Hello,

Soon after Pete, Jake and I met last meeting, I typed up a nice little intro to IPsec. For the lab we got an IPsec tunnel going, full AH and ESP, no IKE. We used snort, connected to the same hub as the two gateways, to watch the gibberish communications going on port 51 :)

Here is the setup script for gateway 192.168.1.201.
#!/usr/sbin/setkey -f
flush;
spdflush;
# SA - AH protocol setup
add 192.168.1.201 192.168.1.203 ah 11111 -m tunnel \
-A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
add 192.168.1.203 192.168.1.201 ah 22222 -m tunnel \
-A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
# SA - ESP protocol setup
add 192.168.1.201 192.168.1.203 esp 11112 -m tunnel \
-E 3des-cbc 0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
add 192.168.1.203 192.168.1.201 esp 22223 -m tunnel \
-E 3des-cbc 0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
spdadd 192.168.3.0/24 192.168.4.0/24 any -P out ipsec
esp/tunnel/192.168.1.201-192.168.1.203/require
ah/tunnel/192.168.1.201-192.168.1.203/require;
spdadd 192.168.4.0/24 192.168.3.0/24 any -P in ipsec
esp/tunnel/192.168.1.203-192.168.1.201/require
ah/tunnel/192.168.1.203-192.168.1.201/require;
#EOF
Attached: quick intro to IPsec, part 1 of 3
=====
Ted Katseres
Title: IPSec
IPsec - Kame style
by Ted Katseres
part 1 of 3
IPsec is an extension of the IP protocol. It provides security for IP and for the upper-layer protocols carried over it (RFC 2401, IPsec Architecture). IPsec itself is a collection of protocols: AH, ESP, IPCOMP and IKE. *1 There are two distinct modes, transport and tunnel, in which IPsec communication can be implemented.
Transport mode provides secure IP communication between two peers by encrypting just the payload of the packet; the original IP header is kept.
Tunnel mode provides secure IP communication between two networks by encapsulating the original packet, and encrypting it, inside a new IP packet.
Transport mode setup: Using the setkey program for Machine A(192.168.0.1),
flush;
spdflush;
# SA - AH protocol setup "presharedkey"
add 192.168.0.1 192.168.0.2 ah 11111 -A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
add 192.168.0.2 192.168.0.1 ah 22222 -A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
# SA - ESP protocol setup "anotherpresharedkey"
add 192.168.0.1 192.168.0.2 esp 11112 -E 3des-cbc \
0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
add 192.168.0.2 192.168.0.1 esp 22223 -E 3des-cbc \
0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
spdadd 192.168.0.1 192.168.0.2 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.0.2 192.168.0.1 any -P in ipsec
esp/transport//require
ah/transport//require;
#EOF
The `add` statements set up the SAs for communication between A(192.168.0.1) and B(192.168.0.2). Each one describes, for one direction (sending IP to receiving IP) and one IPsec protocol, the algorithm and key to use.
For example,
AH communication from A to B will be signed using hmac-md5 with the "presharedkey" key. The "11111" is a Security Parameter Index (SPI), basically used by the system to disallow IP replay attacks.
ESP communication from B to A will be encrypted with 3des-cbc using the "anotherpresharedkey" key. Again, "22223" is an SPI used by the system to disallow IP replay attacks.
The `spdadd` statements set up the SPs for communication between A and B. These describe what type of communication we plan on doing. For example,
esp/transport//require
ah/transport//require;
The statement above declares that any type of communication from A to B will use IPsec (ESP and AH) in transport mode.
So, if the above script were executed on Machine A, all communication between A and B must be IPsec (ESP and AH), using hmac-md5 for AH with the key "presharedkey" and 3des-cbc for ESP with the key "anotherpresharedkey". To get Machine B working with the same script you must reverse a couple of lines.
spdadd 192.168.0.2 192.168.0.1 any -P out ipsec
esp/transport//require
ah/transport//require;
#spdadd 192.168.0.2 192.168.0.1 any -P in ipsec
spdadd 192.168.0.1 192.168.0.2 any -P in ipsec
esp/transport//require
ah/transport//require;
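The checks a practitioner wants before loading one of these scripts, and the "reverse a couple of lines" step for the other peer, are mechanical enough to script. The following is an added example, not part of the original write-up: it parses `add` and `spdadd` statements in the form used on this page (both the transport form and the `proto/tunnel/src-dst/require` form), confirms that each key has the size setkey expects for its algorithm (128 bits for hmac-md5, 192 bits for 3des-cbc), that no two SAs collide on (destination, protocol, SPI), which is what the receiver uses to look an SA up (replay protection itself comes from the per-SA sequence number, not from the SPI value), and that every policy has an SA in the matching direction. It then renders the peer's script by flipping each policy's direction, exactly as done by hand above. The address/key values are the page's own lab values; the `MACHINE_A` string is a copy embedded so the example runs offline.

```python
"""Sanity-check a KAME setkey script and emit the other peer's copy.

Added example (not from the page). Assumes IPv4 addresses and the
`require` policy level used throughout this page.
"""
from dataclasses import dataclass

KEY_BITS = {"hmac-md5": 128, "3des-cbc": 192}   # key sizes setkey expects


@dataclass
class SA:
    src: str
    dst: str
    proto: str          # "ah" or "esp"
    spi: int
    alg: str
    key: str            # "0x..." hex
    mode: str = "any"   # setkey's default when -m is absent


@dataclass
class SP:
    src: str
    dst: str
    direction: str      # "in" or "out"
    rules: list         # [(proto, mode, "src-dst" or ""), ...]


def _statements(text):
    """Join backslash continuations, strip '#' comments, split on ';'."""
    code = text.replace("\\\n", " ")
    code = " ".join(line.split("#", 1)[0] for line in code.splitlines())
    for stmt in code.split(";"):
        if stmt.strip():
            yield stmt.split()


def parse(text):
    sas, sps = [], []
    for tok in _statements(text):
        if tok[0] == "add":
            # add SRC DST PROTO SPI [-m MODE] (-A|-E) ALG KEY
            i = tok.index("-A") if "-A" in tok else tok.index("-E")
            mode = tok[tok.index("-m") + 1] if "-m" in tok else "any"
            sas.append(SA(tok[1], tok[2], tok[3], int(tok[4]), tok[i + 1], tok[i + 2], mode))
        elif tok[0] == "spdadd":
            # spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/ENDPOINTS/LEVEL ...
            rules = []
            for rule in tok[7:]:
                parts = rule.split("/")
                if len(parts) != 4:   # e.g. tunnel endpoints written "A B" instead of "A-B"
                    raise ValueError(f"malformed policy rule {rule!r}")
                rules.append(tuple(parts[:3]))
            sps.append(SP(tok[1], tok[2], tok[5], rules))
    return sas, sps


def check(sas, sps):
    """Return a list of problems; an empty list means the script is consistent."""
    problems, seen = [], set()
    for sa in sas:
        bits = (len(sa.key) - 2) * 4
        if sa.alg in KEY_BITS and bits != KEY_BITS[sa.alg]:
            problems.append(f"{sa.alg} key for SPI {sa.spi} is {bits} bits, need {KEY_BITS[sa.alg]}")
        # The receiver selects an SA by (destination, protocol, SPI): that triple must be unique.
        if (sa.dst, sa.proto, sa.spi) in seen:
            problems.append(f"duplicate SPI {sa.spi} for {sa.proto} to {sa.dst}")
        seen.add((sa.dst, sa.proto, sa.spi))
    for sp in sps:
        for proto, mode, endpoints in sp.rules:
            if mode == "tunnel" and "-" not in endpoints:
                problems.append(f"tunnel rule {proto} needs 'src-dst' endpoints, got {endpoints!r}")
                continue
            src, dst = endpoints.split("-", 1) if mode == "tunnel" else (sp.src, sp.dst)
            if not any(s.src == src and s.dst == dst and s.proto == proto for s in sas):
                problems.append(f"no {proto} SA from {src} to {dst} for policy {sp.src} -> {sp.dst}")
    return problems


def mirror(sas, sps):
    """Script for the other peer: identical SAs, each policy's direction flipped."""
    flip = {"out": "in", "in": "out"}
    lines = ["flush;", "spdflush;"]
    for sa in sas:
        flag = "-A" if sa.proto == "ah" else "-E"
        mode = f" -m {sa.mode}" if sa.mode != "any" else ""
        lines.append(f"add {sa.src} {sa.dst} {sa.proto} {sa.spi}{mode} {flag} {sa.alg} {sa.key};")
    for sp in sps:
        rules = " ".join(f"{p}/{m}/{e}/require" for p, m, e in sp.rules)
        lines.append(f"spdadd {sp.src} {sp.dst} any -P {flip[sp.direction]} ipsec {rules};")
    return "\n".join(lines) + "\n"


# Machine A's transport-mode script, copied from this page (lab keys, not secrets).
MACHINE_A = r"""
flush;
spdflush;
# SA - AH protocol setup "presharedkey"
add 192.168.0.1 192.168.0.2 ah 11111 -A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
add 192.168.0.2 192.168.0.1 ah 22222 -A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
# SA - ESP protocol setup "anotherpresharedkey"
add 192.168.0.1 192.168.0.2 esp 11112 -E 3des-cbc \
0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
add 192.168.0.2 192.168.0.1 esp 22223 -E 3des-cbc \
0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
spdadd 192.168.0.1 192.168.0.2 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.0.2 192.168.0.1 any -P in ipsec
esp/transport//require
ah/transport//require;
"""

if __name__ == "__main__":
    sas, sps = parse(MACHINE_A)
    print("problems:", check(sas, sps) or "none")
    print(mirror(sas, sps))   # what Machine B (192.168.0.2) should load
```

Because the SAs are shared verbatim, the only difference in the peer's script is the `-P in`/`-P out` swap, which is why `mirror` copies the SAs unchanged. A real deployment would use different keys per direction and rotate them; the checker only enforces sizes, since nothing in a static script can tell a good key from a reused one.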
Tunnel mode setup: Using the setkey program for Gateway A(192.168.0.1),
flush;
spdflush;
# SA - AH protocol setup "presharedkey"
add 192.168.0.1 192.168.0.2 ah 11111 -A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
add 192.168.0.2 192.168.0.1 ah 22222 -A hmac-md5 0x320343a96076f89309f46e7a28f1be47;
# SA - ESP protocol setup "anotherpresharedkey"
add 192.168.0.1 192.168.0.2 esp 11112 -E 3des-cbc \
0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
add 192.168.0.2 192.168.0.1 esp 22223 -E 3des-cbc \
0xc4e0aadc84cd417630638000271313a99a419ee5368f1ead;
spdadd 10.99.0.0/16 10.100.0.0/16 any -P out ipsec
esp/tunnel/192.168.0.1-192.168.0.2/require
ah/tunnel/192.168.0.1-192.168.0.2/require;
spdadd 10.100.0.0/16 10.99.0.0/16 any -P in ipsec
esp/tunnel/192.168.0.2-192.168.0.1/require
ah/tunnel/192.168.0.2-192.168.0.1/require;
#EOF
As you can see, the SAD setup is exactly the same. [For testing purposes this is ok.] The SPD setup is very different.
esp/tunnel/192.168.0.1-192.168.0.2/require
ah/tunnel/192.168.0.1-192.168.0.2/require;
The statement above adds an entry to the SPD declaring that any communication from Network X(10.99.0.0/16) to Network Y(10.100.0.0/16) will use ESP and AH in tunnel mode, with the IPsec communication running from Gateway A(192.168.0.1) to Gateway B(192.168.0.2).
Quick Diagram : [ IPsec vs. Regular Packet ]
| ip | tcp | data |             <- regular packet
| ip | ah | tcp | data |        <- transport mode
| ip | ah | ip | tcp | data |   <- tunnel mode
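The three rows of the diagram can be built and taken apart in code, which also shows what the AH integrity check value (ICV) does and does not cover. The following is an added example, not part of the original write-up: it constructs the regular, transport-mode and tunnel-mode layouts for IPv4 with no options, computes the AH ICV as HMAC-MD5-96 (RFC 2403: HMAC-MD5 truncated to 96 bits) over the packet with the mutable IP fields zeroed as RFC 2402 requires, and verifies it the way a receiver would. The HMAC key is the hmac-md5 lab key from this page's script; the TCP segment is constructed. The checks at the end illustrate why a TTL decrement by a router leaves AH intact while an address rewrite by a NAT does not.

```python
"""AH packet layouts from the diagram, with ICV computation and verification.

Added example (not from the page). Assumes IPv4 headers without options,
a constructed TCP segment, and the hmac-md5 lab key from the page's script.
"""
import hashlib
import hmac
import struct

AH = 51      # IP protocol number of AH (the traffic the snort trace above saw)
IPIP = 4     # inner IP packet follows (tunnel mode)
TCP = 6
KEY = bytes.fromhex("320343a96076f89309f46e7a28f1be47")   # page's hmac-md5 lab key

# Constructed TCP header (20 bytes: ports, seq, ack, offset/flags, window, csum, urg) + data
PAYLOAD = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0) + b"constructed data"


def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header with a valid header checksum."""
    def hdr(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                           ttl, proto, csum,
                           bytes(int(x) for x in src.split(".")),
                           bytes(int(x) for x in dst.split(".")))
    return hdr(_checksum(hdr(0)))


def _zero_mutable(ip_hdr):
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and header checksum
    change in transit, so they count as zero when the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def _icv(ip_hdr, ah_no_icv, rest, key=KEY):
    """HMAC-MD5-96: HMAC over IP header (mutable fields zeroed), AH header with
    the ICV field zeroed, and everything after it; keep the first 96 bits."""
    data = _zero_mutable(ip_hdr) + ah_no_icv + bytes(12) + rest
    return hmac.new(key, data, hashlib.md5).digest()[:12]


def ah_packet(mode, src, dst, tcp_and_data, spi, seq, inner=None):
    """| ip | ah | tcp | data | (transport) or | ip | ah | ip | tcp | data | (tunnel).
    `inner` is (inner_src, inner_dst) for tunnel mode."""
    if mode == "tunnel":
        rest = ipv4(inner[0], inner[1], TCP, len(tcp_and_data)) + tcp_and_data
        nxt = IPIP
    else:
        rest, nxt = tcp_and_data, TCP
    # next header, payload length = (24 bytes / 4) - 2 = 4, reserved, SPI, sequence number
    ah_no_icv = struct.pack("!BBHII", nxt, 4, 0, spi, seq)
    outer = ipv4(src, dst, AH, len(ah_no_icv) + 12 + len(rest))
    return outer + ah_no_icv + _icv(outer, ah_no_icv, rest) + rest


def layout(pkt):
    """Name the headers in order, as the page's diagram draws them."""
    names, proto, off = ["ip"], pkt[9], 20
    if proto == AH:
        names.append("ah")
        proto, off = pkt[off], off + 24
    if proto == IPIP:
        names.append("ip")
        proto, off = pkt[off + 9], off + 20
    if proto == TCP:
        names.append("tcp")
        if len(pkt) - off > 20:
            names.append("data")
    return names


def verify(pkt, key=KEY):
    """Recompute the ICV as the receiver would and compare in constant time."""
    outer, ah_no_icv, icv, rest = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, _icv(outer, ah_no_icv, rest, key))


if __name__ == "__main__":
    plain = ipv4("192.168.0.1", "192.168.0.2", TCP, len(PAYLOAD)) + PAYLOAD
    t = ah_packet("transport", "192.168.0.1", "192.168.0.2", PAYLOAD, 11111, 1)
    u = ah_packet("tunnel", "192.168.0.1", "192.168.0.2", PAYLOAD, 11111, 1,
                  inner=("10.99.0.5", "10.100.0.7"))
    for p in (plain, t, u):
        print(" | ".join(layout(p)), "->", len(p), "bytes")
```

The SPI and sequence number sit in the AH header and are covered by the ICV, so a receiver that tracks sequence numbers per SA can reject replays; the SPI itself is what selects the SA and key. Note also that ESP, not shown here, would encrypt the part after its header, which AH leaves readable.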
*1 The NetBSD docs have a nice IPsec introduction.
-> http://www.netbsd.org/Documentation/network/ipsec/
*2 IPsec HOWTO for Linux
-> http://www.ipsec-howto.org (Copyright (c) 2003 Ralf Spenneberg)
#!/usr/bin/perl
#
# generate hmac-md5 key
# and 3des-cbc key
######################
use strict;
use warnings;
# 128 Bit long key (/dev/random may block until enough entropy is available)
my $md5_key = `dd if=/dev/random count=16 bs=1 2>/dev/null | xxd -ps`;
# 192 Bit long key
my $des_key = `dd if=/dev/random count=24 bs=1 2>/dev/null | xxd -ps`;
# xxd ends its output with a newline; strip it so each key prints on one line
chomp($md5_key, $des_key);
print "\nhmac-md5 = 0x", $md5_key, "\n";
print "3des-cbc = 0x", $des_key, "\n";
exit(0);
#EOF
