IPsec

From the Linux and Unix Users Group at Virginia Tech Wiki
TODO: Can easily find this information on google
 
 
''This page provides an overview of IPsec in general. For information on the vtluug IPsec tunnel, see [[Infrastructure:IPsec]]''
 
 
'''IPsec''' is a method of running an encrypted overlay network, so as to protect traffic originating from an unencrypted and/or untrusted network, such as a coffee shop's open wireless access point. It is one of a number of protocols that can be used for this. L2TP/IPsec is one of the most common methods, although OpenVPN and IPsec keyed with IKEv2 are also viable, faster, and arguably more secure. IKEv2 is supported by openiked, developed by the [[OpenBSD]] project. Most of this article assumes the use of IPsec with IKEv1.
 
 
==Network-to-Network==
 
For purposes of this tutorial, we are setting up two endpoints, '''vpn1''' and '''vpn2''', both using IPv6 with the subnets '''2001:db8:1::/64''' and '''2001:db8:2::/64''', respectively.
 
 
===Linux with OpenSWAN===
 
Tested with OpenSWAN 2.6.41 on Arch Linux (updated on 2014-09-12).
 
 
* Generate a new host key on both endpoints:
 
sudo ipsec newhostkey --output /etc/ipsec.secrets
 
 
* Configure '''/etc/ipsec.conf''' on '''vpn1''':
 
config setup
 
    protostack=netkey
 
    nat_traversal=off
 
 
conn vpn2
 
    authby=rsasig
 
    connaddrfamily=ipv6
 
    type=tunnel
 
 
    ike=aes256-sha2_256;modp2048
 
    phase2alg=aes256-sha2_256;modp2048
 
    sha2_truncbug=yes
 
 
    left=vpn1.example.com
 
    leftid=@vpn1.example.com
 
    leftsubnet=2001:db8:1::/64
 
    leftrsasigkey=0s...
 
 
    right=vpn2.example.com
 
    rightid=@vpn2.example.com
 
    rightsubnet=2001:db8:2::/64
 
    rightrsasigkey=0s...
 
 
    auto=start
 
Make sure to change '''leftrsasigkey''' to the public key of the RSA key generated by the above command, which is shown on the '''#pubkey=''' line of '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the public key generated by the same command on the other endpoint, found in the same location there. Exchange the public keys over a channel you already trust (for example, an SSH session to each host); the rest of '''/etc/ipsec.secrets''' is the private key and must never leave the host.
 
 
* Configure '''/etc/ipsec.conf''' on '''vpn2''':
 
config setup
 
    protostack=netkey
 
    nat_traversal=off
 
 
conn vpn1
 
    authby=rsasig
 
    connaddrfamily=ipv6
 
    type=tunnel
 
 
    ike=aes256-sha2_256;modp2048
 
    phase2alg=aes256-sha2_256;modp2048
 
    sha2_truncbug=yes
 
 
    left=vpn2.example.com
 
    leftid=@vpn2.example.com
 
    leftsubnet=2001:db8:2::/64
 
    leftrsasigkey=0s...
 
 
    right=vpn1.example.com
 
    rightid=@vpn1.example.com
 
    rightsubnet=2001:db8:1::/64
 
    rightrsasigkey=0s...
 
 
    auto=start
 
Make sure to change '''leftrsasigkey''' to the public key of the RSA key generated by the above command, which is shown on the '''#pubkey=''' line of '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the public key generated by the same command on the other endpoint, found in the same location there.
 
 
* After configuring OpenSWAN, restart the daemon on each endpoint; the tunnel should be established after a minute or two. Check it with '''sudo ipsec auto --status''', which lists the negotiated ISAKMP and IPsec SAs, and with '''ip -6 xfrm state''', which shows the SAs the kernel has installed.
 
 
===OpenBSD===
 
Tested on [[OpenBSD]] 5.0 (updated on 2012-02-25).
 
 
* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as adding the following to '''/etc/rc.conf.local''' (leave '''/etc/rc.conf''' itself alone; it is replaced on upgrade). '''-K''' tells isakmpd not to require KeyNote policies, so the rules in '''/etc/ipsec.conf''' alone decide which SAs are accepted; '''ipsec=YES''' loads that file at boot:
 
<pre>isakmpd_flags="-K"
 
ipsec=YES</pre>
 
 
* Configure '''/etc/ipsec.conf''' on '''vpn1''':
 
ike esp from 2001:db8:1::/64 to 2001:db8:2::/64 \
 
    peer vpn2.example.com \
 
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    srcid vpn1.example.com tag ipsec-vpn1
 
 
* Configure '''/etc/ipsec.conf''' on '''vpn2''':
 
ike esp from 2001:db8:2::/64 to 2001:db8:1::/64 \
 
    peer vpn1.example.com \
 
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    srcid vpn2.example.com tag ipsec-vpn1
 
 
* We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file '''/etc/isakmpd/local.pub''' was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy '''/etc/isakmpd/local.pub''' on '''vpn1''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on '''vpn2'''. Next do this process in reverse for '''vpn2'''. Compare each copied file against the original over a channel you already trust before starting the tunnel: whatever key lands under '''pubkeys/fqdn/''' is what isakmpd will accept for that identity.
 
 
* After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels:
 
sudo /etc/rc.d/isakmpd start
 
sudo ipsecctl -f /etc/ipsec.conf
 
 
The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot.
 
 
==Roadwarrior==
 
===Linux with OpenSWAN===
 
Tested with OpenSWAN 2.6.41 on Arch Linux (updated on 2014-09-12).
 
 
* Generate a new host key on both endpoints:
 
sudo ipsec newhostkey --output /etc/ipsec.secrets
 
 
* Configure '''/etc/ipsec.conf''' on your VPN server:
 
config setup
 
    protostack=netkey
 
    nat_traversal=on
 
 
conn myvpn
 
    authby=rsasig
 
    connaddrfamily=ipv6
 
    type=tunnel
 
 
    ike=aes256-sha2_256;modp2048
 
    phase2alg=aes256-sha2_256;modp2048
 
    sha2_truncbug=yes
 
 
    left=vpn1.example.com
 
    leftid=@vpn1.example.com
 
    leftsubnet=2001:db8:1::/64
 
    leftrsasigkey=0s...
 
 
    right=%any
 
    rightid=@vpn2.example.com
 
    rightsubnet=2001:db8:2::1/128
 
    rightrsasigkey=0s...
 
 
    auto=add
 
Make sure to change '''leftrsasigkey''' to the public key of the RSA key generated by the above command, which is shown on the '''#pubkey=''' line of '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the public key generated by the same command on the roadwarrior, found in the same location there. Two things differ from the network-to-network case. '''rightsubnet''' is the single address the roadwarrior announces as its '''leftsubnet''' ('''2001:db8:2::1/128'''): IKEv1 has no selector narrowing, so Openswan only accepts an IPsec SA whose selectors match a loaded connection exactly, and a /64 here against a /128 there will not come up. And because the peer is '''%any''', this side cannot initiate, so the connection is '''auto=add''' (loaded and waiting for the roadwarrior) rather than '''auto=start'''.
 
 
* Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN:
 
config setup
 
    protostack=netkey
 
    nat_traversal=on
 
 
conn vpn1
 
    authby=rsasig
 
    connaddrfamily=ipv6
 
    type=tunnel
 
 
    ike=aes256-sha2_256;modp2048
 
    phase2alg=aes256-sha2_256;modp2048
 
    sha2_truncbug=yes
 
 
    left=%defaultroute
 
    leftid=@vpn2.example.com
 
    leftsubnet=2001:db8:2::1/128
 
    leftsourceip=2001:db8:2::1
 
    leftrsasigkey=0s...
 
 
    right=vpn1.example.com
 
    rightid=@vpn1.example.com
 
    rightsubnet=2001:db8:1::/64
 
    rightrsasigkey=0s...
 
 
    auto=start
 
Make sure to change '''leftrsasigkey''' to the public key of the RSA key generated by the above command, which is shown on the '''#pubkey=''' line of '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the public key generated by the same command on the VPN server, found in the same location there.
 
 
* After configuring OpenSWAN, restart the daemon on each endpoint; the roadwarrior initiates and the tunnel should be established after a minute or two. '''sudo ipsec auto --status''' on either side lists the negotiated SAs.
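Most of the failures in this kind of setup are copy-paste asymmetries between the two ipsec.conf files: a '''leftsubnet''' that does not mirror the peer's '''rightsubnet''', keys pasted on the wrong side, or '''right=%any''' combined with '''auto=start'''. The following is an added Python example (not code from the wiki page or from Openswan) that parses two Openswan-style ipsec.conf files and reports those mismatches for both the network-to-network pair and the roadwarrior server above. The configurations inside it are constructed samples with placeholder '''0sKEY''' values, not real keys; '''VPN2_CONF''' carries a deliberate '''leftsubnet''' mistake and '''RW_SERVER_CONF''' pairs '''%any''' with '''auto=start''' so that the checker has something to find.

```python
"""Cross-check a pair of Openswan-style ipsec.conf files for mirror errors.

Added example; not code from the wiki page or from Openswan. The configs
below are constructed samples with placeholder keys: VPN2_CONF has a
deliberate leftsubnet mistake, RW_SERVER_CONF has right=%any + auto=start.
"""

VPN1_CONF = """\
conn vpn2
    authby=rsasig
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=vpn1.example.com
    leftid=@vpn1.example.com
    leftsubnet=2001:db8:1::/64
    leftrsasigkey=0sKEY1          # placeholder, not a real key
    right=vpn2.example.com
    rightid=@vpn2.example.com
    rightsubnet=2001:db8:2::/64
    rightrsasigkey=0sKEY2
    auto=start
"""

VPN2_CONF = """\
conn vpn1
    authby=rsasig
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=vpn2.example.com
    leftid=@vpn2.example.com
    leftsubnet=2001:db8:1::/64    # wrong on purpose: must mirror vpn1's rightsubnet
    leftrsasigkey=0sKEY2
    right=vpn1.example.com
    rightid=@vpn1.example.com
    rightsubnet=2001:db8:1::/64
    rightrsasigkey=0sKEY1
    auto=start
"""

RW_SERVER_CONF = """\
conn myvpn
    authby=rsasig
    leftrsasigkey=0sKEY1
    right=%any
    rightrsasigkey=0sKEY3
    auto=start
"""

MIRRORED = [("leftsubnet", "rightsubnet"), ("leftid", "rightid"),
            ("leftrsasigkey", "rightrsasigkey")]
MUST_MATCH = ["authby", "ike", "phase2alg"]


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for 'config setup' / 'conn NAME' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header starts at column 0
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        if current is None:
            raise ValueError("key/value outside any section: %r" % raw)
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def check_conn(name, conn):
    """Findings that can be made from one side alone."""
    findings = []
    if conn.get("right") == "%any" and conn.get("auto") == "start":
        findings.append(f"{name}: right=%any cannot be initiated; use auto=add")
    if conn.get("authby") == "rsasig":
        for side in ("left", "right"):
            if not conn.get(side + "rsasigkey", "").startswith("0s"):
                findings.append(f"{name}: {side}rsasigkey is not a 0s... public key")
    return findings


def check_pair(a_name, a, b_name, b):
    """Proposals must match; each left* on one side must equal right* on the other."""
    findings = []
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            findings.append(f"{key}: {a_name}={a.get(key)} vs {b_name}={b.get(key)}")
    for left, right in MIRRORED:
        for ak, bk in ((left, right), (right, left)):
            if a.get(ak) != b.get(bk):
                findings.append(f"{a_name} {ak}={a.get(ak)} != {b_name} {bk}={b.get(bk)}")
    return findings


def audit_site_to_site():
    vpn1 = parse_ipsec_conf(VPN1_CONF)[("conn", "vpn2")]
    vpn2 = parse_ipsec_conf(VPN2_CONF)[("conn", "vpn1")]
    return (check_conn("vpn1", vpn1) + check_conn("vpn2", vpn2)
            + check_pair("vpn1", vpn1, "vpn2", vpn2))


def audit_roadwarrior_server():
    return check_conn("myvpn", parse_ipsec_conf(RW_SERVER_CONF)[("conn", "myvpn")])


if __name__ == "__main__":
    for finding in audit_site_to_site() + audit_roadwarrior_server():
        print("FINDING:", finding)
```

Run it against real files by replacing the embedded strings with the contents of each host's '''/etc/ipsec.conf'''; an empty finding list is the precondition for the "restart the daemon and wait" step actually working.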
 
 
===OpenBSD===
 
Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27).
 
 
* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as adding the following to '''/etc/rc.conf.local''' (not '''/etc/rc.conf''' itself, which is replaced on upgrade):
 
<pre>isakmpd_flags="-K"
 
ipsec=YES</pre>
 
 
* Configure '''/etc/ipsec.conf''' on your VPN server. The rule is '''passive''': with '''peer any''' the server does not know the roadwarrior's address and must wait for it to initiate:
 
ike passive esp from 2001:db8:1::/64 to 2001:db8:2::1 \
 
    peer any \
 
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    srcid vpn1.example.com tag ipsec-vpn1
 
 
* Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN:
 
ike esp from 2001:db8:2::1 to 2001:db8:1::/64 \
 
    peer vpn1.example.com \
 
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    srcid vpn2.example.com tag ipsec-vpn1
 
 
* We will be using RSA public key authentication, similar to what is commonly done with SSH, here. When you installed OpenBSD, the file '''/etc/isakmpd/local.pub''' was generated. This file will need to be copied to the other endpoint and vice versa. To set this up on vpn1, simply copy '''/etc/isakmpd/local.pub''' on '''vpn1''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on '''vpn2'''. Next do this process in reverse for '''vpn2'''.
 
 
* After you make the necessary changes, starting IPsec is simply a matter of running the following command on each endpoint to start your tunnels:
 
sudo /etc/rc.d/isakmpd start
 
sudo ipsecctl -f /etc/ipsec.conf
 
 
The changes we made to rc.conf above ensure that your IPsec tunnels will be reestablished on boot.
 
 
===Linux with OpenSWAN (laptop) to OpenBSD (router)===
 
Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27).
 
 
Assume the router has an IPv4-only hostname of home.example.org and you want to route the IPv6 subnet 2001:420:1:9A8::/64.
 
Assume the laptop is called laptop.example.org (this does not have to be an actual DNS entry) and will route the org-local subnet fd20:50::1/128 (which is actually just one address).
 
 
* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as adding the following to '''/etc/rc.conf.local''' (not '''/etc/rc.conf''' itself, which is replaced on upgrade):
 
<pre>isakmpd_flags="-K"
 
ipsec=YES</pre>
 
 
* Configure '''/etc/ipsec.conf''' on '''home.example.org'''. The rule is '''passive''' because the router only knows the laptop as '''peer any''' and has to wait for it to connect:
 
ike passive esp from 2001:420:1:9A8::/64 to fd20:50::1/128 \
 
    peer any \
 
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    srcid home.example.org tag ipsec-vpn1
 
 
* Generate a new host key on '''laptop.example.org''':
 
sudo ipsec newhostkey --output /etc/ipsec.secrets
 
 
* Configure '''/etc/ipsec.conf''' on '''laptop.example.org''':
 
config setup
 
    protostack=netkey
 
    nat_traversal=off
 
 
conn vpn2
 
  authby=rsasig
 
  connaddrfamily=ipv6
 
  type=tunnel
 
 
  ike=aes256-sha2_256;modp2048
 
  phase2alg=aes256-sha2_256;modp2048
 
  sha2_truncbug=yes
 
 
  left=%defaultroute
 
  leftid=@laptop.example.org
 
  leftsubnet=fd20:50::1/128
 
  leftsourceip=fd20:50::1
 
  leftrsasigkey=<laptop_pubkey> # from /etc/ipsec.secrets on '''laptop.example.org'''
 
 
  right=home.example.org
 
  rightid=@home.example.org
 
  rightsubnet=2001:420:1:9A8::/64
 
  rightrsasigkey=<server_pubkey> # converted later from key on '''home.example.org'''
 
 
  auto=start
 
 
The trickiest part (and it's not actually *that* tricky) is converting the public key from the Linux format to the format OpenBSD uses, and vice versa. There is a handy Perl script found [http://pastebin.com/THUf4Dsg here] that takes a Linux- or OpenBSD-formatted public key on stdin and outputs the OpenBSD- or Linux-formatted equivalent.
 
 
On OpenBSD the pubkey is found in '''/etc/isakmpd/local.pub''' and in Linux it is found in /etc/ipsec.secrets. In ipsec.secrets, you will find a public key like:
 
#pubkey=0s...
 
 
* To convert this to OpenBSD format, run
 
 
echo ": PUB 0s..." | ./ipsec.pl
 
 
where 0s... is your full public key.
 
 
* For the OpenBSD key, it is possible to pipe in local.pub like:
 
 
cat local.pub | ./ipsec.pl
 
 
* Place the output from the OpenBSD pubkey into '''/etc/ipsec.conf''' on '''laptop.example.org''' here:
 
 
rightrsasigkey=<server_pubkey>
 
 
and put the output for the Linux pubkey into '''/etc/isakmpd/pubkeys/fqdn/laptop.example.org'''
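What the linked script does, written out as an added Python example (this is not the pastebin script and not code from Openswan or OpenBSD): the Openswan '''0s...''' value is base64 of the RFC 3110 layout (exponent length, exponent, modulus), while OpenBSD's '''local.pub''' and the files under '''pubkeys/fqdn/''' are PEM '''PUBLIC KEY''' blocks (an X.509 SubjectPublicKeyInfo wrapping a PKCS#1 RSAPublicKey). The modulus '''SAMPLE_N''' below is a constructed placeholder, not a real key, and the helper names are my own; both directions use only the standard library.

```python
"""Convert an RSA public key between Openswan's "0s..." form and the PEM
"PUBLIC KEY" form read by OpenBSD's isakmpd (local.pub, pubkeys/fqdn/<host>).

Added example, not the linked Perl script and not code from either project.
Assumes: 0s... = base64(RFC 3110: exponent length, exponent, modulus);
PEM = SubjectPublicKeyInfo{rsaEncryption, BIT STRING{RSAPublicKey{n, e}}}.
"""
import base64
import re

# AlgorithmIdentifier for rsaEncryption: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")

SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x1234567      # constructed 2048-bit placeholder, not a real modulus


def _int_bytes(i):
    return i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")


def _der(tag, body):
    """Minimal DER TLV encoder (definite length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = _int_bytes(n)
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(i):
    b = _int_bytes(i)
    if b[0] & 0x80:                     # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def _der_read(buf, off=0):
    """Return (tag, body, offset_after) for the TLV starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def parse_rfc3110(text):
    """Accept a bare '0s...', an ipsec.secrets '#pubkey=0s...' line or ': PUB 0s...'."""
    m = re.search(r"0s([A-Za-z0-9+/=]+)", text)
    if not m:
        raise ValueError("no 0s... key found")
    raw = base64.b64decode(m.group(1))
    if raw[0]:                          # one-byte exponent length
        elen, off = raw[0], 1
    else:                               # zero byte, then two-byte exponent length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[off:off + elen], "big")
    n = int.from_bytes(raw[off + elen:], "big")
    return e, n


def to_rfc3110(e, n):
    eb = _int_bytes(e)
    prefix = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return "0s" + base64.b64encode(prefix + eb + _int_bytes(n)).decode()


def to_pem(e, n):
    rsapub = _der(0x30, _der_int(n) + _der_int(e))              # PKCS#1 RSAPublicKey
    spki = _der(0x30, RSA_ALGID + _der(0x03, b"\x00" + rsapub))  # SubjectPublicKeyInfo
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def parse_pem(pem):
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, spki, _ = _der_read(base64.b64decode(b64))
    if not spki.startswith(RSA_ALGID):
        raise ValueError("not an rsaEncryption public key")
    _, bits, _ = _der_read(spki, len(RSA_ALGID))
    _, rsapub, _ = _der_read(bits, 1)                            # skip unused-bits byte
    _, nb, off = _der_read(rsapub)
    _, eb, _ = _der_read(rsapub, off)
    return int.from_bytes(eb, "big"), int.from_bytes(nb, "big")


def rfc3110_to_pem(text):
    return to_pem(*parse_rfc3110(text))


def pem_to_rfc3110(pem):
    return to_rfc3110(*parse_pem(pem))


if __name__ == "__main__":
    linux_key = to_rfc3110(SAMPLE_E, SAMPLE_N)
    print(rfc3110_to_pem("#pubkey=" + linux_key))   # goes to pubkeys/fqdn/<laptop> on OpenBSD
    print(pem_to_rfc3110(to_pem(SAMPLE_E, SAMPLE_N)))  # goes into rightrsasigkey= on Linux
```

Feed the '''#pubkey=''' line from ipsec.secrets to '''rfc3110_to_pem''' and the contents of '''local.pub''' to '''pem_to_rfc3110'''; the outputs drop into the same two places the Perl script's output goes.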
 
 
* After you make the necessary changes, starting IPsec is simply a matter of running the following command on '''home.example.org''':
 
sudo /etc/rc.d/isakmpd start
 
sudo ipsecctl -f /etc/ipsec.conf
 
 
and on '''laptop.example.org''' restart Openswan (generally under the rc script name ipsec) in whatever manner is prescribed by your distribution.
 
 
===Linux with strongSwan (laptop) to OpenBSD (router)===
 
Tested on [[OpenBSD]] 5.5 and [[Arch Linux]] (updated on 2014-10-05).
 
 
Assume your router has the hostname home.example.org and you want to route the IPv6 subnet 2001:db8:1::/64 from your laptop, laptop.example.org. Note that DNS entries are not required for either of these. We will be using IKEv1 for key exchange, as IKEv2 support on OpenBSD was not complete at the time of writing.
 
 
* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as adding the following to '''/etc/rc.conf.local''' (not '''/etc/rc.conf''' itself, which is replaced on upgrade):
 
<pre>isakmpd_flags="-K"
 
ipsec=YES</pre>
 
 
* Configure '''/etc/ipsec.conf''' on '''home.example.org''':
 
ike passive esp from 2001:db8:1::/64 to any \
 
    peer any \
 
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
 
    srcid home.example.org tag ipsec-vpn1
 
 
* Generate a new host key on '''laptop.example.org''':
 
sudo openssl genrsa -out /etc/ipsec.d/private/laptop.example.org.pem 4096
 
 
* Add the private key you just generated to /etc/ipsec.secrets (strongSwan looks for the file under /etc/ipsec.d/private/):
 
: RSA laptop.example.org.pem
 
 
* Extract the corresponding public key for your private key:
 
sudo openssl rsa -in /etc/ipsec.d/private/laptop.example.org.pem -pubout -out /etc/ipsec.d/certs/laptop.example.org.pem
 
 
* Configure '''/etc/ipsec.conf''' on '''laptop.example.org''':
 
config setup
 
 
conn home
 
    keyexchange=ikev1
 
    authby=pubkey
 
    connaddrfamily=ipv6
 
    type=tunnel
 
 
    ike=aes256-sha256-modp2048
 
    esp=aes256-sha256-modp2048
 
 
    left=%defaultroute
 
    leftid=@laptop.example.org
 
    leftsubnet=fdf0:f00::1/128
 
    leftrsasigkey=laptop.example.org.pem
 
 
    # if you don't have home.example.org in DNS or don't want strongswan to do a DNS lookup when it starts, hardcode the right IP
 
    right=home.example.org
 
    rightid=@home.example.org
 
    rightsubnet=2001:db8:1::/64
 
    rightrsasigkey=home.example.org.pem
 
 
    auto=add
 
Note that leftsubnet should correspond to the IPv6 source address you want to use. You will need to manually configure this address on your interface, and add a route for traffic to rightsubnet, if one does not exist already.
 
 
* Copy the laptop's public key, /etc/ipsec.d/certs/laptop.example.org.pem on '''laptop.example.org''', to /etc/isakmpd/pubkeys/fqdn/laptop.example.org on '''home.example.org'''. Both files are PEM "PUBLIC KEY" blocks (the output of '''openssl rsa -pubout'''), so no format conversion is needed in this setup.
 
 
* Download /etc/isakmpd/local.pub from '''home.example.org''' and place it at /etc/ipsec.d/certs/home.example.org.pem on '''laptop.example.org''', which is the file '''rightrsasigkey''' refers to. Compare both copied keys against the originals over a channel you already trust before bringing the tunnel up.
 
 
* After you make the necessary changes, starting IPsec is simply a matter of running the following command on '''home.example.org''':
 
sudo /etc/rc.d/isakmpd start
 
sudo ipsecctl -f /etc/ipsec.conf
 
 
and on '''laptop.example.org''' restart strongSwan. Because the connection is '''auto=add''' (loaded but not started) and the router's rule is '''passive''', the laptop has to initiate:
 
sudo systemctl restart strongswan.service
 
sudo ipsec up home
 
'''sudo ipsec statusall''' then lists the established ISAKMP SA and CHILD SA for '''home'''.
 
 
== External links ==
 
* [[w:IPsec|IPsec]]
 
 
[[Category:Howtos]]
 
 
[[Category:Pending deletion]]
 

Revision as of 05:16, 4 January 2018