How to setup IPsec interoperable for Linux, OpenBSD and Kame/*BSD

Copyright 2000 - 2003 by Hans-Jörg Höxer
This document is always under construction and the information is partly untested and might be completely wrong.
Consider yourself warned.

Preface

This HOWTO is Copyrighted 2000 - 2003 by Hans-Jörg Höxer. It can be distributed freely. It cannot be modified. If you have any kind of suggestion, please send me an email (I will update the document if the suggestion proceeds). No liability for the contents of this document can be accepted. I have no responsability about the consequences of following the steps provided in this document. If you have questions, please contact me at Hans-Joerg.Hoexer@yerbouti.franken.de.

Content

  • Introduction
  • General Configuration
  • The sample Network
  • OpenBSD
  • GNU/Linux
  • Kame/NetBSD 1.6.1
  • Windows2000 (gateway)
  • WindowsME with PGPNet (road warrior)
  • Links
  • Summary

    Introduction

    It is the aim of this document to give some examples for setting up IPsec between different operating systems. Tested platforms were OpenBSD 3.3, GNU/Linux using Super-FreeS/WAN 1.99_kb4, Kame/NetBSD 1.6.1, Windows 2000 and PGPNet on WindowsME.

    FreeBSD was not tested, but configuration should be similar to NetBSD as both use Kame IPv6 and IPsec. The IPsec implementation of the upcoming Linux 2.6 release provides a Kame compatible userland-interface, so the here provided examples for NetBSD should be suitable as well.

    Given configuration files will be minimal and focused on an interoperable setup. Therefor a very simple LAN of severel boxes is used and only host-to-host connections will be covered.

    Extending the following examples to reallife VPN configurations, e.g. host-to-network or network-to-network, will not affect the basic setup concerning interoperability.

    UP

    General Configuration

    In the following examples all IPsec clients and gateways use the following main mode configuration:

  • 3DES encryption
  • SHA and MD5 hmacs
  • RSA-based authentication using X509 certificates
  • MODP 1024 for Diffie-Hellman exponentiations
  • 3600 seconds lifetime for IKE security associations

    These quick mode parameters are used:

  • tunnel mode
  • AES encryption
  • SHA and MD5 hmacs
  • perfect forward secrecy using MODP 1024
  • 600 secondes lifetime for IPsec security associations

    For all systems I present configuration for two typical applications:

  • VPN gateway with tunnels to other gateways and anonymous tunnels for road warriors.
  • Road warrior machine connecting to its home gateway.

    We will use X509 certificates to authenticate the quick mode exchanges. Therefore we need the following items:

  • The certificate of the certification authority (CA) which signes our client certificates.
  • For each machine (gateways and clients) one client certificate signed by the CA.
  • For each certificate the corresponding private key.

    In the examples, the file cacert.pem contains the PEM-encoded CA certificate. The certificates of the gateways and clients are called fqdn.pem and the private key fqdn.priv. By the way, make sure to set the permission of the privte keys to 0400.

    How these certificates and keys are generated is described in this document.

    UP

    The sample Network

    The sample network consists of the following machines (some of them are actually VMware guests):

  • openbsd1.as10.net (192.168.3.19, OpenBSD 3.3), gateway for the private network 192.168.233.0/24
  • linux1.as10.net (192.168.3.11, Debian GNU/Linux unstable with Super-FreeS/WAN 1.99_kb4), gateway for the private network 172.16.235.0/24
  • netbsd1.as10.net (192.168.3.21, NetBSD 1.6.1), gateway for the private network 172.16.89.0/24
  • win2000.as10.net (192.168.3.64, Windows2000), no private network attached
  • roadwarrior[1234].as10.net (192.168.3.X (dynamic address), running WinMe with PGPNet, OpenBSD 3.3, Debian GNU/Linux with Super-FreeS/WAN and NetBSD 1.6.1)

    Openbsd1, linux1, netbsd1 and win2000 are gateways and are connected to each other using an IPsec tunnel. The roadwarrior[1234].as10.net machines obtain arbitrary dynamic IP adresses and also connect to the gateways using IPsec tunnels.

    UP

    OpenBSD 3.3

    The ISAKMP/IKE-daemon of OpenBSD ist called isakmpd and all necessary configuration files are located in /etc/isakmpd: 
       # ls /etc/isakmpd
   ca/             crls/           isakmpd.policy  private/
   certs/          isakmpd.conf    keynote/
    The CA certificate is stored in ca/, the machines certificate in certs/ and the private key in private/: 
       # ls -l ca/ certs/ private/
   ca/:
   total 4
   -r--r--r--  1 root  wheel  1379 Jun 16 21:21 cacert.pem

   certs/:
   total 10
   -r--r--r--  1 root  wheel  4312 Jun 16 21:21 openbsd1.as10.net.pem

   private/:
   total 4
   -r--------  1 root  wheel  1679 Jun 16 21:21 openbsd1.as10.net.priv
    Note the permissions for the private key!

    There are two configuration files for isakmpd: isakmpd.conf and isakmpd.policy. isakmpd.conf is the main configuartion file and isakmpd.policy defines rules for authenticating quick mode exchanges. 

       # Incoming phase 1 negotiations are multiplexed on the source IP address
   [Phase 1]
   Default=	ISAKMP-peer-void

   # These connections are walked over after config file parsing and told
   # to the application layer so that it will inform us when traffic wants to
   # pass over them.  This means we can do on-demand keying.
   [Phase 2]
   Connections=IPsec-openbsd1-gate

   # The peers
   [ISAKMP-peer-void]
   Phase=		1
   Transport=		udp
   Local-address=	192.168.3.19
   Configuration=	Default-main-mode
   ID=			openbsd1-ID

   [ISAKMP-peer-linux1]
   Phase=		1
   Transport=		udp
   Local-address=	192.168.3.19
   Address=		192.168.3.11
   Configuration=	Default-main-mode
   ID=			openbsd1-ID
   Remote-ID=		gate-ID

   [ISAKMP-peer-netbsd1]
   Phase=		1
   Transport=		udp
   Local-address=	192.168.3.19
   Address=		192.168.3.21
   Configuration=	Default-main-mode
   ID=			openbsd1-ID
   Remote-ID=		netbsd1-ID

   [ISAKMP-peer-win2000]
   Phase=		1
   Transport=		udp
   Local-address=	192.168.3.19
   Address=		192.168.3.64
   Configuration=	Default-main-mode
   ID=			openbsd1-ID
   Remote-ID=		win2000-ID

   [openbsd1-ID]
   ID-type=		FQDN
   Name=		openbsd1.as10.net

   [linux1-ID]
   ID-type=		FQDN
   Name=		linux1.as10.net

   [netbsd1-ID]
   ID-type=		FQDN
   Name=		netbsd1.as10.net

   [win2000-ID]
   ID-type=		FQDN
   Name=		win2000.as10.net

   # The connections
   [IPsec-openbsd1-void]
   Phase=		2
   Configuration=	Default-quick-mode
   Local-ID=		Net-default
   Remote-ID=		Net-remote

   [IPsec-openbsd1-linux1]
   Phase=		2
   ISAKMP-peer=		ISAKMP-peer-gate
   Configuration=	Default-quick-mode
   Local-ID=		Host-openbsd1
   Remote-ID=		Host-linux1

   [IPsec-openbsd1-netbsd1]
   Phase=		2
   ISAKMP-peer=		ISAKMP-peer-gate
   Configuration=	Default-quick-mode
   Local-ID=		Host-openbsd1
   Remote-ID=		Host-netbsd1

   [IPsec-openbsd1-win2000]
   Phase=		2
   ISAKMP-peer=		ISAKMP-peer-gate
   Configuration=	Default-quick-mode
   Local-ID=		Host-openbsd1
   Remote-ID=		Host-win2000

   # The networks
   [Net-default]
   ID-type=	IPV4_ADDR
   Address=	0.0.0.0

   [Net-remote]
   ID-type=	IPV4_ADDR
   Address=	0.0.0.0

   [Host-openbsd1]
   ID-type=	IPV4_ADDR
   Address=	192.168.3.19

   [Host-linux1]
   ID-type=	IPV4_ADDR
   Address=	192.168.3.11

   [Host-netbsd1]
   ID-type=	IPV4_ADDR
   Address=	192.168.3.21

   [Host-win2000]
   ID-type=	IPV4_ADDR
   Address=	192.168.3.64

   # Main mode descriptions
   [Default-main-mode]
   EXCHANGE_TYPE=	ID_PROT
   Transforms=		3DES-SHA,3DES-MD5

   # Quick mode descriptions
   [Default-quick-mode]
   EXCHANGE_TYPE=	QUICK_MODE
   Suites=		QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE

   # #####################################################################

   [General]
   Policy-File=		/etc/isakmpd/isakmpd.policy
   Retransmits=		3
   Exchange-max-time=	120
   Listen-on=		192.168.3.19
   Renegotiate-on-HUP=  yes

   # KeyNote credential storage
   [KeyNote]
   Credential-directory=/etc/isakmpd/keynote/

   # Certificates stored in PEM format
   [X509-certificates]
   CA-directory=	/etc/isakmpd/ca/
   Cert-directory=	/etc/isakmpd/certs/
   Private-key=		/etc/isakmpd/private/openbsd1.as10.net.priv

   # Main mode transforms
   ######################

   # 3DES
   [3DES-SHA]
   ENCRYPTION_ALGORITHM=   3DES_CBC
   HASH_ALGORITHM=         SHA
   AUTHENTICATION_METHOD=  RSA_SIG
   GROUP_DESCRIPTION=      MODP_1024
   Life=                   LIFE_3600_SECS

   [3DES-MD5]
   ENCRYPTION_ALGORITHM=   3DES_CBC
   HASH_ALGORITHM=         MD5
   AUTHENTICATION_METHOD=  RSA_SIG
   GROUP_DESCRIPTION=      MODP_1024
   Life=                   LIFE_3600_SECS

   # Quick mode protection suites
   ##############################

   # AES
   [QM-ESP-AES-SHA-PFS-SUITE]
   Protocols=              QM-ESP-AES-SHA-PFS

   [QM-ESP-AES-MD5-PFS-SUITE]
   Protocols=              QM-ESP-AES-MD5-PFS

   # Quick mode protocols
   ######################

   # AES
   [QM-ESP-AES-SHA-PFS]
   PROTOCOL_ID=            IPSEC_ESP
   Transforms=             QM-ESP-AES-SHA-PFS-XF

   [QM-ESP-AES-MD5-PFS]
   PROTOCOL_ID=            IPSEC_ESP
   Transforms=             QM-ESP-AES-MD5-PFS-XF

   # Quick mode transforms
   #######################

   # AES
   [QM-ESP-AES-SHA-PFS-XF]
   TRANSFORM_ID=            AES
   ENCAPSULATION_MODE=      TUNNEL
   AUTHENTICATION_ALGORITHM=HMAC_SHA
   GROUP_DESCRIPTION=       MODP_1024
   Life=                    LIFE_600_SECS

   [QM-ESP-AES-SHA-MD5-XF]
   TRANSFORM_ID=            AES
   ENCAPSULATION_MODE=      TUNNEL
   AUTHENTICATION_ALGORITHM=HMAC_MD5
   GROUP_DESCRIPTION=       MODP_1024
   Life=                    LIFE_600_SECS

   # Lifetimes
   ###########

   [LIFE_600_SECS]
   LIFE_TYPE=              SECONDS
   LIFE_DURATION=          600,450:720

   [LIFE_3600_SECS]
   LIFE_TYPE=              SECONDS
   LIFE_DURATION=          3600,1800:7200

    UP

    GNU/Linux

    /etc/ipsec.conf 
       # /etc/ipsec.conf - FreeS/WAN IPsec configuration file

   # basic configuration
   config setup
	   interfaces=%defaultroute
	   klipsdebug=none
	   plutodebug=none
	   plutoload=%search
	   plutostart=%search
	   uniqueids=yes

   # defaults for subsequent connection descriptions
   conn %default
	   keyingtries=0
	   ikelifetime=1h
	   rekeymargin=2m
	   keylife=10m
	   disablearrivalcheck=no
	   esp=aes128-sha1
	   authby=rsasig
	   left=192.168.3.11
	   leftnexthop=%defaultroute
	   leftcert=linux1.as10.net.pem
	   leftid=@linux1.as10.net
	   rightrsasigkey=%cert
	   auto=start

   conn linux1-void
	   auto=add
	   right=@any

   conn linux1-openbsd1
	   auto=start
	   right=192.168.3.19
	   rightid=@openbsd1.as10.net

   conn linux1-netbsd1
	   auto=start
	   right=192.168.3.21
	   rightid=@netbsd1.as10.net

   conn linux1-win2000
	   auto=start
	   right=192.168.3.64
	   rightid=@win2000.as10.net
    /etc/ipsec.secrets 
       : RSA linux1.as10.net.priv
    Files in /etc 
       # ls /etc/ipsec.d
   cacerts/  crls/  linux1.as10.net.pem  private/

   # ls /etc/ipsec.d/cacerts
   cacert.pem

   # ls -l /etc/ipsec.d/private/
   total 4
   -r--------    1 root     root         1679 Jun 22 20:26 linux1.as10.net.priv

    UP

    Kame/NetBSD 1.6.1

    The stock NetBSD kernel has no IPsec enabled. Therefore you have to compile your own kernel (for details see the NetBSD Kernel FAQ). Uncomment these lines in the configuration file for the generic kernel (/usr/src/sys/arch/i386/conf/GENERIC): 
       options 	IPSEC		# IP security
   options 	IPSEC_ESP	# IP security (encryption part; define w/IPSEC)
    Then recompile and after a reboot IPsec is enabled.

    With NetBSD/KAME the IPsec SAs are configured using the setkey (8) command. As soon as some IP packets are bound to use these SAs, the ISAKMP/IKE daemon called racoon (8) is notified and the keys for IPsec SAs are negotiated.

    To install IPsec SAs and start the racoon (8) automatically on system startup add these to lines to /etc/rc.conf: 

       # tail -2 /etc/rc.conf
   ipsec=yes
   racoon=YES
    The file /etc/ipsec.conf contains the arguments for setkey (8): 
       # netbsd1.as10.net - openbsd1.as10.net
   spdadd 172.16.89.0/24 192.168.233.0/24 any -P out ipsec
	   esp/tunnel/192.168.3.21-192.168.3.19/require;
   spdadd 192.168.233.0/24 172.16.89.0/24 any -P in  ipsec
	   esp/tunnel/192.168.3.19-192.168.3.21/require;

   # netbsd1.as10.net - linux1.as10.net
   spdadd 172.16.89.0/24 172.16.235.0/24 any -P out ipsec
	   esp/tunnel/192.168.3.21-192.168.3.11/require;
   spdadd 172.16.235.0/24 172.16.89.0/24 any -P in  ipsec
	   esp/tunnel/192.168.3.11-192.168.3.21/require;
    As IPsec SAs are unidirectional we have to define two SAs for each tunnel: One outgoing and one incoming SA. spdadd adds a new SA to the kernel.

    Let's have a closer look on the tunnel between netbsd1 and openbsd1: The first two arguments for spdadd are the source and destination addresses of IP datagrams which shall use this SA. The private networks attached to netbsd1 and openbsd1 are 172.16.89.0/24 and 192.168.233.0/24 respectively. Thus on netbsd1 the source address for the outgoing SA is 172.16.89.0/24 and the destination address is 192.168.233.0/24. The third argument "any" tells the kernel to send any protocol type through this SA. For example we could say "tcp" to send only TCP segments through this SA.

    With "-P" we define the policy for this SA: "out ipsec" tells the kernel that this is an outgoing SA and "in ipsec" an incoming SA. The last -- rather long argument -- describes the IPsec protocol to be applied for this policy. For the outgoing SA this is ESP in tunnel mode between netbsd1 and openbsd1. The "require" keyword tells the kernel to drop any packet, which matches this SA but is not protected by IPsec. This is important! If we would use the keyword "use", the kernel would also accept non-protected packets. For our VPN-scenario this is not acceptable.

    Before we can use racoon (8) we have to prepare our certificates and the private key. All these items are stored in the directory /etc/openssl/certs: 

       # ls /etc/openssl
   certs/   misc/    private/

   # ls -l /etc/openssl/certs
   total 9
   lrwxr-xr-x  1 root  wheel    10 Aug 13 01:38 938565a9.0 -> cacert.pem
   -r--r--r--  1 root  wheel  1379 Aug 13 01:37 cacert.pem
   -r--r--r--  1 root  wheel  4305 Aug 13 01:36 netbsd1.as10.net.pem
   -r--------  1 root  wheel  1679 Aug 13 01:36 netbsd1.as10.net.priv
    Again, make sure to keep the private key readable only for root! racoon (8) uses the hash of the CA certificate to identify the file which contains this certificate and expects this file to be named "hashvalue.0". Use this command to create an appropriately named link to cacert.pem: 
       ln -sf cacert.pem `openssl x509 -noout -hash -infile cacert.pem`.0

    The configuration file for racoon is /etc/racoon/racoon.conf: 

       path certificate "/etc/openssl/certs" ;
   log notify;

   # phase 1 proposals (for IKE SA)
   # openbsd1.as10.net
   remote 192.168.3.19
   {
	   exchange_mode main;
	   my_identifier fqdn "netbsd1.as10.net";
	   peers_identifier fqdn "openbsd1.as10.net";
	   certificate_type x509 "netbsd1.as10.net.pem" "netbsd1.as10.net.priv" ;
	   lifetime time 1 hour ;	# sec,min,hour
	   passive off ;
	   proposal {
		   encryption_algorithm 3des;
		   hash_algorithm sha1;
		   authentication_method rsasig ;
		   dh_group 2 ;
	   }
	   proposal {
		   encryption_algorithm 3des;
		   hash_algorithm md5;
		   authentication_method rsasig ;
		   dh_group 2 ;
	   }
	   proposal_check obey;
   }

   # linux1.as10.net
   remote 192.168.3.11
   {
	   exchange_mode main;
	   my_identifier fqdn "netbsd1.as10.net";
	   peers_identifier fqdn "linux1.as10.net";
	   certificate_type x509 "netbsd1.as10.net.pem" "netbsd1.as10.net.priv" ;
	   lifetime time 1 hour ;	# sec,min,hour
	   passive off ;
	   proposal {
		   encryption_algorithm 3des;
		   hash_algorithm sha1;
		   authentication_method rsasig ;
		   dh_group 2 ;
	   }
	   proposal {
		   encryption_algorithm 3des;
		   hash_algorithm md5;
		   authentication_method rsasig ;
		   dh_group 2 ;
	   }
	   proposal_check obey;
   }

   # from the void
   remote anonymous
   {
	   exchange_mode main;
	   my_identifier fqdn "netbsd1.as10.net";
	   certificate_type x509 "netbsd1.as10.net.pem" "netbsd1.as10.net.priv" ;
	   lifetime time 1 hour ;	# sec,min,hour
	   passive on;
	   generate_policy on;
	   proposal {
		   encryption_algorithm 3des;
		   hash_algorithm sha1;
		   authentication_method rsasig ;
		   dh_group 2 ;
	   }
	   proposal {
		   encryption_algorithm 3des;
		   hash_algorithm md5;
		   authentication_method rsasig ;
		   dh_group 2 ;
	   }
	   proposal_check obey;
   }

   # phase 2 proposal (for IPsec SA).
   # quick mode description for all connections
   sainfo anonymous
   {
	   pfs_group 2;
	   lifetime time 10 min ;
	   encryption_algorithm rijndael;
	   authentication_algorithm hmac_sha1, hmac_md5 ;
	   compression_algorithm deflate ;
   }

    UP

    Windows2000 (gateway)

    UP

    WindowsME with PGPNet (road warrior)

    UP

    Links

    Some useful links:
  • http://www.openbsd.org/ -- OpenBSD
  • very detailed german documentation for replacing WEP with IPsec from the guys at http://www.openbsd.de/
  • http://www.kame.net/ -- The Kame Stack
  • http://www.freeswan.org/ -- FreeS/WAN
  • http://www.freeswan.ca/ -- Super FreeS/WAN, a patched up FreeS/WAN
  • examples by Johan Allard
  • an overview of IPsec implementations for Linux by Nico Schottelius

    UP

    Summary

    Enjoy!

    UP

    $Id: HOWTO.html,v 1.16 2003/08/17 09:22:23 hshoexer Exp $