===================
 Linux IPsec setup
===================

:Date: |date|
:Authors: |authors|
:Contact: mattcen@gmail.com
:Abstract: An introduction to using IPsec (via the ipsec-tools and
    racoon packages) in Debian Squeeze

.. include:: ipsec-doc.meta
.. This file is marked up in reStructured Text format. Please
   familiarize yourself with the reST before making changes at
   http://docutils.sf.net/rst.html

   While perfectly readable in plain text, it looks much better when
   re-rendered as HTML or PDF. If you are so inclined, it can be converted at
   http://rst2a.com/create/file/ or using docutils.

.. contents::

Scenario
========

Let's assume that we have two routers, Alice and Bob, both of which have
one interface connected to a LAN (LAN A and LAN B respectively), and
a second interface connected to each other via Charlie which is
representative of the Internet.

Despite the use of private IP addresses, all networks in the 172.16/12
and 10/8 range below are routable. The managment network (192.168.12/24)
is simply so that I can easily log into each host for configuration;
Each host does have a default route to the real internet via that
network, but it shouldn't need to be used.

Note that the host I've labelled "Management" does NAT to the internet.

So we have the following scenario. I'll assume that all routing and IP
addressing is configured correctly as per the below diagram::

          +-------+
          | LAN A |
          +-------+
  172.16.1/24 |
              |
   172.16.1.1 |
          +-------+ 192.168.12.2
          | Alice |--------+
          +-------+         \
     10.0.1.2 |              \
              |               \
              |                \
      Alpha   |                 \
  (10.0.1/24) |                  \
              |                   \
              |                    \
     10.0.1.1 |                     \  192.168.12.1
         +---------+ 192.168.12.4    \+------------+   **********
         | Charlie |-----------------+| Management |--* Internet *
         +---------+                 /+------------+   **********
     10.0.2.1 |                     /
              |                    /
              |                   /
      Beta    |                  /
  (10.0.2/24) |                 /
              |                /
              |               /
     10.0.2.2 |              /
           +-----+          /
           | Bob |---------+
           +-----+ 192.168.12.4
   172.16.2.1 |
              |
  172.16.2/24 |
          +-------+
          | LAN B |
          +-------+

Objective
=========

Our objective is to ensure encrypted communication between all of LAN A
(including Alice) and all of LAN B (including Bob) such that Charlie
(which, in hindsight, should probably have been called Eve) can't snoop
the traffic.

Note that at present I have no firewall configured on any of the hosts.

Configuration
=============

#.  First off, Set up an x509 CA, and create keys and certs for both Alice
    and Bob::

      certtool --generate-privkey --outfile CA.key.pem
      cat > CA.info <<EOF
      cn = Example Company
      ca
      EOF
      certtool --generate-self-signed \
        --load-privkey CA.key.pem \
        --template CA.info \
        --outfile CA.cert.pem

      for host in alice bob
      do
        certtool --generate-privkey --outfile "$host".key.pem
        cat > "$host".info <<EOF
      organization = Example Company
      cn = "$host".example.com
              dns_name = "$host".example.com
              dns_name = "$host"
      tls_www_server
      encryption_key
      signing_key
      EOF
        certtool --generate-certificate \
          --load-privkey "$host".key.pem \
          --load-ca-certificate CA.cert.pem \
          --load-ca-privkey CA.key.pem \
          --template "$host".info \
          --outfile "$host".cert.pem
      done

    **NOTE:** Racoon was very picky about which certificates it
    accepted. I had a certificate with several other dns_name entries
    as well as an ip_address entry for 127.0.0.1, and Racoon wouldn't
    connect using it. I've only had this work using the two
    dns_entries above (FQDN and local). I'm not exactly sure what the
    trick it, whether it's an order problem or the existence of other
    entries at all, but at least I know what works and can tweak that
    to see when it breaks.

#.  Copy alice.{key,cert}.pem and CA.cert.pem to alice:/etc/racoon/certs
    (You'll probably have to create this directory), and do equivalent
    with Bob.

#.  On both on Alice and bob, while in /etc/racoon/certs, run::

      ln -s CA.cert.pem "$(openssl x509 -noout -hash -in CA.cert.pem).0"

    This command gets some hashed value out of the CA certificate, and
    uses it as the name for a symlink to the cert. This is apparently used
    as a kind of index to help follow the certificate heirarchy. racoon
    wouldn't work without this symlink.

#.  Create files as follows, which works for direct Alice <-> Bob
    communication, as well as traffic forwarded between Alice's and Bob's
    respective LANs::

      root@alice:~# grep -Ev '^[[:space:]]*(#|$)' /etc/racoon/racoon.conf
      path pre_shared_key "/etc/racoon/psk.txt";
      path certificate "/etc/racoon/certs";
      log notify;
      remote anonymous {
              proposal {
                      encryption_algorithm 3des;
                      hash_algorithm sha1;
                      authentication_method rsasig;
                      dh_group modp1024;
              }
              certificate_type x509 "alice.cert.pem" "alice.key.pem";
              my_identifier fqdn "alice.example.com";
              verify_identifier on;
              exchange_mode main;
      }
      remote 10.0.2.2 inherit anonymous {
              peers_identifier fqdn "bob.example.com";
      }
      sainfo anonymous {
              pfs_group modp1024;
              encryption_algorithm aes,3des;
              authentication_algorithm hmac_sha1,hmac_md5;
              compression_algorithm deflate;
      }
      root@alice:/etc# grep -Ev '^[[:space:]]*(#|$)' /etc/ipsec-tools.conf
      flush;
      spdflush;
      spdadd 10.0.1.2 10.0.2.2 any -P out ipsec
                 esp/transport//require
                 ah/transport//require;
      spdadd 10.0.2.2 10.0.1.2 any -P in ipsec
                 esp/transport//require
                 ah/transport//require;
      spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
                 esp/tunnel/10.0.1.2-10.0.2.2/require
                 ah/tunnel/10.0.1.2-10.0.2.2/require;
      spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
                 esp/tunnel/10.0.2.2-10.0.1.2/require
                 ah/tunnel/10.0.2.2-10.0.1.2/require;



      root@bob:~# grep -Ev '^[[:space:]]*(#|$)' /etc/racoon/racoon.conf
      path pre_shared_key "/etc/racoon/psk.txt";
      path certificate "/etc/racoon/certs";
      log notify;
      remote anonymous {
              proposal {
                      encryption_algorithm 3des;
                      hash_algorithm sha1;
                      authentication_method rsasig;
                      dh_group modp1024;
              }
              certificate_type x509 "bob.cert.pem" "bob.key.pem";
              my_identifier fqdn "bob.example.com";
              verify_identifier on;
              exchange_mode main;
      }
      remote 10.0.1.2 inherit anonymous {
              peers_identifier fqdn "alice.example.com";
      }
      sainfo anonymous {
              pfs_group modp1024;
              encryption_algorithm aes,3des;
              authentication_algorithm hmac_sha1,hmac_md5;
              compression_algorithm deflate;
      }
      root@bob:~# grep -Ev '^[[:space:]]*(#|$)' /etc/ipsec-tools.conf
      flush;
      spdflush;
      spdadd 10.0.2.2 10.0.1.2 any -P out ipsec
                 esp/transport//require
                 ah/transport//require;
      spdadd 10.0.1.2 10.0.2.2 any -P in ipsec
                 esp/transport//require
                 ah/transport//require;
      spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
                 esp/tunnel/10.0.2.2-10.0.1.2/require
                 ah/tunnel/10.0.2.2-10.0.1.2/require;
      spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec
                 esp/tunnel/10.0.1.2-10.0.2.2/require
                 ah/tunnel/10.0.1.2-10.0.2.2/require;

    **NOTE:** setkey interprets 172.16.1/24 as 172.16.0.1/24, **NOT**
    172.16.1.0/24 as you might expect. Make sure you explicitly specify
    all 4 octets of the IP address to avoid confusion.

    **NOTE:** It looks like the role of setkey can also be played by
    the 'ip xfrm policy' subcommand [#f1]_.

    **FIXME:** Should racoon.conf have 'ca_type x509 "CA.cert.pem";'
    below the 'certificate_type x509' line? Also, it appears that
    turning on NAT-T ('nat_traversal on;') shouldn't hurt (currently
    untested) as it allegedly only activates when it detects a NAT
    between peers.

#.  Restart racoon and setkey::

      /etc/init.d/setkey restart
      /etc/init.d/racoon restart

#.  Perform a ping from alice to bob, or vice-versa, and on one of the two
    hosts, run a tcpdump to confirm that traffic is encrypted.

Note on IPsec in Windows 7
==========================

I've not worked out the nuances of getting IPsec in Windows 7 talking
to racoon, but I've found *some* information, so here it is:

* If you run mmc.exe as an Administrator and add the Certificates
  Snap-In for the Computer Account (as opposed to the User or Service
  accounts) you can import your CA certificate to the Trusted Root
  Certificate Authorities section, and import your private host key
  and certificate into the Personal section. I had to have the host
  key and certificate in P12 format [#f2]_, which I obtained using the
  following::

    cat "$host".{cert,key}.pem > "$host".cert
    openssl pkcs12 -export -in "$host".pem -out "$host".p12

  I tried to do this with the following command, but despite not
  setting a password, the Windows machine insisted that the password I
  was entering (the empty string) was incorrect. I tried setting a
  password but this made no difference. Of note is that the certtool
  variant yeilds an ASCII file, while the openssl varient does not::

    certtool --load-certificate "$host".cert.pem \
      --load-privkey "$host".key.pem --to-p12 \
      --outfile "$host".p12

* Once you've got a certificate, you can also use the MMC window to
  add in the IP Security Policies snap-in. I'm not sure what this
  affects yet, but it's something to remember exists.

* The video [#f3]_ I watched indicated that the Windows Firewall with
  Advanced Security section was the place to set up an IPsec-encrypted
  LAN connection (for example). I set a policy in the Connection
  Security Rules, but racoon had various complaints about it and I
  gave up.


References
==========

* http://www.debian-administration.org/articles/37
* http://wiki.debian.org/IPsec
* http://www.sherman.ca/archives/2004/11/21/linux-26-ipsec-vpns/
* http://ospkibook.sourceforge.net/
* http://www.fukt.bsnet.se/~teddy/debian-ipsec
* http://wiki.debian.org/HowTo/AndroidVPNServer

.. [#f1]  https://plus.google.com/u/1/101331249670615452206/posts/ERnLaSkz1dS
.. [#f2] http://www.thetfp.com/tfp/tilted-technology/140412-how-export-ssl-certificate-linux-windows-iis.html
.. [#f3] http://technet.microsoft.com/en-us/video/using-certificates-for-ipsec-authentication.aspx

..  This comment provides hints for editors about what kind of file
    this is, and conventions to adhere to when editing it.  The page break
    (^L) above helps Emacs quickly locate this metadata.

    The Emacs major mode is set twice so that if rst.el (a non-standard
    library) isn't installed, Emacs will fall back on text mode instead
    of fundamental mode.

    Local Variables:
    mode: text
    mode: rst
    coding: utf-8
    indent-tabs-mode: nil
    fill-column: 70
    tab-width: 2
    End:

    vim: ft=rst fenc=utf-8 sts=2 sw=2 ts=2 tw=70 et :