How to Encrypt Traffic Over IPv6

[alaric]

Hey everyone. For reasons that can only arise from the combination of a crazy boss and an increasingly bureaucratic corporate environment, I need to create an IPv6 encrypted tunnel between a PC and my FreeBSD 11 box. I can't find much help. Can anyone help me or direct me to a resource?

Thanks in Advance,
Alaric

 

[jem]

OpenVPN may be of assistance to you, and it's fairly simple to set up. It's in ports, security/openvpn.

 

[alaric]

Thank you very much my friend. I'll take a look

 

[alaric]

The tunnel interface is definitely a piece of the puzzle. I can't install new software though. That's one reason why I want to use ipv6 built in ESP. I'll look for documentation on tunnel interfaces. Any other advice would be greatly appreciated.

 

[obsigna]

Are you allowed to use the built-in VPN client of the PC? I guess its's Windows. I yes and yes then, you may want to consider installing a IKEv2 VPN server using security/strongSwan on you FreeBSD machine.

 

[alaric]

OK so I read that BSD can invoke ESP if a check of the "security policy database" suggests it. What is this "security policy database" which is spoken of? Can anyone help me?

 

[alaric]

Are you allowed to use the built-in VPN client of the PC? I guess its's Windows. I yes and yes then, you may want to consider installing a IKEv2 VPN server using security/strongSwan on you FreeBSD machine.

Thank you very much. I need to use the advanced windows firewall connection mechanism. I think I have that part nailed down. All I need to figure out is how to config BSD to use native ESP in IPv6 for my traffic. I know a tunnel interface is needed. So really I just need to figure out how to config a tunnel interface to invoke the ESP in IPv6 and I'm good.

 

[SirDice]

I've been looking around because one of the "selling points" of IPv6 is the built-in IPSec capabilities. But oddly enough I can't find much about how to set this up. Most of the stuff I find refers to spdadd (which would refer to the 'security policy database') but I can't find anything with regards to FreeBSD.

 

[alaric]

Good to know someone is on a similar quest! *nix is not my main gig, I don't know much. I found some stuff on setkey that looked interesting though. Does anyone know if that could be used to tell FreeBSD "when you see traffic from range use these security parameters"? Then we could say ESP, Blah, Blah, Blah.

 

[obsigna]

As a matter of fact, setkey(8) is the tool for manual configuration and inspection of the Security Association Database (SAD) and the Security Policy Database (SPD) in the Kernel. Look at the Examples section of the linked man file, for getting an idea. That said, manually setting up and maintaining the SAD/SPD may be quite cumbersome, and this becomes even worse if it comes to Authentication and Key Exchange.

... we could say ESP, Blah, Blah, Blah.

The 3 trailing Blah's in your recent message are in IPsec terms actually AH, SA, ISAKMP (IKE/IKEv2), and if you really want to set up everything manually, then you need to understand the concepts before, otherwise you will fail.

People, like me, who don't need to work out every nut, bolt and screw for any kind of satisfaction, utilize for establishing IPsec links either of security/ipsec-tools or security/strongSwan, the latter of which is more modern and better maintained.

BTW: I am not a Windows guy, however, a quick review of Windows Firewall with Advanced Security and IPsec reveals to me that said Firewall does neither establish any IPsec, nor takes care of Authentication and Key Exchange. For this you need other facilities of Windows. The document tells me that the WFASI knows to apply its rules also on IPsec traffic, as IPFW knows on FreeBSD, however, no *NIX aware person would expect IPFW to establish IPsec connections.

 

[alaric]

Thanks, haha, and actually. There is a section within the advanced windows firewall where you can define security parameters: http://www.it.cornell.edu/services/managed_servers/howto/ipsec.cfm. It looked to me like there was an option with setkeys to define a range of ips to apply security rules to. I thought maybe we could leverage that. I guess I'll take a look at the tools you mentioned. It looks like I angered you somehow. Apologies and good luck.