Using IPsec with Debian
Contents
Introduction
...
Transport mode with pre-shared keys and manual key management
Clumsy for practical use, but well suited to illustrating how IPsec works, is to have on one computer a setkey script like this
 192.168.10.144# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.144 192.168.10.145 any -P out ipsec
    esp/transport//require
    ah/transport//require;
 
 spdadd 192.168.10.145 192.168.10.144 any -P in ipsec
    esp/transport//require
    ah/transport//require;
and on the other computer
 192.168.10.145# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
    esp/transport//require
    ah/transport//require;

 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
    esp/transport//require
    ah/transport//require;
To enable IPsec, the following kernel modules must be loaded
 # cat /root/ipsec.modules
 xfrm6_tunnel tunnel6 esp6 ah6 ipcomp esp4 ah4 xfrm_user cast5 khazad arc4 tgr192 tea
 crc32c libcrc32c michael_mic sha512 anubis cast6 md4 wp512
 # for i in `cat /root/ipsec.modules`; do modprobe $i; done
and on both computers say once (the script is run directly, so it needs the execute bit)
 # chmod +x /root/ipsec-static.sh
and from then on
# /root/ipsec-static.sh
To verify that the data exchange is really protected, it is worth pinging one computer from the other while listening to the traffic with tcpdump
 # tcpdump -nettti eth0 host 192.168.10.145
 000000 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 146: \
   192.168.10.144 > 192.168.10.145: AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
 000452 00:16:3e:6a:0d:4e > 00:16:3e:6a:0d:4d, ethertype IPv4 (0x0800), length 146: \
   192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88
To view the loaded SAD (Security Associations Database), say
# setkey -D
and to view the SPD (Security Policy Database), say
# setkey -DP
To clear the contents of these databases, say respectively
# setkey -F
and
# setkey -FP
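As an added example (not from the original page), a small Python check that takes the SAD entries from the setkey script above and audits tcpdump -nettti output against them: every packet between the two hosts must carry both AH and ESP with exactly the configured SPIs, and any plaintext packet is reported. The sample lines are constructed, including one plaintext ICMP echo that a "require" policy should never have let out.

```python
import re

# Constructed excerpt of the page's setkey script; "add" lines give the SPI per (src, dst, proto).
SETKEY_SCRIPT = """
add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
"""

# Constructed tcpdump -nettti lines: the page's two protected packets plus a plaintext ICMP echo.
TCPDUMP_OUTPUT = """
000000 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 146: 192.168.10.144 > 192.168.10.145: AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
000452 00:16:3e:6a:0d:4e > 00:16:3e:6a:0d:4d, ethertype IPv4 (0x0800), length 146: 192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88
000310 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 98: 192.168.10.144 > 192.168.10.145: ICMP echo request, id 1234, seq 1, length 64
"""

ADD_RE = re.compile(r'^add\s+(\S+)\s+(\S+)\s+(ah|esp)\s+(\S+)\s')
PKT_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (.*)$')
SPI_RE = re.compile(r'(AH|ESP)\(spi=0x([0-9a-f]+)')

def expected_spis(script):
    """Map (src, dst, proto) -> SPI as int; setkey accepts decimal or 0x hex."""
    table = {}
    for line in script.splitlines():
        m = ADD_RE.match(line.strip())
        if m:
            src, dst, proto, spi = m.groups()
            table[(src, dst, proto)] = int(spi, 0)
    return table

def audit(tcpdump_text, spis, pair):
    """Findings for packets between the hosts in `pair`; empty means every packet was AH+ESP."""
    findings = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.search(line)
        if not m or {m.group(1), m.group(2)} != set(pair):
            continue
        src, dst, rest = m.groups()
        seen = {p.lower(): int(h, 16) for p, h in SPI_RE.findall(rest)}
        if not seen:
            findings.append(f"plaintext {src}>{dst}: {rest}")
            continue
        for proto in ("ah", "esp"):  # the SPD requires both on every packet
            want = spis.get((src, dst, proto))
            if proto not in seen:
                findings.append(f"missing {proto} {src}>{dst}")
            elif want is None or seen[proto] != want:
                findings.append(f"unexpected {proto} spi {seen[proto]:#x} {src}>{dst}")
    return findings
```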
Using Racoon in transport mode with pre-shared keys
Both computers must have the file /etc/racoon/psk.txt, on one with the content
 192.168.10.144# cat /etc/racoon/psk.txt
 192.168.10.145 saladus123
and on the other
 192.168.10.145# cat /etc/racoon/psk.txt
 192.168.10.144 saladus123
In addition, one computer must have the configuration file /etc/racoon/racoon.conf
 path pre_shared_key "/etc/racoon/psk.txt";
 remote 192.168.10.145 {
       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
 }

 sainfo address 192.168.10.144 any address 192.168.10.145 any {
       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;
}
and on the other computer
 path pre_shared_key "/etc/racoon/psk.txt";
 remote 192.168.10.144 {
       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
 }
 
 sainfo address 192.168.10.145 any address 192.168.10.144 any {
       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;
 }
And in addition both computers must have /etc/ipsec-tools.conf with the following content, with in and out swapped on the other computer (this is the file for 192.168.10.145; it is run directly below, so it carries the setkey interpreter line and flushes the old policies first)
 #!/usr/sbin/setkey -f

 flush;
 spdflush;

 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
       esp/transport//require
       ah/transport//require;
 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
       esp/transport//require
       ah/transport//require;
To start it up, say on each computer, first to load the security policies that racoon will negotiate the SAs for
# /etc/ipsec-tools.conf
and then
 # racoon -Fv
 Foreground mode.
 2008-07-20 12:44:00: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 12:44:00: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 12:44:00: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 12:44:01: INFO: Resize address pool from 0 to 255
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used as isakmp port (fd=7)
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used as isakmp port (fd=8)
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: ::1[500] used as isakmp port (fd=9)
 2008-07-20 12:44:01: INFO: fe80::216:3eff:fe6a:d4e%eth0[500] used as isakmp port (fd=10)
 2008-07-20 12:44:01: INFO: fe80::c499:d5ff:fe29:e6b2%dummy0[500] used as isakmp port (fd=11)
 2008-07-20 12:44:12: INFO: respond new phase 1 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:12: INFO: begin Identity Protection mode.
 2008-07-20 12:44:12: INFO: received Vendor ID: DPD
 2008-07-20 12:44:12: INFO: ISAKMP-SA established 192.168.10.145[500]-192.168.10.144[500] spi:cdd44e43a7303585:63ef33d8d8446163
 2008-07-20 12:44:13: INFO: respond new phase 2 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.144[0]->192.168.10.145[0] spi=8119090(0x7be332)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[0]->192.168.10.145[0] spi=117850401(0x7064121)
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.145[500]->192.168.10.144[500] spi=155051761(0x93de6f1)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.145[500]->192.168.10.144[500] spi=31436875(0x1dfb04b)
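As an added example (not part of the original page), a Python check that reads the "require" rules from /etc/ipsec-tools.conf and compares them with the "IPsec-SA established" lines in racoon's log, so that a missing direction or protocol is noticed rather than assumed. The policy text is the page's, the log excerpt is constructed from the page's output with one SA deliberately left out.

```python
import re

# Constructed policy excerpt: the /etc/ipsec-tools.conf from the page (192.168.10.145 side).
POLICY = """
spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
      esp/transport//require
      ah/transport//require;
spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
      esp/transport//require
      ah/transport//require;
"""

# Constructed racoon -Fv lines modelled on the page's output; the ESP SA for
# 192.168.10.145 -> 192.168.10.144 is left out so the check has something to report.
RACOON_LOG = """
2008-07-20 12:44:12: INFO: ISAKMP-SA established 192.168.10.145[500]-192.168.10.144[500] spi:cdd44e43a7303585:63ef33d8d8446163
2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.144[0]->192.168.10.145[0] spi=8119090(0x7be332)
2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[0]->192.168.10.145[0] spi=117850401(0x7064121)
2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.145[500]->192.168.10.144[500] spi=155051761(0x93de6f1)
"""

SPD_RE = re.compile(r'spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(.*?);', re.S)
SA_RE = re.compile(r'IPsec-SA established: (AH|ESP)/(\w+) (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=\d+\((0x[0-9a-f]+)\)')

def required_sas(policy_text):
    """Set of (src, dst, proto, mode) the SPD insists on; "use" level rules are not counted."""
    need = set()
    for src, dst, _direction, rules in SPD_RE.findall(policy_text):
        for proto, mode, level in re.findall(r'(esp|ah)/(\w+)/[^/]*/(\w+)', rules):
            if level == "require":
                need.add((src, dst, proto.upper(), mode.capitalize()))
    return need

def established_sas(log_text):
    """Map (src, dst, proto, mode) -> SPI (int) from racoon's 'IPsec-SA established' lines."""
    got = {}
    for proto, mode, src, dst, spi in SA_RE.findall(log_text):
        got[(src, dst, proto, mode)] = int(spi, 16)
    return got

def missing_sas(policy_text, log_text):
    """SAs the policy requires but racoon never reported as established, sorted for stable output."""
    return sorted(required_sas(policy_text) - set(established_sas(log_text)))
```

With the full log from the page (all four SAs present) the result is an empty list; anything else means traffic in that direction will be dropped by the "require" policy rather than sent unprotected.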
Using OpenBSD isakmpd and Debian Racoon in transport mode with certificates
First, certificates must be generated for each participant; we do this with OpenBSD
- Creating the CA certificate
 # mkdir /root/ipsec-certs
 # cd /root/ipsec-certs
 # openssl req -x509 -days 365 -newkey rsa:1024 -keyout ca.key -out ca.crt
- Creating the certificate for the 192.168.10.144 (Debian) computer
 # openssl genrsa -out 192.168.10.144.key 1024
 # openssl req -new -key 192.168.10.144.key -out 192.168.10.144.csr
 # env CERTIP=192.168.10.144 openssl x509 -req -days 365 -in 192.168.10.144.csr \
     -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
     -extensions x509v3_IPAddr -out 192.168.10.144.crt
- Creating the certificate for the 192.168.10.241 (OpenBSD) computer
 # openssl genrsa -out 192.168.10.241.key 1024
 # openssl req -new -key 192.168.10.241.key -out 192.168.10.241.csr
 # env CERTIP=192.168.10.241 openssl x509 -req -days 365 -in 192.168.10.241.csr \
     -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
     -extensions x509v3_IPAddr -out 192.168.10.241.crt
- Putting the required certificates in place on the OpenBSD computer (the private key is made readable by root only)
 # cp ca.crt /etc/isakmpd/ca
 # cp 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs
 # cp 192.168.10.241.key /etc/isakmpd/private
 # chmod 0600 /etc/isakmpd/private/192.168.10.241.key
- Copying the required certificates into place on the Debian computer
 # scp 192.168.10.241.crt 192.168.10.144.crt ca.crt 192.168.10.144.key root@192.168.10.144:/etc/racoon/certs

