IPSec kasutamine Debianiga

Sissejuhatus

...

Käsitsi võtmehaldusega eeljaotatud võtmetega transport-režiim

Praktiliseks kasutuseks kohmakas, kuid samal ajal IPSec'i tööpõhimõtte illustreerimiseks sobilik on omada ühes arvutis sellist setkey skripti

 192.168.10.144# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.144 192.168.10.145 any -P out ipsec
    esp/transport//require
    ah/transport//require;
 
 spdadd 192.168.10.145 192.168.10.144 any -P in ipsec
    esp/transport//require
    ah/transport//require;

ning teises arvutis

 192.168.10.145# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
    esp/transport//require
    ah/transport//require;
          
 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
    esp/transport//require
    ah/transport//require;

IPSec sisselülitamiseks tuleb laadida sellised tuumamoodulid

 # cat /root/ipsec.modules
 xfrm6_tunnel
 tunnel6
 esp6
 ah6
 ipcomp
 esp4
 ah4
 xfrm_user
 cast5
 khazad
 arc4
 tgr192
 tea
 crc32c
 libcrc32c
 michael_mic
 sha512
 anubis
 cast6
 md4
 wp512

 # for i in `cat /root/ipsec.modules`; do modprobe $i; done

ja öelda mõlemas arvutis üks kord

 # chmod /root/ipsec-static.sh

ning edaspidi

 # /root/ipsec-static.sh

Kontrollimaks, et andmevahetus on tõepoolest turvaline maksab ühest arvutist teist nt pingida samal ajal kuulates liiklust tcpdump abil

 # tcpdump -nettti eth0 host 192.168.10.145
 000000 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 146: \
 192.168.10.144 > 192.168.10.145:   AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
 000452 00:16:3e:6a:0d:4e > 00:16:3e:6a:0d:4d, ethertype IPv4 (0x0800), length 146: \
 192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88

Laaditud SAD (Security Associations Database) vaatamiseks tuleb öelda

 # setkey -D

ja SPD (Security Policy Database) vaatamiseks tuleb öelda

 # setkey -DP

Nende andmebaaside sisu kustutamiseks tuleb öelda vastavalt

 # setkey -F

ja

 # setkey -FP

Racoon kasutamine eeljaotatud võtmetega transport-režiimis

Mõlemas arvutis peab olema fail /etc/racoon/psk.txt, ühes sisuga

 192.168.10.144# cat /etc/racoon/psk.txt 
 192.168.10.145  saladus123

ja teises

 192.168.10.145# cat /etc/racoon/psk.txt 
 192.168.10.144  saladus123

Lisaks ühes arvutis peab olema seadistusfail /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt"; remote 192.168.10.145 {

       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }

} sainfo address 192.168.10.144 any address 192.168.10.145 any {

       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;

}

ja teises arvutis

 path pre_shared_key "/etc/racoon/psk.txt";
 remote 192.168.10.144 {
       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
 }
 
 sainfo address 192.168.10.145 any address 192.168.10.144 any {
       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;
 }

Ning lisaks olema /etc/ipsec-tools.conf sisuga mõlemas arvutis, in ja out vastupidi

 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
       esp/transport//require
       ah/transport//require;

 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
       esp/transport//require
       ah/transport//require;

Käivitamiseks tuleb öelda kummaski arvutis, esmalt SA'de laadimiseks

 # /etc/ipsec-tools.conf

ning seejärel

 # racoon -Fv
 Foreground mode.
 2008-07-20 12:44:00: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 12:44:00: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 12:44:00: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 12:44:01: INFO: Resize address pool from 0 to 255
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used as isakmp port (fd=7)
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used as isakmp port (fd=8)
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: ::1[500] used as isakmp port (fd=9)
 2008-07-20 12:44:01: INFO: fe80::216:3eff:fe6a:d4e%eth0[500] used as isakmp port (fd=10)
 2008-07-20 12:44:01: INFO: fe80::c499:d5ff:fe29:e6b2%dummy0[500] used as isakmp port (fd=11)
 2008-07-20 12:44:12: INFO: respond new phase 1 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:12: INFO: begin Identity Protection mode.
 2008-07-20 12:44:12: INFO: received Vendor ID: DPD
 2008-07-20 12:44:12: INFO: ISAKMP-SA established 192.168.10.145[500]-192.168.10.144[500]   spi:cdd44e43a7303585:63ef33d8d8446163
 2008-07-20 12:44:13: INFO: respond new phase 2 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.144[0]->192.168.10.145[0] spi=8119090(0x7be332)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[0]->192.168.10.145[0] spi=117850401(0x7064121)
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.145[500]->192.168.10.144[500] spi=155051761(0x93de6f1)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.145[500]->192.168.10.144[500] spi=31436875(0x1dfb04b)

OpenBSD isakmpd ja Debiani Racoon tarkvara kasutamine transport-režiimis sertifikaatidega

Esmalt tuleb genereerida kummalegi osalisele sertifikaadid, teeme seda OpenBSD abil

• CA sertifikaadi tekitamine

 # mkdir /root/ipsec-certs
 # cd /root/ipsec-serts
 # openssl req -x509 -days 365 -newkey rsa:1024 -keyout ca.key -out ca.crt

• 192.168.10.144 (Debian) arvuti sertifikaadi tekitamine

 # openssl genrsa -out 192.168.10.144.key 1024
 # openssl req -new -key 192.168.10.144.key -out 192.168.10.144.csr
 # env CERTIP=192.168.10.144 openssl x509 -req -days 365 -in 192.168.10.144.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.144.crt

• 192.168.10.241 (OpenBSD) arvuti sertifikaadi tekitamine

 # openssl genrsa -out 192.168.10.241.key 1024
 # openssl req -new -key 192.168.10.241.key -out 192.168.10.241.csr
 # env CERTIP=192.168.10.241 openssl x509 -req -days 365 -in 192.168.10.241.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.241.crt

• Kopeerime OpenBSD arvutisse vajalikud sertifikaadid paika

 # cp ca.crt /etc/isakmpd/ca
 # 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs
 # cp 192.168.10.241.key /etc/isakmpd/private
 # chown 0600 /etc/isakmpd/private/192.168.10.241.key

• Kopeerime Debiani arvutisse vajalikud sertifikaadid paika

 # scp 192.168.10.241.crt 192.168.10.144.crt ca.crt 192.168.10.144.key root@192.168.10.144:/etc/racoon/certs

• Lisame OpenBSD /etc/ipsec.conf faili

 ike esp transport from 192.168.10.241 to 192.168.10.144 \
 main auth hmac-sha1 enc blowfish group modp1024 \
 quick auth hmac-sha2-256 enc blowfish group modp1024

• Debiani /etc/ipsec-tools.conf faili peab olema käivitatav ning sisaldama

 #!/usr/sbin/setkey -f
 flush;
 spdflush;
 
 spdadd 192.168.10.144 192.168.10.241 any -P out ipsec
       esp/transport//require;
 
 spdadd 192.168.10.241 192.168.10.144 any -P in ipsec
       esp/transport//require;

• Debiani /etc/racoon/racoon.conf peab sisaldama

 path certificate "/etc/racoon/certs";
 
 # "padding" defines some padding parameters.
 # You should not touch these.
 padding
 {
       maximum_length 20;      # maximum padding length.
       randomize off;          # enable randomize length.
       strict_check off;       # enable strict check.
       exclusive_tail off;     # extract last one octet.
 }
 
 listen
 {
       isakmp 192.168.10.144;
 }
 
 remote anonymous
 {
       exchange_mode main;
       doi ipsec_doi;
       situation identity_only;
 
       my_identifier asn1dn;
       certificate_type x509 "192.168.10.144.crt" "192.168.10.144.key";
       peers_certfile x509 "192.168.10.241.crt";
 
       nonce_size 16;
       initial_contact on;
       proposal_check obey;
 
       proposal {
               encryption_algorithm blowfish;
               hash_algorithm sha1;
               authentication_method rsasig;
               dh_group modp1024;
       }
 }
 
 sainfo anonymous
 {
       pfs_group modp1024;
       encryption_algorithm blowfish;
       authentication_algorithm hmac_sha256;
       compression_algorithm deflate;
 }

• OpenBSD poolel IPSec sisselülitamiseks tuleb öelda

 # isakmpd -Kdv
 194552.887107 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
 194552.887646 Default message_negotiate_sa: no compatible proposal found
 194552.887974 Default dropped message from 10.0.10.250 port 500 due to notification type NO_PROPOSAL_CHOSEN
 194610.737219 Default isakmpd: phase 1 done: initiator id c0a80af1: 192.168.10.241, responder id \
   /C=EE/ST=Tartu/L=Tartu/CN=sid1.auul, src:   192.168.10.241 dst: 192.168.10.144
 194610.806354 Default isakmpd: quick mode done: src: 192.168.10.241 dst: 192.168.10.144

ning

 # ipsecctl -f /etc/ipsec.conf

• Debiabi poolel IPSec sisselülitamiseks tuleb öelda

 # setkey -F && setkey -FP
 # /etc/ipsec-tools.conf
 # racoon -Fv
 Foreground mode.
 2008-07-20 15:52:14: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 15:52:14: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 15:52:14: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 15:52:14: INFO: Resize address pool from 0 to 255
 2008-07-20 15:52:14: INFO: 192.168.10.144[500] used as isakmp port (fd=6)
 2008-07-20 15:52:14: INFO: 192.168.10.144[500] used for NAT-T
 2008-07-20 15:52:16: INFO: respond new phase 1 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
 2008-07-20 15:52:16: INFO: begin Identity Protection mode.
 2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
 2008-07-20 15:52:16: INFO: received Vendor ID: RFC 3947
 2008-07-20 15:52:16: INFO: received Vendor ID: DPD
 2008-07-20 15:52:16: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
 2008-07-20 15:52:16: INFO: ISAKMP-SA established 192.168.10.144[500]-192.168.10.241[500] spi:078680685f34034b:3537ef1b297d0a21
 2008-07-20 15:52:16: INFO: respond new phase 2 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.241[0]->192.168.10.144[0] spi=153552890(0x92707fa)
 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[500]->192.168.10.241[500] spi=3129349703(0xba861647)

Kasulikud lisamaterjalid

• http://www.ipsec-howto.org/
• http://www.unixwiz.net/techtips/iguide-ipsec.html