Technical Kitchen: May 2009

From various sources on internet, I am able to setup IPSEC on Linux. I have done the following to achieve this

Pre-requisites:
(Check if IPSec is already installed by typing the command setkey and press enter. If it works then it means it has the ipsec support). If it fails, then do the following till section 3
1) Kernel should be configured to support IPSec. This could be done as follows

a ) Go to kernel sources location
If you do not have the kernel sources then do the following
The installation requires at least a Linux kernel of version 2.5.47 or 2.6.*. The kernel source may be downloaded at http://www.kernel.org/. After downloading the source the kernel source package must be extracted, configured and compiled.
cd /usr/local/src
tar xvjf /path-to-source/linux-.tar.bz2
cd linux-

b) make xconfig OR make menuconfig
Select the following
Networking support (NET) [Y/n/?] y
*
* Networking options
*
PF_KEY sockets (NET_KEY) [Y/n/m/?] y
IP: AH transformation (INET_AH) [Y/n/m/?] y
IP: ESP transformation (INET_ESP) [Y/n/m/?] y
IP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y
Cryptographic API (CRYPTO) [Y/n/?] y
HMAC support (CRYPTO_HMAC) [Y/n/?] y
Null algorithms (CRYPTO_NULL) [Y/n/m/?] y
MD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] y
SHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] y
DES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] y
AES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y

c) make bzImage OR make uImage (depending on what you want the required output. By default for Linux, it is make bzImage)

d) make modules

e) make modules_install

f) make install

g) Boot from this built image (Please check on the internet about configuring the new built image to boot. This is out of scope of the document)

2) Install the ipsec-tools on the Linux machine. (Check if is already installed by typing setkey and enter. If it works then it means it has the support)

a) Get the iptools from http://ipsec-tools.sourceforge.net/.

b) Then configure and install ipsec-tools using the following
./configure --with-kernel-headers=/lib/modules/2.6.X/build/include (Or give the path where you have the kernel-headers installed)
make
make install

Now, everything should be ready to setup the IPSEC. Now type setkey and enter. It should work. If not, there is some problem in configuring. Make sure you have the setkey and other binaries like racoon in the exported PATH

SETTING UP IPSEC.
Our assumption would be as follows
Setting up IPSec between 2 hosts 10.0.0.216 (zakir) and 10.0.0.11 (laptop)

3) Manual Keying

a) On the host 10.0.0.216, write a script host_216
#!/sbin/setkey -f
flush;
spdflush;
# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
esp/transport//require
ah/transport//require;

b) On host 10.0.0.11, write a script host_11
#!/sbin/setkey -f
flush;
spdflush;
# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";
spdadd 10.0.0.11 10.0.0.216 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec
esp/transport//require
ah/transport//require;

c) chmod +x host_11 host_216

d) On host 216, run host_216
./host_216

e) On host 11, run host_11
./host_11

f) Run setkey -D on both machines to check whether what you have configured is getting reflected

g) ping 10.0.0.216 from 10.0.0.11. It should ping to each other.

h) Run tcpdump on one machine and ping on the other machine.
tcpdump -i eth0 -n -vvv 'host 10.0.0.11' > capture_11 (On machine 10.0.0.216)
ping 10.0.0.216 (on machine 10.0.0.11)

i) Open capture_11 using vim, you will be able to see the AH and ESP what you have set in the scripts host_11 and host_216. This confirms that ipsec is working. This is still a startup

4) Automatic keying:
In manual keying, we had hardcored the value of AH, now, we shall allow racoon to generate automatically.

4.1) On both hosts, do the following

a) if there is no /etc/racoon, then mkdir -p /etc/racoon

b) write the script, /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
lifetime time 2 min; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}

4.2) On host 10.0.0.216,
a) Open a file /etc/racoon/psk.txt, type
10.0.0.11 passwd1

b) Write a file host_216_auto
#!/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
esp/transport//require;
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
esp/transport//require;

4.3) On host 10.0.0.11,
a) Open a file /etc/racoon/psk.txt, type
10.0.0.216 passwd1

b) Write a script, host_11_auto
#!/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.11 10.0.0.216 any -P out ipsec
esp/transport//require;
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec
esp/transport//require;

4.4) chmod +x host_11_auto host_216_auto

4.5) chmod 0600 /etc/racoon/*. Without this it might fail to work

4.6) Run racoon using the following command on both hosts
killall racoon
racoon -f /etc/racoon/racoon.conf -F &

4.7) On host 10.0.0.216, run host_216_auto and on host 10.0.0.11, run host_11_auto

4.8) Ping to each other. First time, it fails to ping, but establishes IPSEC. It pings from second time

4.9) These also, could be captured using tcpdump as explained in Section 3) Manual keying, step h)

5) Automatic Keying using X509 certificates
We used preshared key secret in Automatic Keying, now, we shall use the certificates

5.1) Generate 4 keys for our hosts (public and private key combinations). We shall name our hosts as zakir and laptop
a) openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout zakir.private \ -outform PEM -out request.pem
It might ask some questions, which you can just type enter if you don't want to.
Repeat this for the other host laptop as well

b) Create a public certificate by self signing it
openssl x509 -req -in request.pem -signkey zakir.private -out zakir.public
Repeat this for the other host laptop as well

5.2) On host 10.0.0.216 ( zakir)
a) Write a script /etc/racoon/racoon_cert.conf
path certificate "/etc/racoon/certs";
remote 10.0.0.216
{
exchange_mode aggressive,main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "zakir.public" "zakir.private";
peers_certfile "laptop.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
b) Create a directory /etc/racoon/certs
mkdir /etc/racoon/certs
chmod 0700 certs
c) Copy the created certificates for the host zakir and the public certificates here
cp zakir.private zakir.public laptop.public /etc/racoon/certs
chmod 0600 /etc/racoon/certs/*
chmod 0600 /etc/racoon/racoon_cert.conf

5.3) On host 10.0.011 (host laptop)
a) Write a script /etc/racoon/racoon_cert.conf
path certificate "/etc/racoon/certs";
remote 10.0.0.11
{
exchange_mode aggressive,main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "laptop.public" "laptop.private";

peers_certfile "zakir.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
b) Create a directory /etc/racoon/certs
mkdir /etc/racoon/certs
chmod 0700 certs

c) Copy the created certificates for the host laptop and the public certificates here
cp laptop.private laptop.public zakir.public /etc/racoon/certs
chmod 0600 /etc/racoon/certs/*
chmod 0600 /etc/racoon/racoon_cert.conf

5.4) Run racoon on both hosts
killall racoon
racoon -f /etc/racoon/racoon_cert.conf -F &

5.5) Run the same host scripts that we have written in Section 4
On host 10.0.0.216 (zakir),
./host_216_auto
On host 10.0.0.11 (laptop),
./host_11_auto

5.6) ping to each other. First ping fails but you could see the IPSEC handshake messages on the console. Subsequent pings should work correctly. The following are the messages you get on the console
Apr 4 17:14:58 terrapin racoon: INFO: IPsec-SA request for 192.168.1.169 queued due to no phase1 found.
Apr 4 17:14:58 terrapin racoon: INFO: initiate new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.169[500]
Apr 4 17:14:58 terrapin racoon: INFO: begin Aggressive mode.
Apr 4 17:14:58 terrapin racoon: INFO: received Vendor ID: DPD
Apr 4 17:14:58 terrapin racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 4 17:14:58 terrapin racoon: INFO: ISAKMP-SA established 192.168.1.1[500]-192.168.1.169[500] spi:58c4669f762abf10:60593eb9e3dd7406
Apr 4 17:14:59 terrapin racoon: INFO: initiate new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.169[0]
Apr 4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.169->host1ip; spi=232781799(0xddff7e7)
Apr 4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.1->192.168.1.169 spi=93933800(0x59950e8)

Technical Kitchen

Sunday, May 31, 2009

Creating and analysing coredump messages

Tuesday, May 26, 2009

Setting up IPSEC on Linux

Blog Archive

Search This Blog

About Me