IPSec kasutamine Debianiga

Allikas: Kuutõrvaja
Redaktsioon seisuga 20. juuli 2008, kell 18:47 kasutajalt Imre (arutelu | kaastöö) (OpenBSD isakmpd ja Debiani Racoon tarkvara kasutamine transport-režiimis sertifikaatidega)

Sissejuhatus

...


Käsitsi võtmehaldusega eeljaotatud võtmetega transport-režiim

Praktiliseks kasutuseks kohmakas, kuid samal ajal IPSec'i tööpõhimõtte illustreerimiseks sobilik on omada ühes arvutis sellist setkey skripti 

 192.168.10.144# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.144 192.168.10.145 any -P out ipsec
    esp/transport//require
    ah/transport//require;
 
 spdadd 192.168.10.145 192.168.10.144 any -P in ipsec
    esp/transport//require
    ah/transport//require;

ning teises arvutis 

 192.168.10.145# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
    esp/transport//require
    ah/transport//require;
          
 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
    esp/transport//require
    ah/transport//require;

IPSec sisselülitamiseks tuleb laadida sellised tuumamoodulid 

 # cat /root/ipsec.modules
 xfrm6_tunnel
 tunnel6
 esp6
 ah6
 ipcomp
 esp4
 ah4
 xfrm_user
 cast5
 khazad
 arc4
 tgr192
 tea
 crc32c
 libcrc32c
 michael_mic
 sha512
 anubis
 cast6
 md4
 wp512

 # for i in `cat /root/ipsec.modules`; do modprobe $i; done

ja öelda mõlemas arvutis üks kord 

 # chmod /root/ipsec-static.sh

ning edaspidi 

 # /root/ipsec-static.sh

Kontrollimaks, et andmevahetus on tõepoolest turvaline maksab ühest arvutist teist nt pingida samal ajal kuulates liiklust tcpdump abil 

 # tcpdump -nettti eth0 host 192.168.10.145
 000000 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 146: \
 192.168.10.144 > 192.168.10.145:   AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
 000452 00:16:3e:6a:0d:4e > 00:16:3e:6a:0d:4d, ethertype IPv4 (0x0800), length 146: \
 192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88

Laaditud SAD (Security Associations Database) vaatamiseks tuleb öelda 

 # setkey -D

ja SPD (Security Policy Database) vaatamiseks tuleb öelda 

 # setkey -DP

Nende andmebaaside sisu kustutamiseks tuleb öelda vastavalt 

 # setkey -F

ja 

 # setkey -FP

Racoon kasutamine eeljaotatud võtmetega transport-režiimis

Mõlemas arvutis peab olema fail /etc/racoon/psk.txt, ühes sisuga 

 192.168.10.144# cat /etc/racoon/psk.txt 
 192.168.10.145  saladus123

ja teises 

 192.168.10.145# cat /etc/racoon/psk.txt 
 192.168.10.144  saladus123

Lisaks ühes arvutis peab olema seadistusfail /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt"; remote 192.168.10.145 { 

       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }

} sainfo address 192.168.10.144 any address 192.168.10.145 any { 

       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;

}

ja teises arvutis 

 path pre_shared_key "/etc/racoon/psk.txt";
 remote 192.168.10.144 {
       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
 }
 
 sainfo address 192.168.10.145 any address 192.168.10.144 any {
       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;
 }

Ning lisaks olema /etc/ipsec-tools.conf sisuga mõlemas arvutis, in ja out vastupidi 

 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
       esp/transport//require
       ah/transport//require;

 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
       esp/transport//require
       ah/transport//require;

Käivitamiseks tuleb öelda kummaski arvutis, esmalt SA'de laadimiseks 

 # /etc/ipsec-tools.conf

ning seejärel 

 # racoon -Fv
 Foreground mode.
 2008-07-20 12:44:00: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 12:44:00: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 12:44:00: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 12:44:01: INFO: Resize address pool from 0 to 255
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used as isakmp port (fd=7)
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used as isakmp port (fd=8)
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: ::1[500] used as isakmp port (fd=9)
 2008-07-20 12:44:01: INFO: fe80::216:3eff:fe6a:d4e%eth0[500] used as isakmp port (fd=10)
 2008-07-20 12:44:01: INFO: fe80::c499:d5ff:fe29:e6b2%dummy0[500] used as isakmp port (fd=11)
 2008-07-20 12:44:12: INFO: respond new phase 1 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:12: INFO: begin Identity Protection mode.
 2008-07-20 12:44:12: INFO: received Vendor ID: DPD
 2008-07-20 12:44:12: INFO: ISAKMP-SA established 192.168.10.145[500]-192.168.10.144[500]   spi:cdd44e43a7303585:63ef33d8d8446163
 2008-07-20 12:44:13: INFO: respond new phase 2 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.144[0]->192.168.10.145[0] spi=8119090(0x7be332)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[0]->192.168.10.145[0] spi=117850401(0x7064121)
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.145[500]->192.168.10.144[500] spi=155051761(0x93de6f1)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.145[500]->192.168.10.144[500] spi=31436875(0x1dfb04b)

OpenBSD isakmpd ja Debiani Racoon tarkvara kasutamine transport-režiimis sertifikaatidega

Esmalt tuleb genereerida kummalegi osalisele sertifikaadid, teeme seda OpenBSD abil

  • CA sertifikaadi tekitamine
 # mkdir /root/ipsec-certs
 # cd /root/ipsec-serts
 # openssl req -x509 -days 365 -newkey rsa:1024 -keyout ca.key -out ca.crt
  • 192.168.10.144 (Debian) arvuti sertifikaadi tekitamine
 # openssl genrsa -out 192.168.10.144.key 1024
 # openssl req -new -key 192.168.10.144.key -out 192.168.10.144.csr
 # env CERTIP=192.168.10.144 openssl x509 -req -days 365 -in 192.168.10.144.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.144.crt
  • 192.168.10.241 (OpenBSD) arvuti sertifikaadi tekitamine
 # openssl genrsa -out 192.168.10.241.key 1024
 # openssl req -new -key 192.168.10.241.key -out 192.168.10.241.csr
 # env CERTIP=192.168.10.241 openssl x509 -req -days 365 -in 192.168.10.241.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.241.crt
  • Kopeerime OpenBSD arvutisse vajalikud sertifikaadid paika
 # cp ca.crt /etc/isakmpd/ca
 # 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs
 # cp 192.168.10.241.key /etc/isakmpd/private
 # chown 0600 /etc/isakmpd/private/192.168.10.241.key
  • Kopeerime Debiani arvutisse vajalikud sertifikaadid paika
 # scp 192.168.10.241.crt 192.168.10.144.crt ca.crt 192.168.10.144.key root@192.168.10.144:/etc/racoon/certs
  • Lisame OpenBSD /etc/ipsec.conf faili
 ike esp transport from 192.168.10.241 to 192.168.10.144 \
 main auth hmac-sha1 enc blowfish group modp1024 \
 quick auth hmac-sha2-256 enc blowfish group modp1024
  • Lisame Debiani /etc/ipsec-tools.conf faili
 spdadd 192.168.10.144 192.168.10.241 any -P out ipsec
       esp/transport//require;
 
 spdadd 192.168.10.241 192.168.10.144 any -P in ipsec
       esp/transport//require;
  • Debiani /etc/racoon/racoon.conf peab sisaldama
 path certificate "/etc/racoon/certs";
 
 # "padding" defines some padding parameters.
 # You should not touch these.
 padding
 {
       maximum_length 20;      # maximum padding length.
       randomize off;          # enable randomize length.
       strict_check off;       # enable strict check.
       exclusive_tail off;     # extract last one octet.
 }
 
 listen
 {
       isakmp 192.168.10.144;
 }
 
 remote anonymous
 {
       exchange_mode main;
       doi ipsec_doi;
       situation identity_only;
 
       my_identifier asn1dn;
       certificate_type x509 "192.168.10.144.crt" "192.168.10.144.key";
       peers_certfile x509 "192.168.10.241.crt";
 
       nonce_size 16;
       initial_contact on;
       proposal_check obey;
 
       proposal {
               encryption_algorithm blowfish;
               hash_algorithm sha1;
               authentication_method rsasig;
               dh_group modp1024;
       }
 }
 
 sainfo anonymous
 {
       pfs_group modp1024;
       encryption_algorithm blowfish;
       authentication_algorithm hmac_sha256;
       compression_algorithm deflate;
 }

Kasulikud lisamaterjalid

Pärit leheküljelt "https://kuutorvaja.eenet.ee/w/index.php?title=IPSec_kasutamine_Debianiga&oldid=7953"