IPsec in Fedora
Contents
  IP Security Overview
  Kernel IPsec implementation
  Comparison of Key Exchange Implementations
  Real World Configuration Examples
IP Security Overview
IPsec
  IP Security (IPsec)
  Mandatory part of the IPv6 stack, extension to the IPv4 stack
  Network-layer packet encryption and authentication
IPsec provides
  Security layer for network and transport protocols
  Data authentication, integrity and confidentiality
  Mutual host and user authentication
  Security orthogonal to routing (with public IPv6 or IPv4)
  End-to-end secure communication (with public IP and DNSSEC)
IPsec essentials
  Security policy database (SPD)
  Security association database (SAD)
  Encapsulating security payload (ESP)
  Key exchange and configuration
  NAT traversal
Kernel IPsec implementation
What you need
  Kernel IPsec support enabled
  The iproute package
  Firewall setup (for testing, just disable the firewall)
  Time and patience (or follow the examples)
ESP transport
  Mode: Transport
  Encapsulation: IPv6 / ESP
  Direction: alpha.example.net -> beta.example.net
  Addresses: 2001:db8::a -> 2001:db8::b
  Use the same commands for the reverse channel
  Suitable for secure end-to-end connectivity
  You can always use IPv4 addresses instead of IPv6.
  When testing with the documentation address space (2001:db8::/32), you may find yourself cut off from some public internet services.
beta.example.net
  # ip address add 2001:db8::b/64 dev eth0
  # ip xfrm policy add dir in \
        src 2001:db8::a dst 2001:db8::b tmpl proto esp
  # ip xfrm state add \
        src 2001:db8::a dst 2001:db8::b proto esp spi 1 \
        enc cbc(aes) 0x3ed0af408cf5dcbf5d5d9a5fa806b224
http://data.pavlix.net/devconf2012/
ESP tunnel
  Mode: Tunnel
  Encapsulation: IPv6 / ESP / IPv6
  Routers: 2001:db8::a -> 2001:db8::b
  Networks: 2001:db8:a:a::/64 -> 2001:db8:b:b::/64
  Use the same commands for the other direction
  Suitable for secure links between two networks
  You can use IPv4 addresses instead of IPv6.
b.example.net
  # ip address add 2001:db8::b/64 dev eth0
  # ip address add 2001:db8:b:b::1/64 dev eth1
  # ip xfrm policy add dir in \
        src 2001:db8:a:a::/64 dst 2001:db8:b:b::/64 \
        tmpl src 2001:db8::a dst 2001:db8::b proto esp mode tunnel
  # ip xfrm state add \
        src 2001:db8::a dst 2001:db8::b proto esp spi 1 mode tunnel \
        enc cbc(aes) 0x3ed0af408cf5dcbf5d5d9a5fa806b224
In tunnel mode the policy selects on the two networks and the template names the routers; the state and the template both carry mode tunnel, otherwise the kernel would only protect traffic between the routers themselves.
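The transport and tunnel slides above each show one direction only and say to repeat the commands for the other. The script below is an added example, not part of the original slides: it prints the complete set of ip xfrm commands for both directions in either mode, assuming iproute2, od(1) and /dev/urandom; the SPIs and keys it uses are constructed placeholders. Unlike the slide's cbc(aes)-only state, it pairs the cipher with HMAC-SHA256, because ESP without integrity protection is not recommended.

```shell
#!/bin/sh
# Added example, not from the slides: print the complete ip-xfrm setup for BOTH
# directions of an ESP channel, either transport mode (host to host, as on the
# beta.example.net slide) or tunnel mode (network to network, as on the
# b.example.net slide).  Assumes iproute2 ip(8), od(1) and /dev/urandom; the
# printed commands are then run as root on each endpoint.  SPIs and keys are
# constructed here; the slide's "spi 1" and fixed key are placeholders only.
set -eu

# gen_key BYTES: random key as 0x-prefixed hex (16 for AES-128, 32 for HMAC-SHA256).
gen_key() {
    printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n')"
}

# xfrm_sa MODE SRC DST SPI ENCKEY AUTHKEY: one ESP SA carrying SRC -> DST.
# cbc(aes) alone, as on the slide, gives no integrity protection, so the SA
# also gets HMAC-SHA256 truncated to 128 bits (RFC 4868).
xfrm_sa() {
    printf 'ip xfrm state add src %s dst %s proto esp spi %s mode %s \\\n' "$2" "$3" "$4" "$1"
    printf '    enc cbc(aes) %s auth-trunc hmac(sha256) %s 128\n' "$5" "$6"
}

# xfrm_policy MODE DIR SRC DST [SRCNET DSTNET]: the policy matching that SA.
# Transport mode selects on the host addresses; tunnel mode selects on the
# networks and names the two routers in the template.
xfrm_policy() {
    if [ "$1" = transport ]; then
        printf 'ip xfrm policy add dir %s src %s dst %s tmpl proto esp mode transport\n' "$2" "$3" "$4"
    else
        printf 'ip xfrm policy add dir %s src %s dst %s tmpl src %s dst %s proto esp mode tunnel\n' \
            "$2" "$5" "$6" "$3" "$4"
    fi
}

# host_cmds MODE LOCAL REMOTE SPI_IN SPI_OUT ENC_IN AUTH_IN ENC_OUT AUTH_OUT [LOCALNET REMOTENET]
# Everything one endpoint needs: inbound SA + policy, outbound SA + policy.
host_cmds() {
    mode=$1 l=$2 r=$3
    xfrm_sa "$mode" "$r" "$l" "$4" "$6" "$7"; xfrm_policy "$mode" in "$r" "$l" "${11:-}" "${10:-}"
    xfrm_sa "$mode" "$l" "$r" "$5" "$8" "$9"; xfrm_policy "$mode" out "$l" "$r" "${10:-}" "${11:-}"
}

# Keys are generated once per direction and used on both ends (reused for the tunnel only to keep this short).
E_AB=$(gen_key 16) A_AB=$(gen_key 32)   # alpha -> beta
E_BA=$(gen_key 16) A_BA=$(gen_key 32)   # beta -> alpha
echo '# transport mode on beta.example.net (on alpha: swap local/remote and the in/out SPI and key pairs)'
host_cmds transport 2001:db8::b 2001:db8::a 0x1001 0x1002 "$E_AB" "$A_AB" "$E_BA" "$A_BA"
echo '# tunnel mode on router b (2001:db8::b) for 2001:db8:b:b::/64 <-> 2001:db8:a:a::/64'
host_cmds tunnel 2001:db8::b 2001:db8::a 0x2001 0x2002 "$E_AB" "$A_AB" "$E_BA" "$A_BA" \
    2001:db8:b:b::/64 2001:db8:a:a::/64
```

Run the script once, paste each printed block on the matching endpoint as root, then confirm with ip xfrm state and ip xfrm policy that both directions are present.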
Hybrid ESP tunnel
  Mode: Tunnel
  Encapsulation: IPv4 / ESP / IPv6 or IPv6 / ESP / IPv4
  Use the same commands as for IPv6 / ESP / IPv6 tunnels
  Use IPv4 network or host addresses where appropriate
  Suitable for secure IPv4 links between IPv6 networks and vice versa
Comparison of Key Exchange Implementations
Key exchange implementations
  Racoon
  Openswan
  Racoon2
  Strongswan
There may be others. For example, vpnc seems to be a specialized IPsec implementation used as a client to Cisco EasyVPN.
Racoon (ipsec-tools)
  Included in Fedora as ipsec-tools
  Not in EPEL6
  Limited to the obsolete IKEv1
  Very hard to configure for advanced scenarios
  Even the road warrior scenario requires shell scripting
  It seems to support IPv6, except for hybrid tunnels
Openswan
  Included in Fedora and RHEL
  IKEv2 doesn't work with NAT traversal
  IKEv2 doesn't work in the road warrior setup
  IPv6 doesn't work in the road warrior setup
  IPv6 configuration and errors are confusing
  Hybrid tunnels aren't supported
  Openswan gets confused by multiple IPs per interface
Disclaimer: I may have missed some tricks or new development. Tested with openswan-2.6.33-1.fc15.x86_64.
Racoon2
  Newly added to Fedora 16 and EPEL 6, please test
  Latest version from May 2010
  Bad upstream makefiles (patched)
  No starter daemon, separate spmd and iked (patched)
  KINK support disabled (dependency problems)
  Rather complicated configuration, but very flexible
  Ready-to-use configuration examples
  Reportedly decent IKEv2, IKEv1 and IPv6 support
Strongswan
  Newly added to Fedora 16 and EPEL 6, please test
  Active upstream, new release every few months
  Builds without change, systemd unit files included
  Renaming required to avoid conflicts with Openswan
  IKEv2, IKEv1 and IPv6 support
  NAT-T, Mediation, MOBIKE and virtual IP support
  Various authentication mechanisms
  Easy and almost flat configuration, similar to Openswan
We need to choose one key exchange implementation for:
  IKEv2 and IKEv1 support
  IPv6 and IPv4 support
  Road warrior setup
  IPv4 NAT traversal
  All of the above working together
Evaluation
  Racoon: not suitable, lacks IKEv2
  Openswan: not suitable, broken IKEv2 as well as IPv6
  Racoon2: suitable, but rather passive
  Strongswan: suitable, actively developed
The winner is Strongswan!
Real World Configuration Examples
ESP transport with Strongswan
  Mode: Transport
  Encapsulation: IPv6 / ESP
  Direction: alpha.example.net -> beta.example.net
  Addresses: 2001:db8::a -> 2001:db8::b
  Strongswan supports IPv6 and IPv4 addresses.
ipsec.conf
  conn test
      auto=route
      type=transport
      left=2001:db8::a
      right=2001:db8::b
      authby=psk
      mobike=no
ipsec.conf (road warrior, responder side: accept any peer address)
  conn test
      auto=add
      type=transport
      left=%any
      right=2001:db8::b
      authby=psk
      mobike=no
ipsec.conf (road warrior, client side: address from the default route, identity by name)
  conn test
      auto=add
      type=transport
      left=%defaultroute
      leftid=@alpha.example.net
      right=2001:db8::b
      authby=psk
      mobike=no
ESP tunnel with Strongswan
  Mode: Tunnel
  Encapsulation: IPv6 / ESP / IPv6
  Routers: 2001:db8::a -> 2001:db8::b
  Networks: 2001:db8:a:a::/64 -> 2001:db8:b:b::/64
  You can use IPv4 addresses for routers and networks.
  Strongswan supports hybrid IPv4/IPv6 tunnels.
ipsec.conf
  conn test
      auto=route
      type=tunnel
      left=2001:db8::a
      leftsubnet=2001:db8:a:a::/64
      right=2001:db8::b
      rightsubnet=2001:db8:b:b::/64
      authby=psk
      mobike=no
Questions?
http://data.pavlix.net/devconf2012/
pavlix@pavlix.net