IPSEC using Linux Kernel 2.6

IPSEC using Linux Kernel 2.6 Tom Eastep 2004-08-15 2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. To use this support, your kernel and iptables must include the Netfilter+ipsec patches and policy match support and you must be running Shorewall 2.1.4 or later. As of this writing, the Netfilter+ipsec and policy match support are broken when used with a bridge device. The problem has been reported to the responsible Netfilter developer who has confirmed the problem.

IPSec Gateway on the Firewall System Suppose that we have the following sutuation: We want systems in the 192.168.1.0/24 sub-network to be able to communicate with systems in the 10.0.0.0/8 network. We assume that on both systems A and B, eth0 is the internet interface. To make this work, we need to do two things: Open the firewall so that the IPSEC tunnel can be established (allow the ESP and AH protocols and UDP Port 500). Allow traffic through the tunnel. Opening the firewall for the IPSEC tunnel is accomplished by adding an entry to the /etc/shorewall/tunnels file. In /etc/shorewall/tunnels on system A, we need the following

/etc/shorewall/tunnels — System A: #TYPE ZONE GATEWAY GATEWAY ZONE ipsec net 134.28.54.2 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE /etc/shorewall/tunnels — System B: #TYPE ZONE GATEWAY GATEWAY ZONE ipsec net 206.161.148.9 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

If either of the endpoints is behind a NAT gateway then the tunnels file entry on the other endpoint should specify a tunnel type of ipsecnat rather than ipsec and the GATEWAY address should specify the external address of the NAT gateway. You need to define a zone for the remote subnet or include it in your local zone. In this example, we'll assume that you have created a zone called vpn to represent the remote subnet.

/etc/shorewall/zones — Systems A and B: #ZONE DISPLAY COMMENTS net Internet The big bad internet vpn VPN Virtual Private Network #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Remember the assumption that both systems A and B have eth0 as their internet interface. You must define the vpn zone using the /etc/shorewall/hosts file.

/etc/shorewall/hosts — System A #ZONE HOSTS OPTIONS vpn eth0:10.0.0.0/8 ipsec #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE /etc/shorewall/hosts — System B #ZONE HOSTS OPTIONS vpn eth0:192.168.1.0/24 ipsec #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Once you have these entries in place, restart Shorewall (type shorewall restart); you are now ready to configure IPSEC.

Mobile System (Road Warrior) Suppose that you have a laptop system (B) that you take with you when you travel and you want to be able to establish a secure connection back to your local network. Road Warrior VPN You need to define a zone for the laptop or include it in your local zone. In this example, we'll assume that you have created a zone called vpn to represent the remote host.

/etc/shorewall/zones — System A #ZONE DISPLAY COMMENTS net Internet The big bad internet vpn VPN Road Warriors #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

In this instance, the mobile system (B) has IP address 134.28.54.2 but that cannot be determined in advance. In the /etc/shorewall/tunnels file on system A, the following entry should be made:

#TYPE ZONE GATEWAY GATEWAY ZONE ipsec net 0.0.0.0/0 vpn #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

the GATEWAY ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system. The VPN zone is defined using the /etc/shorewall/hosts file:

/etc/shorewall/hosts — System A: #ZONE HOSTS OPTIONS vpn eth0:0.0.0.0/0 ipsec #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

You will need to configure your through the tunnel policy as shown under the first example above.

Transport Mode In today's wireless world, it is often the case that individual hosts in a network need to establish secure connections with the other hosts in that network. In that case, IPSEC transport mode is an appropriate solution. Here's an example using the ipsec-tools package. The files shown are from host 192.168.20.10; the configuration of the other nodes is similar.

/etc/racoon/racoon.conf: path pre_shared_key "/etc/racoon/psk.txt" ; remote anonymous { exchange_mode aggressive ; my_identifier user_fqdn "teastep@shorewall.net" ; lifetime time 24 hour ; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } sainfo anonymous { pfs_group 2; lifetime time 12 hour ; encryption_algorithm 3des, blowfish, des, rijndael ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } /etc/racoon/setkey.conf: # First of all flush the SPD database spdflush; # Add some SPD rules spdadd 192.168.20.10/32 192.168.20.20/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.20/require; spdadd 192.168.20.20/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.20.20-192.168.20.10/require; spdadd 192.168.20.10/32 192.168.20.30/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.30/require; spdadd 192.168.20.30/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.20.30-192.168.20.10/require; spdadd 192.168.20.10/32 192.168.20.40/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.40/require; spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.20.40-192.168.20.10/require; /etc/racoon/psk.txt: teastep@shorewall.net <key>

Shorewall configuration goes as follows:

/etc/shorewall/zones: #ZONE DISPLAY COMMENTS loc Local Local Network net Net Internet #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect routefilter,dhcp,tcpflags #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE /etc/shorewall/hosts: #ZONE HOST(S) OPTIONS loc eth0:192.168.20.0/24 ipsec #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE /etc/shorewall/policy: #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST fw all ACCEPT loc fw ACCEPT net loc NONE loc net NONE net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE Since there are no cases where net<->loc traffic should occur, NONE policies are used.