- •Table of Contents
- •Preface
- •What This Book Covers
- •What You Need for This Book
- •Conventions
- •Reader Feedback
- •Customer Support
- •Errata
- •Questions
- •The Need for Cryptography
- •Privacy
- •Security
- •A History of the Internet
- •Holding the Internet Together
- •The Creation of ICANN
- •ICANN Bypassed
- •The Root Name Servers
- •Running the Top-Level Domains
- •History of Internet Engineering
- •The Internet Engineering Task Force (IETF)
- •RFCs—Requests For Comments
- •IETF and Crypto
- •The War on Crypto
- •Dual Use
- •Public Cryptography
- •The Escrowed Encryption Standard
- •Export Laws
- •The Summer of '97
- •The EFF DES Cracker
- •Echelon
- •The End of the Export Restrictions
- •Free Software
- •Free as in Verifiable
- •The Open Source Movement
- •The History of Openswan
- •IETF Troubles over DNS
- •Super FreeS/WAN
- •The Arrival of Openswan
- •NETKEY
- •Further Reading
- •Using Openswan
- •Copyright and License Conditions
- •Writing and Contributing Code
- •Legality of Using Openswan
- •International Agreements
- •International Law and Hosting Openswan
- •Unrecognized International Claims
- •Patent Law
- •Expired and Bogus Patents
- •Useful Legal Links
- •Summary
- •A Very Brief Overview of Cryptography
- •Valid Packet Rewriting
- •Ciphers
- •Algorithms
- •Uniqueness
- •Public-Key Algorithms
- •Exchanging Public Keys
- •Digital Signatures
- •Diffie-Hellman Key Exchange
- •Avoiding the Man in the Middle
- •Session Keys
- •Crypto Requirements for IPsec
- •IPsec: A Suite of Protocols
- •Kernel Mode: Packet Handling
- •Authentication Header (AH)
- •Encapsulated Security Payload (ESP)
- •Transport and Tunnel Mode
- •Choosing the IPsec Mode and Type
- •The Kernel State
- •Encryption Details
- •Manual Keying
- •Final Note on Protocols and Ports
- •Usermode: Handling the Trust Relationships
- •The IKE Protocol
- •Phase 1: Creating the ISAKMP SA
- •Phase 2: Quick Mode
- •The NAT Problem
- •Summary
- •Linux Distributions
- •Debian
- •SuSE
- •Slackware
- •Gentoo
- •Linux 'Router' Distributions
- •Deciding on the Userland
- •Pluto
- •Racoon
- •Isakmpd
- •More Reasons to Pick Pluto
- •Choosing the Kernel IPsec Stack
- •KLIPS, the Openswan Stack
- •ipsecX Interfaces
- •First Packet Caching
- •Path MTU Discovery
- •KLIPS' Downside
- •NETKEY, the 2.6 IPsec Stack
- •The USAGI / SuSE IPsec Stack
- •Making the Choice
- •GPL Compliance and KLIPS
- •Binary Installation of the Openswan Userland
- •Checking for Old Versions
- •Installing the Binary Package for Openswan
- •Building from Source
- •Using RPM-based Distributions
- •Rebuilding the Openswan Userland
- •Building src.rpm from Scratch
- •Openswan Options
- •Building the Openswan Userland from Source
- •Downloading the Source Code
- •Configuring the Userland Tools
- •Optional Features
- •Compile Flags
- •File Path Options
- •Obscure Pluto Options
- •Compiling and Installing
- •Binary Installation of KLIPS
- •Building KLIPS from Source
- •Kernel Prerequisites
- •Identifying your Kernel's Abilities
- •Using Both KLIPS and NETKEY
- •The Kernel Build Options
- •Required Kernel Options
- •Desired Options
- •NETKEY Stack Options
- •KLIPS Stack Options
- •L2TP Options
- •Patching the Kernel
- •NAT-Traversal Patch
- •KLIPS Compile Shortcut
- •Activating KLIPS
- •Determining the Stack in Use
- •Building KLIPS into the Linux Kernel Source Tree
- •Building a Standard Kernel
- •NAT Traversal
- •Patching KLIPS into the Linux Kernel
- •Verifying the Installation
- •Summary
- •Manual versus Automatic
- •PSK versus RSA
- •Pitfalls of Debugging IPsec
- •Pre-Flight Check
- •The ipsec verify Command
- •NAT and Masquerading
- •Checking External Commands
- •Opportunistic Encryption
- •The ipsec livetest Command
- •Configuration of Openswan
- •The ipsec.conf File
- •Host-to-Host Tunnel
- •Left and Right
- •The type Options
- •The auto Option
- •The rsasigkey Options
- •Bringing Up the IPsec Tunnels
- •Listing IPsec Connections
- •Testing the IPsec Tunnel
- •Connecting Subnets Through an IPsec Connection
- •Testing Subnet Connections
- •Testing Properly
- •Encrypting the Host and the Network Behind It
- •Employing Advanced Routing
- •Creating More Tunnels
- •Avoiding Duplication
- •The Also Keyword
- •KLIPS and the ipsecX Interfaces
- •Pre-Shared Keys (PSKs)
- •Proper Secrets
- •Dynamic IP Addresses
- •Hostnames
- •Roadwarriors
- •Multiple Roadwarrior Connections
- •Dynamic IP and PSKs
- •Mixing PSK and RSA
- •Connection Management
- •Subnet Extrusion
- •NAT Traversal
- •Deprecated Syntax
- •Confirming a Functional NAT-T
- •Dead Peer Detection
- •DPD Works Both Ways
- •Configuring DPD
- •Buggy Cisco Routers
- •Ciphers and Algorithms
- •Using ike= to Specify Phase 1 Parameters
- •Using esp= to Specify Phase 2 Parameters
- •Defaults and Strictness
- •Unsupported Ciphers and Algorithms
- •Aggressive Mode
- •XAUTH
- •XAUTH Gateway (Server Side)
- •XAUTH Client (Supplicant Side)
- •Fine Tuning
- •Perfect Forward Secrecy
- •Rekeying
- •Key Rollover
- •Summary
- •X.509 Certificates Explained
- •X.509 Objects
- •X.509 Packing
- •Types of Certificates
- •Passphrases, PIN Codes, and Interactivity
- •IKE and Certificates
- •Using the Certificate DN as ID for Openswan
- •Generating Certificates with OpenSSL
- •Setting the Time
- •Configuring OpenSSL
- •Be Consistent with All Certificates
- •OpenSSL Commands for Common Certificate Actions
- •Configuring Apache for IPsec X.509 Files
- •Creating X.509-based Connections
- •Using a Certificate Authority
- •Using Multiple CAs
- •Sending and Receiving Certificate Information
- •Creating your own CA using OpenSSL
- •Creating Host Certificates with Your Own CA
- •Host Certificates for Microsoft Windows (PKCS#12)
- •Certificate Revocation
- •Dynamic CRL Fetching
- •Configuring CRL
- •Online Certificate Status Protocol (OCSP)
- •Summary
- •History of Opportunistic Encryption
- •Trusting Third Parties
- •Trusting the DNS?
- •OE in a Nutshell
- •An OE Security Gateway
- •DNS Key Records
- •Forward and Reverse Zones
- •The OE DNS Records
- •Different Types of OE
- •Policy Groups
- •Internal States
- •Configuring OE
- •Configuring Policies
- •Full OE or Initiate-Only
- •Generating Correct DNS Records
- •Name Server Updates
- •Verifying Your OE Setup
- •Testing Your OE Setup
- •The trap eroute
- •The pass eroute
- •The hold eroute
- •Manipulating OE Connections Manually
- •Advanced OE Setups
- •Caveats
- •Summary
- •Where to Firewall?
- •Allowing IPsec Traffic
- •NAT and IPsec Passthrough
- •Configuring the Firewall on the Openswan Host
- •Firewalling and KLIPS
- •Firewalling and NETKEY
- •Packet Size
- •Summary
- •Microsoft Windows
- •Layer 2 Tunneling Protocol (L2TP)
- •Assigning an IP for VPN Access
- •L2TP Properties
- •Pure IPsec versus L2TP/IPsec
- •Client and Server Configurations for L2TP/IPsec
- •The L2TP Openswan Server
- •Configuring Openswan for L2TP/IPsec
- •Linux Kernel Runtime Parameters for L2TP/IPsec
- •Protecting the L2TP Daemon with IPsec using iptables
- •Choosing an L2TP Daemon
- •Configuring L2TPD
- •Configuring User Authentication for pppd
- •Microsoft Windows XP L2TP Configuration
- •Microsoft Windows 2000 L2TP Configuration
- •Apple Mac OS X L2TP Configuration
- •Server Configuration for X.509 IPsec without L2TP
- •Openswan Configuration for X.509 without L2TP
- •Client Configuration for X.509 IPsec without L2TP
- •Microsoft's IKE Daemon
- •Microsoft's Certificate Store
- •Clients using Microsoft Native IPsec Implementation
- •The ipsec.exe Wrapper
- •The Linsys IPsec Tool (lsipsectool)
- •Securepoint IPsec Client
- •TauVPN (iVPN)
- •The WaveSEC Client
- •Third-Party Replacement Clients for Windows
- •The GreenBow VPN Client
- •Astaro Secure Client
- •Mac OS X IPSecuritas
- •VPNtracker
- •Manual Racoon Configuration
- •Importing X.509 Certificates into Windows
- •Importing X.509 Certificates on Mac OS X (Tiger)
- •Summary
- •Openswan as a Client to an Appliance
- •Preparing the Interop
- •The Human Factor
- •Terminology
- •Preparation
- •IPsec Passthrough
- •Tunnel Limitations
- •Anticipate Known Problems
- •Update the Firmware
- •GUI Issues
- •Keepalives
- •ISP Filtering
- •Frequently used VPN Gateways
- •Webmin with Openswan
- •Cisco VPN 3000
- •Cisco PIX Concentrator
- •Nortel Contivity
- •Checkpoint
- •WatchGuard Firebox
- •Symantec
- •Frequently used VPN Client Appliances
- •ZyXEL
- •DrayTek Vigor
- •The Vigor Web Interface
- •Windows Logon Issues
- •Other Vigorisms
- •Unresolved Issues
- •NetScreen
- •Known Issues
- •SonicWALL
- •BinTec
- •LANCOM
- •Linksys
- •Lucent Brick
- •NETGEAR
- •KAME/Racoon
- •Aftercare
- •Summary
- •Methods of Encryption
- •Host-to-Host Mesh
- •Host-to-Gateway Setup
- •Single IP Extrusiautomation or L2TP
- •Opportunistic Encryption in the LAN
- •Non-OE-Capable Machines
- •Designing a Solution for Encrypting the LAN
- •Design Goals
- •Separation of WiFi and Crypto
- •Link Layer Protection
- •The Logical Choice: IPsec
- •Hotspot
- •WaveSEC
- •Full WaveSEC
- •Catch 22 Traffic
- •Building a WaveSEC Server
- •DHCP Server Setup
- •DNS Server Setup
- •Openswan Server Setup
- •Catch 22 Traffic Setup
- •Building a WaveSEC Client
- •DH Client Setup
- •Openswan Setup
- •Testing the WaveSEC
- •Starting the WaveSEC Connection
- •Known Issues with WaveSEC
- •WaveSEC for Windows
- •Design Limitations
- •Building a WaveSEC for Windows Server
- •Obtaining the Certificate and Client Software
- •Our Prototype Experiences
- •Openswan Issues
- •Windows Kernel Issues
- •Summary
- •Cipher Performance
- •Handling Thousands of Tunnels
- •Managing Large Configuration Files
- •Standard Naming Convention
- •The also= Parameter
- •The include Parameter
- •Openswan Startup Time
- •Limitations of the Random Device
- •Other Performance-Enhancing Factors
- •Logging to Disk
- •Disable Dead Peer Detection
- •Reducing the Number of Tunnels
- •OSPF Setup
- •BGPv4 Setup
- •High Availability
- •Heartbeat
- •Xen Migration
- •Using Anycast
- •Summary
- •Do Not Lock Yourself Out!
- •Narrowing Down the Problem
- •Host Issues
- •Configuration Problems
- •Connection Names
- •Interoperability
- •Hunting Ghosts
- •Rekey Problems (After an Hour)
- •Openswan Error Messages
- •IKE: Unknown VendorIDs
- •Network Issues
- •Firewalls
- •MTU and Fragmentation Issues
- •Debugging IPsec on Apple Mac OS X
- •Debugging IPsec on Microsoft Windows
- •Oakley Debugging
- •Debugging ipsec.exe
- •Microsoft L2TP Errors
- •You Suddenly Cannot Log in Anymore over the VPN
- •Software Bugs
- •Userland Issues: Assertion Failed or Segmentation Faults
- •Kernel Issues: Crashes and Oopses
- •Memory Issues
- •Common IKE Error Messages
- •Common Kernel-Related Error Messages
- •Common Errors when Upgrading
- •Using tcpdump to Debug IPsec
- •Situation A: No Communication on Port 500
- •Situation B: Failure at Third Exchange
- •Situation C: QUICK Mode Initiates, but Never Completes
- •Situation D: All IKE Messages Occur, but no Traffic Flows
- •A Final tcpdump Example
- •User Mode Linux Testing
- •Preparing the Openswan for the UML Build Process
- •Running the UMLs
- •Writing a UML Test Case
- •Debugging the Kernel with GDB
- •Asking the Openswan Community for Help
- •Internet Relay Chat (IRC)
- •The Openswan Mailing Lists
- •Posting to the Lists
- •Research First, Ask Later
- •Free, as in Beer
- •Do not Anonymize
- •Summary
- •Linux Kernel Developments
- •Kernel API Changes between 2.6.12 and 2.6.14
- •Red Hat Kernel Developments
- •Fedora Kernel Source/Headers Packaging Change
- •MD5 Insecurities
- •Discontinuation of Openswan 1 by the End of 2005
- •Update on UML Testing Suite Installation
- •Openswan GIT Repositories
- •Openswan on Windows and Mac OS X Updates
- •Known Outstanding Bugs
- •Vulnerability Fixes in Openswan 2.4.4
- •The OSI Model and the IP Model
- •No Layers, Just Packets
- •The Protocol
- •IP Network Overview
- •IP Address Management
- •The Old IP Classes
- •Classless IP Networks
- •The Definition of a Subnet
- •Calculating with Subnets: The Subnet Mask
- •The Rest of the Network
- •Linux Networking Commands
- •Routing
- •Routing Decisions
- •Peering
- •Network Address Translation
- •Port Forwarding
- •Openswan Links
- •Community Documentation
- •Generic Linux Distributions Containing Openswan
- •Specialized Linux Distributions Containing Openswan
- •Overview RFCs
- •Basic Protocols
- •Key Management
- •Procedural and Operational RFCs
- •Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
- •Dead Peer Detection RFCs
- •NAT-Traversal and UDP Encapsulation RFCs
- •RFCs for Secure DNS Service, which IPSEC May Use
- •RFCs Related to L2TP, Often Used in Combination with IPsec
- •RFCs on IPsec in Relation to Other Protocols
- •RFCs Not in Use or Implemented across Multiple Vendors
- •Index
Chapter 2
XAUTH is often combined with Aggressive Mode, and the combination is vulnerable to a man-in- the-middle attack, because it uses a 'group password', and in general it is always a bad idea to share secret credentials with others. How secret is a secret that a whole group knows? It is expected that IKE version 2 will incorporate all the extra features of XAUTH without the problems that surround it.
Even though we do not recommend XAUTH, it is often the only way to get an IPsec connection into the big corporate networks.
X.509 Certificates
X.509 is a method of packing up cryptographic keys with an identity or other options and then digitally signing the bundle. Though people like to believe X.509 is the only way to use public key authentication, this is not the case. For example, DNSSEC-based raw RSA keys are another secure method for combining one's identity with a key.
The X.509 extensions to IKE move the IPsec authorization more to a Public Key Infrastructure (PKI) system. You have Certificate Agencies (CA) who can sign X.509 certificates for people or computers, which can then be used to permit or deny access to a VPN. X.509 certificates offer various options that can be set, tightly controlling their validity. X.509 is very popular in larger organizations.
Both IPsec hosts have the CA certificate and their own X.509 certificate, which includes their own private key belonging to the public key in the certificate. When they connect, they exchange their X.509 certificates, and verify the signature. If they have the proper CA certificate installed, they can each validate the other's identity. Then they can use each other's public RSA key from that certificate. The 'trusted third party' here, preventing the man-in-the-middle attack, is the CA, the certificate for which both ends already have installed.
The NAT Problem
Network Address Translation, NAT, is a classic example of a good hack gone bad. It proved to be so incredibly useful for so many people that NAT is not going to go away any time soon. The original reason for NAT was to hook up more networks and hosts behind fewer IP addresses, to hold off the end of the world when the IPv4 address space would run out.
Internal IP addresses of the network are translated on the fly by the NAT gateway. The NAT gateway swaps, or translates, the source address and source port of the packet for its own actual public address and another port that is free.
Usually NAT devices try to keep the same source port, but that is not always possible. Multiple clients in its local network could be using the same source port. It also remembers the destination address and keeps a list of these mappings ready. When a response comes in from a remote machine, which thinks that the NAT device itself sent the packet, the NAT device reverses the packet rewriting. It will look up the remote IP address, see which internal client belongs to this connection, and swap its own IP address in the packet it just received for the internal client's address (and port).
41
Practical Overview of the IPsec Protocol
We have looked at a similar network scenario to this already, the man-in-the-middle attack. Only at that time, we were talking about a malicious man in the middle, and not a friendly one. The problem is, of course, that IPsec peers cannot tell the difference.
One important feature (or limitation, depending on your point of view) is that a computer behind a NAT gateway can only initiate a connection to the outside world. The outside world cannot initiate a connection to a specific computer, since any connections from the outside to the original sender of the IP packet would just end up at the NAT device, since its IP address is the IP address that ended up as source address in the outgoing packet. When the NAT gateway receives a packet for a new connection, it will not be able to determine to which of the clients behind it should send the packet and it will be dropped.
The situation is further complicated by combining NAT with port-forwarding. For instance, one can put a web server behind a NAT device, and forward all HTTP packets that arrive on port 80 to the web server's internal IP on port 80. People have even used NAT to implement failover or load balancing solutions.
There are NATs that can only handle TCP and UDP. Most NAT routers can handle ICMP as well, but the IP protocol has 256 different protocols. Many consumer NAT routers do not support these other IP protocols, such as IPsec ESP or Multicast.
NATworks
People saw additional use for these NATed networks. They were much easier to deploy than the various SOCKS proxies. NAT, combined with transparent proxies, proved an excellent way to centrally control web browsing and caching within big companies. Additionally, machines with vulnerable software were no longer susceptible to being probed and taken over from the Internet, since the Internet couldn't reach those machines behind the NAT gateway.
However, NAT has been overused in recent years. Every company now claims their network is their own private network, and thus justifies using private IP space and a NAT gateway. Unfortunately, this is often an excuse to keep more control in their network, force a proxy or even a portal login site, and simply reduces the cost for deploying proper IP-space networks. Many public networks are now really just big private networks. The new GPRS and many WiFi networks especially suffer from this problem.
At the other end of the spectrum are the home users. Because many end-user ISPs give their customers only one IP address, NAT is used for home networks on a massive scale.
Passing Clients Through
As the big corporations switched from leased lines to VPNs, and broadband at home became commonplace, end users behind a NAT device became more of a problem. Usually the end-user machine has some fixed internal IP address, and at home, only one person would be using any VPN connection. So some NAT devices simply remember which internal client generated the first IPsec packet, and when IPsec answers come from the Internet, they simply translate these packets to that single IP address. On some devices, you would have to configure this single address manually. This option of the even friendlier man in the middle is called IPsec passthrough support.
42
Chapter 2
Unfortunately, it is both severely limiting in its requirement of a single client inside the NAT, and is also usually completely broken. IPsec and NAT just don't go together very well, since IPsec protects the packet integrity, and NAT mangles the packets and thus destroys integrity. A new standard was necessary, and many IETF drafts have been issued and implemented. The results of all these drafts are what we now call IPsec NAT-Traversal support, or NAT-T.T In January 2005 these drafts were finally released as RFC 3947 and RFC 3948.
NAT-Traversal
NAT-T is an addition on top of the IPsec protocol to detect a NAT device in between the two endpoints. It basically works by the clients telling each other what they believe their IP address is. The other end can then compare what the client thinks with what it sees. If it is different, the remote end is being NATed. It will then inform the other end of this unfortunate situation. Once both ends have found out and agreed that a NAT router would likely mangle or drop IPsec packets, the two sides will encapsulate each IPsec packet in a UDP packet. A NAT device can handle simple UDP packets, translating the outer IP address, without touching what is inside the packet, which in this case happens to be a full IPsec packet, which of course contains another complete packet in its payload.
At the other end, the IPsec peer will just discard the outer IP address, and take the payload and decapsulate it. The resulting IPsec packet, having survived any possible network mangling, can then be authenticated, verified, decrypted, and processed just like any normal IPsec packet.
NAT-T and IPsec Passthrough
Routers supporting IPsec passthrough sometimes recognize these IPsec in UDP packets and will try to attempt some passthrough-type operations on those packers. This almost always breaks NAT-T because at the very least, the SPI is changed by these routers, so they themselves can keep state of the connections.
That is why IPsec passthrough is no longer a feature you want to have on a NAT device. Unfortunately, especially vendors of NAT devices that do not support IPsec natively seem to like the sound of IPsec passthrough support, so they keep this feature in their products. But with all the major IPsec stacks now supporting full NAT-T, this feature breaks a lot more than it saves.
Always and without any exception, disable IPsec passthrough support. If you have not yet bought the device supporting IPsec passthrough, put it back on the shelf.
NAT-T Intricacies
When NAT is involved, IPsec needs to talk to an entity that is not the current IP address, since the current IP address is not that of the client, but of the NAT device. NAT-T uses the subnet-to-subnet method of connecting. So in the case of a roadwarrior for instance, where you would normally see a host-to-subnet connection from a public IP address, you now establish a subnet-to-subnet tunnel, where the roadwarrior's local subnet is its own internal IP address. This is how the packets can still reach the roadwarrior's internal IP address, while still being part of an IPsec connection with a different IP address as endpoint. And the encapsulation of this connection in UDP causes it to move through the NAT device without being mangled.
43