Advice About IPSec Lab Scenarios

Host-to-host IPSec is rarely used anymore, and the same is true for manual IPSec keying and manual SA setup. IKE dominates the picture, with X.509v3 certificate integration gaining acceptance rapidly. The most widespread IPSec deployments are gateway-to-gateway and road-warrior-to-gateway configurations; the road warrior (PDA, notebook) needs VPN client software.

Because Openswan and native kernel IPSec for 2.6 kernels are rapidly approaching their final stage of consolidation, we will wait until the dust settles and focus on FreeBSD and OpenBSD IKE here. Dynamically negotiated IPSec requires two things: configuration of the IKE daemons, and a policy that defines which traffic qualifies and therefore triggers SA establishment (for example, network to network via tunnel mode).

Lab 11-8: An IPSec with IKE (racoon/isakmpd) Scenario (Gateway-to-Gateway Tunnel Mode)

This lab requires the gif tunnel setup discussed earlier on the FreeBSD side. Example 11-17 demonstrates the setup and output of the IPSec gateway ganymed (OpenBSD), and Example 11-18 shows the configuration of the IPSec peer castor (FreeBSD). FreeBSD keeps the IPSec policy in a dedicated configuration file (/etc/ipsec.conf) separate from the racoon configuration, whereas OpenBSD isakmpd contains everything in a single configuration file. Tunnel operation is verified via extended pings (with an explicit source address) from castor and callisto, in combination with sniffer traces on the outer interface (ne4) and the enc0 pseudo-interface. The lines reporting SA establishment (the two unidirectional SAs in /kern/ipsec and the "IPsec-SA established" messages in the racoon log) are the ones that confirm success.

Example 11-17. OpenBSD IPSec with ISAKMPD and Preshared Key

[root@ganymed:/etc/isakmpd#] cat isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:cisco"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "3des" &&
            esp_auth_alg == "hmac-md5" -> "true";

[root@ganymed:/etc/isakmpd#] cat isakmpd.conf
#
# A configuration sample VPN for the isakmpd ISAKMP/Oakley (a.k.a. IKE) daemon.
# "ganymed" and "castor" are the respective security gateways (a.k.a. VPN nodes).
#
[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=              192.168.2.254

[Phase 1]
192.168.2.7=            ISAKMP-peer-castor

[Phase 2]
Connections=            IPsec-ganymed-castor

[ISAKMP-peer-castor]
Phase=                  1
Transport=              udp
Local-address=          192.168.2.254
Address=                192.168.2.7
Authentication=         cisco
Configuration=          Default-main-mode

[IPsec-ganymed-castor]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-castor
Configuration=          Default-quick-mode
Local-ID=               Net-ganymed
Remote-ID=              Net-castor

[Net-ganymed]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.45.0
Netmask=                255.255.255.0

[Net-castor]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.7.0
Netmask=                255.255.255.0

[Default-main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5-GRP2

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-PFS-GRP2-SUITE

### Proof of the two uni-directional SAs ###

[root@ganymed:~#] cat /kern/ipsec
Hashmask: 31, policy entries: 2
SPI = 0ea713d5, Destination = 192.168.2.7, Sproto = 50
        Established 416 seconds ago
        Source = 192.168.2.254
        Flags (00011082) = <tunneling,usedtunnel>
        Crypto ID: 1
        xform = <IPsec ESP>
                Encryption = <3DES>
                Authentication = <HMAC-MD5>
        3528 bytes processed by this SA
        Last used 378 seconds ago
        Expirations:
                Hard expiration(1) in 784 seconds
                Soft expiration(1) in 664 seconds

SPI = b6297e4e, Destination = 192.168.2.254, Sproto = 50
        Established 416 seconds ago
        Source = 192.168.2.7
        Flags (00001082) = <tunneling>
        Crypto ID: 2
        xform = <IPsec ESP>
                Encryption = <3DES>
                Authentication = <HMAC-MD5>
        3696 bytes processed by this SA
        Last used 378 seconds ago
        Expirations:
                Hard expiration(1) in 784 seconds
                Soft expiration(1) in 664 seconds

### The encap routing situation as derived from the VPN policy setup (isakmpd.policy) ###

[root@ganymed:~#] netstat -f encap -rn
Routing tables

Encap:
Source          Port  Destination     Port  Proto SA(Address/Proto/Type/Direction)
192.168.7/24    0     192.168.45/24   0     0     192.168.2.7/50/use/in
192.168.45/24   0     192.168.7/24    0     0     192.168.2.7/50/require/out

### Detailed Protocol Statistics for ESP/AH ###

[root@ganymed:~#] netstat -p esp
esp:
        42 input ESP packets
        42 output ESP packets
        0 packets from unsupported protocol families
        0 packets shorter than header shows
        0 packets dropped due to policy
        0 packets for which no TDB was found
        0 input packets that failed to be processed
        0 packets with bad encryption received
        0 packets that failed verification received
        0 packets for which no XFORM was set in TDB received
        0 packets were dropped due to full output queue
        0 packets where counter wrapping was detected
        0 possibly replayed packets received
        0 packets with bad payload size or padding received
        0 packets attempted to use an invalid tdb
        0 packets got larger than max IP packet size
        0 packets that failed crypto processing
        3696 input bytes
        3528 output bytes

[root@ganymed:~#] netstat -p ah
ah:
        0 input AH packets
        0 output AH packets
        0 packets from unsupported protocol families
        0 packets shorter than header shows
        0 packets dropped due to policy
        0 packets for which no TDB was found
        0 input packets that failed to be processed
        0 packets that failed verification received
        0 packets for which no XFORM was set in TDB received
        0 packets were dropped due to full output queue
        0 packets where counter wrapping was detected
        0 possibly replayed packets received
        0 packets with bad authenticator length received
        0 packets attempted to use an invalid tdb
        0 packets got larger than max IP packet size
        0 packets that failed crypto processing
        0 input bytes
        0 output bytes

### And the sniffer traces to prove that we are really encrypting ###

[root@castor:~#] ping -S 192.168.7.7 192.168.45.1
PING 192.168.45.1 (192.168.45.1) from 192.168.7.7: 56 data bytes
64 bytes from 192.168.45.1: icmp_seq=0 ttl=63 time=2.412 ms
64 bytes from 192.168.45.1: icmp_seq=1 ttl=63 time=2.382 ms
64 bytes from 192.168.45.1: icmp_seq=2 ttl=63 time=2.320 ms
^C
--- 192.168.45.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.320/2.371/2.412/0.038 ms

[root@callisto:~#] ping -I 192.168.45.1 192.168.7.7
PING 192.168.7.7 (192.168.7.7) from 192.168.45.1 : 56(84) bytes of data.
64 bytes from 192.168.7.7: icmp_seq=1 ttl=63 time=3.84 ms
64 bytes from 192.168.7.7: icmp_seq=2 ttl=63 time=2.64 ms
64 bytes from 192.168.7.7: icmp_seq=3 ttl=63 time=2.51 ms

--- 192.168.7.7 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2018ms
rtt min/avg/max/mdev = 2.515/3.002/3.846/0.600 ms

[root@ganymed:~#] tethereal -i ne4
Capturing on ne4
  0.000000 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)
  0.001213 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
  0.272924 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
  0.273586 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)
  1.001848 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)
  1.003015 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
  1.282909 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
  1.283591 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)

[root@ganymed:~#] tethereal -i enc0
Capturing on enc0
  0.000000              ->              UNKNOWN WTAP_ENCAP = 0
  0.001566              ->              UNKNOWN WTAP_ENCAP = 0
  0.668721              ->              UNKNOWN WTAP_ENCAP = 0
  0.669053              ->              UNKNOWN WTAP_ENCAP = 0
  1.009968              ->              UNKNOWN WTAP_ENCAP = 0
  1.011561              ->              UNKNOWN WTAP_ENCAP = 0
  1.670448              ->              UNKNOWN WTAP_ENCAP = 0
  1.670744              ->              UNKNOWN WTAP_ENCAP = 0

Example 11-18. FreeBSD IPSec with racoon and Preshared Key

### gif tunnel setup for routing ###

[root@castor:~#] gifconfig gif0 192.168.2.7 192.168.2.254

[root@castor:~#] ifconfig gif0 inet 192.168.7.7 netmask 255.255.255.0 192.168.45.254 netmask 255.255.255.0

[root@castor:~#] gifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet6 fe80::210:5aff:fec4:2c04%gif0  prefixlen 64
        inet 192.168.7.7 --> 192.168.45.254 netmask 0xffffff00
        physical address inet 192.168.2.7 --> 192.168.2.254

[root@castor:~#] netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.254      UGSc        3      121    xl0
10.0.0.4           10.0.0.4           UH          0        0    lo0
127.0.0.1          127.0.0.1          UH          1       32    lo0
192.168.2          link#1             UC          2        0    xl0
192.168.2.7        00:10:5a:c4:2c:04  UHLW        3        4    lo0
192.168.2.254      52:54:05:e3:e4:2f  UHLW        5      446    xl0    402
192.168.7          link#2             UC          0        0    ed0
192.168.45.254     192.168.7.7        UH          0        0   gif0
192.168.80         link#15            UC          0        0  vlan8

### IPsec configurations ###

[root@castor:~#] cat /etc/ipsec.conf
spdadd 192.168.7.0/24 192.168.45.0/24 any -P out ipsec
esp/tunnel/192.168.2.7-192.168.2.254/require;
spdadd 192.168.45.0/24 192.168.7.0/24 any -P in ipsec
esp/tunnel/192.168.2.254-192.168.2.7/require;

[root@castor:~#] cat /usr/local/etc/racoon/psk.txt
# IPv4/v6 addresses
192.168.2.254   cisco

[root@castor:~#] cat /usr/local/etc/racoon/racoon.conf

path include "/usr/local/etc/racoon" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify," "debug,"
# or "debug2."
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        isakmp 192.168.2.7 [500];
        #admin [7002];          # administrative port by kmpstat.
        strict_address;         # all addresses must be bound.
}

# Specification of various default timers.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

### gateway-to-gateway ###

remote 192.168.2.254
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address 192.168.2.7;
        peers_identifier address 192.168.2.254;

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo address 192.168.2.7 any address 192.168.2.254 any
{
        pfs_group 2 ;
        lifetime time 30 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

[root@castor:~#] cat /var/log/racoon
2004-04-04 13:44:36: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-04-04 13:44:36: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2004-04-04 13:44:36: INFO: isakmp.c:1358:isakmp_open(): 192.168.2.7[500] used as isakmp port (fd=5)
2004-04-04 13:44:51: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.2.7[500]<=>192.168.2.254[500]
2004-04-04 13:44:51: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-04-04 13:44:51: WARNING: isakmp_inf.c:1281:isakmp_check_notify(): ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
2004-04-04 13:44:51: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched.
2004-04-04 13:44:51: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192.168.2.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8:d25809b27e1f5e75
2004-04-04 13:44:52: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.2.7[0]<=>192.168.2.254[0]
2004-04-04 13:44:52: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.2.254->192.168.2.7 spi=245830613(0xea713d5)
2004-04-04 13:44:52: INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.2.7->192.168.2.254 spi=3056172622(0xb6297e4e)
2004-04-04 13:45:51: INFO: isakmp.c:1516:isakmp_ph1expire(): ISAKMP-SA expired 192.168.2.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8:d25809b27e1f5e75
2004-04-04 13:45:52: INFO: isakmp.c:1564:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.2.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8:d25809b27e1f5e75
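As an added cross-check that is not part of the original lab, the following Python script parses a /kern/ipsec dump from ganymed and the racoon log from castor (both embedded as constructed samples trimmed from the outputs above) and verifies that the two gateways agree on the tunnel: exactly one SA per direction between the peers, ESP with the 3DES/HMAC-MD5 that isakmpd.policy demands, and the same SPI on both sides (0ea713d5 and b6297e4e, shown in hex by the kernel and as decimal(hex) by racoon). The function and variable names are assumptions of this example, not part of racoon or isakmpd.

```python
import re
# Constructed samples with the values from the lab: a trimmed /kern/ipsec dump from
# ganymed and the two "IPsec-SA established" lines racoon logged on castor.
KERN_IPSEC = """\
SPI = 0ea713d5, Destination = 192.168.2.7, Sproto = 50
        Source = 192.168.2.254
        xform = <IPsec ESP>
                Encryption = <3DES>
                Authentication = <HMAC-MD5>

SPI = b6297e4e, Destination = 192.168.2.254, Sproto = 50
        Source = 192.168.2.7
        xform = <IPsec ESP>
                Encryption = <3DES>
                Authentication = <HMAC-MD5>
"""
RACOON_LOG = """\
INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.2.254->192.168.2.7 spi=245830613(0xea713d5)
INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.2.7->192.168.2.254 spi=3056172622(0xb6297e4e)
"""

def parse_kern_ipsec(text):
    """One dict per SA block of /kern/ipsec: spi (int), src, dst, proto, enc, auth."""
    sas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = re.search(r"SPI = ([0-9a-f]+), Destination = ([\d.]+), Sproto = (\d+)", block)
        if m:  # the kernel prints one block per SA; the remaining fields follow the SPI line
            sas.append({"spi": int(m[1], 16), "dst": m[2], "proto": int(m[3]),
                        "src": re.search(r"Source = ([\d.]+)", block)[1],
                        "enc": re.search(r"Encryption = <([^>]+)>", block)[1],
                        "auth": re.search(r"Authentication = <([^>]+)>", block)[1]})
    return sas

def parse_racoon_log(text):
    """Set of (src, dst, spi) for every IPsec-SA racoon reported as established."""
    pat = r"IPsec-SA established: ESP/Tunnel ([\d.]+)->([\d.]+) spi=\d+\((0x[0-9a-f]+)\)"
    return {(s, d, int(spi, 16)) for s, d, spi in re.findall(pat, text)}

def check_tunnel(sas, peer_log, gw_a, gw_b, enc="3DES", auth="HMAC-MD5"):
    """Problems found; empty list = one ESP SA per direction, policy algorithms, SPIs agree."""
    problems = []
    if {(sa["src"], sa["dst"]) for sa in sas} != {(gw_a, gw_b), (gw_b, gw_a)}:
        problems.append("expected exactly one SA in each direction between the gateways")
    for sa in sas:
        tag = f"SPI {sa['spi']:08x}"
        if sa["proto"] != 50 or (sa["enc"], sa["auth"]) != (enc, auth):
            problems.append(f"{tag}: {sa['enc']}/{sa['auth']} proto {sa['proto']} violates policy")
        if (sa["src"], sa["dst"], sa["spi"]) not in peer_log:
            problems.append(f"{tag}: peer never reported this SA as established")
    return problems
```

Because racoon.conf sets a 30-second phase 2 lifetime, the SAs rekey often (the ne4 trace already shows different SPIs than /kern/ipsec), so feed the check outputs collected at the same moment on both gateways.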