IPSec kasutamine Debianiga

Sissejuhatus

IPSec kasutamine tundub olema selline teema, kus on nö sõltuvalt kasutusjuhust üks, teine või mõni järgmine lahendus sobivaim. Käesolev tekst dokumenteerib ära mõned teadaolevalt töötavad konkreetsed kasutusjuhud.

IPSec (Internet Protocol Security) esineb kahel kujul

• transport režiim - suhtlevad kaks otspunkti kusjuures krüptitakse ip paketi sees sisalduvat tcp, udp vms paketti; ip paketi enda päiseid ei krüptita
• tunnel režiim - suhtlevad kahe lüüsi taga alamvõrkudes asuvad arvutid; krüptitakse kogu ip pakett

Tööpõhimõte

IPSec puhul toimub andmete krüptimine IP kihis, asjakohased päiste lisamisel on võimalik saavutada

• AH (Authentication Header) - suhtlevate osapoolte autentsus
• ESP (Encapsulated Security Payload) - andmete salastatus ja terviklus

IPSec puhul kõneldakse

• SA (Security Association) - reegilid, mis ütlevad, kuidas toimub andmete mingi tegevus, st autentsuse ja tervikluste tagamine, salastamine
• SP (Security Policy) - reeglid, mis ütlevad millisele andmevahtusele SA abil kirjeldatud reegleid rakendada

Neid reegleid hoitakse vastavates andmebaasides

• SAD - Security Association Database
• SPD - Security Policy Database

IPSec kasutamiseks tuleb mõlemas osalises kirjeldada kooskõlaliselt SA ja SP andmebaasid, põhimõtteliselt tuleb kernelile öelda vastavad reeglid ja seda saab teha nt programmi setkey abil. Kuna praktiliselt on aga ebamugav ja ka ebaturvaline käsitsi osapoolte koostööd tagada, siis on välja mõeldud IKE (Internet Key Exchange) Protocol. IKE on implementeeritud Debianil nt tarkvarana isakmpd ja Racoon.

Tarkvara

Debiani paketihalduses esineb mitmed IPSec lahendusi

• KAME - algselt IPv6 protokolli jaoks tehtud ja IPv4 jaoks backporditud lahendus
• FreeSWAN - iseseisev lahendus
• isakmpd - OpenBSD IPSec implementatsioon, mis on porditud Debianile

Käesolevas tekstis kirjeldataks KAME projekti tarkvara kasutamist, paigaldada tuleb kaks paketti

 # apt-get install ipsec-tools racoon

Põhimõtteliselt tuleb IPSec kasutamisel tegeleda kahe küsimusega

• IPSec andmevahtuse pidamine eeldab, et osalised saavad omavahel kokku leppida krüptoalgoritmide kasutamise osas

Käsitsi võtmehaldusega transport-režiim

Praktiliseks kasutuseks kohmakas, kuid samal ajal IPSec'i tööpõhimõtte illustreerimiseks sobilik moodus.

Ühes arvutis peab olema selline nn setkey skripti

 192.168.10.144# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.144 192.168.10.145 any -P out ipsec
    esp/transport//require
    ah/transport//require;
 
 spdadd 192.168.10.145 192.168.10.144 any -P in ipsec
    esp/transport//require
    ah/transport//require;

ning teises arvutis

 192.168.10.145# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
    esp/transport//require
    ah/transport//require;
          
 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
    esp/transport//require
    ah/transport//require;

IPSec sisselülitamiseks tuleb laadida sellised tuumamoodulid

 # cat /root/ipsec.modules
 xfrm6_tunnel
 tunnel6
 esp6
 ah6
 ipcomp
 esp4
 ah4
 xfrm_user
 cast5
 khazad
 arc4
 tgr192
 tea
 crc32c
 libcrc32c
 michael_mic
 sha512
 anubis
 cast6
 md4
 wp512

 # for i in `cat /root/ipsec.modules`; do modprobe $i; done

ja öelda mõlemas arvutis üks kord

 # chmod /root/ipsec-static.sh

ning edaspidi

 # /root/ipsec-static.sh

Kontrollimaks, et andmevahetus on tõepoolest turvaline maksab ühest arvutist teist nt pingida samal ajal kuulates liiklust tcpdump abil

 # tcpdump -nettti eth0 host 192.168.10.145
 000000 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 146: \
 192.168.10.144 > 192.168.10.145:   AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
 000452 00:16:3e:6a:0d:4e > 00:16:3e:6a:0d:4d, ethertype IPv4 (0x0800), length 146: \
 192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88

Laaditud SAD (Security Associations Database) vaatamiseks tuleb öelda

 # setkey -D

ja SPD (Security Policy Database) vaatamiseks tuleb öelda

 # setkey -DP

Nende andmebaaside sisu kustutamiseks tuleb öelda vastavalt

 # setkey -F

ja

 # setkey -FP

Racoon kasutamine eeljaotatud võtmetega transport-režiimis

Mõlemas arvutis peab olema fail /etc/racoon/psk.txt, ühes sisuga

 192.168.10.144# cat /etc/racoon/psk.txt 
 192.168.10.145  saladus123

ja teises

 192.168.10.145# cat /etc/racoon/psk.txt 
 192.168.10.144  saladus123

Lisaks ühes arvutis peab olema seadistusfail /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt"; remote 192.168.10.145 {

       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }

} sainfo address 192.168.10.144 any address 192.168.10.145 any {

       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;

}

ja teises arvutis

 path pre_shared_key "/etc/racoon/psk.txt";
 remote 192.168.10.144 {
       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
 }
 
 sainfo address 192.168.10.145 any address 192.168.10.144 any {
       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;
 }

Ning lisaks olema /etc/ipsec-tools.conf sisuga mõlemas arvutis, in ja out vastupidi

 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
       esp/transport//require
       ah/transport//require;

 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
       esp/transport//require
       ah/transport//require;

Käivitamiseks tuleb öelda kummaski arvutis, esmalt SA'de laadimiseks

 # /etc/ipsec-tools.conf

ning seejärel

 # racoon -Fv
 Foreground mode.
 2008-07-20 12:44:00: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 12:44:00: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 12:44:00: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 12:44:01: INFO: Resize address pool from 0 to 255
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used as isakmp port (fd=7)
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used as isakmp port (fd=8)
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: ::1[500] used as isakmp port (fd=9)
 2008-07-20 12:44:01: INFO: fe80::216:3eff:fe6a:d4e%eth0[500] used as isakmp port (fd=10)
 2008-07-20 12:44:01: INFO: fe80::c499:d5ff:fe29:e6b2%dummy0[500] used as isakmp port (fd=11)
 2008-07-20 12:44:12: INFO: respond new phase 1 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:12: INFO: begin Identity Protection mode.
 2008-07-20 12:44:12: INFO: received Vendor ID: DPD
 2008-07-20 12:44:12: INFO: ISAKMP-SA established 192.168.10.145[500]-192.168.10.144[500]   spi:cdd44e43a7303585:63ef33d8d8446163
 2008-07-20 12:44:13: INFO: respond new phase 2 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.144[0]->192.168.10.145[0] spi=8119090(0x7be332)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[0]->192.168.10.145[0] spi=117850401(0x7064121)
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.145[500]->192.168.10.144[500] spi=155051761(0x93de6f1)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.145[500]->192.168.10.144[500] spi=31436875(0x1dfb04b)

OpenBSD isakmpd ja Debiani Racoon tarkvara kasutamine transport-režiimis sertifikaatidega

Esmalt tuleb genereerida kummalegi osalisele sertifikaadid, teeme seda OpenBSD abil

• CA sertifikaadi tekitamine

 # mkdir /root/ipsec-certs
 # cd /root/ipsec-serts
 # openssl req -x509 -days 365 -newkey rsa:1024 -keyout ca.key -out ca.crt

• 192.168.10.144 (Debian) arvuti sertifikaadi tekitamine

 # openssl genrsa -out 192.168.10.144.key 1024
 # openssl req -new -key 192.168.10.144.key -out 192.168.10.144.csr
 # env CERTIP=192.168.10.144 openssl x509 -req -days 365 -in 192.168.10.144.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.144.crt

• 192.168.10.241 (OpenBSD) arvuti sertifikaadi tekitamine

 # openssl genrsa -out 192.168.10.241.key 1024
 # openssl req -new -key 192.168.10.241.key -out 192.168.10.241.csr
 # env CERTIP=192.168.10.241 openssl x509 -req -days 365 -in 192.168.10.241.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.241.crt

• Kopeerime OpenBSD arvutisse vajalikud sertifikaadid paika

 # cp ca.crt /etc/isakmpd/ca
 # 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs
 # cp 192.168.10.241.key /etc/isakmpd/private
 # chown 0600 /etc/isakmpd/private/192.168.10.241.key

• Kopeerime Debiani arvutisse vajalikud sertifikaadid paika

 # scp 192.168.10.241.crt 192.168.10.144.crt ca.crt 192.168.10.144.key root@192.168.10.144:/etc/racoon/certs

• Lisame OpenBSD /etc/ipsec.conf faili

 ike esp transport from 192.168.10.241 to 192.168.10.144 \
 main auth hmac-sha1 enc blowfish group modp1024 \
 quick auth hmac-sha2-256 enc blowfish group modp1024

• Debiani /etc/ipsec-tools.conf faili peab olema käivitatav ning sisaldama

 #!/usr/sbin/setkey -f
 flush;
 spdflush;
 
 spdadd 192.168.10.144 192.168.10.241 any -P out ipsec
       esp/transport//require;
 
 spdadd 192.168.10.241 192.168.10.144 any -P in ipsec
       esp/transport//require;

• Debiani /etc/racoon/racoon.conf peab sisaldama

 path certificate "/etc/racoon/certs";
 
 # "padding" defines some padding parameters.
 # You should not touch these.
 padding
 {
       maximum_length 20;      # maximum padding length.
       randomize off;          # enable randomize length.
       strict_check off;       # enable strict check.
       exclusive_tail off;     # extract last one octet.
 }
 
 listen
 {
       isakmp 192.168.10.144;
 }
 
 remote anonymous
 {
       exchange_mode main;
       doi ipsec_doi;
       situation identity_only;
 
       my_identifier asn1dn;
       certificate_type x509 "192.168.10.144.crt" "192.168.10.144.key";
       peers_certfile x509 "192.168.10.241.crt";
 
       nonce_size 16;
       initial_contact on;
       proposal_check obey;
 
       proposal {
               encryption_algorithm blowfish;
               hash_algorithm sha1;
               authentication_method rsasig;
               dh_group modp1024;
       }
 }
 
 sainfo anonymous
 {
       pfs_group modp1024;
       encryption_algorithm blowfish;
       authentication_algorithm hmac_sha256;
       compression_algorithm deflate;
 }

• OpenBSD poolel IPSec sisselülitamiseks tuleb öelda

 # isakmpd -Kdv
 194552.887107 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
 194552.887646 Default message_negotiate_sa: no compatible proposal found
 194552.887974 Default dropped message from 10.0.10.250 port 500 due to notification type NO_PROPOSAL_CHOSEN
 194610.737219 Default isakmpd: phase 1 done: initiator id c0a80af1: 192.168.10.241, responder id \
   /C=EE/ST=Tartu/L=Tartu/CN=sid1.auul, src:   192.168.10.241 dst: 192.168.10.144
 194610.806354 Default isakmpd: quick mode done: src: 192.168.10.241 dst: 192.168.10.144

ning

 # ipsecctl -f /etc/ipsec.conf

• Debiabi poolel IPSec sisselülitamiseks tuleb öelda

 # setkey -F && setkey -FP
 # /etc/ipsec-tools.conf
 # racoon -Fv
 Foreground mode.
 2008-07-20 15:52:14: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 15:52:14: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 15:52:14: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 15:52:14: INFO: Resize address pool from 0 to 255
 2008-07-20 15:52:14: INFO: 192.168.10.144[500] used as isakmp port (fd=6)
 2008-07-20 15:52:14: INFO: 192.168.10.144[500] used for NAT-T
 2008-07-20 15:52:16: INFO: respond new phase 1 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
 2008-07-20 15:52:16: INFO: begin Identity Protection mode.
 2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
 2008-07-20 15:52:16: INFO: received Vendor ID: RFC 3947
 2008-07-20 15:52:16: INFO: received Vendor ID: DPD
 2008-07-20 15:52:16: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
 2008-07-20 15:52:16: INFO: ISAKMP-SA established 192.168.10.144[500]-192.168.10.241[500] spi:078680685f34034b:3537ef1b297d0a21
 2008-07-20 15:52:16: INFO: respond new phase 2 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.241[0]->192.168.10.144[0] spi=153552890(0x92707fa)
 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[500]->192.168.10.241[500] spi=3129349703(0xba861647)

Kasulikud lisamaterjalid

• http://www.ipsec-howto.org/
• http://www.unixwiz.net/techtips/iguide-ipsec.html