Because OpenSWAN and native kernel IPSec for 2.6 kernels are rapidly approaching their final stage of consolidation, we will wait until the dust settles and focus on FreeBSD and OpenBSD IKE here. Dynamically negotiated IPSec requires configuration of the IKE daemons and a policy that defines the qualified traffic that triggers SA establishment (for example, network to network via tunnel mode).
Lab 11-8: An IPSec with IKE (racoon/isakmpd) Scenario (Gateway-to-Gateway Tunnel Mode)
This lab requires the gif tunnel setup discussed earlier on the FreeBSD side. Example 11-17 demonstrates the setup and output of the IPSec gateway ganymed (OpenBSD), and Example 11-18 shows the configuration of the IPSec peer castor (FreeBSD). FreeBSD has a dedicated configuration file for the IPSec policy, and OpenBSD isakmpd contains everything in a single configuration file. The tunnel operation is verified via extended pings from castor and callisto in combination with sniffer traces. The highlighted text emphasizes successful SA establishment. Note that the preshared key ("cisco") and the 3DES/HMAC-MD5 transforms configured on both peers are lab demonstration values, chosen so that the two daemons' proposals match.
Example 11-17. OpenBSD IPSec with ISAKMPD and Preshared Key
[root@ganymed:/etc/isakmpd#] cat isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:cisco"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "3des" &&
esp_auth_alg == "hmac-md5" -> "true";
[root@ganymed:/etc/isakmpd#] cat isakmpd.conf
#
# A configuration sample VPN for the isakmpd ISAKMP/Oakley (a.k.a. IKE) daemon.
# "ganymed" and "castor" are the respective security gateways (a.k.a. VPN nodes).
#
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 192.168.2.254
[Phase 1]
192.168.2.7= ISAKMP-peer-castor
[Phase 2]
Connections= IPsec-ganymed-castor
[ISAKMP-peer-castor]
Phase= 1
Transport= udp
Local-address= 192.168.2.254
Address= 192.168.2.7
Authentication= cisco
Configuration= Default-main-mode
[IPsec-ganymed-castor]
Phase= 2
ISAKMP-peer= ISAKMP-peer-castor
Configuration= Default-quick-mode
Local-ID= Net-ganymed
Remote-ID= Net-castor
[Net-ganymed]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.45.0
Netmask= 255.255.255.0
[Net-castor]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.7.0
Netmask= 255.255.255.0
[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5-GRP2
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-PFS-GRP2-SUITE
### Proof of the two uni-directional SAs ###
[root@ganymed:~#] cat /kern/ipsec
Hashmask: 31, policy entries: 2
SPI = 0ea713d5, Destination = 192.168.2.7, Sproto = 50
Established 416 seconds ago
Source = 192.168.2.254
Flags (00011082) =
Crypto ID: 1
xform =
Encryption = <3DES>
Authentication =
3528 bytes processed by this SA
Last used 378 seconds ago
Expirations:
Hard expiration(1) in 784 seconds
Soft expiration(1) in 664 seconds
SPI = b6297e4e, Destination = 192.168.2.254, Sproto = 50
Established 416 seconds ago
Source = 192.168.2.7
Flags (00001082) =
Crypto ID: 2
xform =
Encryption = <3DES>
Authentication =
3696 bytes processed by this SA
Last used 378 seconds ago
Expirations:
Hard expiration(1) in 784 seconds
Soft expiration(1) in 664 seconds
### The encap routing situation as derived from the VPN policy setup (isakmpd.policy) ###
[root@ganymed:~#] netstat -f encap -rn
Routing tables
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.7/24 0 192.168.45/24 0 0 192.168.2.7/50/use/in
192.168.45/24 0 192.168.7/24 0 0 192.168.2.7/50/require/out
### Detailed Protocol Statistics for ESP/AH ###
[root@ganymed:~#] netstat -p esp
esp:
42 input ESP packets
42 output ESP packets
0 packets from unsupported protocol families
0 packets shorter than header shows
0 packets dropped due to policy
0 packets for which no TDB was found
0 input packets that failed to be processed
0 packets with bad encryption received
0 packets that failed verification received
0 packets for which no XFORM was set in TDB received
0 packets were dropped due to full output queue
0 packets where counter wrapping was detected
0 possibly replayed packets received
0 packets with bad payload size or padding received
0 packets attempted to use an invalid tdb
0 packets got larger than max IP packet size
0 packets that failed crypto processing
3696 input bytes
3528 output bytes
[root@ganymed:~#] netstat -p ah
ah:
0 input AH packets
0 output AH packets
0 packets from unsupported protocol families
0 packets shorter than header shows
0 packets dropped due to policy
0 packets for which no TDB was found
0 input packets that failed to be processed
0 packets that failed verification received
0 packets for which no XFORM was set in TDB received
0 packets were dropped due to full output queue
0 packets where counter wrapping was detected
0 possibly replayed packets received
0 packets with bad authenticator length received
0 packets attempted to use an invalid tdb
0 packets got larger than max IP packet size
0 packets that failed crypto processing
0 input bytes
0 output bytes
### And the sniffer traces to prove that we are really encrypting ###
[root@castor:~#] ping -S 192.168.7.7 192.168.45.1
PING 192.168.45.1 (192.168.45.1) from 192.168.7.7: 56 data bytes
64 bytes from 192.168.45.1: icmp_seq=0 ttl=63 time=2.412 ms
64 bytes from 192.168.45.1: icmp_seq=1 ttl=63 time=2.382 ms
64 bytes from 192.168.45.1: icmp_seq=2 ttl=63 time=2.320 ms
^C
--- 192.168.45.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.320/2.371/2.412/0.038 ms
[root@callisto:~#] ping -I 192.168.45.1 192.168.7.7
PING 192.168.7.7 (192.168.7.7) from 192.168.45.1 : 56(84) bytes of data.
64 bytes from 192.168.7.7: icmp_seq=1 ttl=63 time=3.84 ms
64 bytes from 192.168.7.7: icmp_seq=2 ttl=63 time=2.64 ms
64 bytes from 192.168.7.7: icmp_seq=3 ttl=63 time=2.51 ms
--- 192.168.7.7 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2018ms
rtt min/avg/max/mdev = 2.515/3.002/3.846/0.600 ms
[root@ganymed:~#] tethereal -i ne4
Capturing on ne4
0.000000 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)
0.001213 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
0.272924 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
0.273586 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)
1.001848 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)
1.003015 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
1.282909 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)
1.283591 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)
[root@ganymed:~#] tethereal -i enc0
Capturing on enc0
0.000000 -> UNKNOWN WTAP_ENCAP = 0
0.001566 -> UNKNOWN WTAP_ENCAP = 0
0.668721 -> UNKNOWN WTAP_ENCAP = 0
0.669053 -> UNKNOWN WTAP_ENCAP = 0
1.009968 -> UNKNOWN WTAP_ENCAP = 0
1.011561 -> UNKNOWN WTAP_ENCAP = 0
1.670448 -> UNKNOWN WTAP_ENCAP = 0
1.670744 -> UNKNOWN WTAP_ENCAP = 0
Example 11-18. FreeBSD IPSec with racoon and Preshared Key
### gif tunnel setup for routing ###
[root@castor:~#] gifconfig gif0 192.168.2.7 192.168.2.254
[root@castor:~#] ifconfig gif0 inet 192.168.7.7 netmask 255.255.255.0 192.168.45.254 netmask 255.255.255.0
[root@castor:~#] gifconfig gif0
[gif0: flags=8051
inet6 fe80::210:5aff:fec4:2c04%gif0 prefixlen 64
inet 192.168.7.7 --> 192.168.45.254 netmask 0xffffff00
physical address inet 192.168.2.7 --> 192.168.2.254
[root@castor:~#] netstat -rn -f inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.2.254 UGSc 3 121 xl0
10.0.0.4 10.0.0.4 UH 0 0 lo0
127.0.0.1 127.0.0.1 UH 1 32 lo0
192.168.2 link#1 UC 2 0 xl0
192.168.2.7 00:10:5a:c4:2c:04 UHLW 3 4 lo0
192.168.2.254 52:54:05:e3:e4:2f UHLW 5 446 xl0 402
192.168.7 link#2 UC 0 0 ed0
192.168.45.254 192.168.7.7 UH 0 0 gif0
192.168.80 link#15 UC 0 0 vlan8
### IPsec configurations ###
[root@castor:~#] cat /etc/ipsec.conf
spdadd 192.168.7.0/24 192.168.45.0/24 any -P out ipsec
esp/tunnel/192.168.2.7-192.168.2.254/require;
spdadd 192.168.45.0/24 192.168.7.0/24 any -P in ipsec
esp/tunnel/192.168.2.254-192.168.2.7/require;
[root@castor:~#] cat /usr/local/etc/racoon/psk.txt
# IPv4/v6 addresses
192.168.2.254 cisco
[root@castor:~#] cat /usr/local/etc/racoon/racoon.conf
path include "/usr/local/etc/racoon" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;
# "log" specifies logging level. It is followed by either "notify," "debug,"
# or "debug2."
#log debug;
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
isakmp 192.168.2.7 [500];
#admin [7002]; # administrative port by kmpstat.
strict_address; # all addresses must be bound.
}
# Specification of various default timers.
timer
{
# These values can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
### gateway-to-gateway ###
remote 192.168.2.254
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 192.168.2.7;
peers_identifier address 192.168.2.254;
nonce_size 16;
lifetime time 1 min; # sec,min,hour
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo address 192.168.2.7 any address 192.168.2.254 any
{
pfs_group 2 ;
lifetime time 30 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
[root@castor:~#] cat /var/log/racoon
2004-04-04 13:44:36: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-04-04 13:44:36: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30
Sep 2003 (http://www.openssl.org/)
2004-04-04 13:44:36: INFO: isakmp.c:1358:isakmp_open(): 192.168.2.7[500] used as isakmp
port (fd=5)
2004-04-04 13:44:51: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1
negotiation: 192.168.2.7[500]<=>192.168.2.254[500]
2004-04-04 13:44:51: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-04-04 13:44:51: WARNING: isakmp_inf.c:1281:isakmp_check_notify(): ignore
INITIAL-CONTACT notification, because it is only accepted after phase1.
2004-04-04 13:44:51: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched.
2004-04-04 13:44:51: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192
.168.2.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8
:d25809b27e1f5e75
2004-04-04 13:44:52: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2
negotiation: 192.168.2.7[0]<=>192.168.2.254[0]
2004-04-04 13:44:52: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel
192.168.2.254->192.168.2.7 spi=245830613(0xea713d5)
2004-04-04 13:44:52: INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192
.168.2.7->192.168.2.254 spi=3056172622(0xb6297e4e)
2004-04-04 13:45:51: INFO: isakmp.c:1516:isakmp_ph1expire(): ISAKMP-SA expired 192.168.2
.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8:d2580
9b27e1f5e75
2004-04-04 13:45:52: INFO: isakmp.c:1564:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.2
.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8:d2580
9b27e1f5e75