HowTo IPSec Roadwarrior using PSK

Transcription

1 HowTo IPSec Roadwarrior using PSK In this Example you see how two networks can be connected via IPSec using a preshared key. This scenario could be used to bind a branch office on a headquarter. Figure 1: Network plan example 1 Configure IPSec at the headquarter You can took it as read that at the headquarter there s an static IP on interface eth0. If you use an other interface you have to configure it under Networking > IPSec VPN > Global Settings. For that choose No in IPSec-Interface-Mappings Use ipsec0 as defaultroute and select the used interface at the dropdown Bind ipsec0 to. 1.1 Create template It is advisable to use templates when creating an IPSec configuration at the headquarter. Note Templates make a configuration more easier, because recurrent parameters can be set globally. Navigate to Networking > IPSec VPN and click the button[add Template] to create one. In this example the tamplate was created due to the screenshot and tables. Freigabe: Seite 1 von 11

2 Figure 2: IPSec Template Global Settings Connection-Name Action on Startup Connection Type roadwarrior Load/Add Tunnel Phase1(ISAKMP) Settings ISAKMP Method Our/Left IP-Address Peer/Right IP-Address Aggressive Mode %eth0 %any IKE Settings IKE algorithms Encryption: aes128 Authentication: sha1 MODP-Group: 1024 IKE Lifetime 8h Freigabe: Seite 2 von 11

3 1.1.3 Phase2 Settings Encapsulating Security Payload (ESP) Encryption: Authentication: PFS-Group: aes128 sha1 modp1024 SA Lifetime 8 hours To create the template press[create]. 1.2 Create IPSec connection with a template There are two possibilities to create a connection with templates. Either use the Add Connection link at the end oft he table row or choose the appropriate template at the dropdown next to the [Add Connection] button. Note There are no differences between the configuration- and template interface, but the parameters set in the template are grayed-out Global Settings Connection-Name offsite Phase1(ISAKMP) Settings Our/Left ID have to be unique for each tunnel PSK-Settings Pre-Shared-Key Confirm Pre-Shared-Key Insert the used PSK Verify the PSK Ersteller: Datum: Rev: Freigabe: 2.0 Seite 3 von 11

4 1.2.1 Phase2 Settings Local Subnet /16 Local Source IP Remote Subnet /16 Remote Source IP have to be unique for each endpoint have to be unique for each endpoint Press [Create] to save changes. 1.3 Start IPSec Server Start the server under Networking > IPSec VPN > [Start IPSec Server]. To active IPSec even after a reboot choose yes at [Start at boot time] and apply by pressing the button. 2 IPSec configuration branch office In this scenario the branch office is online via ppp0 using the connection-manager. The IPSec tunnel also uses the existing connection and is startet with the connection-manager. 2.1 IPSec Interface Mapping Set the parameter Use ipsec0 as defaultroute to Yes under Networking > IPSec VPN > Global Settings and save changes. 2.2 Create IPSec Verbindung (without template) By configurint the branch office it is not necessary to use templates, therefore templates are renounced at this example. Navigate to Networking > IPSec VPN and press [Add Connection] to create the connection. Ersteller: Datum: Rev: Freigabe: 2.0 Seite 4 von 11

5 2.2.1 Global Settings Connection-Name offsite1 Action on Startup Ignore Connection Type Tunnel Enable Dead Peer Detection Yes DPD Delay 30 DPD Timeout 120 DPD Action on Timeout Clear Phase1(ISAKMP) Settings ISAKMP Method Our/Left IP-Address Peer/Right IP-Address Our/Left ID Peer/Right ID Aggressive Mode %ppp0 Public IP PSK-Settings Pre-Shared-Key Confirm Pre-Shared-Key Insert the used PSK Verify the PSK IKE Settings IKE algorithms Encryption: aes128 Authentication: sha1 MODP-Group: 1024 IKE Lifetime 8h Phase2 Settings Local Subnet /16 have to be unique for each endpoint Ersteller: Datum: Rev: Freigabe: 2.0 Seite 5 von 11

6 Local Source IP Remote Subnet /16 Remote Source IP Encapsulating Security Payload (ESP) have to be unique for each endpoint Encryption: Authentication: PFS-Group: aes128 sha1 modp1024 SA Lifetime 8 hours Apply changes with [Create]. 2.3 Start IPSec with the Connection-Manager To start the IPSec connection with the Connection-Manager open the Connection-Manager entry that manages the ppp-interface. In this example you can find it under Networking > Connection Management > Connection-Manager > Index 1. Adapt the used interface with the parameter Use IPSec-Interface. Use IPSec-Interface ipsec0 as defaultroute At the end of this side under Logical Subordinated Connections press [Add Connection] to add a new connection. At the configuration page just chosse the created IPSec connection and put the parameter as following: Figure 3: Connection-Manager logical connection Power Up Delay 2 Maximum Negotiation 15 Timeout Save changes with[create]. Freigabe: Seite 6 von 11

7 3 Firewall rules For security reasons it is recommended to constrain access from the internet to the router. It is absolutly essential to allow access from the local interfaces! Otherwise you are locked out! Therefor go to Networking > Linux Firewall > Showing IPtable: Packet filtering (filter). In section Incoming packets (INPUT) create new rules with its parameters by clicking [Add Rule] and add them to the table with[create]. Action to take Comment Network protocol Accept Accept Accept Allow Encapsulating Security Payload (ESP) Allow Internet Key Exchange (IKE) Allow NAT traversal (NAT-T) Equal ESP Destination TCP or UDP port Equal UDP Port(s): 500 Equal UDP Port(s): 4500 Action to take Comment Incoming interface Accept Allow traffic on ipsec0 interface Equals other - ipsec0 After creating the rules press [Apply Configuration] to save the new adjustments. 3.1 Firewall adjustments at the headquarter A firewall that only uses protocols and ports used in IPSec could look like the following: Figure 4: Headquarter firewall Freigabe: Seite 7 von 11

8 3.2 Firewall adjustments at the branch office If the router is used as an internet gateway, too, the firewall needs an Established/Related and a Masquerading rule for the public interface, otherwise it is enough to allow the local interface Established/Related rule Under Networking > Linux Firewall > Showing IPtable: Packet filtering (filter) at Incoming packets (INPUT) add following rule with [Add Rule]: Action to take Comment Connection states Accept Allow traffic if established or related Equals ESTABLIED und RELATED Multiple Choice with [STRG]+Click Figure 5: Branch-Office-Router, simultaneously internet gateway Masquerading To configure the Masquerading, navigate to Networking > Linux Firewall > Showing IPtable: Network address translation (nat), section Packets after routing (POSTROUTING). Action to take Masquerade Outgoing interface Equals Other ppp0 (Insert used interface) Figure 6: Masquerading at the Branch-Office-Router 4 Finish configuration To finish the configuration procedure it is necessary to save all changes permanently. Therefore navigate to Permanent Save and press Save Config. Freigabe: Seite 8 von 11

9 Important! If this step is not performed, the settings are lost when the router is rebooted. 5 Logfile Logfiles after IPSec connection establishment: Dial-up branch office: Jan 21 10:11:12 C1500 pluto[5372]: added connection description "offsite1" Jan 21 10:11:12 C1500 pluto[5372]: "offsite1" #10: initiating Aggressive Mode #10, connection "offsite1" Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #10: received Vendor ID payload [Dead Peer Detection] Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #10: received Vendor ID payload [RFC 3947] method set to=109 Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #10: Aggressive mode peer ID is ID_FQDN: '@headquarter_id' Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #10: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #10: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2 Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #10: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=oakley_preared_key cipher=aes_128 prf=oakley_sha group=modp1024} Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #10: Dead Peer Detection (RFC 3706): enabled Jan 21 10:11:13 C1500 pluto[5372]: "offsite1" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#10 msgid:fe8d1e4a proposal=aes(12)_128-a1(2)_160 pfsgroup=oakley_group_modp1024} Jan 21 10:11:14 C1500 pluto[5372]: "offsite1" #11: Dead Peer Detection (RFC 3706): enabled Jan 21 10:11:14 C1500 pluto[5372]: "offsite1" #11: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 Jan 21 10:11:14 C1500 pluto[5372]: "offsite1" #11: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x <0x881c46b2 xfrm=aes_128-hmac_a1 NATOA=none NATD=none DPD=enabled} Jan 21 10:11:15 C1500 Connection_Manager[30781]: Connection-Entry 1, Logical-Entry 1: IPSec-connection established successfully! Ersteller: Datum: Rev: Freigabe: 2.0 Seite 9 von 11

10 Dial-up headquarter: payload [Dead Peer Detection] payload [RFC 3947] method set to=109 payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109 payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109 payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109 payload [draft-ietf-ipsec-nat-t-ike-00] Jan 21 10:11:12 C1500 pluto[26437]: "offsite1"[1] #1: Aggressive mode peer ID is ID_FQDN: Jan 21 10:11:12 C1500 pluto[26437]: "offsite1"[1] #1: responding to Aggressive Mode, state #1, connection "offsite1" from Jan 21 10:11:12 C1500 pluto[26437]: "offsite1"[1] #1: enabling possible NATtraversal with method 4 Jan 21 10:11:12 C1500 pluto[26437]: "offsite1"[1] #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1 Jan 21 10:11:12 C1500 pluto[26437]: "offsite1"[1] #1: STATE_AGGR_R1: sent AR1, expecting AI2 Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #1: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2 Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #1: STATE_AGGR_R2: ISAKMP SA established {auth=oakley_preared_key cipher=aes_128 prf=oakley_sha group=modp1024} Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #1: Dead Peer Detection (RFC 3706): enabled Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #1: the peer proposed: /16:0/0 -> /16:0/0 Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: responding to Quick Mode proposal {msgid:d7e38d27} Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: us: /16=== <%eth0>[@headquarter_id,+S=C] Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: them: [@offsite1_id,+S=C]=== /16 Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: up-client output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change /16 dev ipsec0 src ' failed (RTNETLINK answers: No such file or directory) Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: Dead Peer Detection (RFC 3706): enabled Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 Jan 21 10:11:13 C1500 pluto[26437]: "offsite1"[1] #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x881c46b4 <0x20ec795f xfrm=aes_128-hmac_a1 NATOA=none NATD=none DPD=enabled} Ersteller: Datum: Rev: Freigabe: 2.0 Seite 10 von 11

11 Figure 7: IPSec established (headquarter-side) Freigabe: Seite 11 von 11