3.5. IPSec
IPSec is a new protocol that sits on top of IP that provides ad-hoc encrypted links between 2 hosts on the Internet. The IPSec implementation is mandatory for IPv6 and can be added to IPv4. If IPSec is part of IPv6, it does not mean that it is deployed by network managers. IPSec is not simple to implement due to the difficulty of having mechanisms to exchange keys automatically between machines. DNS can help, but it is not mainstream, and well known Certificate Authorities do not yet deliver adequate certification facilities for a wide deployement in the enterprise.
3.5.1. FreeS/WAN
FreeS/WAN is a popular implementation of IPSec for GNU/Linux. At its current version (1.9.7) it needs to be patched to incorporate X.509 capability. You can find a patched version on this site. Some GNU/Linux distrubutions have applied the patch for you so check your package. The advantage of this version is that you can use openssl to create certificates to use with FreeS/WAN and DNS CERT records, but more specifically you can interact with the Microsoft Implementation of IPSec. For more information check Nate's page.
3.5.1.1. FreeS/WAN gateway machine
Generate a certificate with the CN beeing the fully qualified domain name of your IPSec gateway: host.example.com. Do not forget to sign the certificate. You have two files newcert.pem and newreq.pem. The file newreq.pem contains the private key and some extra information therefore needs to be edited to contain only the private key. Delete everything outside the --BEGIN RSA PRIVATE KEY-- and --END RSA PRIVATE KEY--. Move the files to the appropriate locations on your gateway machine. Make sure that you do that securely. On my distribution all configuration files for FreeS/WAN are located in /etc/freeswan, it could be different in yours.
mv newreq.pem /etc/freeswan/ipsec.d/private/host.example.com.key mv newcert.pem /etc/freeswan/ipsec.d/host.example.com.pem |
Copy also your root certificate to the FreeS/WAN configuration directory. Copy only the certificate, not the key.
mv cacert.pem /etc/freeswan/ipsec.d/cacerts |
Generate a certificate revocation list or copy yours to the right location.
openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem |
Still on the gateway machine, configure the ipsec.secrets file by including the line:
: RSA host.example.com.key “password” |
The password being the one used to generate the key pair. Configure ipsec.conf as following:
config setup interfaces=%defaultroute klipsdebug=none plutodebug=none plutoload=%search plutostart=%search uniqueids=yes conn %default keyingtries=1 compress=yes disablearrivalcheck=no authby=rsasig leftrsasigkey=%cert rightrsasigkey=%cert conn roadwarrior-net leftsubnet=<your_subnet>/<your_netmask> also=roadwarrior conn roadwarrior right=%any left%defaultroute leftcert=host.example.com.pem auto=add pfs=yes |
As you can see there are 2 connections beeing established, one to the gateway machine and one to the network behind the gateway machine. This is particulary useful if you are operating some kind of firewall/NAT on your gateway machine. The configuration is such that anybody with a valid certificate will be able to connect to the gateway machine.
3.5.1.2. FreeS/WAN client machine
The procedure is similar, you need to generate a certificate for the client machine with the CN being the fully qualified domain name of the client machine, for instance clienthost.example.com. This certificate must be signed by the same signing authorithy as the gateway certificate. This is how the link will be authorised.
As with the gateway copy the following files securely to the configuration directories:
mv newreq.pem /etc/freeswan/ipsec.d/private/clienthost.example.com.key mv newcert.pem /etc/freeswan/ipsec.d/clienthost.example.com.pem |
Copy also your root certificate to the FreeS/WAN configuration directory. Copy only the certificate, not the key.
mv cacert.pem /etc/freeswan/ipsec.d/cacerts |
Generate a certificate revocation list or copy yours to the right location.
openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem |
Finally you need to copy also the certificate (not the private key) of your gateway machine
mv host.example.com.pem /etc/fresswan/ipsec.d/host.example.com.pem |
Similarly edit your ipsec.secrets file to load the client private key
: RSA clienthost.example.com.key “password” |
and edit the ipsec.conf as follows to enable the connection:
config setup interfaces=%defaultroute klipsdebug=none plutodebug=none plutoload=%search plutostart=%search uniqueids=yes conn %default keyingtries=0 compress=yes disablearrivalcheck=no authby=rsasig leftrsasigkey=%cert rightrsasigkey=%cert conn roadwarrior-net left=(ip of host) leftsubnet=(gateway_host_subnet)/(gateway_host_netmask) also=roadwarrior conn roadwarrior left=(ip of host) leftcert=host.example.com.pem right=%defaultroute rightcert=clienthost.example.com.pem auto=add pfs=yes |
Now you can start the VPN link
ipsec auto --up roadwarrior ipsec auto --up roadwarrior-net |
To start the link automatically, replace in the configuration file 'auto=add' by 'auto=start'
3.5.1.3. MS Windows 2000/XP client machine
The procedure is the same as for the FreeS/WAN client. Generate a certificate with a CN of winhost.example.com, but you will have to convert this certificate into a .p12 file. Follow the procedure in the chapter “Using this certificate with MS-Outlook” but ensure that the .p12 file is bundled with the root CA certificate: winhost.example.com.p12
Additionally note the output of:
openssl x509 -in cacert.pem -noout -subject |
Copy this file securely to the MS-Windows machine.
You know need to install Marcus Muller's ipsec.exe utility in for instance c:\ipsec directory.
Open Microsoft Management Console (MMC), in 'Add/Remove Snap-in' click on 'Add' then click on 'Certificates', then 'Add' Select 'Computer Account', and 'Next'. Select 'Local computer', and 'Finish'. Click on 'IP Security Policy Management', and 'Add'. Select 'Local Computer', and 'Finish' click 'Close' then 'OK'
Now you can add the .p12 certificate
Click the plus arrow by 'Certificates (Local Computer)' then right-click 'Personal', and click 'All Tasks' then 'Import' click 'Next'. Type the path to the .p12 file (or browse and select the file), and click 'Next'. Type the export password, and click 'Next'. Select 'Automatically select the certificate store based on the type of certificate', and click 'Next'. Click 'Finish', and say yes to any prompts that pop up. Exit the MMC, and save it as a file so you don't have to re-add the Snap In each time.
Install ipsecpol.exe (Windows 2000) or ipseccmd.exe (Windows XP) as described in the documentation for the ipsec utility. Edit your ipsec.conf (on the windows machine), replacing the "RightCA" with the output of the 'openssl x509 -in cacert.pem -noout -subject'; reformatted as below (you need to change the /'s to commas, and change the name of some of the fields -- just follow the example below):
conn roadwarrior left=%any right=(ip_of_remote_system) rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root" network=auto auto=start pfs=yes conn roadwarrior-net left=%any right=(ip_of_remote_system) rightsubnet=(your_subnet)/(your_netmask) rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root" network=auto auto=start pfs=yes |
Start the link
Run the command 'ipsec.exe'. Here's example output:
C:\ipsec>ipsec IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller Getting running Config ... Microsoft's Windows XP identified Host name is: (local_hostname) No RAS connections found. LAN IP address: (local_ip_address) Setting up IPSec ... Deactivating old policy... Removing old policy... Connection roadwarrior: MyTunnel : (local_ip_address) MyNet : (local_ip_address)/255.255.255.255 PartnerTunnel: (ip_of_remote_system) PartnerNet : (ip_of_remote_system)/255.255.255.255 CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root... PFS : y Auto : start Auth.Mode : MD5 Rekeying : 3600S/50000K Activating policy... Connection roadwarrior-net: MyTunnel : (local_ip_address) MyNet : (local_ip_address)/255.255.255.255 PartnerTunnel: (ip_of_remote_system) PartnerNet : (remote_subnet)/(remote_netmask) CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root... PFS : y Auto : start Auth.Mode : MD5 Rekeying : 3600S/50000K Activating policy... C:\ipsec> |
Now, ping your gateway host. It should say 'Negotiating IP Security' a few times, and then give you ping responses. Note that this may take a few tries; from a T1 hitting a VPN server on a cable modem, it usually takes 3-4 pings. Do the same for the internal network on the remote end, and you should be up!