# IPsec integration with switch mode GVPN based on the Racoon IPsec framework

This article describes how to deploy IPsec/Racoon on an OpenWRT+IPOP device operating in L2-IPOP switch mode. Because L2 switching works below the IP layer while IPsec is an IP-layer protocol, IPsec policies cannot be expressed in terms of IPOP endpoints and address space. Instead, certificates are created and racoon is configured with the routers' public endpoints. This approach assumes that the routers have static public IP endpoints; supporting a router that moves and consequently changes its public endpoint would require additional development. Additional methods introduced in the GroupVPN controller determine the public endpoints of remote routers and deploy security policies on the local router automatically.
A default installation of racoon puts its configuration file under the '/etc/' folder. To make it work on OpenWRT, install the packages listed below. The following commands are for OpenWRT.

```sh
opkg update
opkg install ipsec-tools
opkg install kmod-ipsec4
```
A reboot is required to load the kernel modules. If deploying in Linux containers, racoon needs to be installed separately. The racoon configuration used in this setup is shown below.
```
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

listen
{
    # public IP endpoint for self.
    isakmp 10.244.19.214 [500];
    isakmp_natt 10.244.19.214 [4500];
}

remote anonymous {
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
    certificate_type x509 "cert.pem" "key.pem";
    ca_type x509 "rootCA.pem";
    my_identifier asn1dn;
    verify_identifier off;
    exchange_mode main;
    nat_traversal on;
}

sainfo anonymous {
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
    encryption_algorithm 3des;
}
```
Create the root key:

```sh
openssl genrsa -out rootCA.key 2048
```

Create the root certificate:

```sh
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
```
Once we have the rootCA and its key, we can issue certificates for peers.

Create a private key for the peer:

```sh
openssl genrsa -out key.pem 2048
```

Create a certificate signing request:

```sh
openssl req -new -key key.pem -out device.csr
```

Note: the CN (Common Name) should be your public IP endpoint or your DNS hostname. The entity owning the rootCA can then service this request and create a signed certificate:

```sh
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out cert.pem -days 500
```
Now place rootCA.pem, the peer certificate and the key in "/etc/racoon/certs" (create the directory if it does not exist). It must look like:

```
root@OpenWrt:/etc/racoon# cd /etc/racoon/certs/
root@OpenWrt:/etc/racoon/certs# ls
cert.pem key.pem rootCA.pem
root@OpenWrt:/etc/racoon/certs#
```
For manual security-association management, the script below can be used. Otherwise the controller takes care of it automatically.

```bash
#! /bin/bash
# Feed policies to the kernel SPD via setkey. Uncomment the two flush lines
# to start from a clean SAD/SPD.
setkey -c << EOF
#flush ;
#spdflush ;
# outbound: local endpoint -> remote endpoint, ESP in transport mode required
spdadd 10.244.19.214/32 10.244.19.196/32 any -P out ipsec esp/transport//require ;
# inbound: remote endpoint -> local endpoint
spdadd 10.244.19.196/32 10.244.19.214/32 any -P in ipsec esp/transport//require ;
EOF
```
Once the racoon daemon is running, execute the script to install the security policies; racoon then negotiates the corresponding security associations. In the "out" rule the first field is the local address range, followed by the remote address range on which IPsec is to be enforced; in the "in" rule the first field is the remote range, followed by the local one. We use ESP transport mode. For OpenWRT, replace "bash" by "sh" in the leading line. The file should have the permissions shown below.

```
-rwx--x--x 1 root root 219 May 13 14:38 setkey.sh
```
If the racoon daemon is already running, ensure that no unwanted security associations are active. This can be checked on the command line as follows.

Start racoon in the foreground:

```sh
/usr/sbin/racoon -F
```

or start racoon in the background:

```sh
sudo /etc/init.d/racoon start
```

To check the current security associations:

```sh
setkey -DP
```
Once racoon is running, start IPOP in the regular manner for switch mode (see Openwrt-switchmode); the modified controller code can be found in ipsec_gvpn_controller. Once started, it initiates connections with the remote peers and deploys policies for securing the traffic. The racoon logs below show a successful IPsec set-up:

```
2015-05-13 14:36:03: INFO: NAT not detected
2015-05-13 14:36:03: INFO: ISAKMP-SA established 10.244.19.214[500]-10.244.19.196[500] spi:88459f361730319d:b53f694af8d584ff
2015-05-13 14:36:03: [10.244.19.196] INFO: received INITIAL-CONTACT
2015-05-13 14:47:27: INFO: unsupported PF_KEY message REGISTER
2015-05-13 14:47:27: INFO: initiate new phase 2 negotiation: 10.244.19.214[500]<=>10.244.19.196[500]
2015-05-13 14:47:30: INFO: respond new phase 2 negotiation: 10.244.19.214[500]<=>10.244.19.196[500]
2015-05-13 14:47:30: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=106805376(0x65db880)
2015-05-13 14:47:30: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=205230484(0xc3b9194)
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=56292994(0x35af682)
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=5110974(0x4dfcbe)
```
Note both "ISAKMP-SA established 10.244.19.214[500]-10.244.19.196[500]", which denotes a successful phase 1, and "INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=56292994(0x35af682)", which denotes a completed phase 2.

tcpdump output when sending ICMP messages between client nodes, as captured on the router:

```
root@OpenWrt:/etc/racoon# tcpdump -ni any -v esp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:48:20.026689 IP (tos 0x0, ttl 64, id 13520, offset 0, flags [DF], proto ESP (50), length 176)
    10.244.19.196 > 10.244.19.214: ESP(spi=0x035af682,seq=0xd3), length 156
14:48:20.028262 IP (tos 0x0, ttl 64, id 50565, offset 0, flags [DF], proto ESP (50), length 128)
    10.244.19.214 > 10.244.19.196: ESP(spi=0x004dfcbe,seq=0xd5), length 108
14:48:20.500353 IP (tos 0x0, ttl 64, id 50566, offset 0, flags [DF], proto ESP (50), length 176)
    10.244.19.214 > 10.244.19.196: ESP(spi=0x004dfcbe,seq=0xd6), length 156
14:48:20.502025 IP (tos 0x0, ttl 64, id 13521, offset 0, flags [DF], proto ESP (50), length 128)
    10.244.19.196 > 10.244.19.214: ESP(spi=0x035af682,seq=0xd4), length 108
14:48:20.505987 IP (tos 0x0, ttl 64, id 13522, offset 0, flags [DF], proto ESP (50), length 176)
    10.244.19.196 > 10.244.19.214: ESP(spi=0x035af682,seq=0xd5), length 156
14:48:20.507442 IP (tos 0x0, ttl 64, id 50567, offset 0, flags [DF], proto ESP (50), length 128)
    10.244.19.214 > 10.244.19.196: ESP(spi=0x004dfcbe,seq=0xd7), length 108
```
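As an added example (not part of the original page or the IPOP project), the following Python correlates the two outputs above: it parses racoon's "ISAKMP-SA established" and "IPsec-SA established" lines for the negotiated SPIs and flags any ESP SPI seen by tcpdump that racoon never negotiated, which is how to confirm that only expected security associations are carrying traffic. The sample log and capture lines are constructed from the output above (tcpdump header lines omitted), with one extra flow using SPI 0x00000bad planted as an unknown.

```python
import re
# Constructed sample input: racoon log and tcpdump lines from above, plus one
# planted ESP flow whose SPI racoon never negotiated.
RACOON_LOG = """\
2015-05-13 14:36:03: INFO: ISAKMP-SA established 10.244.19.214[500]-10.244.19.196[500] spi:88459f361730319d:b53f694af8d584ff
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=56292994(0x35af682)
2015-05-13 14:47:37: INFO: IPsec-SA established: ESP/Transport 10.244.19.214[500]->10.244.19.196[500] spi=5110974(0x4dfcbe)
"""
TCPDUMP_OUT = """\
10.244.19.196 > 10.244.19.214: ESP(spi=0x035af682,seq=0xd3), length 156
10.244.19.214 > 10.244.19.196: ESP(spi=0x004dfcbe,seq=0xd5), length 108
10.244.19.214 > 10.244.19.196: ESP(spi=0x00000bad,seq=0x01), length 108
"""
ISAKMP_RE = re.compile(r"ISAKMP-SA established (\S+?)\[\d+\]-(\S+?)\[\d+\]")
IPSEC_RE = re.compile(r"IPsec-SA established: ESP/Transport .* spi=(\d+)\(0x([0-9a-f]+)\)")
ESP_RE = re.compile(r"^(\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),")

def parse_racoon_log(text):
    """Return (phase1_pairs, esp_spis): peer pairs with an ISAKMP-SA, and SPIs of the IPsec-SAs."""
    phase1, spis = set(), set()
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            phase1.add(frozenset(m.groups()))
        m = IPSEC_RE.search(line)
        if m:
            dec, hx = m.groups()
            if int(dec) != int(hx, 16):  # racoon prints the SPI twice; both forms must agree
                raise ValueError(f"inconsistent SPI in log line: {line}")
            spis.add(int(dec))
    return phase1, spis

def parse_esp_packets(text):
    """Return (src, dst, spi) for each ESP packet line printed by 'tcpdump -n esp'."""
    pkts = []
    for line in text.splitlines():
        m = ESP_RE.match(line.strip())
        if m:
            src, dst, hx = m.groups()
            pkts.append((src, dst, int(hx, 16)))  # int() normalises 0x035af682 vs 0x35af682
    return pkts

def phase1_established(log_text, peer_a, peer_b):
    """True if racoon logged an ISAKMP-SA (phase 1) between the two endpoints, in either order."""
    return frozenset((peer_a, peer_b)) in parse_racoon_log(log_text)[0]

def unknown_esp_flows(log_text, dump_text):
    """ESP flows seen on the wire whose SPI racoon never negotiated: [(src, dst, '0x........')]."""
    known = parse_racoon_log(log_text)[1]
    return sorted({(s, d, f"0x{spi:08x}") for s, d, spi in parse_esp_packets(dump_text) if spi not in known})
```

Run it against a real `racoon -F` log and `tcpdump -ni any esp` capture from the same router; an empty result from `unknown_esp_flows` means every ESP flow on the wire belongs to a negotiated SA.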
Check the security associations:

```
root@OpenWrt:/etc/racoon# setkey -DP
10.244.19.196[any] 10.244.19.214[any] 255
	in ipsec
	esp/transport//require
	created: May 13 14:58:44 2015  lastused: May 13 14:59:04 2015
	lifetime: 0(s) validtime: 0(s)
	spid=56 seq=1 pid=2605
	refcnt=3
10.244.19.214[any] 10.244.19.196[any] 255
	out ipsec
	esp/transport//require
	created: May 13 14:58:44 2015  lastused: May 13 14:59:04 2015
	lifetime: 0(s) validtime: 0(s)
	spid=49 seq=2 pid=2605
	refcnt=3
```
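As an added example (not from the page or the IPOP project), this Python generates the two spdadd policies that the setkey.sh script above installs for a given peer, and audits a `setkey -DP` dump against the per-peer set expected for a list of peers, so that a policy toward a host that is not a peer, or a stale one left from an earlier run, stands out. The dump is constructed from the output above with one extra policy planted; 198.51.100.7 is a documentation address.

```python
import ipaddress
import re
# Constructed from the 'setkey -DP' output above (created/lifetime lines dropped), plus one
# extra policy toward 198.51.100.7 (a documentation address) that is not an IPOP peer.
SETKEY_DP = """\
10.244.19.196[any] 10.244.19.214[any] 255
	in ipsec
	esp/transport//require
	spid=56 seq=1 pid=2605
10.244.19.214[any] 10.244.19.196[any] 255
	out ipsec
	esp/transport//require
	spid=49 seq=2 pid=2605
10.244.19.214[any] 198.51.100.7[any] 255
	out ipsec
	esp/transport//require
	spid=57 seq=3 pid=2605
"""
HEADER_RE = re.compile(r"^(\S+?)\[[^\]]*\] (\S+?)\[[^\]]*\] (\d+)$")
DIR_RE = re.compile(r"^\s+(in|out|fwd) (ipsec|discard|none)")

def spdadd_commands(local, remote):
    """The two policies the setkey.sh script above installs: ESP transport, both directions, /32 hosts."""
    lo, rem = ipaddress.IPv4Address(local), ipaddress.IPv4Address(remote)  # raises on a malformed address
    if lo == rem:
        raise ValueError("local and remote endpoint must differ")
    return [
        f"spdadd {lo}/32 {rem}/32 any -P out ipsec esp/transport//require ;",
        f"spdadd {rem}/32 {lo}/32 any -P in ipsec esp/transport//require ;",
    ]

def parse_spd(dump):
    """Turn 'setkey -DP' output into (src, dst, direction, action) tuples."""
    policies, current = [], None
    for line in dump.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = (h.group(1), h.group(2))
            continue
        d = DIR_RE.match(line)
        if d and current:
            policies.append((current[0], current[1], d.group(1), d.group(2)))
            current = None
    return policies

def audit_spd(dump, local, peers):
    """Compare installed 'ipsec' policies with the per-peer set the script above would create.
    Returns (missing, unexpected); 'unexpected' are stale or foreign policies to investigate."""
    installed = {(s, d, dr) for s, d, dr, act in parse_spd(dump) if act == "ipsec"}
    expected = {t for p in peers for t in ((local, p, "out"), (p, local, "in"))}
    return sorted(expected - installed), sorted(installed - expected)
```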