
IPsec integration with switch mode GVPN based on Racoon IPSec Framework

Saumitra Aditya edited this page Nov 19, 2015 · 3 revisions

Introduction

This article describes how to deploy IPsec/Racoon on an OpenWRT+IPOP device operating in L2-IPOP switch mode. Because L2 switching works below the IP layer while IPsec is an IP-layer protocol, IPsec cannot be configured against IPOP endpoints or the IPOP address space. Instead, certificates are created and racoon is configured with the routers' public endpoints. This approach assumes that routers have static public IP endpoints; supporting a router that keeps moving and consequently changes its public endpoint would require additional development. Additional methods introduced in the GroupVPN controller determine the public endpoints of remote routers and deploy security policies on the local router automatically.

Installation and Configuration

The default installation of racoon places its configuration file under '/etc/'. To make it work on OpenWRT, install the packages listed below (the commands are for OpenWRT):

opkg update
opkg install ipsec-tools
opkg install kmod-ipsec4

A reboot is required to load the kernel modules. If deploying for containers in a Linux environment, racoon needs to be installed separately.

racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen
{
    # public IP endpoint for self.
    isakmp 10.244.19.214 [500];
    isakmp_natt 10.244.19.214 [4500];
}

remote anonymous {
    # phase 1 (ISAKMP) proposal offered to any peer
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
    # peer certificate, private key and CA, relative to the certificate path above
    certificate_type x509 "cert.pem" "key.pem";
    ca_type x509 "rootCA.pem";
    my_identifier asn1dn;
    verify_identifier off;
    exchange_mode main;
    nat_traversal on;
}

sainfo anonymous {
    # phase 2 (IPsec SA) parameters
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
    encryption_algorithm 3des;
}
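Before copying the configuration above onto a fleet of routers it is worth checking it mechanically: the proposal it ships uses 3DES, SHA-1 and the 1024-bit MODP group, and `verify_identifier off` means a peer's claimed identity is not matched against the certificate it presents. The following is an added example, not code from the page or the IPOP project: a minimal parser for racoon's brace/semicolon syntax and an audit that flags those settings. The list of what counts as legacy is this example's own assumption (it follows the general direction of RFC 8247, which discourages 3DES and 1024-bit MODP); adjust it to local policy.

```python
"""Audit a racoon.conf for legacy algorithm choices and disabled peer checks.

Added example, not code from the IPOP project or the original wiki page.
The LEGACY table is this example's own assumption.
"""
import re

# Constructed input: the remote/sainfo sections from the page's racoon.conf.
SAMPLE_CONF = """\
remote anonymous {
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
        dh_group modp1024;
        }
        certificate_type x509 "cert.pem" "key.pem";
        ca_type x509 "rootCA.pem" ;
        my_identifier asn1dn ;
        verify_identifier off;   # peer ID is not matched against its cert
        exchange_mode main;
        nat_traversal on;
}
sainfo anonymous {
     authentication_algorithm hmac_sha1;
     compression_algorithm deflate;
        pfs_group modp1024;
        encryption_algorithm 3des;
}
"""

# Values this example treats as legacy (assumption; tune to local policy).
LEGACY = {
    "encryption_algorithm": {"des", "3des", "blowfish", "cast128"},
    "hash_algorithm": {"md5", "sha1"},
    "authentication_algorithm": {"hmac_md5", "hmac_sha1"},
    "dh_group": {"1", "2", "5", "modp768", "modp1024", "modp1536"},
    "pfs_group": {"1", "2", "5", "modp768", "modp1024", "modp1536"},
}


def tokenize(text):
    """Strip '#' comments and split into braces, semicolons, quoted strings and words."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse(tokens, pos=0):
    """Parse tokens into a nested dict; returns (section, next_pos).

    'a b c ;' becomes {'a': ['b', 'c']} and 'a b { ... }' becomes
    {'a b': {...}}, so block headers such as 'remote anonymous' stay readable.
    """
    section, words = {}, []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            if words:
                section[words[0]] = words[1:]
            words = []
        elif tok == "{":
            child, pos = parse(tokens, pos)
            section[" ".join(words)] = child
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return section, pos


def audit(section, path=""):
    """Walk the parsed tree; return (location, message) findings in config order."""
    findings = []
    for key, value in section.items():
        here = f"{path}/{key}" if path else key
        if isinstance(value, dict):
            findings.extend(audit(value, here))
            continue
        choice = value[0] if value else ""
        if key in LEGACY and choice in LEGACY[key]:
            findings.append((here, f"'{choice}' is a legacy choice; prefer AES, SHA-2 and at least modp2048"))
        elif key == "verify_identifier" and choice == "off":
            findings.append((here, "peer identifier is not checked against the presented certificate"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse configuration text and audit it."""
    section, _ = parse(tokenize(text))
    return audit(section)


if __name__ == "__main__":
    for location, message in audit_text(SAMPLE_CONF):
        print(f"{location}: {message}")
```

Run against the page's configuration this reports seven findings: the three phase 1 proposal values, `verify_identifier off`, and the three phase 2 values in `sainfo`. A configuration using `aes`, `sha256` and `modp2048` with `verify_identifier on` produces none.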

Creating certificates

Root key

openssl genrsa -out rootCA.key 2048

Root certificate

openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

Once we have the root CA certificate and key, we can sign certificates for peers. First, create a private key for the peer:

openssl genrsa -out key.pem 2048

Then create a certificate signing request:

openssl req -new -key key.pem -out device.csr

Point to be noted: the CN (Common Name) should be your public IP endpoint or your DNS hostname. The entity owning the root CA can then service this request and create a signed certificate:

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out cert.pem -days 500

Now place rootCA.pem, the peer certificate and the key in "/etc/racoon/certs" (create the directory if it does not exist). The listing must look like this:

root@OpenWrt:/etc/racoon# cd /etc/racoon/certs/
root@OpenWrt:/etc/racoon/certs# ls
cert.pem    key.pem     rootCA.pem
root@OpenWrt:/etc/racoon/certs# 

For manual security-association management, the script below can be used; otherwise the controller takes care of it automatically. The spdadd statements install security policies, and racoon negotiates the matching security associations when traffic hits them.

#! /bin/bash
setkey -c << EOF
#flush ;
#spdflush ;
spdadd 10.244.19.214/32 10.244.19.196/32 any -P out ipsec esp/transport//require ;
spdadd 10.244.19.196/32 10.244.19.214/32 any -P in  ipsec esp/transport//require ;
EOF

Once the racoon daemon is running, execute the script to add the policies. For the "out" rule the first field is the local address range, followed by the remote address range on which IPsec is to be enforced; for "in" the first field is the remote range, followed by the local range. We use ESP transport mode. On OpenWRT replace "bash" with "sh" in the leading line. The file should have the permissions shown below:

-rwx--x--x    1 root     root           219 May 13 14:38 setkey.sh

Deploying the modified controller to support IPsec

Assumptions

The IPsec racoon daemon is already running; ensure that no unwanted security associations are active. This can be checked on the command line as follows.

Start racoon in the foreground:

/usr/sbin/racoon -F

or start it in the background:

sudo /etc/init.d/racoon start

To check the current security associations:

setkey -DP

Once Racoon is running, start IPOP in the regular manner for switch mode (see Openwrt-switchmode); the modified controller code can be found at ipsec_gvpn_controller. Once started, it initiates connections with remote peers and deploys policies for securing the traffic. The IPsec logs below show a successful IPsec setup:

2015-05-13 14:36:03: INFO: NAT not detected 
2015-05-13 14:36:03: INFO: ISAKMP-SA established 10.244.19.214[500]-10.244.19.196[500] spi:88459f361730319d:b53f694af8d584ff
2015-05-13 14:36:03: [10.244.19.196] INFO: received INITIAL-CONTACT
2015-05-13 14:47:27: INFO: unsupported PF_KEY message REGISTER
2015-05-13 14:47:27: INFO: initiate new phase 2 negotiation: 10.244.19.214[500]<=>10.244.19.196[500]
2015-05-13 14:47:30: INFO: respond new phase 2 negotiation: 10.244.19.214[500]<=>10.244.19.196[500]
2015-05-13 14:47:30: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=106805376(0x65db880)
2015-05-13 14:47:30: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=205230484(0xc3b9194)
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=56292994(0x35af682)
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=5110974(0x4dfcbe)

Note both "ISAKMP-SA established 10.244.19.214[500]-10.244.19.196[500]", which denotes a successful phase 1, and "INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=56292994(0x35af682)", which denotes a completed phase 2.
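Reading these two messages by eye is fine for one peer; with a controller bringing up many peers it helps to replay the log and keep a per-peer view of whether phase 1 is up and which ESP SAs are live. The following is an added example, not code from the page or the IPOP controller. The "established" lines are the page's own log; the final "expired" line is constructed to show an SA being retired, and racoon's exact wording for that event is assumed here.

```python
"""Track IKE phase 1 / phase 2 state per peer from racoon log lines.

Added example, not part of the original page or the IPOP controller.
The 'IPsec-SA expired' line and its format are this example's assumption.
"""
import re

LOCAL = "10.244.19.214"  # this router's public endpoint, as on the page

# Constructed sample: the page's log lines plus one constructed expiry line.
SAMPLE_LOG = """\
2015-05-13 14:36:03: INFO: NAT not detected
2015-05-13 14:36:03: INFO: ISAKMP-SA established 10.244.19.214[500]-10.244.19.196[500] spi:88459f361730319d:b53f694af8d584ff
2015-05-13 14:36:03: [10.244.19.196] INFO: received INITIAL-CONTACT
2015-05-13 14:47:27: INFO: unsupported PF_KEY message REGISTER
2015-05-13 14:47:27: INFO: initiate new phase 2 negotiation: 10.244.19.214[500]<=>10.244.19.196[500]
2015-05-13 14:47:30: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=106805376(0x65db880)
2015-05-13 14:47:30: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=205230484(0xc3b9194)
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=56292994(0x35af682)
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=5110974(0x4dfcbe)
2015-05-13 15:47:30: INFO: IPsec-SA expired: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=106805376(0x65db880)
"""

# Phase 1: "ISAKMP-SA established A[500]-B[500] spi:..."
ISAKMP_RE = re.compile(
    r"^(?P<ts>\S+ \S+): INFO: ISAKMP-SA (?P<action>established|expired|deleted) "
    r"(?P<a>[\d.]+)\[\d+\]-(?P<b>[\d.]+)\[\d+\](?: spi:(?P<spi>\S+))?"
)
# Phase 2: "IPsec-SA established: ESP/Transport A[500]->B[500] spi=N(0x..)"
IPSEC_RE = re.compile(
    r"^(?P<ts>\S+ \S+): INFO: IPsec-SA (?P<action>established|expired): "
    r"ESP/(?P<mode>\w+) (?P<a>[\d.]+)\[\d+\]->(?P<b>[\d.]+)\[\d+\] spi=(?P<spi>\d+)"
)


def parse_event(line, local=LOCAL):
    """Return a dict for phase 1/2 SA events, or None for any other log line."""
    for kind, rx in (("isakmp", ISAKMP_RE), ("ipsec", IPSEC_RE)):
        m = rx.match(line)
        if m:
            a, b = m.group("a"), m.group("b")
            peer = b if a == local else a      # the address that is not ours
            spi = m.group("spi")
            return {"ts": m.group("ts"), "kind": kind, "action": m.group("action"),
                    "peer": peer, "spi": int(spi) if kind == "ipsec" else spi}
    return None


def sa_state(lines, local=LOCAL):
    """Replay events in order; return {peer: {"phase1": bool, "ipsec_spis": set}}."""
    state = {}
    for line in lines:
        ev = parse_event(line, local)
        if ev is None:
            continue
        entry = state.setdefault(ev["peer"], {"phase1": False, "ipsec_spis": set()})
        if ev["kind"] == "isakmp":
            entry["phase1"] = ev["action"] == "established"
        elif ev["action"] == "established":
            entry["ipsec_spis"].add(ev["spi"])
        else:
            entry["ipsec_spis"].discard(ev["spi"])
    return state


def peer_status(state, peer):
    """Verdict for one peer: is traffic to it currently protected by ESP?"""
    entry = state.get(peer)
    if entry is None or not entry["phase1"]:
        return "no ISAKMP-SA"      # phase 1 never completed or was torn down
    if not entry["ipsec_spis"]:
        return "phase 1 only"      # IKE is up but no ESP SA protects traffic
    return "secured"


if __name__ == "__main__":
    st = sa_state(SAMPLE_LOG.splitlines())
    for peer in st:
        print(peer, peer_status(st, peer), sorted(st[peer]["ipsec_spis"]))
```

For the sample, 10.244.19.196 ends up "secured" with three live SPIs (the fourth was retired by the constructed expiry line); a peer for which only the ISAKMP-SA line has appeared is reported as "phase 1 only", which is the state to look for when policies are deployed but traffic is still unprotected.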

tcpdump output when sending ICMP messages between client nodes, as captured on the router:

root@OpenWrt:/etc/racoon# tcpdump -ni any -v esp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:48:20.026689 IP (tos 0x0, ttl 64, id 13520, offset 0, flags [DF], proto ESP (50), length 176)
    10.244.19.196 > 10.244.19.214: ESP(spi=0x035af682,seq=0xd3), length 156
14:48:20.028262 IP (tos 0x0, ttl 64, id 50565, offset 0, flags [DF], proto ESP (50), length 128)
    10.244.19.214 > 10.244.19.196: ESP(spi=0x004dfcbe,seq=0xd5), length 108
14:48:20.500353 IP (tos 0x0, ttl 64, id 50566, offset 0, flags [DF], proto ESP (50), length 176)
    10.244.19.214 > 10.244.19.196: ESP(spi=0x004dfcbe,seq=0xd6), length 156
14:48:20.502025 IP (tos 0x0, ttl 64, id 13521, offset 0, flags [DF], proto ESP (50), length 128)
    10.244.19.196 > 10.244.19.214: ESP(spi=0x035af682,seq=0xd4), length 108
14:48:20.505987 IP (tos 0x0, ttl 64, id 13522, offset 0, flags [DF], proto ESP (50), length 176)
    10.244.19.196 > 10.244.19.214: ESP(spi=0x035af682,seq=0xd5), length 156
14:48:20.507442 IP (tos 0x0, ttl 64, id 50567, offset 0, flags [DF], proto ESP (50), length 128)
    10.244.19.214 > 10.244.19.196: ESP(spi=0x004dfcbe,seq=0xd7), length 108

Check security associations (setkey -DP dumps the security policy entries):

root@OpenWrt:/etc/racoon# setkey -DP
10.244.19.196[any] 10.244.19.214[any] 255
	in ipsec
	esp/transport//require
	created: May 13 14:58:44 2015  lastused: May 13 14:59:04 2015
	lifetime: 0(s) validtime: 0(s)
	spid=56 seq=1 pid=2605
	refcnt=3
10.244.19.214[any] 10.244.19.196[any] 255
	out ipsec
	esp/transport//require
	created: May 13 14:58:44 2015  lastused: May 13 14:59:04 2015
	lifetime: 0(s) validtime: 0(s)
	spid=49 seq=2 pid=2605
	refcnt=3
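The "ensure that no unwanted security associations are active" step above is easy to skip when a controller is adding policies on your behalf. The following is an added example, not code from the page or the IPOP controller: it parses `setkey -DP` output into policy records, compares them with the policies a known peer list should produce (one "out" and one "in" ESP transport-mode policy per peer, the shape of the page's setkey script), and reports what is missing or unexpected. The sample dump is the page's output plus one constructed entry for a peer that is not on the list.

```python
"""Compare `setkey -DP` output with the policies expected for a peer list.

Added example, not code from the original page or the IPOP controller.
The expected-policy shape (ESP transport, in/out per peer) is an assumption.
"""
import re

LOCAL = "10.244.19.214"      # this router's public endpoint (from the page)
PEERS = ["10.244.19.196"]    # peers the controller is expected to secure

# Constructed sample: the page's dump plus a constructed policy for 10.244.19.50.
SAMPLE_DUMP = """\
10.244.19.196[any] 10.244.19.214[any] 255
	in ipsec
	esp/transport//require
	created: May 13 14:58:44 2015  lastused: May 13 14:59:04 2015
	lifetime: 0(s) validtime: 0(s)
	spid=56 seq=1 pid=2605
	refcnt=3
10.244.19.214[any] 10.244.19.196[any] 255
	out ipsec
	esp/transport//require
	created: May 13 14:58:44 2015  lastused: May 13 14:59:04 2015
	lifetime: 0(s) validtime: 0(s)
	spid=49 seq=2 pid=2605
	refcnt=3
10.244.19.214[any] 10.244.19.50[any] 255
	out ipsec
	esp/transport//require
	created: May 13 15:10:00 2015  lastused: May 13 15:10:30 2015
	lifetime: 0(s) validtime: 0(s)
	spid=61 seq=0 pid=2605
	refcnt=1
"""

# An unindented "src[port] dst[port] proto" line starts a policy record.
HEADER_RE = re.compile(r"^(?P<src>[\d./]+)\[(?P<sport>\w+)\] (?P<dst>[\d./]+)\[(?P<dport>\w+)\] (?P<proto>\S+)$")
DIR_RE = re.compile(r"^\s+(?P<dir>in|out|fwd) (?P<action>ipsec|discard|none)$")
RULE_RE = re.compile(r"^\s+(?P<rule>\w+/\w+/[^/]*/\w+)$")   # e.g. esp/transport//require
SPID_RE = re.compile(r"^\s+spid=(?P<spid>\d+)")


def parse_spd(text):
    """Return a list of policy dicts from setkey -DP output."""
    policies = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            policies.append({"src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
                             "dir": None, "action": None, "rule": None, "spid": None})
            continue
        if not policies:
            continue                         # ignore anything before the first record
        cur = policies[-1]
        for rx, keys in ((DIR_RE, ("dir", "action")), (RULE_RE, ("rule",)), (SPID_RE, ("spid",))):
            m = rx.match(line)
            if m:
                for k in keys:
                    cur[k] = m.group(k)
                break
    return policies


def expected_policies(local=LOCAL, peers=PEERS):
    """(src, dst, dir) triples the controller should have deployed."""
    want = set()
    for peer in peers:
        want.add((local, peer, "out"))
        want.add((peer, local, "in"))
    return want


def diff_policies(policies, local=LOCAL, peers=PEERS):
    """Return (missing, unexpected); only ESP transport 'ipsec' policies count as present."""
    present = {(p["src"], p["dst"], p["dir"]) for p in policies
               if p["action"] == "ipsec" and p["rule"] == "esp/transport//require"}
    want = expected_policies(local, peers)
    return want - present, present - want


def spdadd_lines(local, peer):
    """setkey statements that would install the two policies for one missing peer."""
    return [f"spdadd {local}/32 {peer}/32 any -P out ipsec esp/transport//require ;",
            f"spdadd {peer}/32 {local}/32 any -P in ipsec esp/transport//require ;"]


if __name__ == "__main__":
    missing, unexpected = diff_policies(parse_spd(SAMPLE_DUMP))
    print("missing:", sorted(missing))
    print("unexpected:", sorted(unexpected))
```

On the sample this reports nothing missing for 10.244.19.196 and one unexpected outbound policy towards 10.244.19.50; an unexpected entry is the thing to investigate (or remove with spddelete) before trusting the router's SPD, while a missing pair can be installed with the spdadd lines the last function produces.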

## References

  1. Using the Racoon IKE/ISAKMP daemon

  2. Building a tunnelled VPN using ESP (static IPs, through NAT)

  3. Racoon.conf Man page
