SoftElegance has successfully created a VPN (Virtual Private Network) between two networks, separated by the internet, using FreeBSD gateways and over IPsec protocol.

IPsec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

The goal is to set up IPsec using FreeBDS gateways.

The Problem:

IPsec can should used to directly encrypt the traffic between two hosts (known as Transport Mode); or to build “virtual tunnels” between two subnets, which could be used for secure communication between two corporate networks (known as Tunnel Mode)

There is no standard for what constitutes a VPN. VPNs can be implemented using a number of different technologies, each of them have their own strengths and weaknesses.

The Scenario:

Two corporate networks, one based at office A and another at office B; different locations, towns, or countries. Both are connected to the Internet, and expected, via this VPN to behave as one.

Please, be sure in following:

  • Both network’s sites are using IP internally;
  • Both sites are connected to the Internet, through a gateway that is running FreeBSD;
  • The gateway on each network has at least one public IP address;
  • The internal addresses of the two networks can be public or private IP addresses, it does not matter. They just may not collide; e.g.: may not both use 192.168.1.x.

The Solution:

First you should read the Tom Rhodes’s post “Configuring IPsec on FreeBSD“. This is great guide and it’s almost all you need.

Also you could find the information about two IPsec’s sub-protocols:

  • Encapsulating Security Payload (ESP), protects the IP packet data from third party interference, by encrypting the contents using symmetric cryptography algorithms (like Blowfish, 3DES).
  • Authentication Header (AH), protects the IP packet header from third party interference and spoofing, by computing a cryptographic checksum and hashing the IP packet header fields with a secure hashing function. This is then followed by an additional header that contains the hash, to allow the information in the packet to be authenticated.

ESP and AH can either be used together or separately, depending on the environment.

We’ve used only the ESP to create VPN over IPsec. It was not necessary to use AH in out case.

The information about ESP should be used for better understanding IPsec.

And the last one Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite.

Conclusion:

SoftElegance has successfully set up VPN with IPsec using FreeBDS gateways for two networks, separated by the internet.