Presentation is loading. Please wait.

Presentation is loading. Please wait.

strongSwan Workshop for Siemens

Published byElizabeth Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "strongSwan Workshop for Siemens"— Presentation transcript:

1 strongSwan Workshop for Siemens
Block 4 Linux IPsec Stack & Netfilter Prof. Dr. Andreas Steffen

2 IPsec Policies in the Linux Kernel
carol: ip -s xfrm policy src /24 dst /32 uid 0 dir in action allow index 800 priority lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add :34:37 use :34:39 tmpl src dst proto esp spi 0x (0) reqid 1(0x ) mode tunnel src /32 dst /24 uid 0 dir out action allow index 793 priority add :34:37 use :34:38 tmpl src dst

3 IPsec Policies in the Linux Kernel
moon: ip -s xfrm policy src /32 dst /24 uid 0 dir fwd action allow index 954 priority lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add :34:36 use :34:39 tmpl src dst proto esp spi 0x (0) reqid 1(0x ) mode tunnel src /24 dst /32 uid 0 dir out action allow index 937 priority tmpl src dst

4 IPsec Security Associations in the Kernel
carol: ip -s xfrm state src dst proto esp spi 0xc77ca4c3( ) reqid 1(0x ) mode tunnel replay-window 32 seq 0x flag 20 (0x ) auth hmac(sha1) 0x98fe271fd31ba795f158ae17487cb85f8682aefc (160 bits) enc cbc(aes) 0x3d0567d65694fcbbfd3257f55b497d6a (128 bits) lifetime config: limit: soft (bytes), hard (bytes) limit: soft (packets), hard (packets) expire add: soft 3065(sec), hard 3600(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 84(bytes), 1(packets) add :34:37 use :34:38 stats: replay-window 0 replay 0 failed 0 src dst proto esp spi 0xc46038e1( ) reqid 1(0x ) mode tunnel auth hmac(sha1) 0x4e2b044e d3f73bbf99289f369ae2d3ed5 (160 bits) enc cbc(aes) 0xd2d83f5d7e496ddc9483be57dbbb2757 (128 bits) ...

5 strongSwan Workshop for Siemens
NAT-Traversal, MOBIKE, Dead Peer Detection

6 NAT-Traversal alice behind NAT router moon is initiator:
06[IKE] initiating IKE_SA nat-t[1] to 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 06[NET] sending packet: from [500] to [500] 05[NET] received packet: from [500] to [500] 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] 05[IKE] local host is behind NAT, sending keep alives 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ Idr ... ] 05[NET] sending packet: from [4500] to [4500] 04[NET] received packet: from [4500] to [4500] 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ... ] gateway sun is responder: 14[NET] received packet: from [1026] to [500] 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 14[IKE] is initiating an IKE_SA 14[IKE] remote host is behind NAT 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ... ] 14[NET] sending packet: from [500] to [1026] 15[NET] received packet: from [1026] to [4500] 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ ... ] 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ... ] 15[NET] sending packet: from [4500] to [1026]

7 ESP-in-UDP Encapsulation (RFC 3948)
UDP-Encapsulated ESP Header Format Src Port (4500) Dst Port (4500) UDP Header Length Checksum Security Parameters Index ESP Header IKE Header Format for Port 4500 Src Port (4500) Dst Port (4500) UDP Header Length Checksum 0x00 0x00 0x00 0x00 Non-ESP Marker IKE Header IKE Header NAT-Keepalive Packet Format Src Port (4500) Dst Port (4500) UDP Header Length Checksum 0xFF Keepalive Payload

8 IKEv2 Connection Setup with MOBIKE I
alice [eth1: fec0::5 eth0: fec1::10 ] 05[ENC] generating IKE_SA_INIT request [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 05[NET] sending packet: from [500] to [500] 06[NET] received packet: from [500] to [500] 06[ENC] parsed IKE_SA_INIT response [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] 06[ENC] generating IKE_AUTH req [ IDi .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 06[NET] sending packet: from [4500] to [4500] 07[NET] received packet: from [4500] to [4500] 07[ENC] parsed IKE_AUTH response [IDr .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 07[IKE] peer supports MOBIKE sun [eth0: fec0::2 eth1: fec2::1 ] 05[NET] received packet: from [500] to [500] 05[ENC] parsed IKE_SA_INIT request [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 05[ENC] generating IKE_SA_INIT response [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] 05[NET] sending packet: from [500] to [500] 06[NET] received packet: from [4500] to [4500] 06[ENC] parsed IKE_AUTH request [ IDi .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 06[IKE] peer supports MOBIKE 06[ENC] generating IKE_AUTH resp [ IDr .. N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR)+ ] 06[NET] sending packet: from [4500] to [4500] With mobike=yes , port floating to 4500 by default

9 IKEv2 Connection Setup with MOBIKE II
alice [eth1: fec0::5 eth0: fec1::10 ] 10[KNL] disappeared from eth1 10[KNL] fec0::5 disappeared from eth1 10[KNL] interface eth1 deactivated 06[IKE] old path is not available anymore, try to find another 06[IKE] requesting address change using MOBIKE 06[ENC] generating INFORMATIONAL request 2 [ ] 06[IKE] checking original path [4500] [4500] 06[NET] sending packet: from [4500] to [4500] 06[IKE] checking path [4500] [4500] 06[NET] sending packet: from [4500] to [4500] 06[IKE] checking path fec1::10[4500] - fec0::2[4500] 06[NET] sending packet: from fec1::10[4500] to fec0::2[4500] 06[IKE] checking path fec1::10[4500] - fec2::1[4500] 06[NET] sending packet: from fec1::10[4500] to fec2::1[4500] 08[NET] received packet: from [4500] to [4500] 08[ENC] parsed INFORMATIONAL response 2 [ ] 08[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_6_ADDR) ] 08[NET] sending packet: from [4500] to [4500] 04[NET] received packet: from [4500] to [4500] 04[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ] 04[IKE] local host is behind NAT, sending keep alives

10 Activation of Dead Peer Detection
#ipsec.conf for roadwarrior carol conn %default dpddelay=60 dpdaction=restart #ipsec.conf for gateway moon conn %default dpddelay=60 dpdaction=clear Oct 24 11:45:10 13[IKE] CHILD_SA home{1} established with SPIs c50810d9_i c8485f4a_o Oct 24 11:46:10 16[NET] received packet: from [500] to [500] Oct 24 11:46:10 16[ENC] parsed INFORMATIONAL request 0 [ ] Oct 24 11:46:10 16[ENC] generating INFORMATIONAL response 0 [ ] Oct 24 11:46:10 16[NET] sending packet: from [500] to [500] Oct 24 11:47:09 09[IKE] sending DPD request Oct 24 11:47:09 09[ENC] generating INFORMATIONAL request 2 [ ] Oct 24 11:47:09 09[NET] sending packet: from [500] to [500] Oct 24 11:47:13 03[IKE] retransmit 1 of request with message ID 2 Oct 24 11:47:13 03[NET] sending packet: from [500] to [500] Oct 24 11:47:20 11[IKE] retransmit 2 of request with message ID 2 Oct 24 11:47:20 11[NET] sending packet: from [500] to [500] Oct 24 11:47:33 08[IKE] retransmit 3 of request with message ID 2 Oct 24 11:47:33 08[NET] sending packet: from [500] to [500] Oct 24 11:47:56 12[IKE] retransmit 4 of request with message ID 2 Oct 24 11:47:56 12[NET] sending packet: from [500] to [500] Oct 24 11:48:38 14[IKE] retransmit 5 of request with message ID 2 Oct 24 11:48:38 14[NET] sending packet: from [500] to [500] Oct 24 11:49:54 16[IKE] giving up after 5 retransmits Oct 24 11:49:54 16[IKE] restarting CHILD_SA home Oct 24 11:49:54 16[IKE] initiating IKE_SA home[2] to

11 strongSwan IKEv2 Retransmission Scheme
# strongswan.conf charon { retransmit_tries = 5 retransmit_timeout = retransmit_base = 1.8 } relative timeout = retransmit_timeout * retransmit_base ^ (n-1) Retransmission n Formula Relative timeout Absolute timeout n = 1 4s * 1.8^0 after 4s 4s n = 2 4s * 1.8^1 after 7s 11s n = 3 4s * 1.8^2 after 13s 24s n = 4 4s * 1.8^3 after 23s 47s n = 5 4s * 1.8^4 after 42s 89s giving up 4s * 1.8^5 after 76s 165s

12 strongSwan Workshop for Siemens
Interworking with Linux Netfilter Firewall

13 NETKEY Hooks in Linux Netfilter

14 Full Integration with Linux Netfilter Firewall
carol Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination ACCEPT all eth0 * / policy match dir in pol ipsec reqid 1 proto 50 ACCEPT esp eth0 * / /0 ACCEPT udp eth0 * / /0 udp spt:500 dpt:500 Chain OUTPUT (policy DROP 0 packets, 0 bytes) ACCEPT all * eth / policy match dir out pol ipsec reqid 1 proto 50 ACCEPT esp * eth / /0 ACCEPT udp * eth / /0 udp spt:500 dpt:500 After the successful establishment/deletion of a CHILD_SA the updown plugin dynamically inserts and removes an INPUT and OUTPUT Netfilter IPsec ESP policy matching rule via the iptables command executed by the /usr/libexec/ipsec/_updown shell script.

15 Full Integration with Linux Netfilter Firewall
moon Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination ACCEPT esp eth0 * / /0 ACCEPT udp eth0 * / /0 udp spt:500 dpt:500 Chain FORWARD (policy DROP 0 packets, 0 bytes) ACCEPT all eth0 * policy match dir in pol ipsec reqid 2 proto 50 ACCEPT all * eth policy match dir out pol ipsec reqid 2 proto 50 ACCEPT all eth0 * /24 policy match dir in pol ipsec reqid 1 proto 50 ACCEPT all * eth / policy match dir out pol ipsec reqid 1 proto 50 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination ACCEPT esp * eth / /0 ACCEPT udp * eth / /0 udp spt:500 dpt:500 On gateways the updown plugin dynamically inserts and removes two FORWARD Netfilter IPsec ESP policy matching rules per CHILD_SA. lefthostaccess=yes additionally adds an input/output rule to access the GW itself.

16 Static IPsec ESP Policy Matching Rules
moon Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination ACCEPT esp eth0 * / /0 ACCEPT udp eth0 * / /0 udp spt:500 dpt:500 Chain FORWARD (policy DROP 0 packets, 0 bytes) ACCEPT all * * / / policy match dir in pol ipsec proto 50 ACCEPT all * * / / policy match dir out pol ipsec proto 50 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot in out source destination ACCEPT esp * eth / /0 ACCEPT udp * eth / /0 udp spt:500 dpt:500 leftfirewall=yes can be omitted and the updown plugin doesn‘t have to be built (./configure --disable-updown).

Download ppt "strongSwan Workshop for Siemens"

Similar presentations

Information Security 2 (InfSi2)

Information Security 2 (InfSi2)
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Header and Payload Formats

Header and Payload Formats
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Network Layer Security: IPSec

Network Layer Security: IPSec
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-kivinen-mobike-design-00.txt Tero Kivinen

© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-kivinen-mobike-design-00.txt Tero Kivinen
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
1 IPsec Youngjip Kim 2004. 05. 24. 2 Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.

1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,

Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,

Similar presentations

Ads by Google