An Introduction to Virtual Private Networks over IPSec - PowerPoint PPT Presentation
1
An Introduction to Virtual Private Networks over IPSec
  • By Oleg Kolesnikov

2
Oleg Kolesnikov
  • Ph.D. in CS (in progress)
  • The relevant experience I have:
    • System Administrator, Unicom Ltd, European ISP
    • Network and Security Administrator, GT Police Department
    • Security Researcher, Distributed Security Department, Berkeley Lab

3
prologue
  • Host-Host VPN tunnel in two commands
  • Server:
    stunnel -v3 -p /vpn/cf/svr.pem -d 2626 -L sudo -- pppd pppd noauth
    192.168.254.254:192.168.254.253
  • Client:
    sudo pppd updetach noauth pty "sudo -u sslvpn stunnel -v3 -S0 -f -D7
    -p /vpn/cf/client.pem -c -r svr:2626"

4
what you will learn today
  • Existing IPSec implementations
  • Basic things you need to know to deploy a VPN
  • Practical examples of creating atomic IPSec-based
    VPNs with KAME (BSD) and FreeS/WAN (Linux)

5
assumptions
  • I will assume that you already have an idea about
    IPSec, its components, and their functioning
  • I will assume that you already have basic
    background in networking
  • You will have a chance to ask questions at the
    end of the talk

6
existing ipsec solutions
  • Software
    • Open Source: KAME (BSD), FreeS/WAN (Linux), isakmpd (OpenBSD)
    • Commercial: Win2K/XP VPN, F-Secure VPN, Checkpoint VPN-1, McAfee/PGPvpn,
      Symantec Enterprise VPN, Enterasys/Aurorean, Intel Netstructure VPN,
      SafeNet, SSH Sentinel, Gauntlet GVPN
  • Hardware
    • Cisco 300x concentrators and VPN-enabled uBRs, Merilus Firecard,
      Lucent VPN firewall brick, yourKey solution, Shiva LanRover, NetScreen

7
interoperability
  • IPSec interoperability is often a problem due to
    the complexity of the protocol suite
  • VPN Consortium (VPNC) offers conformance tests to
    its members
  • The solutions mentioned before have been tested and proved to have at
    least the basic interoperability (can interoperate with more than 3/4 of
    the other VPNC-tested solutions) and/or have passed the basic
    conformance test (support 3DES, SHA-1, 1024-bit kex)
  • Currently, VPNC lists 11 commercial solutions
    that have passed the basic interoperability test
  • VPNC lists 28 solutions that passed the basic
    conformance test

8
three atomic VPN types
  • Host-Host
  • Host-Network
  • Network-Network
  • Each of these types will ultimately rely on a
    point-to-point link (think of a host as a /32
    network)

9
information you will need
  • For each atomic type present in your VPN, you need to determine:
    • Static IPs of the peers
    • Networks behind each peer (networks must have non-overlapping IPs)
    • Kex method you will use (you may need to create and distribute keys,
      if necessary)
    • IPSec solutions you will use on the peers (the solutions must be
      compatible)

10
KAME basics
  • KAME -- a comprehensive package offering IPv6 and
    IPSec support for BSD systems (FreeBSD, NetBSD,
    OpenBSD, BSD/OS)
  • Consists of kernel IPSec routines and IKE daemon
    (racoon)

11
KAME installation
  • 1) Recompile the kernel with
    options IPSEC
    options IPSEC_ESP
    pseudo-device gif 6   # for tunnel mode
  • 2) Install the IKE daemon (racoon)
    cd /usr/ports/security/racoon && make all install distclean

12
KAME configuration (I)
  • The setkey(8) utility is used
  • A sample Host-Host link between a.b.c.d and x.y.z.r using ESP in
    transport mode can be configured as follows
    setkey -c << EOL
    flush;      # flush SAs
    spdflush;   # flush SPD
    add x.y.z.r a.b.c.d esp 6262 -m transport -E des-cbc "SWORDFSH";
    spdadd a.b.c.d/32 x.y.z.r/32 any -P out ipsec esp/transport//require;
    spdadd x.y.z.r/32 a.b.c.d/32 any -P in ipsec esp/transport//require;
    EOL

13
KAME configuration (II)
  • A slightly more advanced example for a Network-Network link between
    172.16.1.0/24 and 172.16.2.0/24 that will only encrypt packets from/to
    port 110
    ...
    spdadd 172.16.1.0/24[110] 172.16.2.0/24[any] any -P out ipsec
        esp/tunnel/a.b.c.d-x.y.z.r/require;
    spdadd 172.16.2.0/24[110] 172.16.1.0/24[any] any -P in ipsec
        esp/tunnel/x.y.z.r-a.b.c.d/require;

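A generator for the policies on the two configuration slides above, added here as an example that is not part of the presentation: it treats a host as a /32 network (slide 8), refuses overlapping networks (slide 9), and emits the spdadd pair for a Host-Host link (transport mode) or a Host-Network / Network-Network link (tunnel mode). Peer and network addresses are constructed sample values; the optional port is pinned to the net_a side in both directions, which is a slightly different selector layout from the slide's.

```python
import ipaddress


def check_non_overlapping(nets):
    """The networks behind the peers must not overlap (slide 9)."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    for i, a in enumerate(parsed):
        for b in parsed[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping networks: {a} and {b}")
    return True


def spd_entries(peer_a, peer_b, net_a=None, net_b=None, port=None):
    """Return the (out, in) spdadd lines for one atomic link, seen from peer_a.

    Host-Host: no networks given, so both peers become /32 selectors and ESP
    runs in transport mode.  Host-Network / Network-Network: the networks
    behind the peers are the selectors and ESP runs in tunnel mode between
    the peer addresses.  `port` restricts the selector on the net_a side
    (e.g. a POP3 server living there) in both directions.
    """
    src = net_a or f"{peer_a}/32"
    dst = net_b or f"{peer_b}/32"
    check_non_overlapping([src, dst])
    if net_a or net_b:
        out_policy = f"esp/tunnel/{peer_a}-{peer_b}/require"
        in_policy = f"esp/tunnel/{peer_b}-{peer_a}/require"
    else:
        out_policy = in_policy = "esp/transport//require"
    a_sel = f"{src}[{port}]" if port else src
    b_sel = f"{dst}[any]" if port else dst
    return (
        f"spdadd {a_sel} {b_sel} any -P out ipsec {out_policy};",
        f"spdadd {b_sel} {a_sel} any -P in ipsec {in_policy};",
    )


def setkey_script(links):
    """Combine several links into one script for `setkey -c`, starting with
    the flush/spdflush lines of the Host-Host slide."""
    lines = ["flush;", "spdflush;"]
    for link in links:
        lines.extend(spd_entries(*link))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: one Host-Host link and one Network-Network link.
    print(setkey_script([
        ("10.0.0.1", "10.0.0.2"),
        ("192.0.2.1", "198.51.100.1", "172.16.1.0/24", "172.16.2.0/24", 110),
    ]))
```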
14
KAME configuration (III) routing and isakmp
  • Be sure to add a routing entry to make the connected networks visible
    to each other
    route add -net 172.16.1.0 -interface <ipsec_if_xyzr>
    route add -net 172.16.2.0 -interface <ipsec_if_abcd>
  • For IKE (racoon), you need to enable isakmp traffic (udp port 500)
    ipfw add allow udp from x.y.z.r isakmp to a.b.c.d isakmp via <eth_if_abcd>
    ipfw add allow udp from a.b.c.d isakmp to x.y.z.r isakmp via <eth_if_xyzr>

15
KAME configuration (IV)
  • Files to consider
    • /usr/local/etc/racoon/racoon.conf: IKE configuration
    • /usr/local/etc/racoon/psk.txt: pre-shared keys
    • /etc/rc.conf: you can put some of your configuration here so it is
      preserved across reboots
    • /etc/ipsec.conf: can contain spdadd etc. commands; they will be
      processed by setkey -c if you set ipsec_enable="YES" in ipsec.conf

16
FreeS/WAN basics
  • FreeS/WAN is an open source IPSec implementation for Linux
  • FreeS/WAN = KLIPS + Pluto
    • KLIPS: kernel-level IPSec routines
    • Pluto: IKE implementation

17
FreeS/WAN installation
  • Install rpms (kernel module and utilities)
    freeswan-module-<swan_ver>-<your_kernel_version>.i386.rpm
    freeswan-<swan_ver>-<your_kernel_version>.i386.rpm
  • Apply the X.509 patch, if needed
  • Allow isakmp (udp 500), as well as ESP (protocol 50) and AH (protocol 51)
  • rp_filter should be set to 0 on the interfaces FreeS/WAN uses
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

18
FreeS/WAN configuration (I)
  • Connections are described in /etc/ipsec.conf
  • Below is an example of a Host-Host IPSec link
    ...
    conn abcd-xyzr
        authby=rsasig
        auth=esp
        left=a.b.c.d
        leftnexthop=a.b.c.1
        leftid=@abcd
        leftrsasigkey=773EEKJKJs
        right=x.y.z.r
        rightnexthop=x.y.z.1
        rightid=@xyzr
        rightrsasigkey=1wFK00efhhE
        auto=add

19
FreeS/WAN configuration (II)
  • An example of a Network-Network IPSec link
    ...
    conn abcd-xyzr
        authby=rsasig
        auth=ah
        left=a.b.c.d
        leftsubnet=172.16.1.0/24
        leftnexthop=a.b.c.1
        leftid=@abcd
        leftrsasigkey=773EEKJKJs
        right=x.y.z.r
        rightsubnet=172.16.2.0/24
        rightnexthop=x.y.z.1
        rightid=@xyzr
        rightrsasigkey=1wFK00efhhE
        auto=add

20
FreeS/WAN configuration (III)
  • Connections can be either
    • Manually keyed (using keys in /etc/ipsec.conf)
    • Automatically keyed by Pluto
  • Normally, FreeS/WAN adds a route between the peers automatically
  • You can start the connection configured in /etc/ipsec.conf using
    ipsec auto --start abcd-xyzr

21
Opportunism (I)
  • Opportunistic encryption -- currently, a unique
    feature of FreeS/WAN
  • The idea is to enable connections to/from ANY
    potential IPSec peer (no prior knowledge)
  • The concept relies on DNS to store public keys
    associated with domains
  • Can be full (incoming requests allowed) or
    partial (initiate-only)

22
Opportunism (II) Fax effect
  • Fax effect -- the value of your fax increases
    with every new fax machine installed in the
    world.
  • As more machines support opportunism, the concept
    becomes more powerful

23
Opportunism (III) Examples
  • DNS record containing the public key of x.y.z.r
    xyzr.com. 6835 IN KEY 16896 4 1 AQO6DJc6LIwGq82ehvIGLKn4S
  • Contents of /etc/ipsec.conf supporting opportunism
    conn abcd-opportunistic
        left=a.b.c.d
        leftnexthop=%defaultroute
        leftid=@abcd
        leftrsasigkey=%dnsondemand
        right=%opportunistic
        keylife=30m
        auto=route
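Decoding the KEY record shown above, as an added example that is not from the talk: the fields 16896 4 1 are the RFC 2535 flags, protocol and algorithm, and the base64 data carries the RSA exponent and modulus in RFC 2537 form. The slide's key is truncated on the page, so build_key_rr uses a constructed modulus; the slide's own leading bytes are still decoded in the main block.

```python
import base64

# Field meanings from RFC 2535 (KEY RR) and RFC 2537 (RSA key data).
USAGE = {0: "authentication and confidentiality", 1: "authentication only",
         2: "confidentiality only", 3: "no key"}
NAME_TYPE = {0: "user", 1: "zone", 2: "host/entity", 3: "reserved"}
PROTOCOL = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
ALGORITHM = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA"}


def rsa_public_key(data):
    """RFC 2537: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    exp_len, pos = data[0], 1
    if exp_len == 0:
        exp_len, pos = int.from_bytes(data[1:3], "big"), 3
    exponent = int.from_bytes(data[pos:pos + exp_len], "big")
    modulus = int.from_bytes(data[pos + exp_len:], "big")
    return exponent, modulus


def decode_key_rr(record):
    """Parse the text form 'owner ttl IN KEY flags protocol algorithm base64'."""
    owner, ttl, klass, rtype, flags, proto, alg, *b64 = record.split()
    if klass != "IN" or rtype != "KEY":
        raise ValueError("not an IN KEY record")
    flags, proto, alg = int(flags, 0), int(proto), int(alg)  # 16896 or 0x4200
    info = {
        "owner": owner, "ttl": int(ttl),
        "usage": USAGE[(flags >> 14) & 3],          # bits 0-1 (A/C)
        "name_type": NAME_TYPE[(flags >> 8) & 3],   # bits 6-7 (NAMTYP)
        "protocol": PROTOCOL.get(proto, f"unknown({proto})"),
        "algorithm": ALGORITHM.get(alg, f"unknown({alg})"),
    }
    # FreeS/WAN opportunism looks for an RSA key published for IPSEC use.
    info["usable_for_ipsec"] = proto in (4, 255) and alg == 1
    if alg == 1:
        info["exponent"], info["modulus"] = rsa_public_key(base64.b64decode("".join(b64)))
    return info


def build_key_rr(owner, modulus, exponent=3, flags=0x4200, protocol=4, ttl=6835):
    """Encode a host RSA key the way the slide's record does (constructed modulus)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    data = bytes([len(e)]) + e + n
    return f"{owner} {ttl} IN KEY {flags} {protocol} 1 {base64.b64encode(data).decode()}"


if __name__ == "__main__":
    print(decode_key_rr(build_key_rr("xyzr.com.", 0xC0FFEE1234567890ABCD)))  # constructed
    # First 24 base64 chars of the slide's key: exponent length 1, exponent 3.
    print(decode_key_rr("xyzr.com. 6835 IN KEY 16896 4 1 AQO6DJc6LIwGq82ehvIGLKn4"))
```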

24
reference
  • O. Kolesnikov, B. Hatch, Building Linux Virtual Private Networks,
    New Riders, 2002. http://www.buildinglinuxvpns.net