Use of Proprietary Information and Copyright Notice. This document contains proprietary information that is to be used only by the Sippy Software, Inc. customers. Any unauthorized disclosure, copying, distribution, or use of this information is prohibited. (c) 2006-2019 Sippy Software, Inc. All rights reserved.
The capability for IPSec Configuration is available for Non-hosted solutions only. Contact [email protected] for more information.
The IPSec solution has been tested with two major providers - Verizon and BT
Glossary:
IKE_GW_IP - IP address of IKE gateway, should be pingable from the switch even if no tunnel is established. We need to connect this address to establish the tunnel
REMOTE_GW_NET/YY - Remote Gateway's subnet for signalling, traffic should be routed to the IPs named through the IPSec tunnel.
SIPPY_IP - the IP assigned to the Sippy server that the IPSec provider expects to get the encrypted packets from. On the provider's side the SIPPY_IP should be allowed for the IKE_GW_IP
SIPPY_NET/32 - subnet of the Sippy IP addresses that Verizon authorized for sending traffic back.
Formerly it used to be the subnet, now it could be the YOUR_IP/32
Which platforms support IPSEC and tested by us:
- Standard bare-metal servers
- AWS based instances
To be able to setup IPSec we require the following information:
- IKE gateway IP address
- Remote Gateway's subnet
- SIP signalling IPs that should be reachable after setting up the tunnel
- pre-shared key for each IKE gateway IP address
List of Sippy IPs that are authorized to send traffic to the tunnel - this could be a subnet or one IP for each IKE_GW_IP
proposed configuration for each phase, fully tested combinations are:
OPTION 1: p1 = "pre-g2-3des-md5" # p2 = "g2-3des-md5"
OPTION 2: p1 = "pre-g5-3des-sha1" # p2 = "g5-3des-sha1"
Legend / Glossary: (This legend assumes you have chosen OPTION 1 from the above list.)
p1 = "Phase 1" settings.
pre = The "authentication method" in use. pre stands for 'Pre-Shared'.
g2 = The "Diffy Hillman Group" used. g2 stands for 'Group 2'.
3des = The "encryption method" used. 3des stands for 'Triple Data Encryption Algorithm'.
md5 = The "hash method" used. md5 stands for 'Message-Digest Algorithm 5'.
---------------------------------------
p2 = "Phase 2" settings.
g2 = The "Diffy Hillman Group" used. g2 stands for 'Group 2'.
3des = The "encryption method" used. 3des stands for 'Triple Data Encryption Algorithm'.
md5 = The "hash method" used. md5 stands for 'Message-Digest Algorithm 5'.
1. Install ports/security/ipsec-tools [latest version of Sippy goes with this package installed, so you can skip this step]
2. Create /etc/ipsec.rules:
flush; spdflush; spdadd SIPPY_NET/32 REMOTE_GW_NET/YY any -P out ipsec esp/tunnel/SIPPY_IP-IKE_GW_IP/require; spdadd REMOTE_GW_NET/YY SIPPY_NET/32 any -P in ipsec esp/tunnel/IKE_GW_IP-SIPPY_IP/require;
# If you have 2+ IKE_GW_IP then the step should be repeated with the distinctive data in the same file
Explanation for outgoing part:
For outgoing packets of any protocol from the SIPPY_NET/32 network to the REMOTE_GW_NET/YY network
it is required to use (esp) encryption through the tunnel, using the encryption on host SIPPY_IP
and addressing the encrypted packet to the host IKE_GW_IP
Explanation for incoming part:
For outgoing packets of any protocol from the REMOTE_GW_NET/YY network to the SIPPY_NET/32
network, it is required that the traffic be (esp) encrypted through the tunnel, having been encrypted on host IKE_GW_IP
and received encrypted on SIPPY_IP
Note1:
There could be multiple rules for different REMOTE_GW_NETs with different corresponding IKE_GW_IP
Note2:
Pay attention to spaces, there should be 2 spaces before esp, no more, no less
Note3:
Likely the XX subnet of the SIPPY_NET should be /32, that's how it works in most cases
3. Create /usr/local/etc/racoon/psk.txt:
IKE_GW_IP SHARED_KEY
4. Create /usr/local/etc/racoon/racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; timer { phase1 28800 sec; # max time for the phase to complete phase2 3600 sec; # max time for the phase to complete interval 1 min; # the interval to resend } listen { isakmp SIPPY_IP; # Force racoon to listen only on this address, you can specify the port with " [port]" strict_address; # Require all addresses to be bound } ## IKE gateway1 address, phase 1 is defined here remote IKE_GW_IP # custom port can be set here (default is 500), e.g. "[2500]" { my_identifier address SIPPY_IP; # identifier to be sent to remote host peers_identifier address IKE_GW_IP; exchange_mode main; # main, aggressive or base passive off; # if you want to initiate the negotiation, set to off proposal_check obey; # the responder will obey the initiator anytime lifetime time 15 min; # sec,min,hour, proposal of phase 1 lifetime # phase 1 proposal proposal { encryption_algorithm aes256; # encryption for ph1, either 3des, aes256, aes128 hash_algorithm sha256; # hash for ph1, either md5,sha256 authentication_method pre_shared_key; # authentication for ph1 dh_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5 } } ## remote IKE_GW_IP_2 # case you have 2+ IPsec GWs ## { ## my_identifier address SIPPY_IP; # identifier to be sent to remote host ## peers_identifier address IKE_GW_IP_2; ## exchange_mode main; # main, aggressive or base ## passive off; # if you want to initiate the negotiation, set to off ## proposal_check obey; # the responder will obey the initiator anytime ## lifetime time 15 min; # sec,min,hour, proposal of phase 1 lifetime ## ## # phase 1 proposal ## proposal ## { ## encryption_algorithm 3des; # encryption for ph1, either 3des, aes256, aes128 ## hash_algorithm md5; # hash for ph1, either md5,sha256 ## authentication_method pre_shared_key; # authentication for ph1 ## dh_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5 ## } ## } ## Phase2, ISAKMP-SA sainfo anonymous { pfs_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5 encryption_algorithm aes256; # encryption for ph2, either des,3des,des_iv64,des_iv32,rc5,rc4,idea,3idea,cast128,blowfish,null_enc,twofish,rijndael,aes128 authentication_algorithm hmac_sha1 ; # authentication for ph2, either des,3des,des_iv64,des_iv32,hmac_md5,hmac_sha1,non_auth compression_algorithm deflate; lifetime time 15 min; # sec,min,hour, proposal of phase 12 lifetime } ## sainfo address SIPPY_IP/XX any address REMOTE_GW_NET/YY any # case you have 2+ IPsec GWs ## { ## pfs_group 2; # Diffie-Hellman exp, either modp768=1, modp1024=2,modp1536=5 ## encryption_algorithm 3des; # encryption for ph2, either des,3des,des_iv64,des_iv32,rc5,rc4,idea,3idea,cast128,blowfish,null_enc,twofish,rijndael ## authentication_algorithm hmac_sha1 ; # authentication for ph2, either des,3des,des_iv64,des_iv32,hmac_md5,hmac_sha1,non_auth ## compression_algorithm deflate; ## lifetime time 3600 sec; # sec,min,hour, proposal of phase 12 lifetime ## } ## Enable logging if needed. Available options: notify,debug,debug2 ## log debug2;
Here are three commonly used and secure combinations for Phase 1 (IKE) in an IPsec configuration:
# The #1 one is the preferable and more secure than #2 or #3
1. AES-256 with SHA-256
Encryption Algorithm: aes256
Hash Algorithm: sha256
DH Group: 14 (2048-bit, secure and commonly supported)
or
DH Group: 2 (supported but less secure)
2. AES-128 with SHA-1
Encryption Algorithm: aes128
Hash Algorithm: sha1
DH Group: 2 (1024-bit, widely supported but not as strong as 2048-bit)
3. 3DES with MD5
Encryption Algorithm: 3des
Hash Algorithm: md5
DH Group: 2 (1024-bit, widely supported but not as strong as 2048-bit)
For phase 2 you may use the following algorithms:
1. AES-266 with HMAC-SHA1
2. 3DES with MD5 HMAC-SHA1
5. Add commands to load racoon and ipsec config into rc.conf:
ipsec_enable="YES"
ipsec_file="/etc/ipsec.rules"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
6. Make sure psk.txt has the correct permissions:
$ sudo chmod 600 /usr/local/etc/racoon/psk.txt
7. Load ipsec rules - it shouldn't be running in the processes, start racoon - it should be running as a daemon:
$ sudo /etc/rc.d/ipsec start
$ sudo /usr/local/etc/rc.d/racoon restart
$ sudo /usr/local/etc/rc.d/racoon status
Sometimes it might fail to start with the following error message:
/usr/local/etc/rc.d/racoon: WARNING: /var/db/racoon is not a directory.
In such case create this directory and try to start it again:
$ sudo mkdir /var/db/racoon
$ sudo /usr/local/etc/rc.d/racoon start
Image with the example is attached.
8. To check the tunnel you can ping one of the IPs from Verizon net after establishing the tunnel. SIP IPs are preferable, the target IP you ping should be located in REMOTE_GW_NET/YY
$ ping -S SIPPY_IP SIP_SIGNALLING_IP(vendors IP)
To check if SIPPY_IP receives traffic from vendor you may activate the tcpdump on Sippy Softswitch and wait for the ESP packets from vendor:
$ sudo tcpdump -n -i vtnet0 esp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes 13:00:54.135612 IP 3.126.6.140 > 178.62.220.215: ESP(spi=0x02c0d613,seq=0x1), length 132 13:00:54.135710 IP 178.62.220.215 > 3.126.6.140: ESP(spi=0x0b96b11f,seq=0x1), length 132 13:00:55.144359 IP 3.126.6.140 > 178.62.220.215: ESP(spi=0x02c0d613,seq=0x2), length 132 13:00:55.144474 IP 178.62.220.215 > 3.126.6.140: ESP(spi=0x0b96b11f,seq=0x2), length 132 13:00:56.151809 IP 3.126.6.140 > 178.62.220.215: ESP(spi=0x02c0d613,seq=0x3), length 132 13:00:56.151967 IP 178.62.220.215 > 3.126.6.140: ESP(spi=0x0b96b11f,seq=0x3), length 132
9. Check that the tunnel has been established successfully, expected output:
# setkey -D
SIPPY_IP IKE_GW_IP
esp mode=tunnel spi=1197346408(0x475e0e68) reqid=0(0x00000000)
E: 3des-cbc 1e14930b 24956ab2 9b59f0c5 b9663dbe ddddc15a 12709f72
A: hmac-sha1 f3bcb876 12d33057 55d50c6f 2fb64dbb 38f91d72
seq=0x0000000a replay=4 flags=0x00000000 state=mature
created: Nov 6 17:55:24 2015 current: Nov 6 18:16:18 2015
diff: 1254(s) hard: 28800(s) soft: 23040(s)
last: Nov 6 17:55:34 2015 hard: 0(s) soft: 0(s)
current: 1360(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=1 pid=61849 refcnt=2
IKE_GW_IP SIPPY_IP
esp mode=tunnel spi=54124353(0x0339df41) reqid=0(0x00000000)
E: 3des-cbc d35278ac cb8f9821 944a8b8e 53cc0b67 28fce357 75208117
A: hmac-sha1 22ae0a4d 28cd25bf 7c4b78a9 f19c8153 2f97a2ba
seq=0x0000000a replay=4 flags=0x00000000 state=mature
created: Nov 6 17:55:24 2015 current: Nov 6 18:16:18 2015
diff: 1254(s) hard: 28800(s) soft: 23040(s)
last: Nov 6 17:55:34 2015 hard: 0(s) soft: 0(s)
current: 1040(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 10 hard: 0 soft: 0
sadb_seq=0 pid=61849 refcnt=1
10. Disable debug in racoon.conf and restart racoon, either comment that option out or set it to notify.
Additional information:
- it's possible to run racoon in the max debug verbose mode so that the output is placed to the console.
# racoon -v -F -dd -f /usr/local/etc/racoon/racoon.conf
-v for verbose output, more debug level
-f specify the file with the racoon config
-d for the 1st level of debug. Multiple d are used for enhancing the debug
-F run racoon in the foreground.
-l logfile - if needed, print the output to the log
they could be also used as the racoon flags in the rc.conf. For more flags check
$ man racoon
- The result of line 18: File exists.
this is caused by mistakes in /etc/ipsec.rules, like 3 spaces instead of 2 before esp, or two rules leading from the same SIPPY_NET/XX to the same REMOTE_GW_NET/YY
You can also try restarting ipsec to clear it out:
$ sudo /etc/rc.d/ipsec start
- Racoon's documentation:
http://www.kame.net/racoon/racoon.conf.5
- If you need to configure more then one IKE gateway, add the separate remote followed with the sainfo sections in the racoon conf per each IKE gateway
----
Racoon log troubleshooting:
----
1. The incorrect encryption_algorithm on Phase 1 has been chosen, it does not match the server's configuration.
ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
2. The YOUR_NET/XX is configured with incorrect subnet. Try /32 for it, and restart ipsec and racoon
ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
ERROR: error message: '&. ;x % }- @ SME 4 ( _a8 p C` s 2 PS _ f o 0q `] D5 > ] "R L9 C Z : :\ 4 , v b k I x ^5 h*\ N [0 ;W 8 x @ z e l e f* 3 6 0 | S2 2 & 0 i9 [/r [a %0O > @ '.
3. The misconfiguration of used port for either local of remote address or encryption on phase1:
DEBUG2: CHKPH1THERE: no established ph1 handler found
The following lines should be corrected with either aproper port, or the port should be removed in order to use the default one
isakmp YOUR_IP [port] # local IPremote VERIZON_IP [port] # remote IP
4. The misconfiguration of ipsec.rules or firewall related issue:
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP IKE_GW_IP[0]->SIPPY_IP[0]
2015-02-12 06:25:43: INFO: delete phase 2 handler.
2015-02-12 06:26:02: ERROR: phase1 negotiation failed due to time up. b20adad2a567eace:0000000000000000
The IKEv1 process is demonstrated in the following diagram: