- •Table of Contents
- •Preface
- •What This Book Covers
- •What You Need for This Book
- •Conventions
- •Reader Feedback
- •Customer Support
- •Errata
- •Questions
- •The Need for Cryptography
- •Privacy
- •Security
- •A History of the Internet
- •Holding the Internet Together
- •The Creation of ICANN
- •ICANN Bypassed
- •The Root Name Servers
- •Running the Top-Level Domains
- •History of Internet Engineering
- •The Internet Engineering Task Force (IETF)
- •RFCs—Requests For Comments
- •IETF and Crypto
- •The War on Crypto
- •Dual Use
- •Public Cryptography
- •The Escrowed Encryption Standard
- •Export Laws
- •The Summer of '97
- •The EFF DES Cracker
- •Echelon
- •The End of the Export Restrictions
- •Free Software
- •Free as in Verifiable
- •The Open Source Movement
- •The History of Openswan
- •IETF Troubles over DNS
- •Super FreeS/WAN
- •The Arrival of Openswan
- •NETKEY
- •Further Reading
- •Using Openswan
- •Copyright and License Conditions
- •Writing and Contributing Code
- •Legality of Using Openswan
- •International Agreements
- •International Law and Hosting Openswan
- •Unrecognized International Claims
- •Patent Law
- •Expired and Bogus Patents
- •Useful Legal Links
- •Summary
- •A Very Brief Overview of Cryptography
- •Valid Packet Rewriting
- •Ciphers
- •Algorithms
- •Uniqueness
- •Public-Key Algorithms
- •Exchanging Public Keys
- •Digital Signatures
- •Diffie-Hellman Key Exchange
- •Avoiding the Man in the Middle
- •Session Keys
- •Crypto Requirements for IPsec
- •IPsec: A Suite of Protocols
- •Kernel Mode: Packet Handling
- •Authentication Header (AH)
- •Encapsulated Security Payload (ESP)
- •Transport and Tunnel Mode
- •Choosing the IPsec Mode and Type
- •The Kernel State
- •Encryption Details
- •Manual Keying
- •Final Note on Protocols and Ports
- •Usermode: Handling the Trust Relationships
- •The IKE Protocol
- •Phase 1: Creating the ISAKMP SA
- •Phase 2: Quick Mode
- •The NAT Problem
- •Summary
- •Linux Distributions
- •Debian
- •SuSE
- •Slackware
- •Gentoo
- •Linux 'Router' Distributions
- •Deciding on the Userland
- •Pluto
- •Racoon
- •Isakmpd
- •More Reasons to Pick Pluto
- •Choosing the Kernel IPsec Stack
- •KLIPS, the Openswan Stack
- •ipsecX Interfaces
- •First Packet Caching
- •Path MTU Discovery
- •KLIPS' Downside
- •NETKEY, the 2.6 IPsec Stack
- •The USAGI / SuSE IPsec Stack
- •Making the Choice
- •GPL Compliance and KLIPS
- •Binary Installation of the Openswan Userland
- •Checking for Old Versions
- •Installing the Binary Package for Openswan
- •Building from Source
- •Using RPM-based Distributions
- •Rebuilding the Openswan Userland
- •Building src.rpm from Scratch
- •Openswan Options
- •Building the Openswan Userland from Source
- •Downloading the Source Code
- •Configuring the Userland Tools
- •Optional Features
- •Compile Flags
- •File Path Options
- •Obscure Pluto Options
- •Compiling and Installing
- •Binary Installation of KLIPS
- •Building KLIPS from Source
- •Kernel Prerequisites
- •Identifying your Kernel's Abilities
- •Using Both KLIPS and NETKEY
- •The Kernel Build Options
- •Required Kernel Options
- •Desired Options
- •NETKEY Stack Options
- •KLIPS Stack Options
- •L2TP Options
- •Patching the Kernel
- •NAT-Traversal Patch
- •KLIPS Compile Shortcut
- •Activating KLIPS
- •Determining the Stack in Use
- •Building KLIPS into the Linux Kernel Source Tree
- •Building a Standard Kernel
- •NAT Traversal
- •Patching KLIPS into the Linux Kernel
- •Verifying the Installation
- •Summary
- •Manual versus Automatic
- •PSK versus RSA
- •Pitfalls of Debugging IPsec
- •Pre-Flight Check
- •The ipsec verify Command
- •NAT and Masquerading
- •Checking External Commands
- •Opportunistic Encryption
- •The ipsec livetest Command
- •Configuration of Openswan
- •The ipsec.conf File
- •Host-to-Host Tunnel
- •Left and Right
- •The type Options
- •The auto Option
- •The rsasigkey Options
- •Bringing Up the IPsec Tunnels
- •Listing IPsec Connections
- •Testing the IPsec Tunnel
- •Connecting Subnets Through an IPsec Connection
- •Testing Subnet Connections
- •Testing Properly
- •Encrypting the Host and the Network Behind It
- •Employing Advanced Routing
- •Creating More Tunnels
- •Avoiding Duplication
- •The Also Keyword
- •KLIPS and the ipsecX Interfaces
- •Pre-Shared Keys (PSKs)
- •Proper Secrets
- •Dynamic IP Addresses
- •Hostnames
- •Roadwarriors
- •Multiple Roadwarrior Connections
- •Dynamic IP and PSKs
- •Mixing PSK and RSA
- •Connection Management
- •Subnet Extrusion
- •NAT Traversal
- •Deprecated Syntax
- •Confirming a Functional NAT-T
- •Dead Peer Detection
- •DPD Works Both Ways
- •Configuring DPD
- •Buggy Cisco Routers
- •Ciphers and Algorithms
- •Using ike= to Specify Phase 1 Parameters
- •Using esp= to Specify Phase 2 Parameters
- •Defaults and Strictness
- •Unsupported Ciphers and Algorithms
- •Aggressive Mode
- •XAUTH
- •XAUTH Gateway (Server Side)
- •XAUTH Client (Supplicant Side)
- •Fine Tuning
- •Perfect Forward Secrecy
- •Rekeying
- •Key Rollover
- •Summary
- •X.509 Certificates Explained
- •X.509 Objects
- •X.509 Packing
- •Types of Certificates
- •Passphrases, PIN Codes, and Interactivity
- •IKE and Certificates
- •Using the Certificate DN as ID for Openswan
- •Generating Certificates with OpenSSL
- •Setting the Time
- •Configuring OpenSSL
- •Be Consistent with All Certificates
- •OpenSSL Commands for Common Certificate Actions
- •Configuring Apache for IPsec X.509 Files
- •Creating X.509-based Connections
- •Using a Certificate Authority
- •Using Multiple CAs
- •Sending and Receiving Certificate Information
- •Creating your own CA using OpenSSL
- •Creating Host Certificates with Your Own CA
- •Host Certificates for Microsoft Windows (PKCS#12)
- •Certificate Revocation
- •Dynamic CRL Fetching
- •Configuring CRL
- •Online Certificate Status Protocol (OCSP)
- •Summary
- •History of Opportunistic Encryption
- •Trusting Third Parties
- •Trusting the DNS?
- •OE in a Nutshell
- •An OE Security Gateway
- •DNS Key Records
- •Forward and Reverse Zones
- •The OE DNS Records
- •Different Types of OE
- •Policy Groups
- •Internal States
- •Configuring OE
- •Configuring Policies
- •Full OE or Initiate-Only
- •Generating Correct DNS Records
- •Name Server Updates
- •Verifying Your OE Setup
- •Testing Your OE Setup
- •The trap eroute
- •The pass eroute
- •The hold eroute
- •Manipulating OE Connections Manually
- •Advanced OE Setups
- •Caveats
- •Summary
- •Where to Firewall?
- •Allowing IPsec Traffic
- •NAT and IPsec Passthrough
- •Configuring the Firewall on the Openswan Host
- •Firewalling and KLIPS
- •Firewalling and NETKEY
- •Packet Size
- •Summary
- •Microsoft Windows
- •Layer 2 Tunneling Protocol (L2TP)
- •Assigning an IP for VPN Access
- •L2TP Properties
- •Pure IPsec versus L2TP/IPsec
- •Client and Server Configurations for L2TP/IPsec
- •The L2TP Openswan Server
- •Configuring Openswan for L2TP/IPsec
- •Linux Kernel Runtime Parameters for L2TP/IPsec
- •Protecting the L2TP Daemon with IPsec using iptables
- •Choosing an L2TP Daemon
- •Configuring L2TPD
- •Configuring User Authentication for pppd
- •Microsoft Windows XP L2TP Configuration
- •Microsoft Windows 2000 L2TP Configuration
- •Apple Mac OS X L2TP Configuration
- •Server Configuration for X.509 IPsec without L2TP
- •Openswan Configuration for X.509 without L2TP
- •Client Configuration for X.509 IPsec without L2TP
- •Microsoft's IKE Daemon
- •Microsoft's Certificate Store
- •Clients using Microsoft Native IPsec Implementation
- •The ipsec.exe Wrapper
- •The Linsys IPsec Tool (lsipsectool)
- •Securepoint IPsec Client
- •TauVPN (iVPN)
- •The WaveSEC Client
- •Third-Party Replacement Clients for Windows
- •The GreenBow VPN Client
- •Astaro Secure Client
- •Mac OS X IPSecuritas
- •VPNtracker
- •Manual Racoon Configuration
- •Importing X.509 Certificates into Windows
- •Importing X.509 Certificates on Mac OS X (Tiger)
- •Summary
- •Openswan as a Client to an Appliance
- •Preparing the Interop
- •The Human Factor
- •Terminology
- •Preparation
- •IPsec Passthrough
- •Tunnel Limitations
- •Anticipate Known Problems
- •Update the Firmware
- •GUI Issues
- •Keepalives
- •ISP Filtering
- •Frequently used VPN Gateways
- •Webmin with Openswan
- •Cisco VPN 3000
- •Cisco PIX Concentrator
- •Nortel Contivity
- •Checkpoint
- •WatchGuard Firebox
- •Symantec
- •Frequently used VPN Client Appliances
- •ZyXEL
- •DrayTek Vigor
- •The Vigor Web Interface
- •Windows Logon Issues
- •Other Vigorisms
- •Unresolved Issues
- •NetScreen
- •Known Issues
- •SonicWALL
- •BinTec
- •LANCOM
- •Linksys
- •Lucent Brick
- •NETGEAR
- •KAME/Racoon
- •Aftercare
- •Summary
- •Methods of Encryption
- •Host-to-Host Mesh
- •Host-to-Gateway Setup
- •Single IP Extrusiautomation or L2TP
- •Opportunistic Encryption in the LAN
- •Non-OE-Capable Machines
- •Designing a Solution for Encrypting the LAN
- •Design Goals
- •Separation of WiFi and Crypto
- •Link Layer Protection
- •The Logical Choice: IPsec
- •Hotspot
- •WaveSEC
- •Full WaveSEC
- •Catch 22 Traffic
- •Building a WaveSEC Server
- •DHCP Server Setup
- •DNS Server Setup
- •Openswan Server Setup
- •Catch 22 Traffic Setup
- •Building a WaveSEC Client
- •DH Client Setup
- •Openswan Setup
- •Testing the WaveSEC
- •Starting the WaveSEC Connection
- •Known Issues with WaveSEC
- •WaveSEC for Windows
- •Design Limitations
- •Building a WaveSEC for Windows Server
- •Obtaining the Certificate and Client Software
- •Our Prototype Experiences
- •Openswan Issues
- •Windows Kernel Issues
- •Summary
- •Cipher Performance
- •Handling Thousands of Tunnels
- •Managing Large Configuration Files
- •Standard Naming Convention
- •The also= Parameter
- •The include Parameter
- •Openswan Startup Time
- •Limitations of the Random Device
- •Other Performance-Enhancing Factors
- •Logging to Disk
- •Disable Dead Peer Detection
- •Reducing the Number of Tunnels
- •OSPF Setup
- •BGPv4 Setup
- •High Availability
- •Heartbeat
- •Xen Migration
- •Using Anycast
- •Summary
- •Do Not Lock Yourself Out!
- •Narrowing Down the Problem
- •Host Issues
- •Configuration Problems
- •Connection Names
- •Interoperability
- •Hunting Ghosts
- •Rekey Problems (After an Hour)
- •Openswan Error Messages
- •IKE: Unknown VendorIDs
- •Network Issues
- •Firewalls
- •MTU and Fragmentation Issues
- •Debugging IPsec on Apple Mac OS X
- •Debugging IPsec on Microsoft Windows
- •Oakley Debugging
- •Debugging ipsec.exe
- •Microsoft L2TP Errors
- •You Suddenly Cannot Log in Anymore over the VPN
- •Software Bugs
- •Userland Issues: Assertion Failed or Segmentation Faults
- •Kernel Issues: Crashes and Oopses
- •Memory Issues
- •Common IKE Error Messages
- •Common Kernel-Related Error Messages
- •Common Errors when Upgrading
- •Using tcpdump to Debug IPsec
- •Situation A: No Communication on Port 500
- •Situation B: Failure at Third Exchange
- •Situation C: QUICK Mode Initiates, but Never Completes
- •Situation D: All IKE Messages Occur, but no Traffic Flows
- •A Final tcpdump Example
- •User Mode Linux Testing
- •Preparing the Openswan for the UML Build Process
- •Running the UMLs
- •Writing a UML Test Case
- •Debugging the Kernel with GDB
- •Asking the Openswan Community for Help
- •Internet Relay Chat (IRC)
- •The Openswan Mailing Lists
- •Posting to the Lists
- •Research First, Ask Later
- •Free, as in Beer
- •Do not Anonymize
- •Summary
- •Linux Kernel Developments
- •Kernel API Changes between 2.6.12 and 2.6.14
- •Red Hat Kernel Developments
- •Fedora Kernel Source/Headers Packaging Change
- •MD5 Insecurities
- •Discontinuation of Openswan 1 by the End of 2005
- •Update on UML Testing Suite Installation
- •Openswan GIT Repositories
- •Openswan on Windows and Mac OS X Updates
- •Known Outstanding Bugs
- •Vulnerability Fixes in Openswan 2.4.4
- •The OSI Model and the IP Model
- •No Layers, Just Packets
- •The Protocol
- •IP Network Overview
- •IP Address Management
- •The Old IP Classes
- •Classless IP Networks
- •The Definition of a Subnet
- •Calculating with Subnets: The Subnet Mask
- •The Rest of the Network
- •Linux Networking Commands
- •Routing
- •Routing Decisions
- •Peering
- •Network Address Translation
- •Port Forwarding
- •Openswan Links
- •Community Documentation
- •Generic Linux Distributions Containing Openswan
- •Specialized Linux Distributions Containing Openswan
- •Overview RFCs
- •Basic Protocols
- •Key Management
- •Procedural and Operational RFCs
- •Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
- •Dead Peer Detection RFCs
- •NAT-Traversal and UDP Encapsulation RFCs
- •RFCs for Secure DNS Service, which IPSEC May Use
- •RFCs Related to L2TP, Often Used in Combination with IPsec
- •RFCs on IPsec in Relation to Other Protocols
- •RFCs Not in Use or Implemented across Multiple Vendors
- •Index
Practical Overview of the IPsec Protocol
Crypto Requirements for IPsec
In conclusion, we need a strong cryptographic checksum to protect the integrity of our packets using a symmetric cipher. This cipher will be keyed by a session key, which we need to exchange after we have achieved privacy using a DH key exchange, and have authenticated each other based on trusted public key encryption.
We want to add a digital signature to as much of the packet as we can. That is, we want a digital signature that covers all the IP headers that don't change plus the data (payload) of the packet. Since there is no space in the original TCP or UDP headers, we will have to define a new IP protocol. And it turns out we don't have just one, but two new IP protocols: Authenticated Header (AH) and Encapsulated Security Payload (ESP).
We also learned that we need a clever system to exchange session keys based on public key systems. The protocol in the IPsec suite that is used for that is called the Internet Key Exchange (IKE).
These protocols are explained in depth later in this chapter.
IPsec: A Suite of Protocols
There is not a single IPsec protocol. IPsec is in fact a collection of standards (and drafts, because the IETF process is very slow) that all deal with using cryptography to ensure authenticity and in almost all cases to also guarantee confidentiality of the content of the IP packets. Most of the standards documents contain details of the cryptographic ciphers and algorithms used. The intent of this chapter is to cover what you need to know from a practical point of view, without going into all the details and design decisions.
The IPsec protocols can be split into two main categories: packet handling and trust relationship management. Packet handling is usually done by the operating system kernel itself, since it requires speed, efficiency, and low latency that are easier to offer at the low-level processing of the kernel.
The trust relationship management is not as time sensitive, since it only happens at the start and at the refresh intervals of an IPsec connection, which is usually about once an hour. It is also a very complex process, requiring a lot of very complex code that is much better done outside the kernel, as a regular program running on the computer.
Kernel Mode: Packet Handling
The kernel deals with the individual packets sent and received by the computer. This is sometimes called the forwarding plane. It involves turning normal IP packets into secure IPsec packets, carrying out encryption, decryption, signing, encapsulation, and decapsulation of the packets. These techniques all involve changing and verifying packets, and are normally performed by the kernel.
32
Chapter 2
Authentication Header (AH)
Authentication Header (RFC 2404) is the first new network protocol that was introduced. It received IP protocol number 51. (Other examples are the TCP protocol, IP protocol 6, and the UDP protocol, IP protocol 17. On a computer running Linux, you can find a list of IP protocols in /etc/protocols). Don't be misled by the name: AH does not just authenticate the header of an IP packet, but authenticates the data (payload) as well as parts of the header.
When two machines are configured with secret keys to communicate using the AH protocol, they agree on a unique number identifying the connection. This number is called the Security Parameter Index (SPI).
The machines then set the Sequence Number (SN) to 0. For each packet that is to be sent, the SN is increased by one to prevent replay attacks. In a replay attack, a malicious listener intercepts an encrypted packet, and without being able to read that captured data, resends it over and over again. Without the SN, the two computers that are communicating with encryption would not be able to distinguish a genuine packet from a copy of a previous packet, since the cryptography checks will be satisfied by the replayed packet. After all, it was a valid packet. The SN prevents these attacks, because now the packet can be correctly identified as an old retransmitted packet, and discarded.
A cryptographic checksum is then calculated for the packet, using a hashing algorithm, usually MD5 or SHA1, using a secret key that only the sender and receiver know. This cryptographic checksum is called the integrity check value (ICV). The SPI, SN, and ICV form the important part of the AH header. The SN and ICV together with the hash are also called the HMAC (for keyed Hash Message Authentication Code). The term HMAC actually refers to the specific method used to calculate the ICV, but colloquially the result is sometimes called the HMAC.
The rest of the header consists of various administration pointers for these header parameters within the packet. This packet is then sent to the other IPsec endpoint. Upon receiving the packet, it also calculates the ICV for the packet using its own copy of the secret key. If the calculated ICV matches the ICV stored in the received packet, the packet is authentic. The IPsec header of the packet is then removed, leaving a regular IP packet which can then continue on into the kernel like any other unencrypted packet. If the ICV does not match, for instance because a NAT device rewrote the IP address, or some host on the way changed any data in the packet, the packet is discarded by the kernel before any application gets to see the malicious or broken packet.
AH only provides authentication and does not encrypt the payload. Anyone who can sniff the AH packets can see who is communicating with whom, and what they are saying. However attackers cannot change or inject any packets, since they cannot forge the ICV in the packets since they do not have access to the secret key used to compute the ICV that assures packet integrity.
The source and destination address are part of the data protected by AH, so they cannot be spoofed. But neither can they be rewritten by a NAT device without causing the packet to be discarded as invalid, because the rewriting does not match the computer AH HMAC. Therefore, AH does not work together with NAT. This can be seen as a feature or as a bug, depending upon your threat model.
Since AH on its own does not offer encryption, it is hardly used at all.
33
Practical Overview of the IPsec Protocol
Encapsulated Security Payload (ESP)
ESP is a much more useful new protocol of the IPsec suite. It received protocol number 50. Its job is not only to authenticate the packet, like AH, but also to add a security policy to the packet, and optionally encrypt it. So it has some of the same properties as AH, such as the SPI, SN, and ICV. For the decryption of the packet content, both ends need to have the secret key with which the packet has been encrypted, and can be decrypted. You can use ESP without encryption by using the NULL encryption. The protocol header is different to accommodate the additional encryption settings and some padding, which is necessary due to the way some ciphers work.
Originally ESP provided no authentication, so if you wanted integrity and privacy, you would build an IP packet in ESP in AH. ESP now provides for authentication as well, in a very similar form to AH. So now you either use ESP with authentication or you have an AH header around the ESP header. In practice however, the ESP implementations do not allow ESP without authentication, so the ESP in AH construct of packets is no longer used.
The only reason AH is separate from ESP is because of the US export restrictions that were in effect when they were devised.
Transport and Tunnel Mode
There are two modes for IPsec connections. One is called transport mode, the other is called tunnel mode. Transport mode is only used for communication between two hosts. There is only one IP header, and the protocol header within the IP header (such as TCP or UDP) is protected. In transport mode, the goal is to safely transport the packet itself. In other words, the packet itself is the payload. In tunnel mode, there is a clear distinction between the transport packet and the payload, which is a complete packet in its own right. An entire IP packet, with its own full IP header, forms the payload of a newly created IPsec packet. On top of that, there is an additional IPsec policy that dictates what kinds of packets are allowed to travel over a tunnel mode connection. You could call this a built-in ingress firewall.
You can compare this with cars. Transport mode equates to simply driving a car from one place to the other. Tunnel mode is more like driving the car onto a train, which then takes the car to its destination, where the car is unloaded again. You would need to obtain a valid train ticket for your car to be allowed to be put on the train.
The only time transport mode is still useful today is when you perform your own encapsulation, as it saves another layer of IP header, or about 20 bytes per packet. This is the case for Microsoft's LT2P protocol, which uses PPP encapsulation.
The reason for the existence of both modes is now mostly historic. Host-based stacks would like to get rid of tunnel mode, because it can be done with transport mode, but third-party IPsec stacks that put themselves between the operating system and the user, also called bump in the stack-based stacks, would like to get rid of transport mode because it can be done with tunnel mode.
34
Chapter 2
Choosing the IPsec Mode and Type
In almost all cases, you will use ESP in tunnel mode. This is what people call a Virtual Private Network (VPN). ESP allows you to encrypt your packets as well as authenticate them, and tunnel mode means that you can connect not only a single host to another single host, but also that you can hook up subnets to subnets. And you can even hide the source and destination addresses of those packets, since in tunnel mode the entire packet, including source address, destination address, and port are encrypted. Even if you are setting up a host to host connection, you should use tunnel mode, so that all the IP options of the packets can be encapsulated and encrypted. In fact, two well known people in the cryptography world, Bruce Schneier and Niels Ferguson, have argued for AH and transport mode to be got rid of altogether.
ESP tunnel mode offers all the options you could want at a cost of a very few bytes per packet at the most.
The only time we will use transport mode in this book is when we're discussing how to set up Microsoft L2TP, or Layer 2 Tunneling Protocol.
Some people might be tempted to use AH in an effort to reduce the CPU load of some IPsec connection, for example if they believe that their network is already encrypted safely. People with WiFi networks who encrypt using the (very weak) WEP encryption regularly try to disable IPsec encryption because the CPU on most WiFi equipment is not very powerful. We feel we must stress the point that most of these vendor-made encryption protocols are broken sooner rather than later. And even if they are not broken yet, those protocols have not withstood the years of public scrutiny and research that the IPsec protocol has had. Don't be too clever. Do not try to be too efficient. Stick to ESP with tunnel mode, unless you are trying to do L2TP interop with Microsoft.
Do not use Authenticated Header (AH) or Transport mode. Only use Encapsulated Security Payload (ESP) in Tunnel mode. This is the most secure solution from a cryptographic point of view.
The Kernel State
The kernel needs to manage the IPsec connections it has been made aware of, and it does this mainly through Security Policies (SP). These determine which packets need or do not need processing. For example, one important rule is: Never accept unencrypted traffic from a host for which we have an established, working IPsec connection. Another rule could be: If we do not have an established IPsec connection for this host, an attempt should be started to establish one before allowing this packet through. Security Policies are stored in the Security Policy Database (SPD).
Furthermore the kernel has to keep track of all IPsec connections and their corresponding parameters, such as SPI, mode, cryptographic keys, and SPs that apply to it. All this information for a single IPsec connection is called an IPsec Security Association (IPsec SA). This is a unidirectional concept. Two are required for packets to flow in both directions.
35