Internet Protocol Security

From frogzie
Jump to navigation Jump to search

Internet Protocol Security (IPsec)

1 AIM

Configuring a Host-to-Host Virtual Private Network (VPN) with Internet Key Exchange (IKEv2) / Internet Protocol Security (IPsec) operated in Encapsulating Security Payload (ESP) Tunnel mode using the libreswan VPN software.

Note: In ESP tunnel mode, the entire original IP packets are encrypted and authenticated by IPsec.

Authentification: IKEv2 protocol using RSA (Rivest, Shamir, and Adelman) public-key encryption

Cryptographic algorithms

  • Secure Hash Algorithm (SHA): HMAC_SHA2_512
  • Cipher: AES_GCM_16_256  (256-bit AES-GCM with 128-bit ICV)

2 Nomenclature

AES Advanced Encryption Standard
ESP Encapsulating Security Payload
GCM Galois/Counter Mode
HMAC  Hash-based Message Authentication Code
ICV Integrity Check Value   (checksum)
IKE Internet Key Exchange
IPComp  IP Payload Compression Protocol
RFC Request For Comments
RSA Rivest–Shamir–Adleman cryptosystem
SHA Secure Hash Algorithm
VPN Virtual Private Network

3 Environment

Domain Name:   rshome.lan
Hosts IPv4 Hardware OS
cyber7 192.168.0.210 ThinkPad X230 CentOS 7.8
cyber8 192.168.0.53 ThinkPad X230 CentOS 8.1
Hosts IPv6 addresses
cyber7 2001:8003:22bc:1700:7787:2b17:cc6f:5b46
cyber8 2001:8003:22bc:1700:66be:1375:b866:a57b

Cryptographic policy   (as shown by command: update-crypto-policies --show)

  • Default

cf. RHEL-8 Security Hardening

The default system-wide cryptographic policy level offers secure settings for current threat models.

4 Host-to-Host IKE/IPsec VPN

Hereafter left refers to cyber7 and right to cyber8

4.1 Firewall

For both cyber7 and cyber8

  • firewall-cmd --add-service="ipsec"
  • firewall-cmd --runtime-to-permanent

4.2 VPN Software

For both cyber7 and cyber8

  • Install the VPN software
    • cyber7/CentOS-7:   yum install   libreswan
    • cyber8/CentOS-8:   dnf   install   libreswan
  • Start the IPsec service and enable it to automatically start at system boot
    • systemctl enable ipsec --now

4.3 RSA Key

  • On each cyber7 and cyber8, generate an RSA key pair
    ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets
  • Get the generated key’s ckaid from /etc/ipsec.d/hostkey.secrets and pass it to the following command
    cyber7:   ipsec showhostkey --left   --ckaid   ckaid
    cyber8:   ipsec showhostkey --right --ckaid   ckaid

4.4 IPv4

  • On each cyber7 and cyber8, create a file   /etc/ipsec.d/cyber-7-to-8.conf   as follows (include the RSA signature keys from the output of above ipsec showhostkey). This will define the IPsec tunnel rshometunnel
conn rshometunnel
#	auto=start	# create the tunnel when IPsec is started
	authby=rsasig
	leftid=cyber7@rshome.lan
	left=192.168.0.210
	leftrsasigkey=0sAwEAAb7a...lghDjX7l
	rightid=cyber8@rshome.lan
	right=192.168.0.53
	rightrsasigkey=0sAwEAAbQ...3xU1GcMZ
  • Activate the IPsec tunnel
    ipsec auto --add rshometunnel
    ipsec auto --up   rshometunnel
002 "rshometunnel" #55: initiating v2 parent SA
133 "rshometunnel" #55: initiate
133 "rshometunnel" #55: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "rshometunnel" #55: Received unauthenticated INVALID_KE_PAYLOAD response to DH DH19; resending with suggested DH MODP2048
133 "rshometunnel" #55: STATE_PARENT_I1: sent v2I1, expected v2R1
134 "rshometunnel" #56: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "rshometunnel" #56: IKEv2 mode peer ID is ID_USER_FQDN: 'cyber7@rshome.lan'
003 "rshometunnel" #56: Authenticated using RSA
002 "rshometunnel" #56: negotiated connection [192.168.0.53-192.168.0.53:0-65535 0] -> [192.168.0.210-192.168.0.210:0-65535 0]
004 "rshometunnel" #56: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xaf8e42ea <0x57661de3 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}

4.5 IPv6

  • On each cyber7 and cyber8, copy the file   /etc/ipsec.d/cyber-7-to-8.conf   to   /etc/ipsec.d/cyber-7-to-8-v6.conf
  • Edit the file
    • Change the connection name rshometunnel to rshometunnel6
    • Replace the left and right IPv4 adresses with their IPV6 counterparts
Note: the RSA signature keys are kept the same as for IPv4
conn rshometunnel6
#	auto=start	# create the tunnel when IPsec is started
	authby=rsasig
	leftid=cyber7@rshome.lan
	left=2001:8003:22bc:1700:7787:2b17:cc6f:5b46
	leftrsasigkey=0sAwEAAb7a...lghDjX7l
	rightid=cyber8@rshome.lan
	right=2001:8003:22bc:1700:66be:1375:b866:a57b
	rightrsasigkey=0sAwEAAbQ...3xU1GcMZ
  • Activate the IPsec tunnel
    ipsec auto --add rshometunnel6
    ipsec auto --up   rshometunnel6
002 "rshometunnel6" #57: initiating v2 parent SA
133 "rshometunnel6" #57: initiate
133 "rshometunnel6" #57: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "rshometunnel6" #57: Received unauthenticated INVALID_KE_PAYLOAD response to DH DH19; resending with suggested DH MODP2048
133 "rshometunnel6" #57: STATE_PARENT_I1: sent v2I1, expected v2R1
134 "rshometunnel6" #58: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "rshometunnel6" #58: IKEv2 mode peer ID is ID_USER_FQDN: 'cyber7@rshome.lan'
003 "rshometunnel6" #58: Authenticated using RSA
002 "rshometunnel6" #58: negotiated connection [2001:8003:22bc:1700:66be:1375:b866:a57b-2001:8003:22bc:1700:66be:1375:b866:a57b:0-65535 0] -> [2001:8003:22bc:1700:7787:2b17:cc6f:5b46-2001:8003:22bc:1700:7787:2b17:cc6f:5b46:0-65535 0]
004 "rshometunnel6" #58: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xe259f183 <0xee1e7c15 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}

5 Useful options and commands

5.1 Connection options

cf. ipsec.conf for the full list of configuration options

Some possible options to play with

auto=start Create the tunnel when IPsec is started (default: ignore).
compress=yes Propose IPComp compression of content on the connection (default: no).
phase2alg=enc‑auth  Specify the encryption/authentication algorithms for a phase2 negotiation (e.g. phase2alg=null-sha1 will specify an unencrypted VPN). The default is the recommended value by RFC 4106.
type=transport Type of the connection (default: tunnel).

5.2 Command line

  • Disable IPsec tunnels (to be done on each host)
    ipsec setup   restart     # (assuming "auto=start" hasn't been specified)
  • Enable IPsec tunnels (to be done on each host)
    ipsec auto --add   rshometunnel[6]
    ipsec auto   --up   rshometunnel[6]
  • Check the connection status (from any host)
    ipsec show
    ipsec trafficstatus
    ip xfrm state

More information

6 See also

Retrieved from "https://frogzie.duckdns.org/mediawiki/index.php?title=Internet_Protocol_Security&oldid=908"