IPsec site-to-site tunnel: Difference between revisions

From SaruWiki
Jump to navigation Jump to search
(→‎IPsec preparations: added racoon-tool)
(reordering)
Line 4: Line 4:
=IPsec site-to-site tunneling=
=IPsec site-to-site tunneling=


 
==IPsec general preparations==
==Starting point: two sites==
 
==IPsec preparations==
First off, you'll have to inventory your prospective tunnel setup. We suggest you fill in the following table (filled here for the purpose of example):
First off, you'll have to inventory your prospective tunnel setup. We suggest you fill in the following table (filled here for the purpose of example):


Line 42: Line 39:
(*) This data is not mandatory, but it makes it easier to reference the machine in question.
(*) This data is not mandatory, but it makes it easier to reference the machine in question.


Furthermore, you'll need to decide if you are going to use the debian-specific tool ''racoon-tool'', or if you're going to configure ''racoon'' directly. If you don't know what the difference is, choosing will be quite hard. So here follows a little description of the tools, and what we see as the consequences of your choice.
Next, you'll need to decide if you are going to use the debian-specific tool ''racoon-tool'', or if you're going to configure ''racoon'' directly. If you don't know what the difference is, choosing will be quite hard. So here follows a little description of the tools, and what we see as the consequences of your choice.
* [http://www.kame.net/newsletter/20001119/ ''racoon''] is a daemon that can exchange keys with the other end of a prospective IPsec connection in a secure and automated way; it is part of the [http://ipsec-tools.sourceforge.net/ IPsec-tools package]. You are supposed to configure it by means of entering exactly the right data in ''/etc/racoon/racoon.conf''. Using ''racoon'' directly is the "standard" way of setting up an IPsec tunnel
* [http://www.kame.net/newsletter/20001119/ ''racoon''] is a daemon that can exchange keys with the other end of a prospective IPsec connection in a secure and automated way; it is part of the [http://ipsec-tools.sourceforge.net/ IPsec-tools package]. You are supposed to configure it by means of entering exactly the right data in ''/etc/racoon/racoon.conf''. Using ''racoon'' directly is the "standard" way of setting up an IPsec tunnel
* ''racoon-tool'' is a Debian-specific Perl script, that can perform your ''racoon'' configuration for you. Using this means that you're less likely to make typo's etcetera: it's plain easier. On the other hand, since this is Debian-specific, a lot of information on the Internet might get less usable for you, since that assumes you're using plain ''racoon''. This shortcoming is mitigated somewhat by the realization that ''racoon-tool'' generates a ''racoon.conf'' file just as you'd expect, but only in a different location (''/var/lib/racoon/racoon.conf'' instead of ''/etc/racoon/racoon.conf''). But then again, you might want to learn how to make IPsec tunnels in a way that can be used on non-Debian servers as well...
* ''racoon-tool'' is a Debian-specific Perl script, that can perform your ''racoon'' configuration for you. Using this means that you're less likely to make typo's etcetera: it's plain easier. On the other hand, since this is Debian-specific, a lot of information on the Internet might get less usable for you, since that assumes you're using plain ''racoon''. This shortcoming is mitigated somewhat by the realization that ''racoon-tool'' generates a ''racoon.conf'' file just as you'd expect, but only in a different location (''/var/lib/racoon/racoon.conf'' instead of ''/etc/racoon/racoon.conf''). But then again, you might want to learn how to make IPsec tunnels in a way that can be used on non-Debian servers as well...
We feel there is no compelling general reason to choose one way over the other, so we'll outline both ways here. You'll have to choose, though. Mind you, if you ever change your mind, you can easily switch from direct to ''racoon-tool'' or back by running ''dpkg-reconfigure racoon''...
We feel there is no compelling general reason to choose one way over the other, so we'll outline both ways here. You'll have to choose, though. Mind you, if you ever change your mind, you can easily switch from direct to ''racoon-tool'' or back by running ''dpkg-reconfigure racoon''...


Next up, we need the same data for the far side of every tunnel you'll be creating:
Next, you'll have to verify if your kernel has been compiled with the necessary options. What you need at minimum are the following kernel options, that can be found under ''Networking support > Networking options'':
* '''PF_KEY Sockets''': This option makes your kernel compatible with the KAME IPsec tools that we're going to use.
* '''IP: ESP transformation''': This option ensures we can create IPsec networking packets in ESP mode.
* '''IP: IPsec tunnel mode''': This option enables the IPsec tunnel mode.
For IPsec you need several cryptographic algorithms; the mandatory ones are already selected because you set the options above. But if you need or want additional ones (AES, Blowfish etc), then go to ''Cryptographic API'', and select the algorithms you want. We would suggest the following algorithms:
* Null algorithms: useful for testing
* SHA224 and SHA256 digest algorithm: pretty secure and pretty well supported
* Blowfish cipher algorithm: fast and efficient
* AES cipher algorithms: AES is a well-known standard, that is still considered pretty secure
If you have any other cryptographic need, then most likely you'll have to satisfy it here as well. Then, after the usual compiling and installing of your new or updated kernel, you'll of course have to reboot to be able to use these features.
 
Verify that your Linux server is not sitting behind a NATting device, like an ADSL modem/router. If it is, you'll need an extra feature (NAT-T, or Nat Traversal), not described in this procedure.
 
==IPsec installation==
The amount of software we need to realize an IPsec tunnel is limited, because most of the IPsec capabilities are now integrated in the Linux kernel. The packages we need are:
* ''ipsec-tools'', the package that contains the KAME IPsec tools with which we can control the IPsec implementation that's in the Linux kernel;
* ''racoon'', the Internet Key Exchange daemon;
* ''[[vim]]''(*), an improved version of the ''vi'' editor.
(*)Well we don't really need [[vim]], but if we install it, not only will we have a very powerful editor, but also will we be able to use the ''xxd'' command when generating strong encryption keys.
 
When using ''aptitude'' or ''apt-get install'' to install ''racoon'', we'll be asked for the desired "Configuration mode for racoon IKE daemon": direct or racoon-tool. Choose according to your preference.
 
That's it! No additional software is required. Your system is now ready to set up IPsec tunnels - all it requires is the right configuration (and a correctly configured endpoint for the other end of the tunnel).
 
=IPsec site-to-site tunnel configuration=
 
==IPsec tunnel-specific preparations==
When we start creating a tunnel, we need the relevant data for the far side of each tunnel we'll be creating, similar to what we've already gathered for our own side of the tunnel. Note that it is not necessary that the other endpoint is also a Linux server; it could just as well be an IPsec capable appliance like a ''Checkpoint FW1'' firewall or a Microsoft Windows server. The main difference between different endpoints is the set of encryption algorithms they'll be able to support. Therefor, the preferred encryption algorithm must be negotiated between you and your counterpart on the other side of the tunnel. In this example, the other side is a Debian server as well, and we've agreed to use SHA1 as algorithm for both the IKE phase and the actual tunnel. Furthermore, we've agreed on a secret key, needed for the initial IKE phase.


{| class="wikitable" style="text-align:center" border="1" cellspacing="0" cellpadding="5"
{| class="wikitable" style="text-align:center" border="1" cellspacing="0" cellpadding="5"
!width="150" style="background:#ffdead;"|Debian Server
!style="background:#ffdead;"|Debian Server
!width="150" style="background:#ffdead;"|Data  
!width="250" style="background:#ffdead;"|Data  
!width="150" style="background:#ffdead;"|Example
!style="background:#ffdead;"|Example
|-
|-
|Name(*)
|Name(*)
Line 73: Line 97:
|
|
|SHA1
|SHA1
|-
|PreShared Key
|
|0x383a94619b3d6a8f33a39f68b4d16594
|-
|-
|Preferred tunnel encryption
|Preferred tunnel encryption
Line 80: Line 108:
|}
|}


Next, you'll have to verify if your kernel has been compiled with the necessary options. What you need at minimum are the following kernel options, that can be found under ''Networking support > Networking options'':
So how do we generate a strong PSK? A quick way would be to execute this command:
* '''PF_KEY Sockets''': This option makes your kernel compatible with the KAME IPsec tools that we're going to use.
dd if=/dev/random count=16 bs=1 | xxd -ps
* '''IP: ESP transformation''': This option ensures we can create IPsec networking packets in ESP mode.
This will output a strong key, like ''383a94619b3d6a8f33a39f68b4d16594''; you'll only have to prepend ''0x'' to signify that it's a hexadecimal key.
* '''IP: IPsec tunnel mode''': This option enables the IPsec tunnel mode.
For IPsec you need several cryptographic algorithms; the mandatory ones are already selected because you set the options above. But if you need or want additional ones (AES, Blowfish etc), then go to ''Cryptographic API'', and select the algorithms you want. We would suggest the following algorithms:
* Null algorithms: useful for testing
* SHA224 and SHA256 digest algorithm: pretty secure and pretty well supported
* Blowfish cipher algorithm: fast and efficient
* AES cipher algorithms: AES is a well-known standard, that is still considered pretty secure
If you have any other cryptographic need, then most likely you'll have to satisfy it here as well. Then, after the usual compiling and installing of your new or updated kernel, you'll of course have to reboot to be able to use these features.


==IPsec installation==
Now with the data for the tunnel available, we can get going on the configuration of the tunnel itself. If you've selected using ''racoon-tool'', read on. If you've chosen ''direct'' (or if you're not on a Debian server but another Linux distribution), skip to the next section.
 
=IPsec site-to-site tunnel configuration=


==Method 1: using ''racoon-tool''==
==Method 1: using ''racoon-tool''==


==Method 2: direct ''racoon'' configuration==
==Method 2: direct ''racoon'' configuration==


==Extra configuration issues==
==Extra configuration issues==

Revision as of 12:37, 14 December 2008

IPsec tunneling theory

IPsec is very powerful, but also quite complicated and intricate. When starting on tunneling, you might want to start exploring the site ipsec-howto. It explains both the theory of IPsec, and describes how to create IPsec tunnels. However, after reviewing the theory, you might want to continue here for a more elaborate, Debian-specific, site-to-site only, howto on tunneling.

IPsec site-to-site tunneling

IPsec general preparations

First off, you'll have to inventory your prospective tunnel setup. We suggest you fill in the following table (filled here for the purpose of example):

Debian Server Data Example
Name(*) dworkin
Internet IP 212.238.151.172
Private IP 192.168.0.9
Network(s) 192.168.0.0/24
Default key exchange encryption 3DES
Default tunnel encryption 3DES

(*) This data is not mandatory, but it makes it easier to reference the machine in question.

Next, you'll need to decide if you are going to use the debian-specific tool racoon-tool, or if you're going to configure racoon directly. If you don't know what the difference is, choosing will be quite hard. So here follows a little description of the tools, and what we see as the consequences of your choice.

  • racoon is a daemon that can exchange keys with the other end of a prospective IPsec connection in a secure and automated way; it is part of the IPsec-tools package. You are supposed to configure it by means of entering exactly the right data in /etc/racoon/racoon.conf. Using racoon directly is the "standard" way of setting up an IPsec tunnel
  • racoon-tool is a Debian-specific Perl script, that can perform your racoon configuration for you. Using this means that you're less likely to make typo's etcetera: it's plain easier. On the other hand, since this is Debian-specific, a lot of information on the Internet might get less usable for you, since that assumes you're using plain racoon. This shortcoming is mitigated somewhat by the realization that racoon-tool generates a racoon.conf file just as you'd expect, but only in a different location (/var/lib/racoon/racoon.conf instead of /etc/racoon/racoon.conf). But then again, you might want to learn how to make IPsec tunnels in a way that can be used on non-Debian servers as well...

We feel there is no compelling general reason to choose one way over the other, so we'll outline both ways here. You'll have to choose, though. Mind you, if you ever change your mind, you can easily switch from direct to racoon-tool or back by running dpkg-reconfigure racoon...

Next, you'll have to verify if your kernel has been compiled with the necessary options. What you need at minimum are the following kernel options, that can be found under Networking support > Networking options:

  • PF_KEY Sockets: This option makes your kernel compatible with the KAME IPsec tools that we're going to use.
  • IP: ESP transformation: This option ensures we can create IPsec networking packets in ESP mode.
  • IP: IPsec tunnel mode: This option enables the IPsec tunnel mode.

For IPsec you need several cryptographic algorithms; the mandatory ones are already selected because you set the options above. But if you need or want additional ones (AES, Blowfish etc), then go to Cryptographic API, and select the algorithms you want. We would suggest the following algorithms:

  • Null algorithms: useful for testing
  • SHA224 and SHA256 digest algorithm: pretty secure and pretty well supported
  • Blowfish cipher algorithm: fast and efficient
  • AES cipher algorithms: AES is a well-known standard, that is still considered pretty secure

If you have any other cryptographic need, then most likely you'll have to satisfy it here as well. Then, after the usual compiling and installing of your new or updated kernel, you'll of course have to reboot to be able to use these features.

Verify that your Linux server is not sitting behind a NATting device, like an ADSL modem/router. If it is, you'll need an extra feature (NAT-T, or Nat Traversal), not described in this procedure.

IPsec installation

The amount of software we need to realize an IPsec tunnel is limited, because most of the IPsec capabilities are now integrated in the Linux kernel. The packages we need are:

  • ipsec-tools, the package that contains the KAME IPsec tools with which we can control the IPsec implementation that's in the Linux kernel;
  • racoon, the Internet Key Exchange daemon;
  • vim(*), an improved version of the vi editor.

(*)Well we don't really need vim, but if we install it, not only will we have a very powerful editor, but also will we be able to use the xxd command when generating strong encryption keys.

When using aptitude or apt-get install to install racoon, we'll be asked for the desired "Configuration mode for racoon IKE daemon": direct or racoon-tool. Choose according to your preference.

That's it! No additional software is required. Your system is now ready to set up IPsec tunnels - all it requires is the right configuration (and a correctly configured endpoint for the other end of the tunnel).

IPsec site-to-site tunnel configuration

IPsec tunnel-specific preparations

When we start creating a tunnel, we need the relevant data for the far side of each tunnel we'll be creating, similar to what we've already gathered for our own side of the tunnel. Note that it is not necessary that the other endpoint is also a Linux server; it could just as well be an IPsec capable appliance like a Checkpoint FW1 firewall or a Microsoft Windows server. The main difference between different endpoints is the set of encryption algorithms they'll be able to support. Therefor, the preferred encryption algorithm must be negotiated between you and your counterpart on the other side of the tunnel. In this example, the other side is a Debian server as well, and we've agreed to use SHA1 as algorithm for both the IKE phase and the actual tunnel. Furthermore, we've agreed on a secret key, needed for the initial IKE phase.

Debian Server Data Example
Name(*) darktower
Internet IP 82.161.20.13
Private IP 192.168.1.10
Network(s) 192.168.1.0/24
Preferred key exchange encryption SHA1
PreShared Key 0x383a94619b3d6a8f33a39f68b4d16594
Preferred tunnel encryption SHA1

So how do we generate a strong PSK? A quick way would be to execute this command:

dd if=/dev/random count=16 bs=1 | xxd -ps

This will output a strong key, like 383a94619b3d6a8f33a39f68b4d16594; you'll only have to prepend 0x to signify that it's a hexadecimal key.

Now with the data for the tunnel available, we can get going on the configuration of the tunnel itself. If you've selected using racoon-tool, read on. If you've chosen direct (or if you're not on a Debian server but another Linux distribution), skip to the next section.

Method 1: using racoon-tool

Method 2: direct racoon configuration

Extra configuration issues

setting the right routes

adapting your firewall configuration

DNS and WINS issues

IPsec diagnostics