IPSEC

IPSEC VPNs and network security

Transcript of IPSEC

Page 1: IPSEC

IPSEC

VPNs and network security

Page 2: IPSEC


The first school 100% dedicated to open source

Open Source School was founded on the initiative of Smile, the leader in open source integration and managed services, and EPSI, a private institution and pioneer of higher education in computer science.

As part of the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school with an initial grant of €1.4M, confirming its commitment to the Free Software sector, which is currently growing fast.

With annual growth of more than 10% and 4,000 unfilled positions every year in the Free Software sector, OSS intends to address the sector's skills shortage by mobilizing the whole ecosystem and offering the broadest range of training in open source technologies, in both initial and continuing education.

Page 3: IPSEC


Training that leads to full employment!

Continuing Education

Open Source School "Executive Education" is an accredited training organization offering a catalogue of more than 200 professional courses and several retraining schemes that enable a return to employment (POE) or better employability for many IT professionals.

For enquiries: [email protected]

Initial Education

100% free software and 100% work-study: the Open Source School curriculum is based on EPSI's framework of competency blocks. It is certified by an RNCP level I qualification (Bac+5). The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes and Paris.

Page 4: IPSEC

Our training fields

Page 5: IPSEC

Introduction IPSEC Protocols VPNs over IPSEC Applications T13G

Plan

1 Introduction

2 IPSEC Protocols

3 VPNs over IPSEC

4 Applications

5 Troubleshooting

www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/29

Page 6: IPSEC


What is a VPN?


Page 7: IPSEC


What is a VPN?


Page 8: IPSEC


What is encapsulation?


Page 9: IPSEC


Introduction to IPSEC

IPSEC is a set of protocols that hardens the security of network communications.

Part of the IPv6 specification, but ported to IPv4.

Often used for VPNs, although it has other uses too.

Unlike most products (e.g. OpenVPN), it is an IETF standard, which allows interoperability.

This presentation is about the IPSEC implementation in operating systems; there are also software implementations, hardware implementations in dedicated equipment, etc.



Page 11: IPSEC


IPSEC Protocols

IPSEC is built around several protocols:

ESP

AH

IKE

NAT-T


Page 12: IPSEC


Encapsulation protocols

ESP provides:

Authentication

Integrity (of the payload)

Confidentiality

AH provides:

Authentication

Integrity (of the whole packet)

ESP does not protect the IP header, which makes it suitable for NAT (AH, which covers the whole packet, is not).


Page 13: IPSEC


Negotiation protocols

IKE

IKE is the main protocol; it negotiates the security parameters between hosts.

NAT-T

NAT-T is a helper protocol that encapsulates traffic in a UDP port, allowing it to cross firewalls and NAT devices.


Page 14: IPSEC


Establishment of an IPSEC session

Hosts contact each other using IKE (UDP 500)

IKE Phase 1: hosts authenticate each other

IKE Phase 2: hosts negotiate the IPSEC parameters

IPSEC-protected traffic starts flowing


Page 15: IPSEC


Two possible modes

Transport mode: only the payload is encapsulated

Tunnel mode: the IP header is encapsulated too

In tunnel mode, IP headers can be rewritten, which is what makes VPNs possible



Page 17: IPSEC


SPD and SAD

Security Policy Database

SPDs are IPSEC's routing tables. They decide which traffic is protected.

Security Association Database

SADs are IPSEC's network status ("netstat"): they contain the current sessions.


Page 18: IPSEC


Phase 1 parameters

Mode: main / aggressive

Identity: IP, DN, mail...

Authentication method: PSK, X509, RSA...

Encryption algorithm: 3DES, AES, Blowfish...

Authentication algorithm: MD5, SHA1, ...

Diffie-Hellman key length

Lifetime


Page 19: IPSEC


Phase 2 parameters

Encryption algorithm

Authentication algorithm

Perfect Forward Secrecy

Lifetime

Domain: single host, subnet...


Page 20: IPSEC


How sessions are established

Hosts contact each other spontaneously or on demand

Required sessions are established

When they expire, they are automatically renewed



Page 22: IPSEC


Introduction

All the implementations we will study share certain characteristics:

SAD, SPD, routing and encapsulation are managed by the kernel

IKE negotiation, retries and renewal are managed by userland daemons

Both talk to each other over the standard PF_KEY interface, allowing different implementations to coexist

On Linux, two kernel implementations exist: a native PF_KEY implementation and KLIPS, a historical implementation.

Warning

Firewalls filter IPSEC traffic too (IKE on UDP 500, and the ESP and AH protocols themselves), so you will have to configure yours.


Page 23: IPSEC


Openswan/Strongswan: configuration

Configuration is done in ipsec.conf

    conn net-net
        left=192.168.0.1
        leftsubnet=10.1.0.0/16
        leftid=192.168.0.1
        leftfirewall=yes
        right=192.168.0.2
        rightsubnet=10.2.0.0/16
        rightid=192.168.0.2
        auto=add

Write the PSK in ipsec.secrets. Examples: http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples


Page 24: IPSEC


Openswan/Strongswan: commands

Restart: /etc/init.d/ipsec restart

Status: ipsec auto --status


Page 25: IPSEC


KAME: Architecture

As usual, the SPD and SAD live in the kernel

setkey(8) is used to manipulate SPD/SAD

racoon(8) is the IKE daemon


Page 26: IPSEC


KAME: Configuration

setkey script

    #!/usr/sbin/setkey -f
    #
    # Flush SAD and SPD
    flush;
    spdflush;

    # Create policies for racoon
    spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
        esp/tunnel/192.168.1.100-192.168.2.100/require;

    spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
        esp/tunnel/192.168.2.100-192.168.1.100/require;
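The two spdadd statements above are the SPD in file form, which is why the earlier slide calls the SPD IPSEC's routing table. As an added illustration (not code from the slides or from the KAME project), this Python model parses them and answers the question the SPD exists to answer: for a given packet and direction, which policy applies and which ESP tunnel carries it. The first-match rule is a simplification noted in the code; the sample script is a constructed copy of the one above.

```python
import ipaddress
import re

# Constructed sample: the two spdadd statements of the setkey script on this
# page, in setkey(8) syntax. flush/spdflush are not policies and are skipped.
SETKEY_SCRIPT = """
flush;
spdflush;
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> <action> [proto/mode/local-remote/level];
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(\S+)"
    r"(?:\s+(\w+)/(\w+)/([\d.]+)-([\d.]+)/(\w+))?\s*;")

def parse_spd(script):
    """Parse spdadd statements into policy dicts, in installation order."""
    policies = []
    for m in SPDADD.finditer(script):
        src, dst, upper, direction, action, proto, mode, local, remote, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "upper": upper, "dir": direction, "action": action, "proto": proto,
            "mode": mode, "tunnel": (local, remote), "level": level})
    return policies

def lookup(policies, src, dst, direction):
    """Return the policy that governs a packet, or None when the SPD has no
    entry for it (the packet then leaves as plain, unprotected IP).
    Simplification: first match wins; real kernels also honour priorities."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

def describe(policies, src, dst, direction):
    """One-line verdict for a packet, the way a route lookup would answer."""
    p = lookup(policies, src, dst, direction)
    if p is None:
        return f"{direction} {src} -> {dst}: no policy, sent in the clear"
    local, remote = p["tunnel"]
    return (f"{direction} {src} -> {dst}: {p['action']} {p['proto']} {p['mode']} "
            f"{local} -> {remote} ({p['level']})")
```

Note that a packet to a destination outside 172.16.2.0/24 matches nothing and is forwarded unprotected, which is exactly the failure a missing or too-narrow policy produces in practice.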


Page 27: IPSEC


KAME: Configuration (2)

racoon.conf

    path pre_shared_key "/etc/psk.txt";

    remote 192.168.2.100 {
        exchange_mode main;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }

    sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }
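The Phase 1 and Phase 2 parameters listed on the earlier slides are exactly what this racoon.conf fixes, so it is the natural place for a review check. The following Python auditor is an added example (not from the slides or from ipsec-tools): it scans racoon.conf directives for choices a reviewer would flag today (3DES, MD5, modp768/modp1024, aggressive mode) and reports them with their line number. The WEAK table and its reasons are the editor's assumptions, not part of the racoon documentation; the sample configuration is a constructed copy of the one above.

```python
import re

# Constructed sample: the racoon.conf of this slide (phase 1 "remote" block,
# phase 2 "sainfo" block), reproduced here as input for the audit.
RACOON_CONF = """
path pre_shared_key "/etc/psk.txt";

remote 192.168.2.100 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
"""

# Values a reviewer should flag (editor's assumptions). Phase 1 uses
# hash_algorithm/dh_group, phase 2 uses authentication_algorithm/pfs_group.
WEAK = {
    "exchange_mode": {"aggressive": "identities sent unprotected; use main"},
    "encryption_algorithm": {"des": "56-bit key", "3des": "64-bit block, deprecated",
                             "blowfish": "64-bit block"},
    "hash_algorithm": {"md5": "collision-broken hash"},
    "authentication_algorithm": {"hmac_md5": "MD5-based MAC"},
    "dh_group": {"modp768": "768-bit group", "modp1024": "1024-bit group"},
    "pfs_group": {"modp768": "768-bit group", "modp1024": "1024-bit group"},
}
# One "directive value [value...];" statement; braces are never part of a value.
DIRECTIVE = re.compile(r"^\s*(\w+)\s+([^;{}]+?)\s*;", re.M)

def audit(conf):
    """Return (line, directive, value, reason) for each weak setting found."""
    findings = []
    for m in DIRECTIVE.finditer(conf):
        directive, values = m.group(1), re.split(r"[\s,]+", m.group(2).strip())
        for value in values:  # racoon allows lists such as "main,aggressive"
            reason = WEAK.get(directive, {}).get(value.lower())
            if reason:
                findings.append((conf.count("\n", 0, m.start(1)) + 1, directive, value, reason))
    return findings
```

Run against the configuration above it reports six findings, two per algorithm family; an empty result is the condition to require before a proposal goes into production.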


Page 28: IPSEC


KAME: Administration

SPD/SAD status

    setkey -D
    setkey -DP

/etc/init.d/setkey restart

/etc/init.d/racoon restart

racoon.log


Page 29: IPSEC


OpenBSD: configuration

/etc/ipsec.conf

    ike esp from 10.1.0.0/16 to 10.10.22.0/24 \
        local 212.85.148.172 peer 195.154.89.70 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 psk "toto"


Page 30: IPSEC


OpenBSD: administration

isakmpd -K

ipsecctl -f /etc/ipsec.conf

ipsecctl -vsa



Page 32: IPSEC


Troubleshooting

Use tcpdump:

    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
    ...
    esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
    esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
    esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
    esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
    esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
    esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
    ...
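Reading that capture by hand, the telling detail is the all-zero responder cookie repeated on every isakmp line: the initiator keeps sending its first Phase 1 message and nobody answers. As an added example (not from the slides), this Python script parses the two tcpdump line formats shown above, groups IKE messages by initiator cookie and ESP packets by SA, and reports an unanswered negotiation as well as any ESP sequence numbers that fail to increase. The sample input is a constructed copy of the slide's output.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines of this slide, with spacing repaired.
TCPDUMP_OUTPUT = """\
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
"""

ISAKMP = re.compile(r"^(\S+)\.500 > (\S+)\.500: isakmp v\S+ exchange (\S+)\s+"
                    r"cookie: ([0-9a-f]+)->([0-9a-f]+) msgid: [0-9a-f]+ len: \d+")
ESP = re.compile(r"^esp (\S+) > (\S+) spi (0x[0-9a-f]+) seq (\d+) len \d+")

def analyse(text):
    """Group IKE messages by initiator cookie and ESP packets by SA, then
    report what a first look at the capture should tell the operator."""
    ike = defaultdict(list)   # initiator cookie -> [(src, dst, exchange, rcookie)]
    esp = defaultdict(list)   # (src, dst, spi) -> [seq, ...]
    for line in text.splitlines():
        m = ISAKMP.match(line)
        if m:
            src, dst, exch, icookie, rcookie = m.groups()
            ike[icookie].append((src, dst, exch, rcookie))
            continue
        m = ESP.match(line)
        if m:
            src, dst, spi, seq = m.groups()
            esp[(src, dst, spi)].append(int(seq))
    findings = []
    for msgs in ike.values():
        # The responder puts its own cookie in its first reply. If every message
        # carrying this initiator cookie still shows an all-zero responder cookie,
        # the peer never answered: wrong address, UDP 500 filtered, or no IKE daemon.
        if all(rc == "0" * 16 for *_, rc in msgs):
            src, dst, exch, _ = msgs[0]
            findings.append(f"IKE {exch} {src} -> {dst}: {len(msgs)} message(s), no reply")
    for (src, dst, spi), seqs in esp.items():
        # ESP sequence numbers drive anti-replay and must strictly increase per SA.
        if any(b <= a for a, b in zip(seqs, seqs[1:])):
            findings.append(f"ESP {spi} {src} -> {dst}: sequence numbers not increasing")
    return {"ike": dict(ike), "esp": dict(esp), "findings": findings}
```

The ESP part of the capture is healthy (one SA, three consecutive sequence numbers), so the only finding is the unanswered Phase 1 exchange, which points at reachability or firewall configuration rather than at the IPSEC parameters.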
