MIECT: Advanced Network Security 2013-14
Practical Exercise: IPSec with Linux and Windows
Due date: no date
V 1.0

1 Introduction

The goal of this work is to explore the functionalities of IPSec in several network settings involving Linux and Windows systems. To facilitate the deployment of the network setting outside the laboratory, we will use only Linux and Windows Server 2003 virtual machines to implement it. In this guide we will consider only the use of VirtualBox.

2 Network setting

We will use the 3 network settings of Figure 1. In all settings we will use both Linux and Windows systems. Settings 2 and 3 should be deployed by pairs of students (one with the network part on the left of the Internet cloud, the other with the network part on the right).

The Corporate network should be a host-only VirtualBox network; VirtualBox already features by default one network of this kind (VirtualBox Host-Only Ethernet Adapter). Start the VirtualBox DHCP service for the host-only network with the addresses indicated in Figure 1.

Hereafter, for simplicity, we will refer to each involved machine as VM 1, 2, 3 and 4, according to Figure 1. The interfaces of the virtual machines will also be named eth??, according to the same figure (also for Windows systems, irrespective of being named differently in those systems).

3 Virtual machines

3.1 Linux virtual machines

We will use a Linux live distribution for all Linux hosts. In this guide we will assume the Mint live distribution. Create the virtual machine for VM 1 and clone it to create the other two. Don't forget to remove the useless network interfaces, leaving only two: a multi-purpose one (which can be either NAT or bridged, to connect to the outside world if required) and a host-only one.

Figure 1: Three conceptual network settings (1), (2) and (3) and their effective deployment using virtual machines.
To reduce the workload while running many virtual machines simultaneously, use only, if possible, the console interface of Linux hosts. To shut down the graphical interface, stop the graphical window manager service. In Mint we do so with the following command:

    service mdm stop

3.2 Windows virtual machines

We will use a Windows Server 2003 virtual machine for all Windows hosts. The disk image for the virtual machine will be provided online on the subject's Web page. The Administrator's password is naomelembro.

3.3 Network configuration

All virtual machines will get their network interfaces configured by DHCP (IP address and netmask). However, default gateways and extra routes have to be set manually with the ifconfig command (or a similar one) in Linux machines, or with the network properties windows in Windows (right click on any network icon on the task bar, choose Open Network Connections, right click on the proper network interface and choose Properties).

4 IPSec configuration

Dealing with IPSec involves the configuration of two databases: the Security Policy Database (SPD) and the Security Association Database (SAD).

The SPD specifies the policies that determine the disposition of all IP traffic inbound to or outbound from a host or a gateway. The SPD must be consulted during the processing of all traffic (both inbound and outbound), including non-IPSec traffic. The policy entries in the SPD are totally ordered, and the first matched policy will be used to process the traffic. A policy has one or more policy contents, and each content corresponds to an IPSec protocol, either AH or ESP, or both.

The SAD is a security association table, containing the parameters that are associated with each security association. An SA is generated according to the policy contents. Each SA is able to provide the security service of either AH or ESP, but not both. Although possible, in this work we will not set up SAs by hand; we will use ISAKMP and IKE to create and manage them automatically.
The work to be developed consists in the creation of agreement profiles for IKE SAs and IPSec SAs, as well as policies for enforcing the use of a kind of IPSec protection on a particular type of traffic.

4.1 Linux

In Linux, IPSec is configured with the following tools (packages ipsec-tools and racoon):

• setkey. This tool can be used to manipulate and dump the kernel Security Policy Database (SPD) and Security Association Database (SAD).
• racoon. This is the Internet Key Exchange (IKE) daemon for automatically keying IPSec connections.
• racoonctl. This is a shell-based control tool for racoon. When installing the racoon package, choose the option (when prompted to) that allows racoon to be configured with this tool.

4.2 Windows

In Windows Server 2003 we should use the IP Security Monitor and the IP Security Policies to manage IPSec. These are implemented as MMC (Microsoft Management Console) snap-ins. To add these snap-ins, follow these steps:

• Click Start, click Run, type mmc, and then click OK.
• In the mmc window, click File, click Add/Remove Snap-in, and then click Add.
• Click IP Security Monitor, and then click Add.
• Click IP Security Policies, click Add, leave the default choice for the Local computer and click Finish.
• Click Close, and then click OK.

This console for managing IPSec (see Figure 2) can be saved into an MSC file, which can be executed whenever necessary to manage IPSec.

Figure 2: Example of mmc with the IPSec-related snap-ins in a Windows system.

5 Host-to-Host IPSec in Transport Mode

Set up network topology 1 of Figure 1. Hereafter we will assume that VM 1 has IP address addr1 and VM 2 has IP address addr2. Before proceeding, check if the two hosts can ping each other. In a separate console execute the following command (replace ethX by the appropriate interface name):

    tcpdump -n -i ethX

In the subsequent steps we will use IKE services in both a Linux and a Windows host with a common, pre-shared key (e.g. "naomelembro").
5.1 IKE setup

In VM 1 (Linux), create a root-owned bash console. Then edit the racoon key container (/etc/racoon/psk.txt) and add a pre-shared key for a host with IP address addr2 (follow the examples in the file contents).

Now edit the file /etc/racoon/racoon.conf and add the following sections to the end of it:

    remote anonymous {
        exchange_mode main,aggressive,base;
        passive off;
        proposal {
            dh_group modp1024;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            lifetime time 20 min;
        }
        generate_policy off;
    }

    sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 5 min;
    }

Once edited, stop the racoon daemon with racoon-tool stop and run the daemon in a separate console with the following command (to observe debug messages):

    racoon -F -d -v

Then execute the following commands:

    setkey -P -D
    setkey -D

As you can see, there are no IPSec SAs defined (yet!), nor are there host-oriented policies to create them (with IKE).

In VM 2, add a new IP security policy with the key shared with VM 1. Don't forget to check the boxes for selecting PFS for the IKE SA keys (master keys) and the IPSec keys!

5.2 AH only

The best way to configure IPSec policies is to put all configuration commands in a setkey command file, starting with a couple of commands that clear all IPSec databases (SPD and SAD). The following file contents set up AH protection in transport mode between VM 1 and VM 2:

    #!/usr/sbin/setkey -f
    # Flush all IPSec settings
    flush ;
    spdflush ;
    # Policies
    spdadd addr1 addr2 any -P out ipsec ah/transport//require;
    spdadd addr2 addr1 any -P in ipsec ah/transport//require;

This configuration file creates two policies that state that all traffic to and from VM 2 must be protected with IPSec using AH in transport mode. Once this command file is executed, VM 1 can no longer interact with VM 2 except with IPSec.
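As an added example (not part of the guide), the following Python script parses a setkey command file of the kind above, decodes each spdadd protection rule (protocol/mode/src-dst/level) and checks that every policy has its mirror image, so that a direction is never left without a matching policy; the addresses are constructed stand-ins for addr1 and addr2.

```python
"""Parse a setkey(8) command file like the ones in this exercise and check its
spdadd policies (each rule reads protocol/mode/src-dst/level; src-dst is empty
in transport mode).  Added example, not from the guide; addresses are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

SETKEY_FILE = """\
#!/usr/sbin/setkey -f
# Flush all IPSec settings
flush ;
spdflush ;
spdadd 192.168.56.101 192.168.56.102 any -P out ipsec ah/transport//require;
spdadd 192.168.56.102 192.168.56.101 any -P in ipsec ah/transport//require;
"""

SPDADD = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(.+);$")

@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str                               # upper-layer selector, e.g. "any"
    direction: str                           # "in" or "out"
    protections: Tuple[Tuple[str, str, str], ...]  # (protocol, mode, level), in order

def parse_policies(text: str) -> List[Policy]:
    """Return the spdadd entries of a setkey file; other lines are skipped."""
    policies = []
    for line in text.splitlines():
        m = SPDADD.match(line.strip())
        if not m:
            continue                         # shebang, comments, flush, spdflush
        src, dst, upper, direction, rules = m.groups()
        prots = []
        for rule in rules.split():           # e.g. "esp/transport//require"
            proto, mode, _endpoints, level = rule.split("/")
            prots.append((proto, mode, level))
        policies.append(Policy(src, dst, upper, direction, tuple(prots)))
    return policies

def unmatched_policies(policies: List[Policy]) -> List[Policy]:
    """Policies without a mirror image (swapped addresses, opposite direction,
    same protection).  A one-sided 'require' policy leaves the other direction
    unprotected, which is why the files in this guide always come in pairs."""
    def key(p: Policy):
        return (p.src, p.dst, p.upper, p.direction, p.protections)
    mirrors = {(p.dst, p.src, p.upper, "in" if p.direction == "out" else "out", p.protections)
               for p in policies}
    return [p for p in policies if key(p) not in mirrors]
```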
Since the required IPSec SAs are not yet configured, communication between VM 1 and VM 2 through IPSec SAs is at this point impossible; it requires an IKE negotiation to set up new IPSec SAs. Check it by executing a ping in VM 1 and observing the exchanged packets with tcpdump -n -i ethX. Notice the presence of ISAKMP packets (UDP port 500).

5.3 ESP only

To configure ESP in transport mode we do pretty much the same in the Linux machine as we did for AH:

    #!/usr/sbin/setkey -f
    # Flush all IPSec settings
    flush ;
    spdflush ;
    # Policies
    spdadd addr1 addr2 any -P out ipsec esp/transport//require;
    spdadd addr2 addr1 any -P in ipsec esp/transport//require;

Execute this file and check with tcpdump the IPSec dialog and the traffic protection with ESP.

5.4 ESP and AH, simultaneously

Add both ESP and AH directives to each spdadd directive, in order to get packets protected with both ESP and AH:

    #!/usr/sbin/setkey -f
    # Flush all IPSec settings
    flush ;
    spdflush ;
    # Policies
    spdadd addr1 addr2 any -P out ipsec esp/transport//require ah/transport//require;
    spdadd addr2 addr1 any -P in ipsec esp/transport//require ah/transport//require;

Check with ping that you cannot interact with VM 2. The reason is that its IPSec policy does not allow the combined use of ESP and AH. Without stopping the ping, fix the IPSec configuration of VM 2 and verify that ping starts to work. Check the IPSec protection on the captured packets. Check the existing IPSec SAs in VM 1 with the command setkey -D. In VM 2, check the existing SAs in the IP Security Monitor (Main Mode for IKE SAs and Quick Mode for IPSec SAs).
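The tcpdump checks in Sections 5.2 to 5.4 all come down to telling apart cleartext, ISAKMP, AH, ESP and AH+ESP packets. As an added example (not part of the guide), the Python script below classifies tcpdump -n lines that way and flags cleartext packets appearing after IKE has started, which with a require policy in place should not happen; the capture is constructed to mimic tcpdump's text output.

```python
"""Classify 'tcpdump -n -i ethX' lines into the traffic types this exercise asks
you to observe: cleartext, IKE (ISAKMP on UDP 500), AH, ESP and AH+ESP.  Added
example, not part of the guide; CAPTURE is constructed to mimic tcpdump output."""
import re
from collections import Counter
from typing import Dict, List, Tuple

CAPTURE = """\
12:00:00.1 IP 192.168.56.101 > 192.168.56.102: ICMP echo request, id 1, seq 1, length 64
12:00:01.2 IP 192.168.56.101.500 > 192.168.56.102.500: isakmp: phase 1 I ident
12:00:01.3 IP 192.168.56.102.500 > 192.168.56.101.500: isakmp: phase 1 R ident
12:00:02.4 IP 192.168.56.101.500 > 192.168.56.102.500: isakmp: phase 2/others I oakley-quick[E]
12:00:03.5 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0000100a,seq=0x1): ICMP echo request, id 1, seq 4, length 64
12:00:03.6 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x0000200b,seq=0x1): ICMP echo reply, id 1, seq 4, length 64
12:00:04.7 IP 192.168.56.101 > 192.168.56.102: ESP(spi=0x0000300c,seq=0x1), length 116
12:00:05.8 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0000400d,seq=0x1): ESP(spi=0x0000500e,seq=0x1), length 140
"""

# timestamp, "IP", src[.port], ">", dst[.port], ":", rest of the decoded line
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def classify(src: str, dst: str, payload: str) -> str:
    """Map one decoded tcpdump line to a traffic type."""
    has_ah, has_esp = payload.startswith("AH("), "ESP(" in payload
    if has_ah and has_esp:
        return "AH+ESP"            # Section 5.4: both headers on one packet
    if has_ah or has_esp:
        return "AH" if has_ah else "ESP"
    if payload.startswith("isakmp:") and src.endswith(".500") and dst.endswith(".500"):
        return "IKE"               # ISAKMP negotiation on UDP port 500
    return "cleartext"

def decode(capture: str) -> List[Tuple[str, str]]:
    """(line, traffic type) for every parseable line, in capture order."""
    return [(l, classify(*m.groups())) for l in capture.splitlines() if (m := LINE.match(l))]

def summarize(capture: str) -> Dict[str, int]:
    return dict(Counter(kind for _, kind in decode(capture)))

def cleartext_after_ike(capture: str) -> List[str]:
    """Cleartext packets seen once IKE has started.  With a 'require' policy in
    place there should be none; a non-empty result means the SPD is not
    enforcing the protection you configured."""
    leaks, seen_ike = [], False
    for line, kind in decode(capture):
        seen_ike = seen_ike or kind == "IKE"
        if seen_ike and kind == "cleartext":
            leaks.append(line)
    return leaks
```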