- •Table of Contents
- •Preface
- •What This Book Covers
- •What You Need for This Book
- •Conventions
- •Reader Feedback
- •Customer Support
- •Errata
- •Questions
- •The Need for Cryptography
- •Privacy
- •Security
- •A History of the Internet
- •Holding the Internet Together
- •The Creation of ICANN
- •ICANN Bypassed
- •The Root Name Servers
- •Running the Top-Level Domains
- •History of Internet Engineering
- •The Internet Engineering Task Force (IETF)
- •RFCs—Requests For Comments
- •IETF and Crypto
- •The War on Crypto
- •Dual Use
- •Public Cryptography
- •The Escrowed Encryption Standard
- •Export Laws
- •The Summer of '97
- •The EFF DES Cracker
- •Echelon
- •The End of the Export Restrictions
- •Free Software
- •Free as in Verifiable
- •The Open Source Movement
- •The History of Openswan
- •IETF Troubles over DNS
- •Super FreeS/WAN
- •The Arrival of Openswan
- •NETKEY
- •Further Reading
- •Using Openswan
- •Copyright and License Conditions
- •Writing and Contributing Code
- •Legality of Using Openswan
- •International Agreements
- •International Law and Hosting Openswan
- •Unrecognized International Claims
- •Patent Law
- •Expired and Bogus Patents
- •Useful Legal Links
- •Summary
- •A Very Brief Overview of Cryptography
- •Valid Packet Rewriting
- •Ciphers
- •Algorithms
- •Uniqueness
- •Public-Key Algorithms
- •Exchanging Public Keys
- •Digital Signatures
- •Diffie-Hellman Key Exchange
- •Avoiding the Man in the Middle
- •Session Keys
- •Crypto Requirements for IPsec
- •IPsec: A Suite of Protocols
- •Kernel Mode: Packet Handling
- •Authentication Header (AH)
- •Encapsulated Security Payload (ESP)
- •Transport and Tunnel Mode
- •Choosing the IPsec Mode and Type
- •The Kernel State
- •Encryption Details
- •Manual Keying
- •Final Note on Protocols and Ports
- •Usermode: Handling the Trust Relationships
- •The IKE Protocol
- •Phase 1: Creating the ISAKMP SA
- •Phase 2: Quick Mode
- •The NAT Problem
- •Summary
- •Linux Distributions
- •Debian
- •SuSE
- •Slackware
- •Gentoo
- •Linux 'Router' Distributions
- •Deciding on the Userland
- •Pluto
- •Racoon
- •Isakmpd
- •More Reasons to Pick Pluto
- •Choosing the Kernel IPsec Stack
- •KLIPS, the Openswan Stack
- •ipsecX Interfaces
- •First Packet Caching
- •Path MTU Discovery
- •KLIPS' Downside
- •NETKEY, the 2.6 IPsec Stack
- •The USAGI / SuSE IPsec Stack
- •Making the Choice
- •GPL Compliance and KLIPS
- •Binary Installation of the Openswan Userland
- •Checking for Old Versions
- •Installing the Binary Package for Openswan
- •Building from Source
- •Using RPM-based Distributions
- •Rebuilding the Openswan Userland
- •Building src.rpm from Scratch
- •Openswan Options
- •Building the Openswan Userland from Source
- •Downloading the Source Code
- •Configuring the Userland Tools
- •Optional Features
- •Compile Flags
- •File Path Options
- •Obscure Pluto Options
- •Compiling and Installing
- •Binary Installation of KLIPS
- •Building KLIPS from Source
- •Kernel Prerequisites
- •Identifying your Kernel's Abilities
- •Using Both KLIPS and NETKEY
- •The Kernel Build Options
- •Required Kernel Options
- •Desired Options
- •NETKEY Stack Options
- •KLIPS Stack Options
- •L2TP Options
- •Patching the Kernel
- •NAT-Traversal Patch
- •KLIPS Compile Shortcut
- •Activating KLIPS
- •Determining the Stack in Use
- •Building KLIPS into the Linux Kernel Source Tree
- •Building a Standard Kernel
- •NAT Traversal
- •Patching KLIPS into the Linux Kernel
- •Verifying the Installation
- •Summary
- •Manual versus Automatic
- •PSK versus RSA
- •Pitfalls of Debugging IPsec
- •Pre-Flight Check
- •The ipsec verify Command
- •NAT and Masquerading
- •Checking External Commands
- •Opportunistic Encryption
- •The ipsec livetest Command
- •Configuration of Openswan
- •The ipsec.conf File
- •Host-to-Host Tunnel
- •Left and Right
- •The type Options
- •The auto Option
- •The rsasigkey Options
- •Bringing Up the IPsec Tunnels
- •Listing IPsec Connections
- •Testing the IPsec Tunnel
- •Connecting Subnets Through an IPsec Connection
- •Testing Subnet Connections
- •Testing Properly
- •Encrypting the Host and the Network Behind It
- •Employing Advanced Routing
- •Creating More Tunnels
- •Avoiding Duplication
- •The Also Keyword
- •KLIPS and the ipsecX Interfaces
- •Pre-Shared Keys (PSKs)
- •Proper Secrets
- •Dynamic IP Addresses
- •Hostnames
- •Roadwarriors
- •Multiple Roadwarrior Connections
- •Dynamic IP and PSKs
- •Mixing PSK and RSA
- •Connection Management
- •Subnet Extrusion
- •NAT Traversal
- •Deprecated Syntax
- •Confirming a Functional NAT-T
- •Dead Peer Detection
- •DPD Works Both Ways
- •Configuring DPD
- •Buggy Cisco Routers
- •Ciphers and Algorithms
- •Using ike= to Specify Phase 1 Parameters
- •Using esp= to Specify Phase 2 Parameters
- •Defaults and Strictness
- •Unsupported Ciphers and Algorithms
- •Aggressive Mode
- •XAUTH
- •XAUTH Gateway (Server Side)
- •XAUTH Client (Supplicant Side)
- •Fine Tuning
- •Perfect Forward Secrecy
- •Rekeying
- •Key Rollover
- •Summary
- •X.509 Certificates Explained
- •X.509 Objects
- •X.509 Packing
- •Types of Certificates
- •Passphrases, PIN Codes, and Interactivity
- •IKE and Certificates
- •Using the Certificate DN as ID for Openswan
- •Generating Certificates with OpenSSL
- •Setting the Time
- •Configuring OpenSSL
- •Be Consistent with All Certificates
- •OpenSSL Commands for Common Certificate Actions
- •Configuring Apache for IPsec X.509 Files
- •Creating X.509-based Connections
- •Using a Certificate Authority
- •Using Multiple CAs
- •Sending and Receiving Certificate Information
- •Creating your own CA using OpenSSL
- •Creating Host Certificates with Your Own CA
- •Host Certificates for Microsoft Windows (PKCS#12)
- •Certificate Revocation
- •Dynamic CRL Fetching
- •Configuring CRL
- •Online Certificate Status Protocol (OCSP)
- •Summary
- •History of Opportunistic Encryption
- •Trusting Third Parties
- •Trusting the DNS?
- •OE in a Nutshell
- •An OE Security Gateway
- •DNS Key Records
- •Forward and Reverse Zones
- •The OE DNS Records
- •Different Types of OE
- •Policy Groups
- •Internal States
- •Configuring OE
- •Configuring Policies
- •Full OE or Initiate-Only
- •Generating Correct DNS Records
- •Name Server Updates
- •Verifying Your OE Setup
- •Testing Your OE Setup
- •The trap eroute
- •The pass eroute
- •The hold eroute
- •Manipulating OE Connections Manually
- •Advanced OE Setups
- •Caveats
- •Summary
- •Where to Firewall?
- •Allowing IPsec Traffic
- •NAT and IPsec Passthrough
- •Configuring the Firewall on the Openswan Host
- •Firewalling and KLIPS
- •Firewalling and NETKEY
- •Packet Size
- •Summary
- •Microsoft Windows
- •Layer 2 Tunneling Protocol (L2TP)
- •Assigning an IP for VPN Access
- •L2TP Properties
- •Pure IPsec versus L2TP/IPsec
- •Client and Server Configurations for L2TP/IPsec
- •The L2TP Openswan Server
- •Configuring Openswan for L2TP/IPsec
- •Linux Kernel Runtime Parameters for L2TP/IPsec
- •Protecting the L2TP Daemon with IPsec using iptables
- •Choosing an L2TP Daemon
- •Configuring L2TPD
- •Configuring User Authentication for pppd
- •Microsoft Windows XP L2TP Configuration
- •Microsoft Windows 2000 L2TP Configuration
- •Apple Mac OS X L2TP Configuration
- •Server Configuration for X.509 IPsec without L2TP
- •Openswan Configuration for X.509 without L2TP
- •Client Configuration for X.509 IPsec without L2TP
- •Microsoft's IKE Daemon
- •Microsoft's Certificate Store
- •Clients using Microsoft Native IPsec Implementation
- •The ipsec.exe Wrapper
- •The Linsys IPsec Tool (lsipsectool)
- •Securepoint IPsec Client
- •TauVPN (iVPN)
- •The WaveSEC Client
- •Third-Party Replacement Clients for Windows
- •The GreenBow VPN Client
- •Astaro Secure Client
- •Mac OS X IPSecuritas
- •VPNtracker
- •Manual Racoon Configuration
- •Importing X.509 Certificates into Windows
- •Importing X.509 Certificates on Mac OS X (Tiger)
- •Summary
- •Openswan as a Client to an Appliance
- •Preparing the Interop
- •The Human Factor
- •Terminology
- •Preparation
- •IPsec Passthrough
- •Tunnel Limitations
- •Anticipate Known Problems
- •Update the Firmware
- •GUI Issues
- •Keepalives
- •ISP Filtering
- •Frequently used VPN Gateways
- •Webmin with Openswan
- •Cisco VPN 3000
- •Cisco PIX Concentrator
- •Nortel Contivity
- •Checkpoint
- •WatchGuard Firebox
- •Symantec
- •Frequently used VPN Client Appliances
- •ZyXEL
- •DrayTek Vigor
- •The Vigor Web Interface
- •Windows Logon Issues
- •Other Vigorisms
- •Unresolved Issues
- •NetScreen
- •Known Issues
- •SonicWALL
- •BinTec
- •LANCOM
- •Linksys
- •Lucent Brick
- •NETGEAR
- •KAME/Racoon
- •Aftercare
- •Summary
- •Methods of Encryption
- •Host-to-Host Mesh
- •Host-to-Gateway Setup
- •Single IP Extrusiautomation or L2TP
- •Opportunistic Encryption in the LAN
- •Non-OE-Capable Machines
- •Designing a Solution for Encrypting the LAN
- •Design Goals
- •Separation of WiFi and Crypto
- •Link Layer Protection
- •The Logical Choice: IPsec
- •Hotspot
- •WaveSEC
- •Full WaveSEC
- •Catch 22 Traffic
- •Building a WaveSEC Server
- •DHCP Server Setup
- •DNS Server Setup
- •Openswan Server Setup
- •Catch 22 Traffic Setup
- •Building a WaveSEC Client
- •DH Client Setup
- •Openswan Setup
- •Testing the WaveSEC
- •Starting the WaveSEC Connection
- •Known Issues with WaveSEC
- •WaveSEC for Windows
- •Design Limitations
- •Building a WaveSEC for Windows Server
- •Obtaining the Certificate and Client Software
- •Our Prototype Experiences
- •Openswan Issues
- •Windows Kernel Issues
- •Summary
- •Cipher Performance
- •Handling Thousands of Tunnels
- •Managing Large Configuration Files
- •Standard Naming Convention
- •The also= Parameter
- •The include Parameter
- •Openswan Startup Time
- •Limitations of the Random Device
- •Other Performance-Enhancing Factors
- •Logging to Disk
- •Disable Dead Peer Detection
- •Reducing the Number of Tunnels
- •OSPF Setup
- •BGPv4 Setup
- •High Availability
- •Heartbeat
- •Xen Migration
- •Using Anycast
- •Summary
- •Do Not Lock Yourself Out!
- •Narrowing Down the Problem
- •Host Issues
- •Configuration Problems
- •Connection Names
- •Interoperability
- •Hunting Ghosts
- •Rekey Problems (After an Hour)
- •Openswan Error Messages
- •IKE: Unknown VendorIDs
- •Network Issues
- •Firewalls
- •MTU and Fragmentation Issues
- •Debugging IPsec on Apple Mac OS X
- •Debugging IPsec on Microsoft Windows
- •Oakley Debugging
- •Debugging ipsec.exe
- •Microsoft L2TP Errors
- •You Suddenly Cannot Log in Anymore over the VPN
- •Software Bugs
- •Userland Issues: Assertion Failed or Segmentation Faults
- •Kernel Issues: Crashes and Oopses
- •Memory Issues
- •Common IKE Error Messages
- •Common Kernel-Related Error Messages
- •Common Errors when Upgrading
- •Using tcpdump to Debug IPsec
- •Situation A: No Communication on Port 500
- •Situation B: Failure at Third Exchange
- •Situation C: QUICK Mode Initiates, but Never Completes
- •Situation D: All IKE Messages Occur, but no Traffic Flows
- •A Final tcpdump Example
- •User Mode Linux Testing
- •Preparing the Openswan for the UML Build Process
- •Running the UMLs
- •Writing a UML Test Case
- •Debugging the Kernel with GDB
- •Asking the Openswan Community for Help
- •Internet Relay Chat (IRC)
- •The Openswan Mailing Lists
- •Posting to the Lists
- •Research First, Ask Later
- •Free, as in Beer
- •Do not Anonymize
- •Summary
- •Linux Kernel Developments
- •Kernel API Changes between 2.6.12 and 2.6.14
- •Red Hat Kernel Developments
- •Fedora Kernel Source/Headers Packaging Change
- •MD5 Insecurities
- •Discontinuation of Openswan 1 by the End of 2005
- •Update on UML Testing Suite Installation
- •Openswan GIT Repositories
- •Openswan on Windows and Mac OS X Updates
- •Known Outstanding Bugs
- •Vulnerability Fixes in Openswan 2.4.4
- •The OSI Model and the IP Model
- •No Layers, Just Packets
- •The Protocol
- •IP Network Overview
- •IP Address Management
- •The Old IP Classes
- •Classless IP Networks
- •The Definition of a Subnet
- •Calculating with Subnets: The Subnet Mask
- •The Rest of the Network
- •Linux Networking Commands
- •Routing
- •Routing Decisions
- •Peering
- •Network Address Translation
- •Port Forwarding
- •Openswan Links
- •Community Documentation
- •Generic Linux Distributions Containing Openswan
- •Specialized Linux Distributions Containing Openswan
- •Overview RFCs
- •Basic Protocols
- •Key Management
- •Procedural and Operational RFCs
- •Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
- •Dead Peer Detection RFCs
- •NAT-Traversal and UDP Encapsulation RFCs
- •RFCs for Secure DNS Service, which IPSEC May Use
- •RFCs Related to L2TP, Often Used in Combination with IPsec
- •RFCs on IPsec in Relation to Other Protocols
- •RFCs Not in Use or Implemented across Multiple Vendors
- •Index
Building and Installing Openswan
Racoon is not as well tested as Pluto. Ralf Spenneberg, an IPsec consultant from Germany, has carried out extensive testing on various IKE daemons, and found several large holes in Racoon that have been present in the Racoon code for many years.
Apparently Racoon also has a tendency to forget established SAs, causing a lot of unnecessary re-key events. This would also complicate large scale deployment.
Isakmpd
Isakmpd originally comes from OpenBSD, and is not really used on Linux although a Debian port exists. There is some sparse information available if you use a search engine such as Google, but we do not know of any large scale isakmpd deployment on Linux.
More Reasons to Pick Pluto
Pluto is the default IKE daemon in Debian, SuSE, Mandrake, Gentoo, and all Linux-based embedded solutions we have encountered. Red Hat and Fedora distributions are still using Racoon, though Pluto is available for those distributions too.
Configuring Racoon is explained in Chapter 8. We will assume the Openswan IKE daemon will be used. Otherwise, you would not be reading this book.
Choosing the Kernel IPsec Stack
A more difficult choice is that of the IPsec kernel stack. There are currently three IPsec stacks in use, the most widely deployed being KLIPS. The upcoming alternative is the NETKEY stack, which is currently included in the 2.6 kernel. NETKEY is a rewrite from scratch of KAME. NETKEY can be used with the traditional KAME userland tool Racoon, which has been ported to Linux and is called ipsec-tools. The third commercially deployed stack is the USAGI stack, a patched KLIPS stack that adds IPv6 support to the IPsec code and was mostly used by SuSE Linux, Germany's biggest Linux distribution.
There are a few other obscure IPsec stacks out there, but these are mostly scientific experiments or personal hobby projects, and have not gotten any large scale deployment or extensive scrutiny from the Open Source community. They should clearly not be used for production environments where money or lives are at stake.
KLIPS, the Openswan Stack
KLIPS was the first available IPsec stack for Linux. Early versions ran on Linux 2.0, and the latest version runs on anything between 2.2 and 2.6. It is the only Linux IPsec stack that has been in use for over a year; in fact, it has been in use for over five years. It has a very strong solid reputation in the IPsec community, and was considered the de facto interop test platform by many commercial vendors. If KLIPS didn't talk to your proprietary IPsec hardware, you had done something wrong.
KLIPS got a major rewrite between FreeS/WAN version 1.99 and version 2.x. Some of its functions had grown far too big and were re-factored. The 2.x code also introduced the regression testing system. Every single feature of KLIPS was tested in a nightly regression test suite. The 2.x version was also the base for Openswan 2.x.
50
Chapter 3
ipsecX Interfaces
Since KLIPS pre-dates the netfilter code in the Linux kernel, it had to find another way to hook into the kernel and the network stack. The solution creates virtual devices, the ipsecX devices, and applies a routing trick to send packets into these virtual devices. The advantage is that the flow of packets is very clear. An encrypted packet comes in on the ethX device. It is detected that this is an IPsec packet, and it is sent to the KLIPS code to be processed. KLIPS decrypts the packet, and puts the decrypted packet on the ipsecX device. Thus the packet traverses all the Linux iptables (or ipfwadm /ipchains on older kernels) once per interface, allowing separate firewall rules to be made for the encrypted and the decrypted packet. This makes writing firewall rules very easy and is considered to be one of KLIPS' major features.
First Packet Caching
Another important feature is the caching of network packets for which it is known that an IPsec tunnel needs to be created. Because of this caching, tunnels can be easily brought up and down without any packet loss. Now packet loss in general is not much of a problem, but losing the first few packets will give you a substantial delay. If you are at home, and fire up the website of your company's internal web server, you do not want to always wait ten seconds while your packets are dropped because your first browser packet triggered the IPsec negotiation, which is still being negotiated as your browser sends more packets that are just being dropped.
Proper packet caching is essential for Opportunistic Encryption, where IPsec tunnels are set up on the fly depending on the received packets, as we will discuss later in Chapter 6.
Path MTU Discovery
Another feature of KLIPS is that it supports full Path MTU discovery (RFC 1191). Path MTU discovery describes a method for determining the Maximum Transmission Unit of a packet.
In the early days of the Internet, a lot of strange non-standard devices or communication lines were used to hook up machines. Some of them were as slow as 300 baud. Buffers to store network packets would be small, so some devices had to send a lot of small packets instead of fewer bigger packets. Of course mainframes had far less problems with big packets, and didn't want to send lots of smaller ones. Competing technologies in the LAN, such as token ring, Ethernet, DECnet, LAT, and other technologies such as serial cables, all had a different standard packet size that could be received and transmitted. The packet size was not as uniform as it is today, when most people use 1500 byte Ethernet frames.
Path MTU discovery finds the largest packet size that can be handled by all the intermediary routers between two computers. The initiating computer will start sending small packets, but once they are received correctly on the other side, will increase its packet size incrementally. At some point, either that other end, or a machine in the middle that is just relaying the packets on, will get a packet it cannot send further because it is too big. It will drop the packet and send a notification back to the sending host. This is an ICMP 'Destination Unreachable' packet which contains a message saying "Datagram Too Big". The sending computer will receive that ICMP packet, read the 'Next-Hop MTU' value, and use that (smaller) packet size instead. If the path between the two computers changes, and another hop in the chain can't receive a certain size packet, the same process will start again with that host. And just once in a while, the sending computer will increase
51
Building and Installing Openswan
the packet size just in case the limiting computer in the middle has vanished.
Firewalls and Path MTU
Unfortunately, in January 1997, the Internet was hit by something that came to be known as the Ping of Death. A bug in the networking code for processing certain incoming packets, most notably ICMP ping request packets, could crash the operating system. This bug was found in the reference code for fragmentation handling, code that had been copied into a wide range of commercial and open source operating systems. Almost all operating systems were affected: Sun, Microsoft, Novell, HP, Digital, SCI, IBM, some BSDs, and Linux.
Since these ping packets are a type of ICMP packet, a lot of system administrators decided to block all types of ICMP packets. And since Path MTU discovery depends on the ICMP Destination Unreachable packet, it was broken when these packets were dropped by the Internet at large. This is the main reason that IPv6 no longer implements Path MTU discovery. But since most computers on the Internet are now connected by ethernet, this limitation does not cause too many problems. At least, that was true until the commercial battle for broadband access began.
A lot of technologies were rolled out for broadband, and most of them worked by tunneling packets one way or another. The complexity of cable and DSL networks and their tunneling mechanisms, such as Microsoft's PPTP, PPPoE (A hack to pretend ethernet is just like an analog phone line), PPPoA (similar, involving ATM instead of ethernet), and various other types of tunneling protocols used by ISPs introduced a lot of tunnels within tunnels. Suddenly, packet size became variable again, and Path MTU discovery once more became an important issue. VPNs are used to connect two remote ends of the Internet. These connections will travel through many ISP networks, often a consumer-grade cable or DSL network. Therefore, broken Path MTU discovery greatly impacts on IPsec connections. Unfortunately, NETKEY does not support this properly.
KLIPS' Downside
KLIPS is not included in the official Linux kernel. As such, many people automatically dislike or distrust KLIPS. Often, the system administrator is already trying something new, IPsec, and does not want to make things any harder than they are already, for instance by having to add code and build their own custom kernel. Compiling KLIPS into your kernel has been made very easy, however, so don't be too quick to discard it as an option. Remember that KLIPS has been in use for about ten years and has proven itself to be extremely stable. NETKEY on the other hand is brand new. It looks very promising, but it hasn't seen large scale deployment yet.
That said, you might not have a choice. KLIPS has no IPv6 support, and unless you are willing to run the unmaintained SuSE version of KLIPS, you will need to use NETKEY if you need IPv6.
Another drawback of KLIPS is that routing hack to receive packets from the kernel. On a KLIPS machine, you can see routes going into ipsecX devices. If these routes are deleted or vanish, packets are no longer being processed by KLIPS. This happens mostly in scenarios where the physical interface is changed, for instance if a PC card or USB network device is added or removed from the system. However it also happens when PPP or PPTP sessions restart, which can happen regularly on DSL or GPRS connections. Most of this can be addressed using custom updown scripts. In the future, these kind of hotplug devices should be better supported.
52