Presentation is loading. Please wait.

Presentation is loading. Please wait.

11.06.2010, LinuxTag2010-strongSwan.odp 1 LinuxTag 2010 Berlin strongSwan News Prof. Dr. Andreas Steffen Martin Willi

Published byLionel McKenzie Modified over 8 years ago

Similar presentations

Presentation on theme: "11.06.2010, LinuxTag2010-strongSwan.odp 1 LinuxTag 2010 Berlin strongSwan News Prof. Dr. Andreas Steffen Martin Willi"— Presentation transcript:

1 11.06.2010, LinuxTag2010-strongSwan.odp 1 LinuxTag 2010 Berlin strongSwan News Prof. Dr. Andreas Steffen andreas.steffen@strongswan.org Martin Willi martin@strongswan.org

2 11.06.2010, LinuxTag2010-strongSwan.odp 2 Agenda What is strongSwan? News High Availability solution using Cluster IP Virtual IP pools and config attributes for IKEv1 and IKEv2 KDE 4 NM Plasma Applet and Android Port Outlook Sharing daemon functionality with libhydra: pluto inherits kernel netlink interface and dynamic routing EAP-TLS support and probably EAP-PEAP, EAP-TTLS, EAP-FAST Network Endpoint Assessment (NEA, RFC 5209) using IKEv2 EAP as a transport protocol Questions and discussion

3 11.06.2010, LinuxTag2010-strongSwan.odp 3 LinuxTag 2010 Berlin What is strongSwan?

4 11.06.2010, LinuxTag2010-strongSwan.odp 4 VPN Usage Scenarios Internet Head Quarters Subsidiary „Road Warrior“ VPN Tunnel VPN Gateway 11.22.33.44 VPN Gateway 55.66.77.88 VPN Client 10.1.0.0/1610.2.0.0/16 10.3.0.2 10.1.0.510.2.0.3 55.66.x.x ●strongSwan is an Internet Key Exchange daemon needed to automatically set up IPsec-based VPN connections.

5 11.06.2010, LinuxTag2010-strongSwan.odp 5 The FreeS/WAN Genealogy Super FreeS/WAN 2003 X.509 2.x Patch FreeS/WAN 2.x 1999 FreeS/WAN 1.x X.509 1.x Patch 2000 Openswan 1.x  2004 2004 strongSwan 2.xOpenswan 2.x 2005 ITA IKEv2 Project 2006 strongSwan 4.x 2007 IKEv1 & IKEv2 Openswan 2.6.x IKEv1 & partial IKEv2

6 11.06.2010, LinuxTag2010-strongSwan.odp 6 The strongSwan IKE Daemons ●IKEv1 - 6 messages for IKE SA Phase 1 Main Mode - 3 messages for IPsec SA Phase 2 Quick Mode ●IKEv2 - 4 messages for IKE SA and first IPsec SA IKE_SA_INIT/IKE_AUTH - 2 messages for each additional IPsec SA CREATE_CHILD_SA raw socket IKEv1IKEv2 ipsec starter ipsec whack ipsec stroke charonpluto LSF UDP/500 socket native IPsec Netlink XFRM socket Linux 2.6 kernel ipsec.conf stroke socketwhack socket

7 11.06.2010, LinuxTag2010-strongSwan.odp 7 LinuxTag 2010 Berlin Swans in a Cluster strongSwan High Availability Image by mozzercork @ flickr | cc-by

8 11.06.2010, LinuxTag2010-strongSwan.odp 8 ● Failure detection - On power loss, hardware failures, kernel oops or daemon crashes, remove node ● State synchronization - Always have IKE/IPsec state of every node synced to another ● Takeover - Detect node failure within 1-3 seconds ● Transparent migration - TCP or application sessions not interrupted ● Load sharing - Share load between all nodes, no idle backup node ● Reintegration - Integrate repaired node into running cluster, take over load ● Legacy clients - No protocol extension, any client benefits from HA functionality if connected to a cluster Requirements for a HA Solution

9 11.06.2010, LinuxTag2010-strongSwan.odp 9 corporate network ESP(spi, seq) state IKE(spis, seq) state clientserver IPsec and IKE State

10 11.06.2010, LinuxTag2010-strongSwan.odp 10 corporate network clientcluster Node X Node Y Adding Failover Node

11 11.06.2010, LinuxTag2010-strongSwan.odp 11 corporate network clientcluster Node X Node Y Failover

12 11.06.2010, LinuxTag2010-strongSwan.odp 12 corporate network clientcluster Synchronizing State - IKE

13 11.06.2010, LinuxTag2010-strongSwan.odp 13 corporate network client cluster switc h Synchronizing State – ESP Outgoing

14 11.06.2010, LinuxTag2010-strongSwan.odp 14 corporate network client cluster Synchronizing State – ESP Incoming

15 11.06.2010, LinuxTag2010-strongSwan.odp 15 corporate network cluster alice bob Going Active/Active – Multiple Clients

16 11.06.2010, LinuxTag2010-strongSwan.odp 16 corporate network clientcluster switc h Going Active/Active – Single SA

17 11.06.2010, LinuxTag2010-strongSwan.odp 17 Node Y Node X switch virtual external IP virtual internal IP inner IP X inner IP Y SYNC/H B plai n cryp t ● 2 Nodes ● 4 Segments s (n = 4) ● X serves 1+2 ● Y serves 3+4 ● Anti-reorder mask: d = 16 ● Segment calculation outgoing: ● s = hash(spi, ip) % n ● Segment calculation incoming: ● s = hash(spi, ip, seq / d) % n ● Segment calculation IKE: ● s = hash(ip) % n ● SYNC: exchange IKE state using UDP messages, IPsec protected ● HB: Heartbeat, announces served segments outgoing incoming Setup with Segmentation

18 11.06.2010, LinuxTag2010-strongSwan.odp 18 Encrypt Decrypt All ESP INPUT Drop XFRM_I N ESP in resp. XFRM_ OUT PREROUTING tag as unicast cryp t plai n seq++ ESP out resp. Drop ● Introducing two new Netfilter hooks ● XFRM_IN: Before XFRM decryption ● XFRM_OUT: After policy lookup, before encryption ● Functionality implemented in ClusterIP IKE resp. Kernel Implementation

19 11.06.2010, LinuxTag2010-strongSwan.odp 19 LinuxTag 2010 Berlin Virtual IP Address Pools

20 11.06.2010, LinuxTag2010-strongSwan.odp 20 Volatile RAM-based IP Address Pools conn rw... right=%any rightsourceip=10.3.0.0/24 auto=add ●Configuration in ipsec.conf ipsec leases Leases in pool 'rw', usage: 2/255, 2 online 10.3.0.2 online 'dave@strongswan.org' 10.3.0.1 online 'carol@strongswan.org' ●Statistics conn rw1... right=%any rightsourceip=%rw auto=add ●Referencing and sharing a volatile pool

21 11.06.2010, LinuxTag2010-strongSwan.odp 21 Persistant SQL-based IP Address Pools I http://wiki.strongswan.org/repositories/entry/strongswan/ testing/hosts/default/etc/ipsec.d/tables.sql ●SQLite database table definitions # /etc/strongswan.conf - strongSwan configuration file libhydra { plugins { attr-sql { database = sqlite:///etc/ipsec.d/ipsec.db } ●Connecting to the SQLite database ●Creation of SQLite database cat /etc/ipsec.d/table.sql | sqlite3 /etc/ipsec.d/ipsec.db

22 11.06.2010, LinuxTag2010-strongSwan.odp 22 Persistant SQL-based IP Address Pools II conn rw... right=%any rightsourceip=%bigpool auto=add ●Configuration in ipsec.conf ipsec pool –-status name start end timeout size online usage bigpool 10.3.0.1 10.3.0.254 48h 254 1 ( 0%) 2 ( 0%) ipsec pool --leases --filter pool=bigpool name address status start end identity bigpool 10.3.0.1 online Oct 22 23:13:50 2009 carol@strongswan.org bigpool 10.3.0.2 valid Oct 22 23:14:11 2009 Oct 22 23:14:25 2009 dave@strongswan.org ●Statistics ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.0.254 --timeout 48 allocating 254 addresses... done. ●Pool creation

23 11.06.2010, LinuxTag2010-strongSwan.odp 23 Persistant SQL-based Config Attributes ●Add Unity Banners ●Statistics ipsec pool --addattr dns –server 62.2.17.60 ●Add DNS and NBNS Servers ipsec pool --addattr banner –string "Welcome to LinuxTag" ipsec pool –statusattr type description value 3 INTERNAL_IP4_DNS 62.2.17.60 3 INTERNAL_IP4_DNS 62.2.24.61 4 INTERNAL_IP4_NBNS 10.10.0.1 4 INTERNAL_IP4_NBNS 10.10.1.1 28672 UNITY_BANNER "Welcome to LinuxTag" 28676 UNITY_SPLIT_INCLUDE 10.10.0.0/255.255.0.0 ●Add Unity Split Subnetworks ipsec pool –addattr unity_split_include –-subnet 10.10.0.0/255.255.0.0

24 11.06.2010, LinuxTag2010-strongSwan.odp 24 LinuxTag 2010 Berlin Network Endpoint Assessment

25 11.06.2010, LinuxTag2010-strongSwan.odp 25 NEA Server NEA Client Network Endpoint Assessment (NEA) Posture Broker Client Posture Collectors (1.. N) Posture Collectors (1.. N) Posture Collectors (1.. N) Posture Broker Server Posture Collectors (1.. N) Posture Collectors (1.. N) Posture Validators (1.. N) Posture Transport Clients (1.. K) Posture Transport Clients (1.. K) Posture Transport Clients (1.. K) Posture Transport Clients (1.. K) Posture Transport Clients (1.. K) Posture Transport Servers (1.. K) PA PB PT IKEv2 EAP

Download ppt "11.06.2010, LinuxTag2010-strongSwan.odp 1 LinuxTag 2010 Berlin strongSwan News Prof. Dr. Andreas Steffen Martin Willi"

Similar presentations

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.

1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.
1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.

1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Lesson 1: Configuring Network Load Balancing

Lesson 1: Configuring Network Load Balancing
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
strongSwan Workshop for Siemens

strongSwan Workshop for Siemens
1 © Talend 2014 Service Locator Talend ESB Training 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 Service Locator Talend ESB Training 2014 Jan Bernhardt Zsolt Beothy-Elo
Andreas Steffen, 29.06.2015, Siemens-5.pptx 1 strongSwan Workshop for Siemens Block 5 Building & Testing strongSwan Prof. Dr. Andreas Steffen

Andreas Steffen, , Siemens-5.pptx 1 strongSwan Workshop for Siemens Block 5 Building & Testing strongSwan Prof. Dr. Andreas Steffen
Network Address Translation (NAT) CS-480b Dick Steflik.

Network Address Translation (NAT) CS-480b Dick Steflik.
Module 13: Network Load Balancing Fundamentals. Server Availability and Scalability Overview Windows Network Load Balancing Configuring Windows Network.

Module 13: Network Load Balancing Fundamentals. Server Availability and Scalability Overview Windows Network Load Balancing Configuring Windows Network.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
1 Chapter 12: VPN Connectivity in Remote Access Designs Designs That Include VPN Remote Access Essential VPN Remote Access Design Concepts Data Protection.

1 Chapter 12: VPN Connectivity in Remote Access Designs Designs That Include VPN Remote Access Essential VPN Remote Access Design Concepts Data Protection.
Andreas Steffen, 30.05.2008, LinuxTag2008.ppt 1 LinuxTag 2008 Berlin strongSwan VPNs scalable and modularized! Prof. Dr. Andreas Steffen

Andreas Steffen, , LinuxTag2008.ppt 1 LinuxTag 2008 Berlin strongSwan VPNs scalable and modularized! Prof. Dr. Andreas Steffen

Similar presentations

Ads by Google