pavel simerda ipsec
TRANSCRIPT
7/28/2019 Pavel Simerda Ipsec
1/34
IPsec in Fedora
Pavel Šimerda [email protected]
Developer Conference 2012, Brno
http://data.pavlix.net/devconf2012/
Pavel Šimerda [email protected] IPsec in Fedora
Contents
- IP Security Overview
- Kernel IPsec Implementation
- Comparison of Key Exchange Implementations
- Real World Configuration Examples
IP Security Overview
IPsec
- IP Security (IPsec)
- Mandatory part of the IPv6 stack, extension to the IPv4 stack
- Network-layer packet encryption and authentication
IPsec provides
- Security layer for network and transport protocols
- Data authentication, integrity and confidentiality
- Mutual host and user authentication
- Security orthogonal to routing (with public IPv6 or IPv4)
- End-to-end secure communication (with public IP and DNSSEC)
IPsec essentials
- Security policy database
- Security association database
- Encapsulated security payload
- Key exchange and configuration
- NAT traversal
Kernel IPsec Implementation
What you need to experiment with IPsec
- Kernel IPsec support enabled
- The iproute package
- Firewall setup (for testing, just disable the firewall)
- Time and patience (or follow the examples)
ESP transport channel
Mode: Transport
Encapsulation: IPv6 / ESP
Direction: alpha.example.net -> beta.example.net
Addresses: 2001:db8::a -> 2001:db8::b
- Use the same commands for the reverse channel
- Suitable for secure end-to-end connectivity
You can always use IPv4 addresses instead of IPv6.
When testing with the documentation address space, you may find yourself separated from some public internet services.
ESP transport channel
alpha.example.net
# ip address add 2001:db8::a/64 dev eth0
# ip xfrm policy add dir out \
    src 2001:db8::a dst 2001:db8::b tmpl proto esp
# ip xfrm state add \
    src 2001:db8::a dst 2001:db8::b proto esp spi 1 \
    enc cbc(aes) 0x3ed0af408cf5dcbf5d5d9a5fa806b224
beta.example.net
# ip address add 2001:db8::b/64 dev eth0
# ip xfrm policy add dir in \
    src 2001:db8::a dst 2001:db8::b tmpl proto esp
# ip xfrm state add \
    src 2001:db8::a dst 2001:db8::b proto esp spi 1 \
    enc cbc(aes) 0x3ed0af408cf5dcbf5d5d9a5fa806b224
http://data.pavlix.net/devconf2012/
ESP transport channel
Quick check on alpha.example.net
# ip xfrm state show src 2001:db8::a dst 2001:db8::b
src 2001:db8::a dst 2001:db8::b
    proto esp spi 0x00000001 reqid 0 mode transport
    replay-window 0
    enc cbc(aes) 0x3ed0af408cf5dcbf5d5d9a5fa806b224
    sel src ::/0 dst ::/0
# ip xfrm policy show src 2001:db8::a dst 2001:db8::b
src 2001:db8::a/128 dst 2001:db8::b/128
    dir out priority 0 ptype main
    tmpl src :: dst ::
        proto esp reqid 0 mode transport
ESP transport channel
ICMP ping from alpha to beta
# ping6 2001:db8::b
PING 2001:db8::b (2001:db8::b) 56 data bytes
64 bytes from 2001:db8::b: icmp_seq=1 ttl=255 time=0.630 ms
64 bytes from 2001:db8::b: icmp_seq=2 ttl=255 time=0.504 ms
Network traffic (tcpdump)
IP6 2001:db8::a > 2001:db8::b: ESP(spi=0x00000001,seq=0x1), length 104
IP6 2001:db8::b > 2001:db8::a: ICMP6, echo reply, seq 1, length 64
IP6 2001:db8::a > 2001:db8::b: ESP(spi=0x00000001,seq=0x2), length 104
IP6 2001:db8::b > 2001:db8::a: ICMP6, echo reply, seq 2, length 64
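As an added illustration that is not part of the slides, the following Python model of the two kernel databases named on the "IPsec essentials" slide, the security policy database (SPD) and the security association database (SAD), is loaded with the exact policy and state of the "ESP transport channel" commands and reproduces what the tcpdump above shows: alpha's echo request matches an "out" policy with an SA and leaves as ESP, while beta's reply matches no policy and leaves in plaintext. It also runs the "reverse channel" the slide tells you to add, alpha's side of the tunnel-mode example that follows (subnet selector, router addresses in the template), and the case of a policy without an SA, where the kernel raises an ACQUIRE event for a key-exchange daemon. The classes XfrmHost, Policy and State, the SPI 2 for the reverse channel and the host gamma.example.net are constructed for this example; the key is the demo key printed on the slide.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Demo key copied from the slide; it is public, so never reuse it outside a lab.
SLIDE_KEY = "0x3ed0af408cf5dcbf5d5d9a5fa806b224"


@dataclass(frozen=True)
class Policy:
    """One SPD entry: selector plus template, what 'ip xfrm policy add' creates."""
    direction: str                    # "in" or "out"
    src: str                          # selector prefix; a bare address means /128
    dst: str
    proto: str = "esp"                # template protocol
    mode: str = "transport"           # template mode
    tmpl_src: Optional[str] = None    # template addresses; None = use the packet's own
    tmpl_dst: Optional[str] = None

    def matches(self, direction: str, src: str, dst: str) -> bool:
        return (self.direction == direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass(frozen=True)
class State:
    """One SAD entry: a security association, what 'ip xfrm state add' creates."""
    src: str
    dst: str
    proto: str
    spi: int
    mode: str = "transport"
    key: str = SLIDE_KEY


@dataclass
class XfrmHost:
    """A host with its own SPD and SAD, following the kernel's outbound lookup order."""
    name: str
    spd: List[Policy] = field(default_factory=list)
    sad: List[State] = field(default_factory=list)

    def lookup_policy(self, direction: str, src: str, dst: str) -> Optional[Policy]:
        # The kernel ranks overlapping policies by priority; ours never overlap.
        return next((p for p in self.spd if p.matches(direction, src, dst)), None)

    def lookup_state(self, pol: Policy, src: str, dst: str) -> Optional[State]:
        # Template addresses default to the packet's own, which is why the
        # transport slide could write 'tmpl proto esp' without any addresses.
        want = (pol.tmpl_src or src, pol.tmpl_dst or dst, pol.proto, pol.mode)
        return next((s for s in self.sad
                     if (s.src, s.dst, s.proto, s.mode) == want), None)

    def send(self, src: str, dst: str) -> str:
        """Describe how a packet from src to dst leaves this host."""
        pol = self.lookup_policy("out", src, dst)
        if pol is None:
            return "plaintext"                    # no policy: the packet bypasses IPsec
        sa = self.lookup_state(pol, src, dst)
        if sa is None:
            # Policy without an SA: the kernel does not send the packet in the
            # clear but raises an ACQUIRE event for a key-exchange daemon (IKE).
            return "dropped: acquire needed"
        return f"{sa.proto} spi=0x{sa.spi:08x} mode={sa.mode}"


def build_one_way_transport_channel() -> Tuple[XfrmHost, XfrmHost]:
    """The 'ESP transport channel' slide: one policy and one SA per host."""
    alpha = XfrmHost("alpha.example.net")
    beta = XfrmHost("beta.example.net")
    alpha.spd.append(Policy("out", "2001:db8::a", "2001:db8::b"))
    alpha.sad.append(State("2001:db8::a", "2001:db8::b", "esp", 1))
    beta.spd.append(Policy("in", "2001:db8::a", "2001:db8::b"))
    beta.sad.append(State("2001:db8::a", "2001:db8::b", "esp", 1))
    return alpha, beta


def make_symmetric(alpha: XfrmHost, beta: XfrmHost) -> None:
    """'Use the same commands for the reverse channel', with its own SPI (constructed: 2)."""
    beta.spd.append(Policy("out", "2001:db8::b", "2001:db8::a"))
    beta.sad.append(State("2001:db8::b", "2001:db8::a", "esp", 2))
    alpha.spd.append(Policy("in", "2001:db8::b", "2001:db8::a"))
    alpha.sad.append(State("2001:db8::b", "2001:db8::a", "esp", 2))


def build_tunnel_router() -> XfrmHost:
    """alpha's side of the tunnel-mode slide: subnet selector, router addresses in the template."""
    alpha = XfrmHost("alpha.example.net")
    alpha.spd.append(Policy("out", "2001:db8:a:a::/64", "2001:db8:b:b::/64", mode="tunnel",
                            tmpl_src="2001:db8::a", tmpl_dst="2001:db8::b"))
    alpha.sad.append(State("2001:db8::a", "2001:db8::b", "esp", 1, mode="tunnel"))
    return alpha


def echo_round_trip(alpha: XfrmHost, beta: XfrmHost) -> Tuple[str, str]:
    """An echo request from alpha and its reply from beta, as the tcpdump slide saw them."""
    return alpha.send("2001:db8::a", "2001:db8::b"), beta.send("2001:db8::b", "2001:db8::a")


if __name__ == "__main__":
    a, b = build_one_way_transport_channel()
    print("one-way:", echo_round_trip(a, b))
    make_symmetric(a, b)
    print("symmetric:", echo_round_trip(a, b))
    print("tunnel:", build_tunnel_router().send("2001:db8:a:a::1", "2001:db8:b:b::1"))
```

The model only covers the outbound path; on input the kernel first finds the SA by destination, SPI and protocol, then checks the "in" policy, which is why beta needs both an SA and a "dir in" policy to enforce protection rather than merely to decrypt.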
ESP tunnel
Mode: Tunnel
Encapsulation: IPv6 / ESP / IPv6
Routers: 2001:db8::a -> 2001:db8::b
Networks: 2001:db8:a:a::/64 -> 2001:db8:b:b::/64
- Use the same commands for the other direction
- Suitable for secure links between two networks
You can use IPv4 addresses instead of IPv6.
Example: One-way ESP in tunnel mode
alpha.example.net
# ip address add 2001:db8::a/64 dev eth0
# ip address add 2001:db8:a:a::1/64 dev eth1
# ip xfrm policy add dir out \
    src 2001:db8:a:a::/64 dst 2001:db8:b:b::/64 \
    tmpl src 2001:db8::a/128 dst 2001:db8::b/128 \
    proto esp mode tunnel
# ip xfrm state add \
    src 2001:db8::a dst 2001:db8::b proto esp spi 1 mode tunnel \
    enc cbc(aes) 0x3ed0af408cf5dcbf5d5d9a5fa806b224
beta.example.net
# ip address add 2001:db8::b/64 dev eth0
# ip address add 2001:db8:b:b::1/64 dev eth1
# ip xfrm policy add dir in \
    src 2001:db8:a:a::/64 dst 2001:db8:b:b::/64 \
    tmpl src 2001:db8::a/128 dst 2001:db8::b/128 \
    proto esp mode tunnel
# ip xfrm state add \
    src 2001:db8::a dst 2001:db8::b proto esp spi 1 mode tunnel \
    enc cbc(aes) 0x3ed0af408cf5dcbf5d5d9a5fa806b224
http://data.pavlix.net/devconf2012/
Hybrid IPv6/IPv4 ESP tunnels
Mode: Tunnel
Encapsulation: IPv4 / ESP / IPv6 or IPv6 / ESP / IPv4
- Use the same commands as for IPv6 / ESP / IPv6 tunnels
- Use IPv4 network or host addresses where appropriate
- Suitable for secure IPv4 links between IPv6 networks and vice versa
Comparison of Key Exchange Implementations
The IKE protocol
- Dynamic security policies and associations (including keys)
- On-demand associations
- Mutual authentication using PSK, PKI or other mechanisms
IKEv1
- Multiple initial exchange modes
- Cryptographic weaknesses
IKEv2
- Fusion of previous specifications
- Single initial exchange mechanism
- Improved cryptography, unified with ESP
- Improved remote network configuration
- Improved NAT-T support
IKE implementations in Fedora/EPEL
- Racoon
- Openswan
- Racoon2
- Strongswan
There may be others. For example, vpnc seems to be a specialized IPsec implementation used as a client to Cisco EasyVPN.
Racoon (ipsec-tools)
- Included in Fedora as ipsec-tools
- Not in EPEL6
- Limited to obsolete IKEv1
- Very hard to configure for advanced scenarios
- Even the road warrior scenario requires shell scripting
- It seems to support IPv6 except hybrid tunnels
Openswan
- Included in Fedora and RHEL
- IKEv2 doesn't work with NAT traversal
- IKEv2 doesn't work in road warrior setup
- IPv6 doesn't work in road warrior setup
- IPv6 configuration and errors are confusing
- Hybrid tunnels aren't supported
- Openswan gets confused by multiple IPs per interface
Disclaimer: I may have missed some tricks or new development. Tested with openswan-2.6.33-1.fc15.x86_64.
Racoon2
- Newly added to Fedora 16 and EPEL 6, please test
- Latest version from May 2010
- Bad upstream makefiles (patched)
- No starter daemon, separate spmd, iked (patched)
- KINK support disabled (dependency problems)
- Rather complicated configuration, but very flexible
- Ready-to-use configuration examples
- Reportedly decent IKEv2, IKEv1 and IPv6 support
Strongswan
- Newly added to Fedora 16 and EPEL 6, please test
- Active upstream, new release every few months
- Builds without change, systemd unit files included
- Renaming required to avoid conflicts with Openswan
- IKEv2, IKEv1 and IPv6 support
- NAT-T, Mediation, MOBIKE and virtual IP support
- Various authentication mechanisms
- Easy and almost flat configuration, similar to Openswan
Real World Configuration Examples
Choosing from implementations
We need to choose one key exchange implementation for
- IKEv2 and IKEv1 support
- IPv6 and IPv4 support
- Road warrior setup
- IPv4 NAT traversal
- All of the above working together
Evaluation
- Racoon: not suitable, lacks IKEv2
- Openswan: not suitable, broken IKEv2 as well as IPv6
- Racoon2: suitable, but rather passive
- Strongswan: suitable, actively developed
The winner is Strongswan!
Symmetric on-demand ESP transport channel
Mode: Transport
Encapsulation: IPv6 / ESP
Direction: alpha.example.net <-> beta.example.net
Addresses: 2001:db8::a <-> 2001:db8::b
Strongswan supports IPv6 and IPv4 addresses.
Symmetric on-demand ESP transport channel
ipsec.conf
conn test
    auto=route
    type=transport
    left=2001:db8::a
    right=2001:db8::b
    authby=psk
    mobike=no
http://data.pavlix.net/devconf2012/
Symmetric on-demand ESP transport channel
ICMP ping from alpha to beta
# ping6 2001:db8::b
PING 2001:db8::b (2001:db8::b) 56 data bytes
64 bytes from 2001:db8::b: icmp_seq=2 ttl=64 time=83.7 ms
64 bytes from 2001:db8::b: icmp_seq=3 ttl=64 time=4.08 ms
Network traffic (tcpdump)
19:44:59.334377 IP6 2001:db8::a.isakmp > 2001:db8::b.isakmp: isakmp: parent_sa ikev2_init[I]
19:44:59.375153 IP6 2001:db8::b.isakmp > 2001:db8::a.isakmp: isakmp: parent_sa ikev2_init[R]
19:44:59.478870 IP6 2001:db8::a.isakmp > 2001:db8::b.isakmp: isakmp: child_sa ikev2_auth[I]
19:44:59.484953 IP6 2001:db8::b.isakmp > 2001:db8::a.isakmp: isakmp: child_sa ikev2_auth[R]
19:45:00.196900 IP6 2001:db8::a > 2001:db8::b: ESP(spi=0xcc21c264,seq=0x1), ...
19:45:00.280492 IP6 2001:db8::b > 2001:db8::a: ESP(spi=0xc2779c7b,seq=0x1), ...
19:45:01.198069 IP6 2001:db8::a > 2001:db8::b: ESP(spi=0xcc21c264,seq=0x2), ...
19:45:01.202001 IP6 2001:db8::b > 2001:db8::a: ESP(spi=0xc2779c7b,seq=0x2), ...
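An added example, not part of the talk: a Python checker run over the two tcpdump excerpts the slides use as evidence (the manually keyed transport channel earlier in the talk and the Strongswan channel here) plus the ping output above, all embedded as constructed sample input copied from the slides. It counts ESP, IKE and plaintext packets per direction, flags any host pair where ESP goes one way while the reverse direction carried plaintext (the one-way channel of the manual example, which the Strongswan channel does not exhibit), and reports the echo requests lost while the on-demand IKEv2 negotiation completed (the Strongswan ping starts at icmp_seq=2). The function and constant names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed from the two tcpdump excerpts on the slides. The manual-keying
# slide printed no timestamps, the Strongswan slide did; both forms parse.
MANUAL_KEYING_CAPTURE = """\
IP6 2001:db8::a > 2001:db8::b: ESP(spi=0x00000001,seq=0x1), length 104
IP6 2001:db8::b > 2001:db8::a: ICMP6, echo reply, seq 1, length 64
IP6 2001:db8::a > 2001:db8::b: ESP(spi=0x00000001,seq=0x2), length 104
IP6 2001:db8::b > 2001:db8::a: ICMP6, echo reply, seq 2, length 64
"""

STRONGSWAN_CAPTURE = """\
19:44:59.334377 IP6 2001:db8::a.isakmp > 2001:db8::b.isakmp: isakmp: parent_sa ikev2_init[I]
19:44:59.375153 IP6 2001:db8::b.isakmp > 2001:db8::a.isakmp: isakmp: parent_sa ikev2_init[R]
19:44:59.478870 IP6 2001:db8::a.isakmp > 2001:db8::b.isakmp: isakmp: child_sa ikev2_auth[I]
19:44:59.484953 IP6 2001:db8::b.isakmp > 2001:db8::a.isakmp: isakmp: child_sa ikev2_auth[R]
19:45:00.196900 IP6 2001:db8::a > 2001:db8::b: ESP(spi=0xcc21c264,seq=0x1), ...
19:45:00.280492 IP6 2001:db8::b > 2001:db8::a: ESP(spi=0xc2779c7b,seq=0x1), ...
19:45:01.198069 IP6 2001:db8::a > 2001:db8::b: ESP(spi=0xcc21c264,seq=0x2), ...
19:45:01.202001 IP6 2001:db8::b > 2001:db8::a: ESP(spi=0xc2779c7b,seq=0x2), ...
"""

# Constructed from the ping output on the Strongswan slide: the first echo
# request was spent triggering the on-demand negotiation, so replies start at 2.
STRONGSWAN_PING = """\
PING 2001:db8::b (2001:db8::b) 56 data bytes
64 bytes from 2001:db8::b: icmp_seq=2 ttl=64 time=83.7 ms
64 bytes from 2001:db8::b: icmp_seq=3 ttl=64 time=4.08 ms
"""

PACKET_RE = re.compile(
    r"^(?:\d{2}:\d{2}:\d{2}\.\d+\s+)?IP6?\s+(\S+)\s+>\s+(\S+):\s+(.*)$")
SEQ_RE = re.compile(r"icmp_seq=(\d+)")
Counts = Dict[str, int]


def strip_port(endpoint: str) -> str:
    """Drop tcpdump's trailing '.port' or '.service'; IPv6 has no dots, IPv4 has three."""
    if ":" in endpoint and "." in endpoint:       # IPv6 address with a port suffix
        return endpoint.rsplit(".", 1)[0]
    if endpoint.count(".") == 4:                   # dotted quad with a port suffix
        return endpoint.rsplit(".", 1)[0]
    return endpoint


def classify(payload: str) -> str:
    if payload.startswith("ESP("):
        return "esp"
    if payload.startswith("isakmp"):               # IKE on udp/500, the control channel
        return "ike"
    return "plaintext"


def parse_capture(text: str) -> List[Tuple[str, str, str]]:
    """Return (src, dst, kind) per tcpdump line; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            src, dst, payload = m.groups()
            records.append((strip_port(src), strip_port(dst), classify(payload)))
    return records


def summarize(records: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str], Counts]:
    summary: Dict[Tuple[str, str], Counts] = defaultdict(
        lambda: {"esp": 0, "ike": 0, "plaintext": 0})
    for src, dst, kind in records:
        summary[(src, dst)][kind] += 1
    return dict(summary)


def one_way_protection(summary: Dict[Tuple[str, str], Counts]) -> List[Tuple[str, str]]:
    """Pairs (a, b) where a->b was ESP but b->a sent at least one plaintext packet."""
    empty: Counts = {"esp": 0, "ike": 0, "plaintext": 0}
    return [(a, b) for (a, b), c in summary.items()
            if c["esp"] > 0 and summary.get((b, a), empty)["plaintext"] > 0]


def lost_leading_echoes(ping_text: str) -> List[int]:
    """Sequence numbers below the first answered icmp_seq: requests lost during SA setup."""
    seqs = [int(s) for s in SEQ_RE.findall(ping_text)]
    return list(range(1, min(seqs))) if seqs else []


if __name__ == "__main__":
    for name, cap in (("manual keying", MANUAL_KEYING_CAPTURE),
                      ("strongswan", STRONGSWAN_CAPTURE)):
        print(name, one_way_protection(summarize(parse_capture(cap))))
    print("lost echoes:", lost_leading_echoes(STRONGSWAN_PING))
```

A plaintext reply flagged by one_way_protection means the peer has no outbound policy covering the return path; on a manually keyed host that is the missing reverse-channel commands, on an IKE-managed host a connection definition that covers only one direction.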
Road warrior: VPN server/concentrator
ipsec.conf
conn test
    auto=add
    type=transport
    left=%any
    right=2001:db8::b
    authby=psk
    mobike=no
Road warrior: VPN client
ipsec.conf
conn test
    auto=add
    type=transport
    left=%defaultroute
    leftid=@alpha.example.net
    right=2001:db8::b
    authby=psk
    mobike=no
Symmetric on-demand ESP tunnel
Mode: Tunnel
Encapsulation: IPv6 / ESP / IPv6
Routers: 2001:db8::a <-> 2001:db8::b
Networks: 2001:db8:a:a::/64 <-> 2001:db8:b:b::/64
You can use IPv4 addresses for routers and networks. Strongswan supports hybrid IPv4/IPv6 tunnels.
Symmetric on-demand ESP tunnel
ipsec.conf
conn test
    auto=route
    type=tunnel
    left=2001:db8::a
    leftsubnet=2001:db8:a:a::/64
    right=2001:db8::b
    rightsubnet=2001:db8:b:b::/64
    authby=psk
    mobike=no
http://data.pavlix.net/devconf2012/
Notes
Authentication
Please test Racoon2 and Strongswan!
Questions?
http://data.pavlix.net/devconf2012/