#############
# IPsec VPN #
#############

Scenario:

Code:
         A.B.C.D                                    X.Y.Z.T
    [ Gateway A ] ---------- { INTERNET } ---------- [ Gateway B ]
          |                                              |
     192.168.0.1                                    192.168.1.1
          |                                              |
      ( LAN A )                                      ( LAN B )
    192.168.0.0/24                                 192.168.1.0/24

Gateway A = FreeBSD or OpenBSD
Gateway B = FreeBSD or OpenBSD

A.B.C.D and X.Y.Z.T are the public addresses of the two gateways. Everything below is written for Gateway A first and then mirrored for Gateway B; when copying a block from one gateway to the other, every address, network and SPI has to be swapped consistently.

***********************************************
* Creating the tunnel between LAN A and LAN B *
***********************************************

This first part only builds a gif(4) IP-in-IP tunnel between the two gateways and routes the remote LAN over it. The gif tunnel by itself is unencrypted; protection comes from the IPsec policies in the following sections. With tunnel-mode policies for the two LANs the gif interface is not strictly required (the SPD alone would carry LAN-to-LAN traffic inside ESP), but it is a convenient routing hook, and its encapsulated packets between A.B.C.D and X.Y.Z.T are covered by the gateway-to-gateway policy.

+++++++++++++
+ Gateway A +
+++++++++++++

------- FreeBSD -------

Manually:

Code:
    ifconfig gif0 tunnel A.B.C.D X.Y.Z.T mtu 1500
    ifconfig gif0 inet 192.168.0.1 192.168.1.1 netmask 255.255.255.255
    route add -net 192.168.1.0/24 192.168.1.1

Automatically, add to rc.conf:

Code:
    gifconfig_gif0="A.B.C.D X.Y.Z.T mtu 1500"
    ifconfig_gif0="inet 192.168.0.1 192.168.1.1 netmask 0xffffffff"
    static_routes="vpn"
    route_vpn="192.168.1.0 192.168.1.1 netmask 0xffffff00"

(On FreeBSD releases where gif is a cloned interface, cloned_interfaces="gif0" must also be set so that gif0 exists when rc.network configures it.)

------- OpenBSD -------

Manually:

Code:
    ifconfig gif0 tunnel A.B.C.D X.Y.Z.T mtu 1500
    ifconfig gif0 inet 192.168.0.1 192.168.1.1 netmask 255.255.255.255
    route add -net 192.168.1.0/24 192.168.1.1

Automatically, create the file /etc/hostname.gif0 containing:

Code:
    create
    up
    tunnel A.B.C.D X.Y.Z.T mtu 1500
    inet 192.168.0.1 192.168.1.1 netmask 255.255.255.255
    !/sbin/route add -net 192.168.1.0/24 192.168.1.1

+++++++++++++
+ Gateway B +
+++++++++++++

------- FreeBSD -------

Manually:

Code:
    ifconfig gif0 tunnel X.Y.Z.T A.B.C.D mtu 1500
    ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 255.255.255.255
    route add -net 192.168.0.0/24 192.168.0.1

Automatically, add to rc.conf:

Code:
    gifconfig_gif0="X.Y.Z.T A.B.C.D mtu 1500"
    ifconfig_gif0="inet 192.168.1.1 192.168.0.1 netmask 0xffffffff"
    static_routes="vpn"
    route_vpn="192.168.0.0 192.168.0.1 netmask 0xffffff00"

------- OpenBSD -------

Manually:

Code:
    ifconfig gif0 tunnel X.Y.Z.T A.B.C.D mtu 1500
    ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 255.255.255.255
    route add -net 192.168.0.0/24 192.168.0.1

Automatically, create the file /etc/hostname.gif0 containing:

Code:
    create
    up
    tunnel X.Y.Z.T A.B.C.D mtu 1500
    inet 192.168.1.1 192.168.0.1 netmask 255.255.255.255
    !/sbin/route add -net 192.168.0.0/24 192.168.0.1

A quick check once both ends are up: ping 192.168.1.1 from Gateway A, and run tcpdump -ni gif0 on either gateway to see the inner packets.

*************************************
* (2) IPsec with manual keying      *
*************************************

Traffic is protected with ESP: 3DES-CBC for encryption and HMAC-SHA1 for integrity and authentication of the two gateways to each other. Both are legacy algorithms today (3DES has a 64-bit block), so prefer AES-CBC where the kernel supports it; the key-length rules below change accordingly (a 128-bit AES key is 32 hex digits). With manual keying the keys never change until you change them, so anyone who obtains the key files can decrypt every packet ever captured; the isakmpd sections that follow add negotiated, periodically rekeyed SAs.

+++++++++++++
+ Gateway A +
+++++++++++++

------- FreeBSD -------

Create the file /etc/ipsec.conf containing:

Code:
    # authentication and encryption keys between the two gateways
    add A.B.C.D X.Y.Z.T esp 0x1000 -E 3des-cbc 0xENC_KEY -A hmac-sha1 0xAUTH_KEY;
    add X.Y.Z.T A.B.C.D esp 0x1001 -E 3des-cbc 0xENC_KEY -A hmac-sha1 0xAUTH_KEY;

    # IPsec for LAN A - LAN B traffic
    # "any" means every protocol (tcp, udp, etc.)
    spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/A.B.C.D-X.Y.Z.T/require;
    spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/X.Y.Z.T-A.B.C.D/require;

    # IPsec for Gateway A - Gateway B traffic
    # "any" means every protocol (tcp, udp, etc.)
    spdadd A.B.C.D X.Y.Z.T any -P out ipsec esp/tunnel/A.B.C.D-X.Y.Z.T/require;
    spdadd X.Y.Z.T A.B.C.D any -P in ipsec esp/tunnel/X.Y.Z.T-A.B.C.D/require;

Attention!
ENC_KEY is a string of 48 hex digits (3DES uses a 192-bit key = 48 * 4 bits).
AUTH_KEY is a string of 40 hex digits (HMAC-SHA1 uses a 160-bit key here = 40 * 4 bits).
Both strings must be identical on the two gateways. The "0x" prefix tells setkey(8) that the key is hexadecimal; without it setkey expects a double-quoted ASCII string, which would have to be 24 and 20 characters long and would be far less random than 24 and 20 random bytes. openssl can be used to generate the keys.
Generating ENC_KEY:

Code:
    # openssl rand 24 | hexdump -e '24/1 "%02x"'

Generating AUTH_KEY:

Code:
    # openssl rand 20 | hexdump -e '20/1 "%02x"'

(Newer openssl produces the same output with "openssl rand -hex 24" and "openssl rand -hex 20".)

Add to /etc/rc.conf:

Code:
    ipsec_enable="YES"
    ipsec_file="/etc/ipsec.conf"

/etc/ipsec.conf holds the keys, so it must be readable by root only (chmod 600). To load it without rebooting run setkey -f /etc/ipsec.conf; setkey -D lists the installed SAs and setkey -DP the policies. To confirm that the policy is really applied, run tcpdump -ni <external interface> host X.Y.Z.T while pinging across: only ESP packets (IP protocol 50) should be visible.

------- OpenBSD -------

Create the directory /etc/ipsec; it will hold the encryption and authentication keys and the script that installs the SAs (the SAD) and the flows (the SPD):

Code:
    # mkdir /etc/ipsec
    # chown root:wheel /etc/ipsec
    # cd /etc/ipsec
    # touch ipsec
    # chmod 500 ipsec

Put the following in the file ipsec:

Code:
    /sbin/ipsecadm new esp -src A.B.C.D -dst X.Y.Z.T -forcetunnel -spi 1000 -enc 3des -auth sha1 \
        -keyfile /etc/ipsec/enc_key \
        -authkeyfile /etc/ipsec/auth_key
    /sbin/ipsecadm new esp -src X.Y.Z.T -dst A.B.C.D -forcetunnel -spi 1001 -enc 3des -auth sha1 \
        -keyfile /etc/ipsec/enc_key \
        -authkeyfile /etc/ipsec/auth_key

    /sbin/ipsecadm flow -transport esp -src A.B.C.D -dst X.Y.Z.T -bypass -out -addr A.B.C.D/32 X.Y.Z.T/32
    /sbin/ipsecadm flow -transport esp -src A.B.C.D -dst X.Y.Z.T -bypass -in -addr X.Y.Z.T/32 A.B.C.D/32

    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr A.B.C.D/32 X.Y.Z.T/32
    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr X.Y.Z.T/32 A.B.C.D/32

    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr A.B.C.D/32 192.168.1.0/24
    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr 192.168.1.0/24 A.B.C.D/32

    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr 192.168.0.0/24 X.Y.Z.T/32
    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr X.Y.Z.T/32 192.168.0.0/24

    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -out -addr 192.168.0.0/24 192.168.1.0/24
    /sbin/ipsecadm flow -proto esp -src A.B.C.D -dst X.Y.Z.T -require -in -addr 192.168.1.0/24 192.168.0.0/24

The two "bypass" flows let the ESP packets themselves leave and arrive between the gateways without being matched again by the "require" flows; the remaining flows require ESP for gateway-to-gateway, gateway-to-LAN and LAN-to-LAN traffic in both directions. The script has to be run at boot, for example from /etc/rc.local. Note that ipsecadm(8) exists only in older OpenBSD releases; from OpenBSD 3.8 on it was replaced by ipsecctl(8) and /etc/ipsec.conf, which express the same SAs and flows in a few lines.

Generate the keys.
Generating the encryption key:

Code:
    # openssl rand 24 | hexdump -e '24/1 "%02x"' > /etc/ipsec/enc_key

Generating the authentication key:

Code:
    # openssl rand 20 | hexdump -e '20/1 "%02x"' > /etc/ipsec/auth_key

Set the permissions:

Code:
    # chown root:wheel /etc/ipsec/enc_key
    # chown root:wheel /etc/ipsec/auth_key
    # chmod 600 /etc/ipsec/enc_key
    # chmod 600 /etc/ipsec/auth_key

Note: as an alternative, OpenBSD ships a script (/usr/share/ipsec/rc.vpn) that installs the SAs and flows when run. It has to be adapted to your needs and then replaces the /etc/ipsec/ipsec script created above.

+++++++++++++
+ Gateway B +
+++++++++++++

------- FreeBSD -------

Create the file /etc/ipsec.conf containing:

Code:
    # authentication and encryption keys between the two gateways
    add A.B.C.D X.Y.Z.T esp 0x1000 -E 3des-cbc 0xENC_KEY -A hmac-sha1 0xAUTH_KEY;
    add X.Y.Z.T A.B.C.D esp 0x1001 -E 3des-cbc 0xENC_KEY -A hmac-sha1 0xAUTH_KEY;

    # IPsec for LAN B - LAN A traffic
    # "any" means every protocol (tcp, udp, etc.)
    spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/X.Y.Z.T-A.B.C.D/require;
    spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/A.B.C.D-X.Y.Z.T/require;

    # IPsec for Gateway B - Gateway A traffic
    # "any" means every protocol (tcp, udp, etc.)
    spdadd X.Y.Z.T A.B.C.D any -P out ipsec esp/tunnel/X.Y.Z.T-A.B.C.D/require;
    spdadd A.B.C.D X.Y.Z.T any -P in ipsec esp/tunnel/A.B.C.D-X.Y.Z.T/require;

Add to /etc/rc.conf:

Code:
    ipsec_enable="YES"
    ipsec_file="/etc/ipsec.conf"

Attention!
ENC_KEY and AUTH_KEY must be the same as on Gateway A; copy them over a channel you already trust (ssh/scp), never by e-mail or a shared drive. 0x1000 and 0x1001 are the SPIs and must match those on Gateway A for the same traffic direction (0x1000 for Gateway A -> Gateway B, 0x1001 for the reverse). The "add" lines are therefore identical on both gateways; only the "spdadd" lines swap -P out and -P in. A wrong SPI or key does not produce an error message: the receiving kernel simply discards the packets, which is why a cross-check of the two files before loading them is worth doing.
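The two FreeBSD /etc/ipsec.conf files (Gateway A above in part (2), Gateway B just above) must agree byte for byte on both keys and on which SPI belongs to which direction. The Python script below is an added example, not code from the original guide: it generates a 3DES key with correct DES parity and three distinct subkeys plus an HMAC-SHA1 key, renders both gateways' setkey(8) files from the guide's placeholder addresses, and then cross-checks that every SA and every outbound policy on A is mirrored as an inbound one on B. The file layout it emits is the one shown above; the parity fix-up and the subkey check are extra precautions the guide does not mention.

```python
"""Generate one key pair and the two matching setkey(8) ipsec.conf files,
then cross-check them. Added example; addresses are the guide's placeholders."""
import os
import re

ENC_KEY_BYTES = 24   # 3DES-CBC: 192-bit key -> 48 hex digits
AUTH_KEY_BYTES = 20  # HMAC-SHA1: 160-bit key -> 40 hex digits


def des_odd_parity(raw):
    """Set the DES parity bit (LSB of every byte) so that each byte has odd parity.
    The kernel does not verify parity, but this yields a formally valid 3DES key."""
    out = bytearray()
    for b in raw:
        ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def gen_3des_key(rand=os.urandom):
    """48 hex digits, odd parity, three distinct 8-byte subkeys
    (K1 == K2 or K2 == K3 would collapse 3DES to single DES)."""
    while True:
        key = des_odd_parity(rand(ENC_KEY_BYTES))
        k1, k2, k3 = key[:8], key[8:16], key[16:]
        if k1 != k2 and k2 != k3 and k1 != k3:
            return key.hex()


def gen_hmac_sha1_key(rand=os.urandom):
    return rand(AUTH_KEY_BYTES).hex()


def render_conf(local_gw, remote_gw, local_net, remote_net, spi_out, spi_in, enc_key, auth_key):
    """ipsec.conf for one gateway. spi_out numbers the SA this side sends on;
    the peer must install the very same SA (src, dst, SPI, keys) as its inbound one."""
    if len(enc_key) != 2 * ENC_KEY_BYTES or len(auth_key) != 2 * AUTH_KEY_BYTES:
        raise ValueError("wrong key length")
    sa = "add {s} {d} esp 0x{spi:04x} -E 3des-cbc 0x{ek} -A hmac-sha1 0x{ak};"
    pol = "spdadd {s} {d} any -P {dir} ipsec esp/tunnel/{ts}-{td}/require;"
    lines = [
        sa.format(s=local_gw, d=remote_gw, spi=spi_out, ek=enc_key, ak=auth_key),
        sa.format(s=remote_gw, d=local_gw, spi=spi_in, ek=enc_key, ak=auth_key),
    ]
    for s, d in ((local_net, remote_net), (local_gw, remote_gw)):
        lines.append(pol.format(s=s, d=d, dir="out", ts=local_gw, td=remote_gw))
    for s, d in ((remote_net, local_net), (remote_gw, local_gw)):
        lines.append(pol.format(s=s, d=d, dir="in", ts=remote_gw, td=local_gw))
    return "\n".join(lines) + "\n"


SA_RE = re.compile(r"^add (\S+) (\S+) esp (0x[0-9a-f]+) -E 3des-cbc 0x([0-9a-f]+)"
                   r" -A hmac-sha1 0x([0-9a-f]+);$", re.M)
POL_RE = re.compile(r"^spdadd (\S+) (\S+) any -P (in|out) ipsec "
                    r"esp/tunnel/([^\s/-]+)-([^\s/-]+)/require;$", re.M)


def mismatches(conf_a, conf_b):
    """Problems that would make the tunnel silently drop traffic; [] when the files agree."""
    problems = []
    sas_a = {(s, d): rest for s, d, *rest in SA_RE.findall(conf_a)}
    sas_b = {(s, d): rest for s, d, *rest in SA_RE.findall(conf_b)}
    if sas_a != sas_b:
        problems.append("SA entries differ (SPI, key or direction mismatch)")
    for spi, ek, ak in sas_a.values():
        if len(ek) != 2 * ENC_KEY_BYTES or len(ak) != 2 * AUTH_KEY_BYTES:
            problems.append("bad key length in SA %s" % spi)
    # every outbound policy on A must be an inbound policy on B with the same tunnel endpoints
    out_a = {(s, d, ts, td) for s, d, dr, ts, td in POL_RE.findall(conf_a) if dr == "out"}
    in_b = {(s, d, ts, td) for s, d, dr, ts, td in POL_RE.findall(conf_b) if dr == "in"}
    if out_a != in_b:
        problems.append("A's outbound policies are not mirrored by B's inbound policies")
    return problems


def demo(rand=os.urandom):
    ek, ak = gen_3des_key(rand), gen_hmac_sha1_key(rand)
    conf_a = render_conf("A.B.C.D", "X.Y.Z.T", "192.168.0.0/24", "192.168.1.0/24", 0x1000, 0x1001, ek, ak)
    conf_b = render_conf("X.Y.Z.T", "A.B.C.D", "192.168.1.0/24", "192.168.0.0/24", 0x1001, 0x1000, ek, ak)
    return conf_a, conf_b, mismatches(conf_a, conf_b)


if __name__ == "__main__":
    a, b, problems = demo()
    print("# Gateway A /etc/ipsec.conf\n" + a)
    print("# Gateway B /etc/ipsec.conf\n" + b)
    print("problems:", problems or "none")
```

Run it once on an administrator host, write the two outputs to /etc/ipsec.conf (mode 600) on the respective gateways, and keep the generated key material out of shell history and backups. Feeding two hand-edited files to mismatches() catches the classic swapped-SPI error before the kernel does it silently.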
------- OpenBSD -------

Create the directory /etc/ipsec and the files ipsec, enc_key and auth_key:

Code:
    # mkdir /etc/ipsec
    # chown root:wheel /etc/ipsec
    # cd /etc/ipsec
    # touch ipsec enc_key auth_key
    # chmod 500 ipsec

Put the following in the file ipsec (the mirror image of Gateway A's script: src/dst and the address pairs are swapped, the SPIs keep their direction):

Code:
    /sbin/ipsecadm new esp -src X.Y.Z.T -dst A.B.C.D -forcetunnel -spi 1001 -enc 3des -auth sha1 \
        -keyfile /etc/ipsec/enc_key \
        -authkeyfile /etc/ipsec/auth_key
    /sbin/ipsecadm new esp -src A.B.C.D -dst X.Y.Z.T -forcetunnel -spi 1000 -enc 3des -auth sha1 \
        -keyfile /etc/ipsec/enc_key \
        -authkeyfile /etc/ipsec/auth_key

    /sbin/ipsecadm flow -transport esp -src X.Y.Z.T -dst A.B.C.D -bypass -out -addr X.Y.Z.T/32 A.B.C.D/32
    /sbin/ipsecadm flow -transport esp -src X.Y.Z.T -dst A.B.C.D -bypass -in -addr A.B.C.D/32 X.Y.Z.T/32

    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr X.Y.Z.T/32 A.B.C.D/32
    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr A.B.C.D/32 X.Y.Z.T/32

    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr X.Y.Z.T/32 192.168.0.0/24
    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr 192.168.0.0/24 X.Y.Z.T/32

    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr 192.168.1.0/24 A.B.C.D/32
    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr A.B.C.D/32 192.168.1.0/24

    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -out -addr 192.168.1.0/24 192.168.0.0/24
    /sbin/ipsecadm flow -proto esp -src X.Y.Z.T -dst A.B.C.D -require -in -addr 192.168.0.0/24 192.168.1.0/24

Put the keys generated on Gateway A into enc_key and auth_key (copy them with scp, not by hand). Set the permissions:

Code:
    # chown root:wheel /etc/ipsec/enc_key
    # chown root:wheel /etc/ipsec/auth_key
    # chmod 600 /etc/ipsec/enc_key
    # chmod 600 /etc/ipsec/auth_key

Note: as an alternative, OpenBSD ships a script (/usr/share/ipsec/rc.vpn) that installs the SAs and flows when run. It has to be adapted to your needs and then replaces the /etc/ipsec/ipsec script created above.

**************************************************************
* IPsec with automatic key exchange using the isakmpd daemon *
* with password (pre-shared passphrase) authentication       *
**************************************************************

isakmpd negotiates the SAs with IKE (ISAKMP, UDP port 500) and rekeys them periodically, so the manual keys of the previous section are no longer needed. The passphrase is used only to authenticate the two gateways to each other in phase 1; the traffic keys are derived from a fresh Diffie-Hellman exchange, and with PFS in the quick-mode suite below a compromise of the passphrase later does not reveal past traffic. Make sure the firewall on both gateways allows UDP 500 and ESP (IP protocol 50) between A.B.C.D and X.Y.Z.T.

+++++++++++++
+ Gateway A +
+++++++++++++

------- FreeBSD -------

Install isakmpd from ports:

Code:
    # cd /usr/ports/security/isakmpd
    # make install clean
    # cd /usr/local/etc/
    # mkdir isakmpd
    # cd isakmpd
    # touch isakmpd.conf isakmpd.policy
    # chmod 600 isakmpd.conf isakmpd.policy

The configuration file is /usr/local/etc/isakmpd/isakmpd.conf. The file that decides which peers are authorized is /usr/local/etc/isakmpd/isakmpd.policy. isakmpd refuses to start if either file is readable by anyone but root.

isakmpd.conf:

Code:
    [General]
    Listen-on= A.B.C.D

    [Phase 1]
    X.Y.Z.T= ISAKMP-peer-GatewayB

    [Phase 2]
    Connections= IPsec-LANA-LANB,IPsec-GatewayA-GatewayB

    [ISAKMP-peer-GatewayB]
    Phase= 1
    Address= X.Y.Z.T
    Configuration= Default-main-mode
    Authentication= password

    [IPsec-LANA-LANB]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayB
    Configuration= Default-quick-mode
    Local-ID= LANA
    Remote-ID= LANB

    [LANA]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.0.0
    Netmask= 255.255.255.0

    [LANB]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.1.0
    Netmask= 255.255.255.0

    [IPsec-GatewayA-GatewayB]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayB
    Configuration= Default-quick-mode
    Local-ID= GatewayA
    Remote-ID= GatewayB

    [GatewayA]
    ID-type= IPV4_ADDR
    Address= A.B.C.D

    [GatewayB]
    ID-type= IPV4_ADDR
    Address= X.Y.Z.T

    [Default-main-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= ID_PROT
    Transforms= 3DES-SHA

    [Default-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-ESP-3DES-SHA-PFS-SUITE

isakmpd.policy:

Code:
    KeyNote-Version: 2
    Authorizer: "POLICY"
    Licensees: "passphrase:password"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg == "3des" &&
                esp_auth_alg == "hmac-sha" -> "true";

Attention!
"password" (the value of Authentication= in isakmpd.conf, which must be identical to the one after "passphrase:" in isakmpd.policy) has to be replaced with a long random string, the same one in both files on both gateways (e.g. the output of "openssl rand -hex 24"). The policy file is what actually authorizes the peer: a peer that presents a different passphrase passes phase 1 only if the Licensees line lets it, so keep the two files in sync and do not leave the literal word "password" anywhere.

In rc.conf change ipsec_enable="YES" to ipsec_enable="NO", because isakmpd installs both the SAs (SAD) and the policies (SPD) itself; the static entries from the manual-keying section would otherwise conflict with the negotiated ones.

Create a start script for isakmpd:

Code:
    # cd /usr/local/etc/rc.d
    # touch isakmpd.sh
    # chown root:wheel isakmpd.sh
    # chmod 500 isakmpd.sh

Put the following in isakmpd.sh:

Code:
    #!/bin/sh
    # start
    isakmpd_enable=${isakmpd_enable-"NO"}
    isakmpd_flags=${isakmpd_flags-"-c /usr/local/etc/isakmpd/isakmpd.conf"}
    isakmpd_pidfile=${isakmpd_pidfile-"/var/run/isakmpd.pid"}

    . /etc/rc.subr

    name="isakmpd"
    rcvar=`set_rcvar`
    command="/usr/local/sbin/isakmpd"

    load_rc_config $name

    pidfile="${isakmpd_pidfile}"
    start_cmd="echo \"Starting ${name}.\"; /usr/bin/nice -5 ${command} ${isakmpd_flags} ${command_args}"

    run_rc_command "$1"
    # end

(isakmpd writes its pid to /var/run/isakmpd.pid; the placeholder name utility.pid from the rc.d template would make "isakmpd.sh stop" fail to find the process.) For it to be started at boot, add isakmpd_enable="YES" to rc.conf. While debugging, run isakmpd in the foreground with "isakmpd -d -DA=90" to see the phase 1 / phase 2 exchanges.

------- OpenBSD -------

OpenBSD ships with isakmpd installed. The configuration file is /etc/isakmpd/isakmpd.conf. The file that decides which peers are authorized is /etc/isakmpd/isakmpd.policy.
isakmpd.conf and isakmpd.policy have exactly the same contents as on FreeBSD (Gateway A section above); only their location differs, /etc/isakmpd/ instead of /usr/local/etc/isakmpd/. Both files must be mode 600 and owned by root.

Attention!
"password" (the value of Authentication= in isakmpd.conf, which must be identical to the one after "passphrase:" in isakmpd.policy) has to be replaced with a long random string, the same one in both files on both gateways. On OpenBSD, remove the manual-keying script from /etc/ipsec (or from rc.local) before enabling isakmpd, for the same reason ipsec_enable is turned off on FreeBSD.

+++++++++++++
+ Gateway B +
+++++++++++++

------- FreeBSD -------

Install isakmpd from ports:

Code:
    # cd /usr/ports/security/isakmpd
    # make install clean
    # cd /usr/local/etc/
    # mkdir isakmpd
    # cd isakmpd
    # touch isakmpd.conf isakmpd.policy
    # chmod 600 isakmpd.conf isakmpd.policy

The configuration file is /usr/local/etc/isakmpd/isakmpd.conf. The file that decides which peers are authorized is /usr/local/etc/isakmpd/isakmpd.policy.
isakmpd.conf (Gateway A's file with the roles swapped: Gateway B listens on X.Y.Z.T and names A.B.C.D as its phase 1 peer):

Code:
    [General]
    Listen-on= X.Y.Z.T

    [Phase 1]
    A.B.C.D= ISAKMP-peer-GatewayA

    [Phase 2]
    Connections= IPsec-LANB-LANA,IPsec-GatewayB-GatewayA

    [ISAKMP-peer-GatewayA]
    Phase= 1
    Address= A.B.C.D
    Configuration= Default-main-mode
    Authentication= password

    [IPsec-LANB-LANA]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayA
    Configuration= Default-quick-mode
    Local-ID= LANB
    Remote-ID= LANA

    [LANB]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.1.0
    Netmask= 255.255.255.0

    [LANA]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.0.0
    Netmask= 255.255.255.0

    [IPsec-GatewayB-GatewayA]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayA
    Configuration= Default-quick-mode
    Local-ID= GatewayB
    Remote-ID= GatewayA

    [GatewayB]
    ID-type= IPV4_ADDR
    Address= X.Y.Z.T

    [GatewayA]
    ID-type= IPV4_ADDR
    Address= A.B.C.D

    [Default-main-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= ID_PROT
    Transforms= 3DES-SHA

    [Default-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-ESP-3DES-SHA-PFS-SUITE

isakmpd.policy:

Code:
    KeyNote-Version: 2
    Authorizer: "POLICY"
    Licensees: "passphrase:password"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg == "3des" &&
                esp_auth_alg == "hmac-sha" -> "true";

Attention!
"password" (the value of Authentication= in isakmpd.conf, which must be identical to the one after "passphrase:" in isakmpd.policy) has to be replaced with the same random string used in isakmpd.conf and isakmpd.policy on Gateway A. The Transforms and Suites must also be the same on both gateways, otherwise phase 1 or phase 2 negotiation fails with a "no proposal chosen" style error in the isakmpd log.

In rc.conf change ipsec_enable="YES" to ipsec_enable="NO", because isakmpd installs both the SAs and the policies itself.

Create the same start script /usr/local/etc/rc.d/isakmpd.sh as on Gateway A (same contents, same ownership and mode 500), and add isakmpd_enable="YES" to rc.conf so that it is started at boot.

------- OpenBSD -------

OpenBSD ships with isakmpd installed. The configuration file is /etc/isakmpd/isakmpd.conf. The file that decides which peers are authorized is /etc/isakmpd/isakmpd.policy. Their contents are exactly those of the FreeBSD Gateway B files above (only the directory differs), including the requirement that the passphrase equal the one on Gateway A. Both files must be mode 600.
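Four places have to carry the same passphrase (Authentication= in each gateway's isakmpd.conf and the Licensees "passphrase:..." in each isakmpd.policy), the two [Phase 1] sections have to point at each other, and Transforms and Suites have to match; when any of these disagree, isakmpd logs a phase 1 or phase 2 failure with nothing that names the culprit. The checker below is an added example, not part of the original guide or of isakmpd: it parses a pair of config/policy sets and reports every such mismatch. Its sample inputs are constructed, trimmed to one phase 2 connection, and modelled on the files above; GOOD_PP is a made-up passphrase.

```python
"""Cross-check two gateways' isakmpd.conf / isakmpd.policy for silent mismatches.
Added example with constructed sample configs; not part of the original guide."""
import re


def parse_conf(text):
    """Minimal isakmpd.conf parser -> {section: {key: value}}. '#' starts a comment,
    so a passphrase containing '#' is not handled by this toy parser."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
            continue
        key, _, val = line.partition("=")
        sections.setdefault(cur, {})[key.strip()] = val.strip()
    return sections


def lookup(conf, section, key):
    """Case-insensitive key lookup, as isakmpd itself treats keys."""
    for k, v in conf.get(section, {}).items():
        if k.lower() == key.lower():
            return v
    return None


def policy_passphrase(policy_text):
    m = re.search(r'Licensees:\s*"passphrase:([^"]*)"', policy_text)
    return m.group(1) if m else None


def check_gateway(conf, policy_text, my_ip):
    """Problems confined to one gateway's own two files."""
    problems = []
    if lookup(conf, "General", "Listen-on") != my_ip:
        problems.append("Listen-on is not %s" % my_ip)
    pp = policy_passphrase(policy_text)
    for peer_ip, sect in conf.get("Phase 1", {}).items():
        auth = lookup(conf, sect, "Authentication")
        if auth != pp:
            problems.append("[%s] Authentication= differs from the isakmpd.policy passphrase" % sect)
        if auth in (None, "password") or len(auth) < 20:
            problems.append("[%s] passphrase is the placeholder or too short" % sect)
        if lookup(conf, sect, "Address") != peer_ip:
            problems.append("[%s] Address= does not match its [Phase 1] entry" % sect)
    return problems


def phase1_transforms(conf, peer_ip):
    sect = lookup(conf, "Phase 1", peer_ip)
    return lookup(conf, lookup(conf, sect, "Configuration"), "Transforms")


def phase2_suites(conf):
    names = (lookup(conf, "Phase 2", "Connections") or "").split(",")
    return {lookup(conf, lookup(conf, n.strip(), "Configuration"), "Suites") for n in names if n.strip()}


def check_pair(conf_a, pol_a, ip_a, conf_b, pol_b, ip_b):
    problems = ["A: " + p for p in check_gateway(conf_a, pol_a, ip_a)]
    problems += ["B: " + p for p in check_gateway(conf_b, pol_b, ip_b)]
    if policy_passphrase(pol_a) != policy_passphrase(pol_b):
        problems.append("passphrase differs between the two gateways")
    if lookup(conf_a, "Phase 1", ip_b) is None or lookup(conf_b, "Phase 1", ip_a) is None:
        problems.append("gateways do not name each other in [Phase 1]")
    elif phase1_transforms(conf_a, ip_b) != phase1_transforms(conf_b, ip_a):
        problems.append("phase-1 Transforms differ")
    if phase2_suites(conf_a) != phase2_suites(conf_b):
        problems.append("phase-2 Suites differ")
    return problems


# Constructed samples: the guide's layout trimmed to one phase-2 connection.
CONF = """[General]
Listen-on= {me}
[Phase 1]
{peer}= ISAKMP-peer
[Phase 2]
Connections= IPsec-LANs
[ISAKMP-peer]
Phase= 1
Address= {peer}
Configuration= Default-main-mode
Authentication= {pp}
[IPsec-LANs]
Phase= 2
ISAKMP-peer= ISAKMP-peer
Configuration= Default-quick-mode
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
"""
POLICY = """KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:{pp}"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" -> "true";
"""
GOOD_PP = "Qn3vL8zTb0wYx5Rk2dHe9sPa"  # constructed; generate your own


def demo(pp_on_b_policy=GOOD_PP):
    """Problem list for the sample pair; pass another passphrase for B's policy to see the failure."""
    a = parse_conf(CONF.format(me="A.B.C.D", peer="X.Y.Z.T", pp=GOOD_PP))
    b = parse_conf(CONF.format(me="X.Y.Z.T", peer="A.B.C.D", pp=GOOD_PP))
    return check_pair(a, POLICY.format(pp=GOOD_PP), "A.B.C.D",
                      b, POLICY.format(pp=pp_on_b_policy), "X.Y.Z.T")


if __name__ == "__main__":
    print("consistent pair:", demo())
    print("B policy left at 'password':", demo("password"))
```

To use it on real files, read the four files into strings and call check_pair() with the two gateway addresses; an empty list means the only remaining reasons for a failed negotiation are outside these files (firewall, clock, routing).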
**************************************************************
* IPsec with automatic key exchange using the isakmpd daemon *
* with X.509 certificate authentication                      *
**************************************************************

Instead of a shared passphrase, each gateway proves its identity in phase 1 with an RSA signature over a certificate issued by our own CA. The CA private key is the root of trust for the whole VPN: it should exist only on Gateway A (or, better, on an offline machine), mode 400, and it is never copied to Gateway B. Gateway B only needs the CA certificate (ca.crt) and its own certificate.

+++++++++++++
+ Gateway A +
+++++++++++++

------- FreeBSD -------

Becoming the Certificate Authority (run in /etc/ssl, so that private/ca.key is /etc/ssl/private/ca.key, the path used below):

Generate the private key that will sign the certificates:

Code:
    # cd /etc/ssl
    # openssl genrsa -out private/ca.key 2048

Create the certificate request:

Code:
    # openssl req -new -key private/ca.key -out ca.csr

Create the X.509 CA certificate:

Code:
    # openssl x509 -req -days 730 -in ca.csr -signkey private/ca.key -extfile x509v3.cnf -extensions x509v3_CA -out ca.crt

x509v3.cnf with its x509v3_CA section (basicConstraints CA:TRUE, keyUsage keyCertSign) ships in /etc/ssl on OpenBSD but not on FreeBSD; copy it from an OpenBSD system or write an equivalent extension file, otherwise ca.crt is not marked as a CA and isakmpd will not accept certificates chained to it.

Now the gateway's own key and certificate (the ca, certs and private subdirectories must exist under /usr/local/etc/isakmpd; private must be mode 700):

Code:
    # cd /usr/local/etc/isakmpd

Generate the private key:

Code:
    # openssl genrsa -out private/local.key 2048
    # chmod 400 private/local.key

Create the certificate request:

Code:
    # openssl req -new -key private/local.key -out private/A.B.C.D.csr

Create the X.509 certificate for Gateway A:

Code:
    # openssl x509 -req -days 730 -in private/A.B.C.D.csr -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key -CAcreateserial -out \
        certs/A.B.C.D.crt

Patch the certificate:

Code:
    # certpatch -i A.B.C.D -k /etc/ssl/private/ca.key certs/A.B.C.D.crt certs/A.B.C.D.crt

certpatch (installed with isakmpd) re-signs the certificate with a subjectAltName extension of type IP address; isakmpd matches the peer's phase 1 ID (Remote-ID of type IPV4_ADDR below) against that extension, so a certificate without it is rejected even though it chains to the CA.

Copy ca.crt into /usr/local/etc/isakmpd/ca:

Code:
    # cp -p /etc/ssl/ca.crt ca/

isakmpd.conf (the passphrase sections are replaced by the [X509-certificates] section, the peer's Local-ID/Remote-ID, and the RSA_SIG transform):

Code:
    [X509-certificates]
    CA-directory= /usr/local/etc/isakmpd/ca/
    Cert-directory= /usr/local/etc/isakmpd/certs/
    Private-key= /usr/local/etc/isakmpd/private/local.key

    [General]
    Listen-on= A.B.C.D

    [Phase 1]
    X.Y.Z.T= ISAKMP-peer-GatewayB

    [Phase 2]
    Connections= IPsec-LANA-LANB,IPsec-GatewayA-GatewayB

    [ISAKMP-peer-GatewayB]
    Phase= 1
    Address= X.Y.Z.T
    Configuration= Default-main-mode
    Local-ID= GatewayA-ID
    Remote-ID= GatewayB-ID

    [GatewayA-ID]
    ID-type= IPV4_ADDR
    Address= A.B.C.D

    [GatewayB-ID]
    ID-type= IPV4_ADDR
    Address= X.Y.Z.T

    [IPsec-LANA-LANB]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayB
    Configuration= Default-quick-mode
    Local-ID= LANA
    Remote-ID= LANB

    [LANA]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.0.0
    Netmask= 255.255.255.0

    [LANB]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.1.0
    Netmask= 255.255.255.0

    [IPsec-GatewayA-GatewayB]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayB
    Configuration= Default-quick-mode
    Local-ID= GatewayA
    Remote-ID= GatewayB

    [GatewayA]
    ID-type= IPV4_ADDR
    Address= A.B.C.D

    [GatewayB]
    ID-type= IPV4_ADDR
    Address= X.Y.Z.T

    [Default-main-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= ID_PROT
    Transforms= 3DES-SHA-RSA_SIG

    [Default-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-ESP-3DES-SHA-PFS-SUITE

isakmpd.policy:

Code:
    Keynote-version: 2
    Authorizer: "POLICY"
    Licensees: "DN:xxx"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg == "3des" &&
                esp_auth_alg == "hmac-sha" -> "true";

where xxx is replaced with the output of:

Code:
    # openssl x509 -in /usr/local/etc/isakmpd/ca/ca.crt -noout -subject

Attention!
Only what follows "subject=" in the output above is substituted, i.e. the DN in the form /C=../O=../CN=.. (if your openssl prints it as "C = .., O = ..", use -nameopt compat to get the slash form). With the CA's DN as Licensee, every certificate this CA has signed is authorized to bring up the VPN; that is fine for a CA dedicated to these two gateways, but if the CA issues other certificates, list the peer certificate's own DN instead.
------- OpenBSD -------

The procedure is the same as on FreeBSD above (become the CA in /etc/ssl, generate the gateway key and request, sign, patch with certpatch), except that isakmpd's files live under /etc/isakmpd, so run the gateway steps there and copy ca.crt into /etc/isakmpd/ca:

Code:
    # cd /etc/ssl
    # openssl genrsa -out private/ca.key 2048
    # openssl req -new -key private/ca.key -out ca.csr
    # openssl x509 -req -days 730 -in ca.csr -signkey private/ca.key -extfile x509v3.cnf -extensions x509v3_CA -out ca.crt

    # cd /etc/isakmpd
    # openssl genrsa -out private/local.key 2048
    # chmod 400 private/local.key
    # openssl req -new -key private/local.key -out private/A.B.C.D.csr
    # openssl x509 -req -days 730 -in private/A.B.C.D.csr -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key -CAcreateserial -out \
        certs/A.B.C.D.crt
    # certpatch -i A.B.C.D -k /etc/ssl/private/ca.key certs/A.B.C.D.crt certs/A.B.C.D.crt
    # cp -p /etc/ssl/ca.crt ca/

isakmpd.conf is the FreeBSD Gateway A file above with the three paths in [X509-certificates] changed to the OpenBSD locations:

Code:
    [X509-certificates]
    CA-directory= /etc/isakmpd/ca/
    Cert-directory= /etc/isakmpd/certs/
    Private-key= /etc/isakmpd/private/local.key

All other sections ([General], [Phase 1], [Phase 2], the peer, ID, LAN and mode sections with Transforms= 3DES-SHA-RSA_SIG) are identical.

isakmpd.policy is the same as on FreeBSD, with xxx replaced by the output of:

Code:
    # openssl x509 -in /etc/isakmpd/ca/ca.crt -noout -subject

Attention!
Only what follows "subject=" in the output above is substituted.

+++++++++++++
+ Gateway B +
+++++++++++++

------- FreeBSD -------

Gateway B receives only /etc/ssl/ca.crt from Gateway A; the CA private key stays on Gateway A. Gateway B generates its own key and certificate request, the request is signed on Gateway A, and the signed certificate is copied back.

On Gateway B:

Code:
    # cd /usr/local/etc/isakmpd

Generate the private key:

Code:
    # openssl genrsa -out private/local.key 2048
    # chmod 400 private/local.key

Create the certificate request:

Code:
    # openssl req -new -key private/local.key -out private/X.Y.Z.T.csr

Copy private/X.Y.Z.T.csr to Gateway A (the request contains no secret) and, on Gateway A, create and patch the X.509 certificate for Gateway B:

Code:
    # openssl x509 -req -days 730 -in X.Y.Z.T.csr -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key -CAcreateserial -out \
        X.Y.Z.T.crt
    # certpatch -i X.Y.Z.T -k /etc/ssl/private/ca.key X.Y.Z.T.crt X.Y.Z.T.crt

Copy X.Y.Z.T.crt back to Gateway B as /usr/local/etc/isakmpd/certs/X.Y.Z.T.crt, and copy ca.crt into /usr/local/etc/isakmpd/ca:

Code:
    # cp -p /etc/ssl/ca.crt ca/

isakmpd.conf:

Code:
    [X509-certificates]
    CA-directory= /usr/local/etc/isakmpd/ca/
    Cert-directory= /usr/local/etc/isakmpd/certs/
    Private-key= /usr/local/etc/isakmpd/private/local.key

    [General]
    Listen-on= X.Y.Z.T

    [Phase 1]
    A.B.C.D= ISAKMP-peer-GatewayA

    [Phase 2]
    Connections= IPsec-LANB-LANA,IPsec-GatewayB-GatewayA

    [ISAKMP-peer-GatewayA]
    Phase= 1
    Address= A.B.C.D
    Configuration= Default-main-mode
    Local-ID= GatewayB-ID
    Remote-ID= GatewayA-ID

    [GatewayB-ID]
    ID-type= IPV4_ADDR
    Address= X.Y.Z.T

    [GatewayA-ID]
    ID-type= IPV4_ADDR
    Address= A.B.C.D

    [IPsec-LANB-LANA]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayA
    Configuration= Default-quick-mode
    Local-ID= LANB
    Remote-ID= LANA

    [LANB]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.1.0
    Netmask= 255.255.255.0

    [LANA]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.0.0
    Netmask= 255.255.255.0

    [IPsec-GatewayB-GatewayA]
    Phase= 2
    ISAKMP-peer= ISAKMP-peer-GatewayA
    Configuration= Default-quick-mode
    Local-ID= GatewayB
    Remote-ID= GatewayA

    [GatewayB]
    ID-type= IPV4_ADDR
    Address= X.Y.Z.T

    [GatewayA]
    ID-type= IPV4_ADDR
    Address= A.B.C.D

    [Default-main-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= ID_PROT
    Transforms= 3DES-SHA-RSA_SIG

    [Default-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-ESP-3DES-SHA-PFS-SUITE

isakmpd.policy:

Code:
    Keynote-version: 2
    Authorizer: "POLICY"
    Licensees: "DN:xxx"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg == "3des" &&
                esp_auth_alg == "hmac-sha" -> "true";

where xxx is replaced with the output of:

Code:
    # openssl x509 -in /usr/local/etc/isakmpd/ca/ca.crt -noout -subject

Attention!
Only what follows "subject=" in the output above is substituted; it is the same DN as on Gateway A, since both gateways trust the same CA. As on Gateway A, set ipsec_enable="NO" in rc.conf and start isakmpd from the rc.d script.

------- OpenBSD -------

Gateway B receives only /etc/ssl/ca.crt from Gateway A; the CA private key stays on Gateway A.
Generate the private key and certificate request under /etc/isakmpd:

Code:
    # cd /etc/isakmpd
    # openssl genrsa -out private/local.key 2048
    # chmod 400 private/local.key
    # openssl req -new -key private/local.key -out private/X.Y.Z.T.csr

Copy private/X.Y.Z.T.csr to Gateway A, and there create and patch the X.509 certificate for Gateway B:

Code:
    # openssl x509 -req -days 730 -in X.Y.Z.T.csr -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key -CAcreateserial -out \
        X.Y.Z.T.crt
    # certpatch -i X.Y.Z.T -k /etc/ssl/private/ca.key X.Y.Z.T.crt X.Y.Z.T.crt

Copy X.Y.Z.T.crt back to Gateway B as /etc/isakmpd/certs/X.Y.Z.T.crt and copy ca.crt into /etc/isakmpd/ca:

Code:
    # cp -p /etc/ssl/ca.crt ca/

isakmpd.conf is the FreeBSD Gateway B file above with the paths in [X509-certificates] changed to the OpenBSD locations:

Code:
    [X509-certificates]
    CA-directory= /etc/isakmpd/ca/
    Cert-directory= /etc/isakmpd/certs/
    Private-key= /etc/isakmpd/private/local.key

All other sections ([General] with Listen-on= X.Y.Z.T, [Phase 1] with A.B.C.D= ISAKMP-peer-GatewayA, the peer, ID, LAN and mode sections with Transforms= 3DES-SHA-RSA_SIG and Suites= QM-ESP-3DES-SHA-PFS-SUITE) are identical.

isakmpd.policy is the same as on FreeBSD, with xxx replaced by the output of:

Code:
    # openssl x509 -in /etc/isakmpd/ca/ca.crt -noout -subject

Attention!
Only what follows "subject=" in the output above is substituted. Once both sides are up, "isakmpd -d -DA=90" on either gateway shows the RSA_SIG phase 1 exchange, and tcpdump on the external interface should show only UDP 500 and ESP between A.B.C.D and X.Y.Z.T.