News Update :

Advice About IPSec Lab Scenarios

Host-to-host security hardly is used anymore today, and the same is true for manual IPSec keying and manual SA setup. IKE dominates the picture with rapid acceptance of X.509v3 certificate integration. The most widespread deployments of IPSec feature gateway-to-gateway and road-warrior-to-gateway configurations. VPN client software is required on the road warrior (PDA, notebook).

Because OpenSWAN and native kernel IPSec for 2.6 kernels is rapidly approaching its final stage of consolidation, we will wait until the dust settles and focus on FreeBSD and OpenBSD IKE here. Dynamically negotiated IPSec requires configuration of the IKE daemons and a policy that defines qualified traffic that triggers SA establishment (for example, network to network via tunnel mode).

Lab 11-8: An IPSec with IKE (racoon/isakmpd) Scenario (Gateway-to-Gateway Tunnel Mode)
In this lab, we require the discussed gif tunnel setup on the FreeBSD side. Example 11-17 demonstrates the setup and output of the IPSec gateway ganymed (OpenBSD), and Example 11-18 shows the configuration of the IPSec peer castor (FreeBSD). FreeBSD has a dedicated configuration file for the IPSec policy, and OpenBSD isakmpd contains everything in a single configuration file. The tunnel operation is verified via extended pings from castor and callisto in combination with sniffer traces. The highlighted text emphasizes successful SA establishment.

Example 11-17. OpenBSD IPSec with ISAKMPD and Preshared Key

[root@ganymed:/etc/isakmpd#] cat isakmpd.policy

KeyNote-Version: 2

Authorizer: "POLICY"

Licensees: "passphrase:cisco"

Conditions: app_domain == "IPsec policy" &&

esp_present == "yes" &&

esp_enc_alg == "3des" &&

esp_auth_alg == "hmac-md5" -> "true";



[root@ganymed:/etc/isakmpd#] cat isakmpd.conf

#

# A configuration sample VPN for the isakmpd ISAKMP/Oakley (a.k.a. IKE) daemon.

# "ganymed" and "castor" are the respective security gateways (a.k.a. VPN nodes).

#

[General]

Retransmits= 5

Exchange-max-time= 120

Listen-on= 192.168.2.254



[Phase 1]

192.168.2.7= ISAKMP-peer-castor



[Phase 2]

Connections= IPsec-ganymed-castor



[ISAKMP-peer-castor]

Phase= 1

Transport= udp

Local-address= 192.168.2.254

Address= 192.168.2.7

Authentication= cisco

Configuration= Default-main-mode



[IPsec-ganymed-castor]

Phase= 2

ISAKMP-peer= ISAKMP-peer-castor

Configuration= Default-quick-mode

Local-ID= Net-ganymed

Remote-ID= Net-castor



[Net-ganymed]

ID-type= IPV4_ADDR_SUBNET

Network= 192.168.45.0

Netmask= 255.255.255.0



[Net-castor]

ID-type= IPV4_ADDR_SUBNET

Network= 192.168.7.0

Netmask= 255.255.255.0



[Default-main-mode]

EXCHANGE_TYPE= ID_PROT

Transforms= 3DES-MD5-GRP2



[Default-quick-mode]

DOI= IPSEC

EXCHANGE_TYPE= QUICK_MODE

Suites= QM-ESP-3DES-MD5-PFS-GRP2-SUITE



### Proof of the two uni-directional SAs ###



[root@ganymed:~#] cat /kern/ipsec

Hashmask: 31, policy entries: 2

SPI = 0ea713d5, Destination = 192.168.2.7, Sproto = 50

Established 416 seconds ago

Source = 192.168.2.254

Flags (00011082) =

Crypto ID: 1

xform =

Encryption = <3DES>

Authentication =

3528 bytes processed by this SA

Last used 378 seconds ago

Expirations:

Hard expiration(1) in 784 seconds

Soft expiration(1) in 664 seconds



SPI = b6297e4e, Destination = 192.168.2.254, Sproto = 50

Established 416 seconds ago

Source = 192.168.2.7

Flags (00001082) =

Crypto ID: 2

xform =

Encryption = <3DES>

Authentication =

3696 bytes processed by this SA

Last used 378 seconds ago

Expirations:

Hard expiration(1) in 784 seconds

Soft expiration(1) in 664 seconds



### The encap routing situation as derived from the VPN policy setup

(isakmpd.policy) ###



[root@ganymed:~#] netstat -f encap -rn

Routing tables



Encap:

Source Port Destination Port Proto SA(Address/Proto/Type/Direction)

192.168.7/24 0 192.168.45/24 0 0 192.168.2.7/50/use/in

192.168.45/24 0 192.168.7/24 0 0 192.168.2.7/50/require/out



### Detailed Protocol Statistics for ESP/AH ###



[root@ganymed:~#] netstat -p esp

esp:

42 input ESP packets

42 output ESP packets

0 packets from unsupported protocol families

0 packets shorter than header shows

0 packets dropped due to policy

0 packets for which no TDB was found

0 input packets that failed to be processed

0 packets with bad encryption received

0 packets that failed verification received

0 packets for which no XFORM was set in TDB received

0 packets were dropped due to full output queue

0 packets where counter wrapping was detected

0 possibly replayed packets received

0 packets with bad payload size or padding received

0 packets attempted to use an invalid tdb

0 packets got larger than max IP packet size

0 packets that failed crypto processing

3696 input bytes

3528 output bytes



[root@ganymed:~#] netstat -p ah

ah:

0 input AH packets

0 output AH packets

0 packets from unsupported protocol families

0 packets shorter than header shows

0 packets dropped due to policy

0 packets for which no TDB was found

0 input packets that failed to be processed

0 packets that failed verification received

0 packets for which no XFORM was set in TDB received

0 packets were dropped due to full output queue

0 packets where counter wrapping was detected

0 possibly replayed packets received

0 packets with bad authenticator length received

0 packets attempted to use an invalid tdb

0 packets got larger than max IP packet size

0 packets that failed crypto processing

0 input bytes

0 output bytes



### And the sniffer traces to prove that we are really encrypting ###



[root@castor:~#] ping -S 192.168.7.7 192.168.45.1

PING 192.168.45.1 (192.168.45.1) from 192.168.7.7: 56 data bytes

64 bytes from 192.168.45.1: icmp_seq=0 ttl=63 time=2.412 ms

64 bytes from 192.168.45.1: icmp_seq=1 ttl=63 time=2.382 ms

64 bytes from 192.168.45.1: icmp_seq=2 ttl=63 time=2.320 ms

^C

--- 192.168.45.1 ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss

round-trip min/avg/max/stddev = 2.320/2.371/2.412/0.038 ms



[root@callisto:~#] ping -I 192.168.45.1 192.168.7.7

PING 192.168.7.7 (192.168.7.7) from 192.168.45.1 : 56(84) bytes of data.

64 bytes from 192.168.7.7: icmp_seq=1 ttl=63 time=3.84 ms

64 bytes from 192.168.7.7: icmp_seq=2 ttl=63 time=2.64 ms

64 bytes from 192.168.7.7: icmp_seq=3 ttl=63 time=2.51 ms



--- 192.168.7.7 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2018ms

rtt min/avg/max/mdev = 2.515/3.002/3.846/0.600 ms



[root@ganymed:~#] tethereal -i ne4

Capturing on ne4

0.000000 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)

0.001213 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)

0.272924 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)

0.273586 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)

1.001848 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)

1.003015 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)

1.282909 192.168.2.254 -> castor.nerdzone.org ESP ESP (SPI=0x01a960cc)

1.283591 castor.nerdzone.org -> 192.168.2.254 ESP ESP (SPI=0x2b76d234)



[root@ganymed:~#] tethereal -i enc0

Capturing on enc0

0.000000 -> UNKNOWN WTAP_ENCAP = 0

0.001566 -> UNKNOWN WTAP_ENCAP = 0

0.668721 -> UNKNOWN WTAP_ENCAP = 0

0.669053 -> UNKNOWN WTAP_ENCAP = 0

1.009968 -> UNKNOWN WTAP_ENCAP = 0

1.011561 -> UNKNOWN WTAP_ENCAP = 0

1.670448 -> UNKNOWN WTAP_ENCAP = 0

1.670744 -> UNKNOWN WTAP_ENCAP = 0




Example 11-18. FreeBSD IPSec with racoon and Preshared Key

### gif tunnel setup for routing ###



[root@castor:~#] gifconfig gif0 192.168.2.7 192.168.2.254



[root@castor:~#] ifconfig gif0 inet 192.168.7.7 netmask 255.255.255.0 192.168.45.254

netmask 255.255.255.0



[root@castor:~#] gifconfig gif0

[gif0: flags=8051 mtu 1280

inet6 fe80::210:5aff:fec4:2c04%gif0 prefixlen 64

inet 192.168.7.7 --> 192.168.45.254 netmask 0xffffff00

physical address inet 192.168.2.7 --> 192.168.2.254



[root@castor:~#] netstat -rn -f inet

Routing tables



Internet:

Destination Gateway Flags Refs Use Netif Expire

default 192.168.2.254 UGSc 3 121 xl0

10.0.0.4 10.0.0.4 UH 0 0 lo0

127.0.0.1 127.0.0.1 UH 1 32 lo0

192.168.2 link#1 UC 2 0 xl0

192.168.2.7 00:10:5a:c4:2c:04 UHLW 3 4 lo0

192.168.2.254 52:54:05:e3:e4:2f UHLW 5 446 xl0 402

192.168.7 link#2 UC 0 0 ed0

192.168.45.254 192.168.7.7 UH 0 0 gif0

192.168.80 link#15 UC 0 0 vlan8



### IPsec configurations ###



[root@castor:~#] cat /etc/ipsec.conf

spdadd 192.168.7.0/24 192.168.45.0/24 any -P out ipsec

esp/tunnel/192.168.2.7-192.168.2.254/require;

spdadd 192.168.45.0/24 192.168.7.0/24 any -P in ipsec

esp/tunnel/192.168.2.254-192.168.2.7/require;



[root@castor:~#] cat /usr/local/etc/racoon/psk.txt

# IPv4/v6 addresses

192.168.2.254 cisco



[root@castor:~#] cat /usr/local/etc/racoon/racoon.conf



path include "/usr/local/etc/racoon" ;



# search this file for pre_shared_key with various ID key.

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;



# racoon will look for certificate file in the directory,

# if the certificate/certificate request payload is received.

path certificate "/usr/local/etc/cert" ;



# "log" specifies logging level. It is followed by either "notify," "debug,"

# or "debug2."

#log debug;



# "padding" defines some parameter of padding. You should not touch these.

padding

{

maximum_length 20; # maximum padding length.

randomize off; # enable randomize length.

strict_check off; # enable strict check.

exclusive_tail off; # extract last one octet.

}



# if no listen directive is specified, racoon will listen to all

# available interface addresses.

listen

{

isakmp 192.168.2.7 [500];

#admin [7002]; # administrative port by kmpstat.

strict_address; # all addresses must be bound.

}



# Specification of various default timers.

timer

{

# These value can be changed per remote node.

counter 5; # maximum trying count to send.

interval 20 sec; # maximum interval to resend.

persend 1; # the number of packets per a send.



# timer for waiting to complete each phase.

phase1 30 sec;

phase2 15 sec;

}



### gateway-to-gateway ###



remote 192.168.2.254

{

exchange_mode main,aggressive;

doi ipsec_doi;

situation identity_only;



my_identifier address 192.168.2.7;

peers_identifier address 192.168.2.254;



nonce_size 16;

lifetime time 1 min; # sec,min,hour



proposal {

encryption_algorithm 3des;

hash_algorithm md5;

authentication_method pre_shared_key ;

dh_group 2 ;

}

}



sainfo address 192.168.2.7 any address 192.168.2.254 any

{

pfs_group 2 ;

lifetime time 30 sec;

encryption_algorithm 3des ;

authentication_algorithm hmac_md5;

compression_algorithm deflate ;

}



[root@castor:~#] cat /var/log/racoon

2004-04-04 13:44:36: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net

2004-04-04 13:44:36: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30

Sep 2003 (http://www.openssl.org/)

2004-04-04 13:44:36: INFO: isakmp.c:1358:isakmp_open(): 192.168.2.7[500] used as isakmp

port (fd=5)

2004-04-04 13:44:51: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1

negotiation: 192.168.2.7[500]<=>192.168.2.254[500]

2004-04-04 13:44:51: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.

2004-04-04 13:44:51: WARNING: isakmp_inf.c:1281:isakmp_check_notify(): ignore

INITIAL-CONTACT notification, because it is only accepted after phase1.

2004-04-04 13:44:51: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched.

2004-04-04 13:44:51: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 192

.168.2.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8

:d25809b27e1f5e75

2004-04-04 13:44:52: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2

negotiation: 192.168.2.7[0]<=>192.168.2.254[0]

2004-04-04 13:44:52: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel

192.168.2.254->192.168.2.7 spi=245830613(0xea713d5)

2004-04-04 13:44:52: INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192

.168.2.7->192.168.2.254 spi=3056172622(0xb6297e4e)

2004-04-04 13:45:51: INFO: isakmp.c:1516:isakmp_ph1expire(): ISAKMP-SA expired 192.168.2

.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8:d2580

9b27e1f5e75

2004-04-04 13:45:52: INFO: isakmp.c:1564:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.2

.7[500]-192.168.2.254[500] spi:1340537a78e1b7d8:d2580

9b27e1f5e75
Share this Article on :

0 comments:

Post a Comment

 

© Copyright Cisco elearning 2010 -2011 | Design by Herdiansyah Hamzah | Published by Borneo Templates | Powered by Blogger.com.