Difference between revisions of "IPSec / IPTables"

From ArmadeusWiki
Latest revision as of 19:40, 4 September 2013

IPSec and IPTables are network tools that can be used together to create a VPN between two computers. IPSec secures the connection, while IPTables handles the packet routing and filtering. The APF27 PPS board is optimized to use these tools.

IPSec

IPSec is a protocol that secures IP communications by authenticating and encrypting packets sent from one IP address to another, on all ports. Before trying to use the following instructions, please read IPSec for dummies (http://people.freebsd.org/~julian/IPSEC_4_Dummies.html) to become familiar with the acronyms used below.

Setup

Host PC (Ubuntu)

  • You need to install the ipsec-tools package on your host:
 $ sudo apt-get install ipsec-tools
  • Give the file /etc/ipsec-tools.conf the access rights 700 (i.e. accessible only to the root user):
 $ sudo chmod 700 /etc/ipsec-tools.conf
  • Then edit this file and define the IPSec keys and policies as follows:

#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.0.211 192.168.0.208 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 192.168.0.208 192.168.0.211 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)

add 192.168.0.211 192.168.0.208 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.0.208 192.168.0.211 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;


# Security policies
spdadd 192.168.0.208 192.168.0.211 any -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.0.211 192.168.0.208 any -P out ipsec
           esp/transport//require
           ah/transport//require;
Note: In this example the host is 192.168.0.211 and the APF27 target is 192.168.0.208; you must adapt the file to your configuration and create your own keys.


Note: To generate a 192 bit key you can use the following command:
dd if=/dev/random count=24 bs=1| xxd -ps


Note: You can choose specific ports and protocols to secure with IPSec in the security policies, like this:
spdadd 192.168.0.211/24[PORT_NUMBER] 192.168.0.208/24[PORT_NUMBER] PROTOCOL_NAME -P in ipsec
           esp/transport//require
           ah/transport//require;

For instance, if you want to encrypt only the Telnet port, the security policies on the server will be:

spdadd 0.0.0.0/0[any] 192.168.0.211/24[23] tcp -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.0.211/24[23] 192.168.0.208/24[any] tcp -P out ipsec
           esp/transport//require
           ah/transport//require;

The keyword any means any protocol or any port.


Target (APF27)

Linux

Some options must be enabled in the Linux kernel for IPSec to work.

  • To configure Linux, go into the BSP directory and run the command:
 $ make linux-menuconfig
  • Select the following drivers to install in Linux configuration menu:
[*] Networking support --->
    Networking options --->
        <*> Transformation user configuration interface
        <*> PF_KEY sockets
        <*>   IP: AH transformation
        <*>   IP: ESP transformation
        <*>   IP: IPComp transformation
        <*>   IP: IPsec transport mode
        <*>   IP: IPsec tunnel mode
        <*>   IP: IPsec BEET mode

[*] Cryptographic API --->
    <*>   Null algorithms

      *** Authenticated Encryption with Associated Data ***
    <*>   CCM support
    <*>   GCM/GMAC support

    {*}   AES cipher algorithms
  • Then you can rebuild Linux like that:
 $ make linux-clean
 $ make linux
 $ make
Buildroot

You must install flex and the networking packages OpenSSH, OpenSSL and ipsec-tools.

  • First run this command to open the Buildroot configuration menu:
 $ make menuconfig
  • Select the following packages in the menu:
Package Selection for the target  --->
    [*] flex

    [*] Networking
        [*]   ipsec-tools
        [*]   Enable racoonctl(8).
        [ ]   Enable NAT-Traversal
        [*]   Enable IKE fragmentation.
        [*]   Enable statistics logging function.
        [ ]   Enable IPv6 support
        [ ]   Enable readline input support if available.
        [*]   Install IPSec libraries under staging_dir/lib

        [*]   openssh
        -*-   openssl
Note: If you want to use IPSec in a NAT router/firewall, you must enable the NAT-Traversal option:
Package Selection for the target  --->
    [*] Networking
        [*]   ipsec-tools
        [*]   Enable NAT-Traversal


  • Then rebuild Buildroot:
 $ make
In the filesystem
  • You still have to put the following IPSec configuration file on the target, as /etc/ipsec-tools.conf:
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.0.211 192.168.0.208 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 192.168.0.208 192.168.0.211 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)

add 192.168.0.211 192.168.0.208 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.0.208 192.168.0.211 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;


# Security policies
spdadd 192.168.0.211 192.168.0.208 any -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.0.208 192.168.0.211 any -P out ipsec
           esp/transport//require
           ah/transport//require;
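The host file and the target file above share the same SAs but have their in/out policies mirrored, and the page asks you to create your own keys. As an added example (not from the Armadeus wiki or ipsec-tools), this Python script does both at once: it generates one fresh key set and renders the two /etc/ipsec-tools.conf files, optionally restricted to a single TCP port as in the Telnet note, and it checks that each file's policies point the right way for the side it is installed on. It assumes plain host addresses in the policies (the note uses the /24 form) and the page's example address pair.

```python
import re
import secrets

# The page's example pair; adjust to your own addresses.
HOST_IP = "192.168.0.211"
TARGET_IP = "192.168.0.208"


def gen_key(nbytes):
    """Hex key of nbytes random bytes, the same thing the page's
    `dd if=/dev/random count=<nbytes> bs=1 | xxd -ps` produces (24 bytes = 192 bits)."""
    return "0x" + secrets.token_hex(nbytes)


def build_conf(local, peer, keys, port=None):
    """Render ipsec-tools.conf for the side whose address is `local`.

    `keys` maps (src, dst) -> (spi, ah_key, esp_key).  The SAD (add lines) is
    identical on both sides; the SPD is mirrored: peer -> local is `-P in`,
    local -> peer is `-P out`.  With `port`, only TCP traffic to that port on
    `local` is protected, like the page's Telnet policy.
    """
    sad = ""
    for (src, dst), (spi, ah_key, esp_key) in keys.items():
        sad += f"add {src} {dst} ah 0x{spi:x} -A hmac-md5 {ah_key};\n"
        sad += f"add {src} {dst} esp 0x{spi + 1:x} -E 3des-cbc {esp_key};\n"
    if port is None:
        pol_in, pol_out = f"{peer} {local} any", f"{local} {peer} any"
    else:
        pol_in = f"0.0.0.0/0[any] {local}[{port}] tcp"
        pol_out = f"{local}[{port}] {peer}[any] tcp"
    req = "\n\tesp/transport//require\n\tah/transport//require;\n"
    return (
        "#!/usr/sbin/setkey -f\n"
        "flush;\nspdflush;\n\n"
        "# AH (128-bit hmac-md5) and ESP (192-bit 3des-cbc) SAs, same on both sides\n"
        f"{sad}\n"
        f"# Security policies as seen from {local}\n"
        f"spdadd {pol_in} -P in ipsec{req}\n"
        f"spdadd {pol_out} -P out ipsec{req}"
    )


def make_pair(host, target, port=None):
    """Return (host_conf, target_conf) sharing one freshly generated key set."""
    keys = {
        (host, target): (0x200, gen_key(16), gen_key(24)),
        (target, host): (0x300, gen_key(16), gen_key(24)),
    }
    return build_conf(host, target, keys, port), build_conf(target, host, keys, port)


SPD_RE = re.compile(r"^spdadd (\S+) (\S+) \S+ -P (in|out) ipsec", re.M)


def policy_directions_ok(conf, local):
    """True when every spdadd line points the right way for `local`: `-P in`
    must end at local and `-P out` must start from local.  This catches the
    classic mistake of copying the host's file onto the target unchanged."""
    def bare(addr):                      # drop a [port] suffix and a /prefix length
        return addr.split("[")[0].split("/")[0]
    seen = set()
    for src, dst, direction in SPD_RE.findall(conf):
        seen.add(direction)
        if (direction == "in" and bare(dst) != local) or \
           (direction == "out" and bare(src) != local):
            return False
    return seen == {"in", "out"}


if __name__ == "__main__":
    host_conf, target_conf = make_pair(HOST_IP, TARGET_IP)
    print(host_conf)      # install as /etc/ipsec-tools.conf on the host (chmod 700)
    print(target_conf)    # and this one on the APF27, then `setkey -f` on each side
```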

Secure the connection

Once IPSec is installed and configured on both the target and the host, you have to start it and load the keys.

  • First, on your host (Ubuntu), reboot the computer or run the command:
 $ sudo /etc/init.d/setkey start
 * Flushing IPsec SA/SP database:                                                                    [ OK ]

If you want to see the generated keys:

 $ sudo setkey -D
  • On the target (APF27), you can run the command:
 # setkey -f /etc/ipsec-tools.conf

And you can check the keys with:

 # setkey -D

Test IPSec

  • To check that data is correctly encrypted over the secured connection, launch Wireshark on your host PC and set a capture filter on your host address:
 $ sudo wireshark
  • Then you can try to establish a connection between the system and your host with Telnet.

Run the following command on the target:

 # telnet -l $USERNAME $HOST_IP

For instance, to connect to the computer 192.168.0.225 as user toto:

 # telnet -l toto 192.168.0.225

Entering character mode
Escape character is '^]'.

Password: 
Last login: Thu Dec 23 14:35:40 CET 2010 from localhost on pts/5
Linux laptop-jeremie-ubuntu 2.6.31-20-generic-pae #58-Ubuntu SMP Fri Mar 12 06:25:51 UTC 2010 i686

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/

You can also connect without giving the username on the command line; when you are prompted for it, the username is encrypted as well.

  • When you enter the password to connect to your host, check in Wireshark that neither the protocol name (Telnet in our example) nor the password is visible in the datagrams. You should only see the ESP protocol and encrypted data.
Note: If you use an APF27 PPS configured board, you can use the script test_ipsec.sh to test the IPSec authentication and encryption.


IPTables

IPTables is a command-line tool for configuring Netfilter. It lets you set up the chains and rules of a computer's firewall and routing. It can also give a private network access to a public network by masquerading the private IP addresses.

Setup

If you want to use IPTables on your system, you have to configure both Buildroot and Linux.

Linux

  • In the BSP directory, run this command to launch the Linux configuration menu:
 $ make linux-menuconfig
  • In the menu, select the following drivers or modules:
[*] Networking support --->
    Networking options --->
        [*] TCP/IP networking
        [*]   IP: multicasting
        [*]   IP: advanced router
                Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure) (FIB_HASH) --->
        [ ]   IP: policy routing
        [ ]   IP: equal cost multipath
        [ ]   IP: verbose route monitoring

        [*] Network packet filtering framework (Netfilter) --->
            [*] Advanced netfilter configuration
            [*]   Bridged IP/ARP packets filtering
                Core Netfilter Configuration --->
                    {*} Netfilter Xtables support (required for ip_tables)

                IP: Netfilter Configuration --->
                    <M> IP tables support (required for filtering/masq/NAT)
                    
                    <M>   Packet filtering

                    <M> ARP tables support
                    <M>   ARP packet filtering
                    < >   ARP payload mangling

Note: If you want to use your target as a full NAT router and do masquerading, there are some advanced features you must add to the Linux kernel:
[*] Networking support --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
                Core Netfilter Configuration --->
                    <M> Netfilter connection tracking support
                    <M>   "state" match support

                IP: Netfilter Configuration --->
                    <M> IPv4 connection tracking support (required for NAT)
                    [*]   proc/sysctl compatibility with old connection tracking

                    <M>   Full NAT
                    <M>     MASQUERADE target support
                    <M>     NETMAP target support
                    <M>     REDIRECT target support
                    < >     Basic SNMP-ALG support

Note: In order to use protocols like TFTP or FTP through the NAT router, you have to activate the support for the protocol you want in Netfilter.

For instance with the TFTP protocol:

[*] Networking support --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
                Core Netfilter Configuration --->
                    <M> Netfilter connection tracking support
                    <M>   TFTP protocol support


Note: You can also add other IP tables like nat and mangle, or new firewall rule options like LOG or REJECT, in the Netfilter page of the Linux configuration menu.


  • Now you can rebuild Linux:
 $ make linux-clean
 $ make linux
 $ make

Buildroot

  • In the BSP directory, launch the Buildroot configuration menu:
 $ make menuconfig
  • Select the following packages for IPTables to be installed on target:
Package selection for the target --->
    [*] Networking --->
        [*] iptables
  • Then rebuild Buildroot to generate the rootfs:
 $ make

IPTables usage

Test IPTables on APF27 PPS

To test IPTables on the target, we will set up a NAT router on the system and use it as a gateway between two computers.

  • First you have to enable the full NAT and masquerading functionalities in the Linux kernel for your target. Please refer to the note on the full NAT router above to set up these options, then rebuild Linux:
 $ make linux-clean
 $ make linux
 $ make
  • Flash the new kernel and rootfs binaries on the target.
  • Connect an Ethernet cable from your host Linux to the Ethernet port of the target.

And connect the USB A-MiniA cable from your host Linux to your target USB OTG port.

  • Then you have to activate the target network interface for Ethernet and USB Gadget:
 # ifconfig eth0 192.168.0.208

 # modprobe -r smsc95xx
 # modprobe -r g_ether
 # modprobe g_ether
 # ifconfig usb0 192.168.2.251
 Freescale High-Speed USB SOC Device Controller driver (Apr 20, 2007)
 ULPI OTG Vendor ID 0x4cc    Product ID 0x1504
 g_ether gadget: using random self ethernet address
 g_ether gadget: using random host ethernet address
 usb0: MAC f6:cf:00:56:1b:64
 usb0: HOST MAC be:60:d1:56:89:fc
 g_ether gadget: Ethernet Gadget, version: Memorial Day 2008
 g_ether gadget: g_ether ready
 fsl-usb2-udc: bind to driver g_ether
 g_ether gadget: high speed config #1: CDC Ethernet (ECM)
  • Once the USB gadget interface is connected, you should see the network Auto USB in your host's Network Connections.
    • If you want to make your APF27 PPS a gateway, you have to use two different sub-networks: one for the private network (your computer and the USB gadget interface) and one for the remote network (the remote computer and the Ethernet interface).
    • Then edit the Auto USB network to configure it:
      • The IP address must be in the same sub-network as the USB gadget interface, for instance 192.168.2.225.
      • The netmask: 255.255.255.0
      • The gateway is your target's USB gadget interface, here 192.168.2.251.
      • A DNS server, if you want to browse the Internet through the target, for instance 192.168.0.207.
      • Search domains, for instance armadeus-office.
    • Then disconnect your host PC and reconnect to the Auto USB network.
  • Add the default route to be able to go on the Internet:
 # route add default gw 192.168.0.1 eth0
  • Enable IP forwarding so that the target can forward packets between its interfaces:
 # echo "1" > /proc/sys/net/ipv4/ip_forward
  • Then you have to create the rules for the NAT router/firewall with iptables:
 # iptables -P INPUT ACCEPT
 # iptables -F INPUT 
 # iptables -P OUTPUT ACCEPT
 # iptables -F OUTPUT 
 # iptables -P FORWARD DROP
 # iptables -F FORWARD 
 # iptables -t nat -F
 nf_conntrack version 0.5.0 (1024 buckets, 4096 max)

 # iptables -A FORWARD -i eth0 -o usb0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 # iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
 # iptables -A FORWARD -j LOG

 # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • To test that the gateway is working correctly, you can ping the different interfaces and the remote computer from your host:
 $ ping 192.168.2.251
 PING 192.168.2.251 (192.168.2.251) 56(84) bytes of data.
 64 bytes from 192.168.2.251: icmp_seq=1 ttl=64 time=0.736 ms

 $ ping 192.168.0.208
 PING 192.168.0.208 (192.168.0.208) 56(84) bytes of data.
 64 bytes from 192.168.0.208: icmp_seq=1 ttl=64 time=0.719 ms

 $ ping 192.168.0.1
 PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
 64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=1.60 ms

 $ ping REMOTE_ADDRESS
  • If you have configured your network with a DNS server, you can even ping or browse a URL on the Internet:
 $ ping www.yahoo.fr
 PING any-rc.a01.yahoodns.net (87.248.120.148) 56(84) bytes of data.
 64 bytes from w2.rc.vip.ch1.yahoo.com (87.248.120.148): icmp_seq=1 ttl=49 time=90.3 ms
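The iptables rules entered above turn the APF27 into a stateful NAT gateway. As an added example (not from the Armadeus wiki), this Python simulation of the FORWARD chain, the MASQUERADE rule and a minimal conntrack table shows what happens to each packet: a connection opened from the USB side leaves masqueraded as 192.168.0.208 and its replies are let back in, while a connection attempted from the remote network towards the private side is logged and dropped by the DROP policy. The addresses are the page's; the packets are constructed for the example.

```python
import ipaddress

ETH0_IP = "192.168.0.208"                             # target's eth0 address (page)
PRIVATE_NET = ipaddress.ip_network("192.168.2.0/24")  # usb0 side (page)
POLICY = "DROP"                                       # iptables -P FORWARD DROP
# (in_if, out_if, allowed states, target), in the order the page appends them.
RULES = [
    ("eth0", "usb0", {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("usb0", "eth0", None, "ACCEPT"),
    (None, None, None, "LOG"),                        # iptables -A FORWARD -j LOG
]


def route(dst):
    """Routing decision: the USB subnet via usb0, everything else via the
    default route on eth0 (route add default gw 192.168.0.1 eth0)."""
    return "usb0" if ipaddress.ip_address(dst) in PRIVATE_NET else "eth0"


class Gateway:
    def __init__(self):
        self.conntrack = set()   # accepted flows, pre-NAT: (src, sport, dst, dport, proto)
        self.nat = {}            # reply tuple of a masqueraded flow -> private source
        self.log = []            # what `-j LOG` would write to the kernel log

    def forward(self, in_if, src, sport, dst, dport, proto="tcp"):
        """Push one packet through PREROUTING de-NAT, FORWARD and POSTROUTING.
        Returns (verdict, packet as it leaves) or (verdict, None) when dropped."""
        # PREROUTING: a reply to a masqueraded flow gets its private destination back.
        private = self.nat.get((src, sport, dst, dport, proto))
        if private:
            dst = private
        out_if = route(dst)
        flow = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        # Minimal conntrack: ESTABLISHED once either direction was accepted before.
        # (RELATED needs a helper such as the TFTP module from the note above.)
        state = "ESTABLISHED" if flow in self.conntrack or reverse in self.conntrack else "NEW"
        verdict = POLICY
        for r_in, r_out, states, target in RULES:
            if r_in and in_if != r_in:
                continue
            if r_out and out_if != r_out:
                continue
            if states and state not in states:
                continue
            if target == "LOG":              # LOG is non-terminating: record and keep going
                self.log.append(f"IN={in_if} OUT={out_if} SRC={src} DST={dst} DPT={dport}")
                continue
            verdict = target
            break
        if verdict != "ACCEPT":
            return verdict, None
        self.conntrack.add(flow)
        if out_if == "eth0":                 # -t nat -A POSTROUTING -o eth0 -j MASQUERADE
            self.nat[(dst, dport, ETH0_IP, sport, proto)] = src
            src = ETH0_IP                    # (real MASQUERADE may also pick a new sport)
        return verdict, (out_if, src, sport, dst, dport)


if __name__ == "__main__":
    gw = Gateway()
    # Host PC (192.168.2.225 behind usb0) opens a web connection to the outside.
    print(gw.forward("usb0", "192.168.2.225", 40000, "87.248.120.148", 80))
    # The reply arrives on eth0 for the masqueraded address and is let back in.
    print(gw.forward("eth0", "87.248.120.148", 80, ETH0_IP, 40000))
    # A machine on the remote LAN tries to telnet into the private host: logged, dropped.
    print(gw.forward("eth0", "192.168.0.225", 5555, "192.168.2.225", 23), gw.log)
```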
Note: If IPSec is activated on the remote computer and on your target, you can also secure the connection to the remote computer.

On the remote computer, put the file /etc/ipsec-tools.conf and run the command:

 $ sudo /etc/init.d/setkey start
 * Flushing IPsec SA/SP database:                                                                    [ OK ]

On your target, run:

 # setkey -f /etc/ipsec-tools.conf

Then you can check with Wireshark that all data going through the secured connection is encrypted.


Links