a8 p C` s 2 PS _ f o 0q `] D5 > ] "R L9 C Z : :\ 4 , v b k I x ^5 h*\ N [0 ;W 8 x @ z e l e f* 3 6 0 | S2 2 & 0 i9 [/r [a %0O > @ '.

3. A misconfigured port for either the local or the remote address, or wrong encryption on phase 1:

DEBUG2: CHKPH1THERE: no established ph1 handler found

The following lines should be corrected with the proper port, or the port should be removed to use the default one:


isakmp YOUR_IP [port] # local IP


remote VERIZON_IP [port] # remote IP

4. Misconfiguration of ipsec.rules or a firewall-related issue:

ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP IKE_GW_IP[0]->SIPPY_IP[0]
2015-02-12 06:25:43: INFO: delete phase 2 handler.
2015-02-12 06:26:02: ERROR: phase1 negotiation failed due to time up. b20adad2a567eace:0000000000000000
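The four cases above, plus the setkey "File exists" message from "Additional information", are all recognisable from a single log line, so a first pass over /var/log/racoon.log can be automated. The following is an added example, not part of this document or of Sippy's software: it scans racoon log lines for those messages and returns the matching cause and the corrective action this document gives for it. The sample log is constructed from the messages shown above with documentation addresses; the rule labels and function names are this example's own.

```python
"""Scan a racoon log for the failure messages listed in this document and
report their likely causes.  Added example, not Sippy's own tooling."""
import re

# (regex over one log line, short cause, action) taken from the
# troubleshooting notes in this document.  Matched in list order.
RULES = [
    (re.compile(r"NO-PROPOSAL-CHOSEN"),
     "phase 1 proposal rejected",
     "check encryption_algorithm/hash_algorithm/dh_group in the remote section "
     "against the provider's phase 1 settings"),
    (re.compile(r"INVALID-ID-INFORMATION"),
     "phase 2 identity (subnet) rejected",
     "set the local net in ipsec.rules to /32 (YOUR_IP/32), then restart ipsec and racoon"),
    (re.compile(r"CHKPH1THERE: no established ph1 handler found"),
     "no phase 1 SA for this peer",
     "check the [port] on the isakmp (local) and remote lines, or remove it to use "
     "the default 500, and check the phase 1 encryption settings"),
    (re.compile(r"phase[12] negotiation failed due to time up"),
     "peer did not answer",
     "check ipsec.rules and that the firewall lets IKE (UDP 500 by default) and ESP "
     "through in both directions"),
    (re.compile(r"The result of line \d+: File exists"),
     "setkey refused a policy",
     "fix the spdadd lines in /etc/ipsec.rules (duplicate selectors or wrong layout) "
     "and reload them with /etc/rc.d/ipsec start"),
]

# Constructed sample in racoon's log format, built from the messages in this
# document with SIPPY_IP=192.0.2.10 and IKE_GW_IP=198.51.100.1.
SAMPLE_LOG = """\
2015-02-12 06:25:31: INFO: initiate new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.1[500]
2015-02-12 06:25:31: INFO: begin Identity Protection mode.
2015-02-12 06:25:43: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.1[0]->192.0.2.10[0]
2015-02-12 06:25:43: INFO: delete phase 2 handler.
2015-02-12 06:26:02: ERROR: phase1 negotiation failed due to time up. b20adad2a567eace:0000000000000000
"""


def diagnose(log_lines):
    """Return {cause: {"first_line", "text", "hits", "action"}} for every rule
    that matched at least one line.  first_line is 1-based, text is the first
    matching line, hits counts all matching lines."""
    findings = {}
    for n, raw in enumerate(log_lines, 1):
        line = raw.rstrip("\n")
        for rx, cause, action in RULES:
            if not rx.search(line):
                continue
            if cause in findings:
                findings[cause]["hits"] += 1
            else:
                findings[cause] = {"first_line": n, "text": line, "hits": 1, "action": action}
    return findings


def diagnose_file(path):
    """Convenience wrapper: diagnose a log file such as /var/log/racoon.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return diagnose(fh)


if __name__ == "__main__":
    for cause, info in diagnose(SAMPLE_LOG.splitlines()).items():
        print(f"{cause} (line {info['first_line']}, {info['hits']} hit(s)): {info['action']}")
```

The rules only cover the messages this document lists; a log with no findings is not proof the tunnel is up, so pair this with the "setkey -D" check from step 9.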



The IKEv1 process is demonstrated in the following diagram: