- •Table of Contents
- •Preface
- •What This Book Covers
- •What You Need for This Book
- •Conventions
- •Reader Feedback
- •Customer Support
- •Errata
- •Questions
- •The Need for Cryptography
- •Privacy
- •Security
- •A History of the Internet
- •Holding the Internet Together
- •The Creation of ICANN
- •ICANN Bypassed
- •The Root Name Servers
- •Running the Top-Level Domains
- •History of Internet Engineering
- •The Internet Engineering Task Force (IETF)
- •RFCs—Requests For Comments
- •IETF and Crypto
- •The War on Crypto
- •Dual Use
- •Public Cryptography
- •The Escrowed Encryption Standard
- •Export Laws
- •The Summer of '97
- •The EFF DES Cracker
- •Echelon
- •The End of the Export Restrictions
- •Free Software
- •Free as in Verifiable
- •The Open Source Movement
- •The History of Openswan
- •IETF Troubles over DNS
- •Super FreeS/WAN
- •The Arrival of Openswan
- •NETKEY
- •Further Reading
- •Using Openswan
- •Copyright and License Conditions
- •Writing and Contributing Code
- •Legality of Using Openswan
- •International Agreements
- •International Law and Hosting Openswan
- •Unrecognized International Claims
- •Patent Law
- •Expired and Bogus Patents
- •Useful Legal Links
- •Summary
- •A Very Brief Overview of Cryptography
- •Valid Packet Rewriting
- •Ciphers
- •Algorithms
- •Uniqueness
- •Public-Key Algorithms
- •Exchanging Public Keys
- •Digital Signatures
- •Diffie-Hellman Key Exchange
- •Avoiding the Man in the Middle
- •Session Keys
- •Crypto Requirements for IPsec
- •IPsec: A Suite of Protocols
- •Kernel Mode: Packet Handling
- •Authentication Header (AH)
- •Encapsulated Security Payload (ESP)
- •Transport and Tunnel Mode
- •Choosing the IPsec Mode and Type
- •The Kernel State
- •Encryption Details
- •Manual Keying
- •Final Note on Protocols and Ports
- •Usermode: Handling the Trust Relationships
- •The IKE Protocol
- •Phase 1: Creating the ISAKMP SA
- •Phase 2: Quick Mode
- •The NAT Problem
- •Summary
- •Linux Distributions
- •Debian
- •SuSE
- •Slackware
- •Gentoo
- •Linux 'Router' Distributions
- •Deciding on the Userland
- •Pluto
- •Racoon
- •Isakmpd
- •More Reasons to Pick Pluto
- •Choosing the Kernel IPsec Stack
- •KLIPS, the Openswan Stack
- •ipsecX Interfaces
- •First Packet Caching
- •Path MTU Discovery
- •KLIPS' Downside
- •NETKEY, the 2.6 IPsec Stack
- •The USAGI / SuSE IPsec Stack
- •Making the Choice
- •GPL Compliance and KLIPS
- •Binary Installation of the Openswan Userland
- •Checking for Old Versions
- •Installing the Binary Package for Openswan
- •Building from Source
- •Using RPM-based Distributions
- •Rebuilding the Openswan Userland
- •Building src.rpm from Scratch
- •Openswan Options
- •Building the Openswan Userland from Source
- •Downloading the Source Code
- •Configuring the Userland Tools
- •Optional Features
- •Compile Flags
- •File Path Options
- •Obscure Pluto Options
- •Compiling and Installing
- •Binary Installation of KLIPS
- •Building KLIPS from Source
- •Kernel Prerequisites
- •Identifying your Kernel's Abilities
- •Using Both KLIPS and NETKEY
- •The Kernel Build Options
- •Required Kernel Options
- •Desired Options
- •NETKEY Stack Options
- •KLIPS Stack Options
- •L2TP Options
- •Patching the Kernel
- •NAT-Traversal Patch
- •KLIPS Compile Shortcut
- •Activating KLIPS
- •Determining the Stack in Use
- •Building KLIPS into the Linux Kernel Source Tree
- •Building a Standard Kernel
- •NAT Traversal
- •Patching KLIPS into the Linux Kernel
- •Verifying the Installation
- •Summary
- •Manual versus Automatic
- •PSK versus RSA
- •Pitfalls of Debugging IPsec
- •Pre-Flight Check
- •The ipsec verify Command
- •NAT and Masquerading
- •Checking External Commands
- •Opportunistic Encryption
- •The ipsec livetest Command
- •Configuration of Openswan
- •The ipsec.conf File
- •Host-to-Host Tunnel
- •Left and Right
- •The type Options
- •The auto Option
- •The rsasigkey Options
- •Bringing Up the IPsec Tunnels
- •Listing IPsec Connections
- •Testing the IPsec Tunnel
- •Connecting Subnets Through an IPsec Connection
- •Testing Subnet Connections
- •Testing Properly
- •Encrypting the Host and the Network Behind It
- •Employing Advanced Routing
- •Creating More Tunnels
- •Avoiding Duplication
- •The Also Keyword
- •KLIPS and the ipsecX Interfaces
- •Pre-Shared Keys (PSKs)
- •Proper Secrets
- •Dynamic IP Addresses
- •Hostnames
- •Roadwarriors
- •Multiple Roadwarrior Connections
- •Dynamic IP and PSKs
- •Mixing PSK and RSA
- •Connection Management
- •Subnet Extrusion
- •NAT Traversal
- •Deprecated Syntax
- •Confirming a Functional NAT-T
- •Dead Peer Detection
- •DPD Works Both Ways
- •Configuring DPD
- •Buggy Cisco Routers
- •Ciphers and Algorithms
- •Using ike= to Specify Phase 1 Parameters
- •Using esp= to Specify Phase 2 Parameters
- •Defaults and Strictness
- •Unsupported Ciphers and Algorithms
- •Aggressive Mode
- •XAUTH
- •XAUTH Gateway (Server Side)
- •XAUTH Client (Supplicant Side)
- •Fine Tuning
- •Perfect Forward Secrecy
- •Rekeying
- •Key Rollover
- •Summary
- •X.509 Certificates Explained
- •X.509 Objects
- •X.509 Packing
- •Types of Certificates
- •Passphrases, PIN Codes, and Interactivity
- •IKE and Certificates
- •Using the Certificate DN as ID for Openswan
- •Generating Certificates with OpenSSL
- •Setting the Time
- •Configuring OpenSSL
- •Be Consistent with All Certificates
- •OpenSSL Commands for Common Certificate Actions
- •Configuring Apache for IPsec X.509 Files
- •Creating X.509-based Connections
- •Using a Certificate Authority
- •Using Multiple CAs
- •Sending and Receiving Certificate Information
- •Creating your own CA using OpenSSL
- •Creating Host Certificates with Your Own CA
- •Host Certificates for Microsoft Windows (PKCS#12)
- •Certificate Revocation
- •Dynamic CRL Fetching
- •Configuring CRL
- •Online Certificate Status Protocol (OCSP)
- •Summary
- •History of Opportunistic Encryption
- •Trusting Third Parties
- •Trusting the DNS?
- •OE in a Nutshell
- •An OE Security Gateway
- •DNS Key Records
- •Forward and Reverse Zones
- •The OE DNS Records
- •Different Types of OE
- •Policy Groups
- •Internal States
- •Configuring OE
- •Configuring Policies
- •Full OE or Initiate-Only
- •Generating Correct DNS Records
- •Name Server Updates
- •Verifying Your OE Setup
- •Testing Your OE Setup
- •The trap eroute
- •The pass eroute
- •The hold eroute
- •Manipulating OE Connections Manually
- •Advanced OE Setups
- •Caveats
- •Summary
- •Where to Firewall?
- •Allowing IPsec Traffic
- •NAT and IPsec Passthrough
- •Configuring the Firewall on the Openswan Host
- •Firewalling and KLIPS
- •Firewalling and NETKEY
- •Packet Size
- •Summary
- •Microsoft Windows
- •Layer 2 Tunneling Protocol (L2TP)
- •Assigning an IP for VPN Access
- •L2TP Properties
- •Pure IPsec versus L2TP/IPsec
- •Client and Server Configurations for L2TP/IPsec
- •The L2TP Openswan Server
- •Configuring Openswan for L2TP/IPsec
- •Linux Kernel Runtime Parameters for L2TP/IPsec
- •Protecting the L2TP Daemon with IPsec using iptables
- •Choosing an L2TP Daemon
- •Configuring L2TPD
- •Configuring User Authentication for pppd
- •Microsoft Windows XP L2TP Configuration
- •Microsoft Windows 2000 L2TP Configuration
- •Apple Mac OS X L2TP Configuration
- •Server Configuration for X.509 IPsec without L2TP
- •Openswan Configuration for X.509 without L2TP
- •Client Configuration for X.509 IPsec without L2TP
- •Microsoft's IKE Daemon
- •Microsoft's Certificate Store
- •Clients using Microsoft Native IPsec Implementation
- •The ipsec.exe Wrapper
- •The Linsys IPsec Tool (lsipsectool)
- •Securepoint IPsec Client
- •TauVPN (iVPN)
- •The WaveSEC Client
- •Third-Party Replacement Clients for Windows
- •The GreenBow VPN Client
- •Astaro Secure Client
- •Mac OS X IPSecuritas
- •VPNtracker
- •Manual Racoon Configuration
- •Importing X.509 Certificates into Windows
- •Importing X.509 Certificates on Mac OS X (Tiger)
- •Summary
- •Openswan as a Client to an Appliance
- •Preparing the Interop
- •The Human Factor
- •Terminology
- •Preparation
- •IPsec Passthrough
- •Tunnel Limitations
- •Anticipate Known Problems
- •Update the Firmware
- •GUI Issues
- •Keepalives
- •ISP Filtering
- •Frequently used VPN Gateways
- •Webmin with Openswan
- •Cisco VPN 3000
- •Cisco PIX Concentrator
- •Nortel Contivity
- •Checkpoint
- •WatchGuard Firebox
- •Symantec
- •Frequently used VPN Client Appliances
- •ZyXEL
- •DrayTek Vigor
- •The Vigor Web Interface
- •Windows Logon Issues
- •Other Vigorisms
- •Unresolved Issues
- •NetScreen
- •Known Issues
- •SonicWALL
- •BinTec
- •LANCOM
- •Linksys
- •Lucent Brick
- •NETGEAR
- •KAME/Racoon
- •Aftercare
- •Summary
- •Methods of Encryption
- •Host-to-Host Mesh
- •Host-to-Gateway Setup
- •Single IP Extrusiautomation or L2TP
- •Opportunistic Encryption in the LAN
- •Non-OE-Capable Machines
- •Designing a Solution for Encrypting the LAN
- •Design Goals
- •Separation of WiFi and Crypto
- •Link Layer Protection
- •The Logical Choice: IPsec
- •Hotspot
- •WaveSEC
- •Full WaveSEC
- •Catch 22 Traffic
- •Building a WaveSEC Server
- •DHCP Server Setup
- •DNS Server Setup
- •Openswan Server Setup
- •Catch 22 Traffic Setup
- •Building a WaveSEC Client
- •DH Client Setup
- •Openswan Setup
- •Testing the WaveSEC
- •Starting the WaveSEC Connection
- •Known Issues with WaveSEC
- •WaveSEC for Windows
- •Design Limitations
- •Building a WaveSEC for Windows Server
- •Obtaining the Certificate and Client Software
- •Our Prototype Experiences
- •Openswan Issues
- •Windows Kernel Issues
- •Summary
- •Cipher Performance
- •Handling Thousands of Tunnels
- •Managing Large Configuration Files
- •Standard Naming Convention
- •The also= Parameter
- •The include Parameter
- •Openswan Startup Time
- •Limitations of the Random Device
- •Other Performance-Enhancing Factors
- •Logging to Disk
- •Disable Dead Peer Detection
- •Reducing the Number of Tunnels
- •OSPF Setup
- •BGPv4 Setup
- •High Availability
- •Heartbeat
- •Xen Migration
- •Using Anycast
- •Summary
- •Do Not Lock Yourself Out!
- •Narrowing Down the Problem
- •Host Issues
- •Configuration Problems
- •Connection Names
- •Interoperability
- •Hunting Ghosts
- •Rekey Problems (After an Hour)
- •Openswan Error Messages
- •IKE: Unknown VendorIDs
- •Network Issues
- •Firewalls
- •MTU and Fragmentation Issues
- •Debugging IPsec on Apple Mac OS X
- •Debugging IPsec on Microsoft Windows
- •Oakley Debugging
- •Debugging ipsec.exe
- •Microsoft L2TP Errors
- •You Suddenly Cannot Log in Anymore over the VPN
- •Software Bugs
- •Userland Issues: Assertion Failed or Segmentation Faults
- •Kernel Issues: Crashes and Oopses
- •Memory Issues
- •Common IKE Error Messages
- •Common Kernel-Related Error Messages
- •Common Errors when Upgrading
- •Using tcpdump to Debug IPsec
- •Situation A: No Communication on Port 500
- •Situation B: Failure at Third Exchange
- •Situation C: QUICK Mode Initiates, but Never Completes
- •Situation D: All IKE Messages Occur, but no Traffic Flows
- •A Final tcpdump Example
- •User Mode Linux Testing
- •Preparing the Openswan for the UML Build Process
- •Running the UMLs
- •Writing a UML Test Case
- •Debugging the Kernel with GDB
- •Asking the Openswan Community for Help
- •Internet Relay Chat (IRC)
- •The Openswan Mailing Lists
- •Posting to the Lists
- •Research First, Ask Later
- •Free, as in Beer
- •Do not Anonymize
- •Summary
- •Linux Kernel Developments
- •Kernel API Changes between 2.6.12 and 2.6.14
- •Red Hat Kernel Developments
- •Fedora Kernel Source/Headers Packaging Change
- •MD5 Insecurities
- •Discontinuation of Openswan 1 by the End of 2005
- •Update on UML Testing Suite Installation
- •Openswan GIT Repositories
- •Openswan on Windows and Mac OS X Updates
- •Known Outstanding Bugs
- •Vulnerability Fixes in Openswan 2.4.4
- •The OSI Model and the IP Model
- •No Layers, Just Packets
- •The Protocol
- •IP Network Overview
- •IP Address Management
- •The Old IP Classes
- •Classless IP Networks
- •The Definition of a Subnet
- •Calculating with Subnets: The Subnet Mask
- •The Rest of the Network
- •Linux Networking Commands
- •Routing
- •Routing Decisions
- •Peering
- •Network Address Translation
- •Port Forwarding
- •Openswan Links
- •Community Documentation
- •Generic Linux Distributions Containing Openswan
- •Specialized Linux Distributions Containing Openswan
- •Overview RFCs
- •Basic Protocols
- •Key Management
- •Procedural and Operational RFCs
- •Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
- •Dead Peer Detection RFCs
- •NAT-Traversal and UDP Encapsulation RFCs
- •RFCs for Secure DNS Service, which IPSEC May Use
- •RFCs Related to L2TP, Often Used in Combination with IPsec
- •RFCs on IPsec in Relation to Other Protocols
- •RFCs Not in Use or Implemented across Multiple Vendors
- •Index
Chapter 2
Final Note on Protocols and Ports
A common mistake is that people who are configuring firewalls think that AH and ESP are port numbers. They then write ACCEPT rules for ports 50 and 51 and think this will cause IPsec packets to be allowed to pass. But this is wrong. AH and ESP are IP protocols, just like TCP, UDP and ICMP are IP protocols. They are not ports. And like ICMP, the AH and ESP protocols do not themselves have ports.
Usermode: Handling the Trust Relationships
The other aspect is the creation of a trust relationship between hosts on the Internet. This is also called the control plane. It involves the creation of a secure communication channel and the exchange of cryptographic keys. It also involves many choices and options and a lot of state information. This part is usually implemented in a process that runs on the OS continuously listening for requests for new IPsec connections. Programs that listen for incoming connections are typically called daemons.
These two layers—the userland daemon and the kernel IPsec stack—talk through a special socket interface, usually the PF_KEY interface. Most of the RFCs in the IPsec protocol suite are not actually about packet handling, but about these trust relationships. Handling packets is a relatively straightforward process. A packet comes in, matches a ruleset, is transformed into an IPsec packet, and is sent on.
But handling a whole range of different kinds of trust relationships becomes very complex very quickly. This is one of the reasons why manual keying is so discouraged. Keys need to be destroyed and renewed regularly, and this task is not something a system administrator should do every hour. Instead, a trust relationship is established by other means, and session keys are agreed on and loaded into the kernel by a special daemon. This daemon will talk using the Internet Key Exchange (IKE) protocol.
The IKE Protocol
The IKE protocol is a very complex protocol, and involves many difficult cryptographic operations, and requires even more options to be exchanged between two hosts who want to communicate via IPsec. IKE is therefore always implemented as a userland process. IKE operations can be roughly split in two parts, or phases.
Phase 1: Creating the ISAKMP SA
Phase 1 deals with obtaining privacy through a Diffie-Hellman key exchange, which ensures there is no eavesdropper. Next, the two hosts perform an out-of-bound verification of the other based on the type and content of the ID they receive, to prevent a man-in-the-middle attack. The type of ID can vary, but it will be based on IP address, hostname, email address, or ASN.1 Distinguished Name (DN).
37
Practical Overview of the IPsec Protocol
ID Type |
Typical Example |
|
|
ID_IPV4 |
193.110.157.77 |
ID_FQDN |
lists.openswan.org |
ID_USER_FQDN |
user@openswan.org |
DER_ASN1_DN |
C=CA,L=Toronto,O=Xelerance ,CN=lists.openswan.org, E=paul@xelerance.com |
|
|
The out-of-bound verification can happen in various ways. One can use a PreShared Key (PSK), but much better is to use public key cryptography, such as RSA, to prove one's identity. These raw RSA keys can come from a PGP-signed email. Or the keys can come from DNS, preferably protected by DNSSEC to prevent attacks on the DNS, or they can come from X.509 certificates signed by a mutually trusted third party, a so-called Certificate Agency (CA). If one person is setting up both ends, it is of course possible to use Secure Shell (ssh or scp) to set up raw public RSA keys on both machines.
What is important to realize is that phase 1 needs to convey the identity of the remote host, and the host that receives the supposed identity from a remote host should have some way of verifying that claim. If phase 1 is successful, the two hosts have established an Internet Security Association Key Management Protocol Security Association (ISAKMP SA). This is often called a Phase 1 SA.
This exchange will also state whether the identification is based on PSK or RSA public keys. Because this information is exchanged very early on in the negotiation, these decisions need to be made very quickly. This actually hampers certain situations where it is not clear what type of exchange is requested in the first few packets. One such difficult situation is a client using PSK on a dynamic IP address, which is not recommended for precisely this reason.
The ISAKMP SA also needs to be re-negotiated at regular times to prevent overusing a single cryptographic session key.
Main Mode
Establishing a successful phase 1 connection requires a few packets to be sent and received before the ISAKMP SA is established. This normal method is called Main Mode. However it has the longest latency, because it involves sending and receiving several packets one after the other. These packets set up a full Diffie-Hellman key exchange, before sending any information about the requested IPsec connection. Because of these extra packets, it is both the safest mode of operation, and the most flexible, since both parties can safely and privately request options, and when the other end denies a certain request, a less favorable but still acceptable alternative option can be tried.
Aggressive Mode
Some vendors wanted a faster mode, where less packets would be needed, so that the overall latency to establish a phase 1 ISAKMP SA would be shorter. This mode is called Aggressive Mode, and to reduce the number of packets needed, this mode requires that some CPU-intensive
38
Chapter 2
tasks involving the Diffie-Hellman key exchange are already done before the first packets are sent and received. The problem is that this leads to an easy denial-of-service attack: just sending bogus initial Aggressive Mode packets to a host can bring it to a grinding halt.
Main Mode versus Aggressive Mode
A bigger vulnerability in Aggressive Mode is that to reduce the number of packets sent, the hash of the PreShared Key is transmitted before encryption has been enabled. These packets can be captured, and a brute force or dictionary attack can be run against them, for instance using a program such as ikecrack. In Main Mode however, this hash is sent only after the encryption has been enabled.
With Aggressive Mode, there is also no way to negotiate the most favorable options. The initial packet has to have all the right options in the request, or the remote end will have no choice but to say "I cannot do this." When combined with XAUTH, a man-in-the-middle attack becomes possible, and even trivial when the attacker is a valid VPN client on the network.
The limitation of negotiation of options has another drawback. Imagine that at some point in the future, the one cipher you had hard-coded into all your configurations for Aggressive Mode has been broken by a clever cryptographer. You now have to reconfigure all your clients, while if Main Mode had been used, all you would have to do would be to disallow that one broken cipher on the gateway, and the Main Mode negotiation would just pick another of the ciphers that it supports.
Avoid using Aggressive Mode since it is known to be unsafe in certain deployments, and restricts the flexibility of your configurations.
Phase 2: Quick Mode
When the ISAKMP SA is established, 'Phase 2' can start. This is also called 'Quick Mode'. Phase 2 involves creating key material for the 'IPsec SA'. That is, the key material that the program needs to communicate to the kernel for use in the IPsec SA.
Phase 2 also involves agreeing many cryptographic parameters, such as which ciphers and algorithms to use, and how long a session key may be used for, but also further information, such as for which source and destination addresses the IPsec SA will be valid. Of course it also contains which 'transform' to use, that is, which kind of protocol to use (AH or ESP) and which mode (Transport or Tunnel mode). The IPsec SA information is communicated from the userland process to the kernel using a PFKEY socket. This IPsec SA is then stored in the SAD.
The term Quick Mode is ambiguous. Some refer to a Phase 2 SA to mean the IPsec SA, but throughout the book we will use the term IPsec SA for this purpose.
Perfect Forward Secrecy (PFS)
Another option that is strongly recommended, but not available on all IPsec products, is Perfect Forward Secrecy (PFS). This is also negotiated and must be agreed upon by both ends for phase 2 to complete successfully.
39
Practical Overview of the IPsec Protocol
PFS ensures that even if your current private key is compromised, all past communication that has been sniffed and stored cannot be decrypted with this private key. It works by using a session key that is discarded after use.
VendorIDs
To make it easier to work around bugs in certain IPsec implementations, one option introduced is VendorID. It identifies the vendor, device, and sometimes even the firmware version. VendorIDs can assist in debugging a certain IPsec connection, but of course they can also pose a security risk. You might not want to announce a VendorID of a known vulnerable device for instance. If you are accepting IPsec negotiations from dynamic IPs (roadwarriors), you might have a rogue client attempting to connect, and you would give out the VendorID before you have determined this client cannot authenticate with you and should be denied. By then it might already be too late.
Multiple VendorIDs can be sent. Usually VendorIDs are strings which are hashed using MD5, which has a few advantages. First, you have to know the original string to understand the MD5 hash, so it is harder for information to leak. Second, it makes all the VendorIDs equally long in size (96 bits), which greatly simplifies the programming effort, as 96 bits happens to be the length of the md5sum output. Every parameter space in IKE has private-use values and in order to avoid conflicts among vendor-proprietary extensions, the VendorID is used to qualify whose private use it is. It has also turned out to be useful for public extensions, options that span multiple or all vendors. For example, the capability to do ESPinUDP encapsulation, to break through NAT (called IPsec NAT-Traversal), is advertised using a VendorID.
Some vendors send proprietary extensions and information through additional VendorIDs, most notably Nortel, Cisco, and Microsoft. Since we often only know the MD5 hashes, we have no idea what some of these VendorIDs actually signify.
Dead Peer Detection (DPD)
DPD is an addition to the IKE protocol, also using VendorIDs to see if the remote IPsec gateway is still up. This is done by sending and responding to probe packets over the ISAKMP SA. It works much like the ping command, but is not supported by all vendors, being notably absent from Microsoft's built-in IPsec client. This is somewhat unfortunate, since DPD would be most useful on roaming end-user laptops.
ModeConfig
ModeConfig is an extension to the IKE protocol for interactiveness. One peer can ask the other peer for something and get an answer back. This can be a username, a password, an IP address, an IP address assignment (via DHCP), policies of the tunnel, or cryptographic token responses such as SecureID.
XAUTH
XAUTH is a custom authentication extension to the IKE protocol to work around various operational issues when deploying IKE. It is actually implemented with ModeConfig and VendorIDs, and provides for an additional user and password identification. This user/password scheme can include onetime passwords, SecureID tokens, or hooks to other authentication mechanisms such as Radius, PAM, or LDAP.
40