IPSEC
VPNs and network security
The first school 100% dedicated to open source
Open Source School was founded on the initiative of Smile, the leader in open source integration and managed services, and EPSI, a private institution that pioneered higher education in computer science.
As part of the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school by granting it initial funding of €1.4M, confirming its commitment to supporting the Free Software sector, which is currently growing rapidly.
With annual growth of more than 10% and 4,000 unfilled positions every year in the Free Software sector, OSS aims to address the sector's skills shortage by mobilising the whole ecosystem and offering the widest range of training in open source technologies, both as initial education and as continuing education.
Training that leads to full employment!
Continuing Education
Open Source School "Executive Education" is an accredited training organisation offering a catalogue of more than 200 professional courses and various retraining schemes that enable a return to employment (POE) or better employability for many IT professionals.
For your requests: [email protected]
Initial Education
100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's skills-block framework. It leads to a level I RNCP qualification (Bac+5). The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes and Paris.
Our training areas
Introduction IPSEC Protocols VPNs over IPSEC Applications T13G
Plan
1 Introduction
2 IPSEC Protocols
3 VPNs over IPSEC
4 Applications
5 Troubleshooting
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/29
What is a VPN?
What is encapsulation?
Introduction to IPSEC
IPSEC is a set of protocols to harden network communication security.
Part of the IPv6 specification, but ported to IPv4
Often used for VPNs, but it has other purposes too
Unlike most products (e.g. OpenVPN) it is an IETF standard, allowing interoperability
This presentation is about the IPSEC implementations in operating systems; there are also software implementations, hardware implementations in dedicated equipment, etc.
IPSEC Protocols
IPSEC is built around several protocols
ESP
AH
IKE
NAT-T
Encapsulation protocols
ESP allows:
Authentication
Integrity (of payload)
Confidentiality
AH allows:
Authentication
Integrity (of whole packet)
ESP does not protect the IP header, which makes it suitable for NAT
Negotiation protocols
IKE
IKE is the main protocol; it allows security parameter negotiation between hosts
NAT-T
NAT-T is a helper protocol which encapsulates traffic into a UDP port, allowing it to cross firewalls and NAT devices.
Establishment of an IPSEC session
Hosts contact each other using IKE (UDP 500)
IKE Phase 1: hosts authenticate to each other
IKE Phase 2: hosts negotiate the IPSEC parameters
IPSEC-protected traffic starts flowing
Two possible modes
Transport mode: only the payload is encapsulated
Tunnel mode: the IP header is encapsulated too
In tunnel mode, you can rewrite IP headers, allowing VPNs
3 VPNs over IPSEC
SPD and SAD
Security Policy Database
SPDs are IPSEC's routing tables. They decide which traffic is protected
Security Association Database
SADs are IPSEC's network status ("netstat"); they contain the current sessions
Phase 1 parameters
Mode: main / aggressive
Identity: IP, DN, mail...
Authentication method: PSK, X509, RSA...
Encryption algorithm: 3DES, AES, blowfish...
Authentication algorithm: MD5, SHA1, ...
Diffie-Hellman key length
Lifetime
Phase 2 parameters
Encryption algorithm
Authentication algorithm
Perfect Forward Secrecy
Lifetime
Domain: single host, subnet...
How sessions are established
Hosts contact each other spontaneously or on demand
The required sessions are established
When they expire, they are automatically renewed
4 Applications
Introduction
All the implementations we will study share certain characteristics:
SAD, SPD, routing and encapsulation are managed by the kernel
IKE negotiation, retries and renewal are managed by userland daemons
Both talk to each other over the standard PF_KEY interface, allowing different implementations to coexist
On Linux, two kernel implementations exist: a native PF_KEY implementation and KLIPS, a historical implementation.
Warning
Firewalls can process IPSEC traffic; you'll have to configure yours.
Openswan/Strongswan: configuration
Configuration is done in ipsec.conf

conn net-net
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftid=192.168.0.1
    leftfirewall=yes
    right=192.168.0.2
    rightsubnet=10.2.0.0/16
    rightid=192.168.0.2
    auto=add

Write the PSK in ipsec.secrets. Examples: http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
Openswan/Strongswan: commands
Restart: /etc/init.d/ipsec restart
Status: ipsec auto --status
KAME: Architecture
As usual, SPD/SAD are in-kernel
setkey(8) is used to manipulate SPD/SAD
racoon(8) is the IKE daemon
KAME: Configuration
setkey script

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/192.168.1.100-192.168.2.100/require;

spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;
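To make the SPD slide concrete ("SPDs are IPSEC's routing tables; they decide which traffic is protected"), here is an added example, not part of the original deck: a small Python reader for the spdadd lines of the setkey script above that replays the kernel's first-match policy lookup. The two policies are those of the script; the packet addresses passed to lookup() are constructed.

```python
import ipaddress
import re

# Constructed sample: the two policies of the setkey script above, one per line.
SETKEY_POLICIES = """
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec esp/tunnel/192.168.2.100-192.168.1.100/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> <action> [<proto>/<mode>/<local>-<remote>/<level>];
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"(?P<action>ipsec|discard|none)"
    r"(?:\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/(?P<ep>[^/]*)/(?P<level>require|use|default))?\s*;"
)

def parse_spd(text):
    """Turn spdadd lines into policy dicts, keeping their order (first match wins)."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError("unparsed policy: " + line)
        p = m.groupdict()
        p["src"] = ipaddress.ip_network(p["src"], strict=False)
        p["dst"] = ipaddress.ip_network(p["dst"], strict=False)
        # tunnel mode carries "local-remote" gateway addresses; transport mode has none
        p["ep"] = tuple(p["ep"].split("-")) if p["ep"] else None
        policies.append(p)
    return policies

def lookup(policies, src, dst, direction, upper="any"):
    """Mimic the kernel SPD lookup: first matching policy, or None (packet passes in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["dir"] == direction and p["upper"] in ("any", upper)
                and s in p["src"] and d in p["dst"]):
            return p
    return None

def describe(policy):
    """One-line summary of a lookup result, in the spirit of setkey -DP output."""
    if policy is None:
        return "no policy: bypass (sent in the clear)"
    if policy["action"] != "ipsec":
        return policy["action"]
    ep = "%s->%s" % policy["ep"] if policy["ep"] else "end-to-end"
    return "%s %s %s (%s)" % (policy["proto"], policy["mode"], ep, policy["level"])
```

The last case is the one worth checking on a real gateway: traffic that matches no policy is not protected at all, it is simply routed.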
KAME: Configuration (2)
racoon.conf

path pre_shared_key "/etc/psk.txt";

remote 192.168.2.100 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
KAME: Administration
SPD/SAD status
setkey -D
setkey -DP
/etc/init.d/setkey restart
/etc/init.d/racoon restart
racoon.log
OpenBSD: configuration
/etc/ipsec.conf

ike esp from 10.1.0.0/16 to 10.10.22.0/24 \
    local 212.85.148.172 peer 195.154.89.70 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 psk "toto"
OpenBSD: administration
isakmpd -K
ipsecctl -f /etc/ipsec.conf
ipsecctl -vsa
Troubleshooting
Use tcpdump:

91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
...
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
esp 91.216.209.229 > 41.141.252.214 spi 0x0abd6f35 seq 40540 len 132
esp 41.141.252.214 > 91.216.209.229 spi 0x5f060fde seq 186105 len 100
...
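The capture above shows the two things to read off a tcpdump trace: IKE main-mode packets whose responder cookie stays all-zero (the peer never answered on UDP 500), and ESP packets per SPI and direction. As an added example that is not part of the original slides, this Python snippet parses lines in that tcpdump format and reports both; the sample capture is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed capture, in the OpenBSD tcpdump format of the slide (same addresses as above).
CAPTURE = """\
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
91.216.209.229.500 > 109.164.245.185.500: isakmp v1.0 exchange ID_PROT cookie: 68399732fc60febb->0000000000000000 msgid: 00000000 len: 184
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165869 len 484
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165870 len 468
esp 91.216.209.229 > 41.141.252.214 spi 0x00183f10 seq 165871 len 468
esp 41.141.252.214 > 91.216.209.229 spi 0xf1afacec seq 40877 len 132
"""

ISAKMP_RE = re.compile(r"^(?P<src>[\d.]+)\.500 > (?P<dst>[\d.]+)\.500: isakmp v1\.0 exchange (?P<exch>\S+) "
                       r"cookie: (?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16})")
ESP_RE = re.compile(r"^esp (?P<src>[\d.]+) > (?P<dst>[\d.]+) spi (?P<spi>0x[0-9a-f]+) seq (?P<seq>\d+) len (?P<len>\d+)")

def analyse(capture):
    """Summarise a tcpdump capture: phase 1 attempts that got no reply, and ESP SA activity."""
    attempts = defaultdict(int)  # (src, dst, initiator cookie) -> packets whose responder cookie is zero
    answered = set()             # initiator cookies for which a non-zero responder cookie was seen
    sas = {}                     # (src, dst, spi) -> packet count, highest seq, out-of-order count
    for line in capture.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            # The responder cookie is all-zero only in the initiator's first message;
            # the same initiator cookie repeating with a zero responder cookie is a retransmit.
            if m["rcookie"] == "0" * 16:
                attempts[(m["src"], m["dst"], m["icookie"])] += 1
            else:
                answered.add(m["icookie"])
            continue
        m = ESP_RE.match(line)
        if m:
            sa = sas.setdefault((m["src"], m["dst"], m["spi"]),
                                {"packets": 0, "last_seq": 0, "out_of_order": 0})
            seq = int(m["seq"])
            sa["packets"] += 1
            if seq <= sa["last_seq"]:
                sa["out_of_order"] += 1  # reordered or replayed; ESP anti-replay would reject a replay
            sa["last_seq"] = max(sa["last_seq"], seq)
    # More than one unanswered attempt per initiator cookie: the peer never replied on UDP 500
    # (daemon down, wrong peer address or a firewall dropping IKE), so no SA will be set up.
    unanswered = {k: n for k, n in attempts.items() if n > 1 and k[2] not in answered}
    return {"unanswered_phase1": unanswered, "sas": sas}
```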