strongSwan Workshop for Siemens

Slides:



Advertisements
Similar presentations
Information Security 2 (InfSi2)
Advertisements

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Header and Payload Formats
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Network Layer Security: IPSec
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-kivinen-mobike-design-00.txt Tero Kivinen
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.
K. Salah1 Security Protocols in the Internet IPSec.
strongSwan Workshop for Siemens
Andreas Steffen, , Siemens-5.pptx 1 strongSwan Workshop for Siemens Block 5 Building & Testing strongSwan Prof. Dr. Andreas Steffen
Linux Kongress 2009 Dresden
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.
Softwire Security Requirement draft-ietf-softwire-security-requirements-03.txt Softwires WG IETF#69, Chicago 25 th July 2007 Shu Yamamoto Carl Williams.
Andreas Steffen, , LinuxTag2008.ppt 1 LinuxTag 2008 Berlin strongSwan VPNs scalable and modularized! Prof. Dr. Andreas Steffen
Automatic VPN Client Recovery from IPsec Pass-through Failures Dr. José Brustoloni Dept. Computer Science, University of Pittsburgh 210 S. Bouquet St.
Andreas Steffen, Cisco-1.pptx 1 strongSwan Training for Cisco Session 1 Processes & Tasks Prof. Dr. Andreas Steffen
SMUCSE 5349/49 IP Sec. SMUCSE 5349/7349 Basics Network-level: all IP datagrams covered Mandatory for next-generation IP (v6), optional for current-generation.
TCP/IP Protocols Contains Five Layers
Firewalling With Netfilter/Iptables. What Is Netfilter/Iptables? Improved successor to ipchains available in linux kernel 2.4/2.6. Netfilter is a set.
Karlstad University IP security Ge Zhang
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
FreeS/WAN & VPN Cory Petkovsek VPN: Virtual Private Network – a secure tunnel through untrusted networks. IP Security (IPSec): a standardized set of authentication.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should.
Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
Virtual Private Network Chapter 4. Lecturer : Trần Thị Ngọc Hoa2 Objectives  VPN Overview  Tunneling Protocol  Deployment models  Lab Demo.
Mobile IPv6 with IKEv2 and revised IPsec architecture IETF 61
Introduction to Linux Firewall
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.
K. Salah1 Security Protocols in the Internet IPSec.
LINUX® Netfilter The Linux Firewall Engine. Overview LINUX® Netfilter is a firewall engine built into the Linux kernel Sometimes called “iptables” for.
SEC406 IPsec And NATs: Finally In harmony? Steve Riley Product Manager Security Business Unit Microsoft Corporation.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
Linux Firewall Iptables.
VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.
FIREWALL configuration in linux
Hping2.
Internet and Intranet Fundamentals
Network Security: IPsec
IT443 – Network Security Administration Instructor: Bo Sheng
תרגול 11 – אבטחה ברמת ה-IP – IPsec
Setting Up Firewall using Netfilter and Iptables
Firewalls By conventional definition, a firewall is a partition made
From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse)
Lecture 4a Mobile IP 1.
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

strongSwan Workshop for Siemens Block 4 Linux IPsec Stack & Netfilter Prof. Dr. Andreas Steffen andreas.steffen@strongswan.org

IPsec Policies in the Linux Kernel carol: ip -s xfrm policy src 10.1.0.0/24 dst 10.3.0.1/32 uid 0 dir in action allow index 800 priority 1760 ... lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2009-10-22 20:34:37 use 2009-10-22 20:34:39 tmpl src 192.168.0.1 dst 192.168.0.100 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel src 10.3.0.1/32 dst 10.1.0.0/24 uid 0 dir out action allow index 793 priority 1680 ... add 2009-10-22 20:34:37 use 2009-10-22 20:34:38 tmpl src 192.168.0.100 dst 192.168.0.1

IPsec Policies in the Linux Kernel moon: ip -s xfrm policy src 10.3.0.1/32 dst 10.1.0.0/24 uid 0 dir fwd action allow index 954 priority 1680 ... lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2009-10-22 20:34:36 use 2009-10-22 20:34:39 tmpl src 192.168.0.100 dst 192.168.0.1 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel src 10.1.0.0/24 dst 10.3.0.1/32 uid 0 dir out action allow index 937 priority 1760 ... tmpl src 192.168.0.1 dst 192.168.0.100

IPsec Security Associations in the Kernel carol: ip -s xfrm state src 192.168.0.100 dst 192.168.0.1 proto esp spi 0xc77ca4c3(3346834627) reqid 1(0x00000001) mode tunnel replay-window 32 seq 0x00000000 flag 20 (0x00100000) auth hmac(sha1) 0x98fe271fd31ba795f158ae17487cb85f8682aefc (160 bits) enc cbc(aes) 0x3d0567d65694fcbbfd3257f55b497d6a (128 bits) lifetime config: limit: soft 445929743(bytes), hard 500000000(bytes) limit: soft 871034(packets), hard 1000000(packets) expire add: soft 3065(sec), hard 3600(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 84(bytes), 1(packets) add 2009-10-22 20:34:37 use 2009-10-22 20:34:38 stats: replay-window 0 replay 0 failed 0 src 192.168.0.1 dst 192.168.0.100 proto esp spi 0xc46038e1(3294640353) reqid 1(0x00000001) mode tunnel auth hmac(sha1) 0x4e2b044e2835297d3f73bbf99289f369ae2d3ed5 (160 bits) enc cbc(aes) 0xd2d83f5d7e496ddc9483be57dbbb2757 (128 bits) ...

strongSwan Workshop for Siemens NAT-Traversal, MOBIKE, Dead Peer Detection

NAT-Traversal alice behind NAT router moon is initiator: 06[IKE] initiating IKE_SA nat-t[1] to 192.168.0.2 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 06[NET] sending packet: from 10.1.0.10[500] to 192.168.0.2[500] 05[NET] received packet: from 192.168.0.2[500] to 10.1.0.10[500] 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] 05[IKE] local host is behind NAT, sending keep alives 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ Idr ... ] 05[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] 04[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ... ] gateway sun is responder: 14[NET] received packet: from 192.168.0.1[1026] to 192.168.0.2[500] 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 14[IKE] 192.168.0.1 is initiating an IKE_SA 14[IKE] remote host is behind NAT 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ... ] 14[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[1026] 15[NET] received packet: from 192.168.0.1[1026] to 192.168.0.2[4500] 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ ... ] 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ... ] 15[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[1026]

ESP-in-UDP Encapsulation (RFC 3948) UDP-Encapsulated ESP Header Format Src Port (4500) Dst Port (4500) UDP Header Length Checksum Security Parameters Index ESP Header IKE Header Format for Port 4500 Src Port (4500) Dst Port (4500) UDP Header Length Checksum 0x00 0x00 0x00 0x00 Non-ESP Marker IKE Header IKE Header NAT-Keepalive Packet Format Src Port (4500) Dst Port (4500) UDP Header Length Checksum 0xFF Keepalive Payload

IKEv2 Connection Setup with MOBIKE I alice [eth1: 192.168.0.50 fec0::5 eth0: 10.1.0.10 fec1::10 ] 05[ENC] generating IKE_SA_INIT request [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 05[NET] sending packet: from 192.168.0.50[500] to 192.168.0.2[500] 06[NET] received packet: from 192.168.0.2[500] to 192.168.0.50[500] 06[ENC] parsed IKE_SA_INIT response [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] 06[ENC] generating IKE_AUTH req [ IDi .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 06[NET] sending packet: from 192.168.0.50[4500] to 192.168.0.2[4500] 07[NET] received packet: from 192.168.0.2[4500] to 192.168.0.50[4500] 07[ENC] parsed IKE_AUTH response [IDr .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 07[IKE] peer supports MOBIKE sun [eth0: 192.168.0.2 fec0::2 eth1: 10.2.0.1 fec2::1 ] 05[NET] received packet: from 192.168.0.50[500] to 192.168.0.2[500] 05[ENC] parsed IKE_SA_INIT request [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 05[ENC] generating IKE_SA_INIT response [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] 05[NET] sending packet: from 192.168.0.2[500] to 192.168.0.50[500] 06[NET] received packet: from 192.168.0.50[4500] to 192.168.0.2[4500] 06[ENC] parsed IKE_AUTH request [ IDi .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 06[IKE] peer supports MOBIKE 06[ENC] generating IKE_AUTH resp [ IDr .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 06[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.50[4500] With mobike=yes , port floating to 4500 by default

IKEv2 Connection Setup with MOBIKE II alice [eth1: 192.168.0.50 fec0::5 eth0: 10.1.0.10 fec1::10 ] 10[KNL] 192.168.0.50 disappeared from eth1 10[KNL] fec0::5 disappeared from eth1 10[KNL] interface eth1 deactivated 06[IKE] old path is not available anymore, try to find another 06[IKE] requesting address change using MOBIKE 06[ENC] generating INFORMATIONAL request 2 [ ] 06[IKE] checking original path 10.1.0.10[4500] - 192.168.0.2[4500] 06[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] 06[IKE] checking path 10.1.0.10[4500] - 10.2.0.1[4500] 06[NET] sending packet: from 10.1.0.10[4500] to 10.2.0.1[4500] 06[IKE] checking path fec1::10[4500] - fec0::2[4500] 06[NET] sending packet: from fec1::10[4500] to fec0::2[4500] 06[IKE] checking path fec1::10[4500] - fec2::1[4500] 06[NET] sending packet: from fec1::10[4500] to fec2::1[4500] 08[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] 08[ENC] parsed INFORMATIONAL response 2 [ ] 08[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_6_ADDR) ] 08[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] 04[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] 04[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ] 04[IKE] local host is behind NAT, sending keep alives

Activation of Dead Peer Detection #ipsec.conf for roadwarrior carol conn %default dpddelay=60 dpdaction=restart #ipsec.conf for gateway moon conn %default dpddelay=60 dpdaction=clear Oct 24 11:45:10 13[IKE] CHILD_SA home{1} established with SPIs c50810d9_i c8485f4a_o Oct 24 11:46:10 16[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] Oct 24 11:46:10 16[ENC] parsed INFORMATIONAL request 0 [ ] Oct 24 11:46:10 16[ENC] generating INFORMATIONAL response 0 [ ] Oct 24 11:46:10 16[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:09 09[IKE] sending DPD request Oct 24 11:47:09 09[ENC] generating INFORMATIONAL request 2 [ ] Oct 24 11:47:09 09[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:13 03[IKE] retransmit 1 of request with message ID 2 Oct 24 11:47:13 03[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:20 11[IKE] retransmit 2 of request with message ID 2 Oct 24 11:47:20 11[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:33 08[IKE] retransmit 3 of request with message ID 2 Oct 24 11:47:33 08[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:56 12[IKE] retransmit 4 of request with message ID 2 Oct 24 11:47:56 12[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:48:38 14[IKE] retransmit 5 of request with message ID 2 Oct 24 11:48:38 14[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:49:54 16[IKE] giving up after 5 retransmits Oct 24 11:49:54 16[IKE] restarting CHILD_SA home Oct 24 11:49:54 16[IKE] initiating IKE_SA home[2] to 192.168.0.1

strongSwan IKEv2 Retransmission Scheme # strongswan.conf charon { retransmit_tries = 5 retransmit_timeout = 4.0 retransmit_base = 1.8 } relative timeout = retransmit_timeout * retransmit_base ^ (n-1) Retransmission n Formula Relative timeout Absolute timeout n = 1 4s * 1.8^0 after 4s 4s n = 2 4s * 1.8^1 after 7s 11s n = 3 4s * 1.8^2 after 13s 24s n = 4 4s * 1.8^3 after 23s 47s n = 5 4s * 1.8^4 after 42s 89s giving up 4s * 1.8^5 after 76s 165s

strongSwan Workshop for Siemens Interworking with Linux Netfilter Firewall

NETKEY Hooks in Linux Netfilter

Full Integration with Linux Netfilter Firewall carol Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination 1 84 ACCEPT all eth0 * 10.1.0.0/24 10.3.0.1 policy match dir in pol ipsec reqid 1 proto 50 1 152 ACCEPT esp eth0 * 0.0.0.0/0 0.0.0.0/0 2 2069 ACCEPT udp eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 Chain OUTPUT (policy DROP 0 packets, 0 bytes) 1 84 ACCEPT all * eth0 10.3.0.1 10.1.0.0/24 policy match dir out pol ipsec reqid 1 proto 50 1 152 ACCEPT esp * eth0 0.0.0.0/0 0.0.0.0/0 2 2456 ACCEPT udp * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 After the successful establishment/deletion of a CHILD_SA the updown plugin dynamically inserts and removes an INPUT and OUTPUT Netfilter IPsec ESP policy matching rule via the iptables command executed by the /usr/libexec/ipsec/_updown shell script.

Full Integration with Linux Netfilter Firewall moon Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination 2 304 ACCEPT esp eth0 * 0.0.0.0/0 0.0.0.0/0 4 4896 ACCEPT udp eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 Chain FORWARD (policy DROP 0 packets, 0 bytes) 1 84 ACCEPT all eth0 * 10.3.0.2 10.1.0.20 policy match dir in pol ipsec reqid 2 proto 50 1 84 ACCEPT all * eth0 10.1.0.20 10.3.0.2 policy match dir out pol ipsec reqid 2 proto 50 1 84 ACCEPT all eth0 * 10.3.0.1 10.1.0.0/24 policy match dir in pol ipsec reqid 1 proto 50 1 84 ACCEPT all * eth0 10.1.0.0/24 10.3.0.1 policy match dir out pol ipsec reqid 1 proto 50 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination 2 304 ACCEPT esp * eth0 0.0.0.0/0 0.0.0.0/0 4 4138 ACCEPT udp * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 On gateways the updown plugin dynamically inserts and removes two FORWARD Netfilter IPsec ESP policy matching rules per CHILD_SA. lefthostaccess=yes additionally adds an input/output rule to access the GW itself.

Static IPsec ESP Policy Matching Rules moon Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination 2 304 ACCEPT esp eth0 * 0.0.0.0/0 0.0.0.0/0 4 4896 ACCEPT udp eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 Chain FORWARD (policy DROP 0 packets, 0 bytes) 2 168 ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50 2 168 ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec proto 50 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination 2 304 ACCEPT esp * eth0 0.0.0.0/0 0.0.0.0/0 4 4138 ACCEPT udp * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 leftfirewall=yes can be omitted and the updown plugin doesn‘t have to be built (./configure --disable-updown).

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.