IPSec / IPTables
IPSec and IPTables are network tools that can be used together to create a VPN between two computers. IPSec secures the connection while IPTables handles packet routing. The APF27 PPS board is optimized to use these tools.
IPSec
IPSec is a protocol that secures IP communications by authenticating and encrypting packets from one IP address to another, across all ports.
Setup
Host PC (Ubuntu)
- You need to install the ipsec-tools package on your host:
$ sudo apt-get install ipsec-tools
- Give the file /etc/ipsec-tools.conf the access rights 700:
$ sudo chmod 700 /etc/ipsec-tools.conf
- Then edit this file and define the IPSec keys as follows:
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.0.211 192.168.0.208 ah 0x200 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.0.208 192.168.0.211 ah 0x300 -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.0.211 192.168.0.208 esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.0.208 192.168.0.211 esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
# The direction (in/out) is relative to this machine (the host, 192.168.0.211):
# packets sent to the target are "out", packets received from it are "in".
spdadd 192.168.0.211 192.168.0.208 any -P out ipsec
    esp/transport//require
    ah/transport//require;

spdadd 192.168.0.208 192.168.0.211 any -P in ipsec
    esp/transport//require
    ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
    esp/transport//require
    ah/transport//require;
Note: In this example the host is 192.168.0.211 and the APF27 target is 192.168.0.208, but you must adapt the file to your configuration and create your own keys.
Note: To generate a 192 bit key you can use the following command:
$ dd if=/dev/random count=24 bs=1 | xxd -ps
Target (APF27)
Linux
Some drivers must be enabled in the Linux kernel for IPSec to work.
- To configure Linux, go into the BSP directory and run the command:
$ make linux26-menuconfig
- Select the following drivers in the Linux configuration menu:
[*] Networking support --->
    Networking options --->
        <*> Transformation user configuration interface
        <*> PF_KEY sockets
        <*> IP: AH transformation
        <*> IP: ESP transformation
        <*> IP: IPComp transformation
        <*> IP: IPsec transport mode
        <*> IP: IPsec tunnel mode
        <*> IP: IPsec BEET mode
[*] Cryptographic API --->
    <*> Null algorithms
        *** Authenticated Encryption with Associated Data ***
    <*> CCM support
    <*> GCM/GMAC support
    {*} AES cipher algorithms
- Then rebuild Linux:
$ make linux26-clean
$ make linux26
$ make
Buildroot
You must install flex and networking packages like OpenSSH, OpenSSL and IPSec-tools.
- First run this command to open the Buildroot configuration menu:
$ make menuconfig
- Select the following packages in the menu:
Package Selection for the target --->
    [*] flex
    [*] Networking
    [*]   ipsec-tools
    [*]     Enable racoonctl(8).
    [ ]     Enable NAT-Traversal
    [*]     Enable IKE fragmentation.
    [*]     Enable statistics logging function.
    [ ]     Enable IPv6 support
    [ ]     Enable readline input support if available.
    [*]     Install IPSec libraries under staging_dir/lib
    [*]   openssh
    -*-   openssl
Note: If you want to use IPSec in a NAT router/firewall, you must enable the NAT-Traversal option:
Package Selection for the target --->
    [*] Networking
    [*]   ipsec-tools
    [*]     Enable NAT-Traversal
- Then rebuild Buildroot:
$ make
In the filesystem
- You still have to put the following IPSec configuration file on the target in /etc/ipsec-tools.conf:
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.0.211 192.168.0.208 ah 0x200 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.0.208 192.168.0.211 ah 0x300 -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.0.211 192.168.0.208 esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.0.208 192.168.0.211 esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 192.168.0.211 192.168.0.208 any -P in ipsec
    esp/transport//require
    ah/transport//require;

spdadd 192.168.0.208 192.168.0.211 any -P out ipsec
    esp/transport//require
    ah/transport//require;
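The host and target files use the same SAs, but each policy direction (in/out) is seen from the local machine, and the page asks you to replace the test keys with your own. The script below is an added example, not part of the original page: it writes both files with fresh random keys. The function names, the output file names and the use of od instead of xxd are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): build matching setkey files
# for both peers with fresh random keys instead of the published test keys.

# rand_hex N: print N random bytes as lowercase hex (od replaces xxd here).
rand_hex() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# emit_conf LOCAL HOST TARGET AH_H2T AH_T2H ESP_H2T ESP_T2H
# Prints the setkey file for the machine whose address is LOCAL.
# The SAs are identical on both peers; only the policy direction differs.
emit_conf() {
    local_ip=$1 host=$2 target=$3
    if [ "$local_ip" = "$host" ]; then h2t=out t2h=in
    elif [ "$local_ip" = "$target" ]; then h2t=in t2h=out
    else echo "LOCAL must be HOST or TARGET" >&2; return 1
    fi
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
add $host $target ah 0x200 -A hmac-md5 0x$4;
add $target $host ah 0x300 -A hmac-md5 0x$5;
add $host $target esp 0x201 -E 3des-cbc 0x$6;
add $target $host esp 0x301 -E 3des-cbc 0x$7;
spdadd $host $target any -P $h2t ipsec
    esp/transport//require ah/transport//require;
spdadd $target $host any -P $t2h ipsec
    esp/transport//require ah/transport//require;
EOF
}

# make_pair HOST TARGET OUTDIR: write OUTDIR/host.conf and OUTDIR/target.conf
# with one shared set of keys, readable by the owner only.
make_pair() {
    h=$1 t=$2 dir=$3
    ah1=$(rand_hex 16); ah2=$(rand_hex 16)      # 128-bit HMAC-MD5 keys
    esp1=$(rand_hex 24); esp2=$(rand_hex 24)    # 192-bit 3DES keys
    ( umask 077
      emit_conf "$h" "$h" "$t" "$ah1" "$ah2" "$esp1" "$esp2" > "$dir/host.conf"
      emit_conf "$t" "$h" "$t" "$ah1" "$ah2" "$esp1" "$esp2" > "$dir/target.conf" )
}

# Usage: make_pair 192.168.0.211 192.168.0.208 /some/private/dir
```

Copy each generated file to /etc/ipsec-tools.conf on the matching machine over a trusted channel, since the keys are stored in clear text.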
Secure the connection
Once IPSec is installed and configured on both the target and the host, you have to launch it and activate the keys.
- First, on your host (Ubuntu), either reboot the computer or run the command:
$ sudo /etc/init.d/setkey start
 * Flushing IPsec SA/SP database: [ OK ]
To display the loaded keys:
$ sudo setkey -D
- On the target (APF27), you can run the command:
# setkey -f /etc/ipsec-tools.conf
And you can check the keys with:
# setkey -D
Test IPSec
- To check that data is correctly encrypted over the secured connection, launch Wireshark on your host PC and set a capture filter on your host address:
$ sudo wireshark
- Then you can try to establish a connection between the system and your host with Telnet.
Run the following command on the target:
# telnet -l $USERNAME $HOST_IP
For instance if you want to connect to computer 192.168.0.225 with the user toto:
# telnet -l toto 192.168.0.225
Entering character mode
Escape character is '^]'.
Password:
Last login: Thu Dec 23 14:35:40 CET 2010 from localhost on pts/5
Linux laptop-jeremie-ubuntu 2.6.31-20-generic-pae #58-Ubuntu SMP Fri Mar 12 06:25:51 UTC 2010 i686
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You can also connect without the username. When you are prompted for the username, it will also be encrypted.
- When you enter the password to connect to your host, check in Wireshark that you can see neither the protocol name (Telnet in our example) nor the password in the datagrams. You must only see the ESP protocol and encrypted data.
Note: If you use an APF27 PPS configured board, you can use the script test_ipsec.sh to test the OpenSSH tunnel.
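The Wireshark check above can also be scripted. The following is an added example, not part of the original page: it reads the text output of tcpdump -n and reports every packet between the two peers that is not wrapped in AH or ESP. The function names and the sample capture lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): find packets between the two
# IPsec peers that are NOT protected by AH/ESP in `tcpdump -n` text output.

# cleartext_between A B: reads tcpdump -n lines on stdin, prints each
# unprotected packet exchanged between A and B, and returns non-zero
# if at least one was found.
cleartext_between() {
    awk -v a="$1" -v b="$2" '
    # True when addr is ip itself or ip.port (tcpdump appends the port).
    function same_host(addr, ip,   rest) {
        if (addr == ip) return 1
        if (index(addr, ip ".") != 1) return 0
        rest = substr(addr, length(ip) + 2)
        return rest ~ /^[0-9]+$/
    }
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (!((same_host(src, a) && same_host(dst, b)) ||
              (same_host(src, b) && same_host(dst, a)))) next
        if ($6 ~ /^(AH|ESP)\(/) next          # protected by IPsec
        print "CLEARTEXT: " $0; bad++
    }
    END { exit (bad > 0) }'
}

# Constructed sample capture: one Telnet SYN sent before the policies were
# loaded, protected traffic afterwards, and unrelated traffic to be ignored.
sample_capture() {
    cat <<'EOF'
14:35:38.000000 ARP, Request who-has 192.168.0.211 tell 192.168.0.208, length 28
14:35:39.000000 IP 192.168.0.208.41234 > 192.168.0.211.23: Flags [S], seq 1000, win 5840, length 0
14:35:40.100000 IP 192.168.0.208 > 192.168.0.211: AH(spi=0x00000300,seq=0x1): ESP(spi=0x00000301,seq=0x1), length 68
14:35:40.100400 IP 192.168.0.211 > 192.168.0.208: AH(spi=0x00000200,seq=0x1): ESP(spi=0x00000201,seq=0x1), length 68
14:35:41.000000 IP 192.168.0.225.22 > 192.168.0.211.50000: Flags [P.], seq 1:37, ack 1, win 229, length 36
EOF
}

# Live use on the host (needs root):
#   tcpdump -n -c 200 -i eth0 host 192.168.0.208 | cleartext_between 192.168.0.211 192.168.0.208
```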
IPTables
IPTables is a command-line interface to configure Netfilter. It lets you set up the chains and routing rules in a computer's firewall. It can also be used to access a public domain from a private network by masquerading the private IP address.
Setup
If you want to use IPTables on your system, you have to configure both Buildroot and Linux.
Linux
- In the BSP directory, run this command to launch the Linux configuration menu:
$ make linux26-menuconfig
- In the menu, select the following drivers or modules:
[*] Networking support --->
    Networking options --->
        [*] TCP/IP networking
        [*]   IP: multicasting
        [*]   IP: advanced router
                Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure) (FIB_HASH) --->
        [ ]     IP: policy routing
        [ ]     IP: equal cost multipath
        [ ]     IP: verbose route monitoring
        [*] Network packet filtering framework (Netfilter) --->
            [*] Advanced netfilter configuration
            [*]   Bridged IP/ARP packets filtering
                Core Netfilter Configuration --->
                    {*} Netfilter Xtables support (required for ip_tables)
                IP: Netfilter Configuration --->
                    <M> IP tables support (required for filtering/masq/NAT)
                    <M>   Packet filtering
                    <M> ARP tables support
                    <M>   ARP packet filtering
                    < >   ARP payload mangling
Note: You can also add other IP tables like nat and mangle or new firewall rule options like LOG or REJECT in Netfilter page of the Linux configuration menu.
- Now you can rebuild Linux:
$ make linux26-clean
$ make linux26
$ make
Buildroot
- In the BSP directory, launch the Buildroot configuration menu:
$ make menuconfig
- Select the following packages for IPTables to be installed on target:
Package selection for the target --->
    [*] Networking --->
        [*] iptables
- Then rebuild Buildroot to generate the rootfs:
$ make
IPTables usage
- To learn how to use IPTables to define firewall chains and rules, please refer to the Linux Ubuntu Documentation - IPTables.
- You may also want to define routing rules with the command route. You can refer to the Linux Ubuntu Documentation - routage to use it.
Test IPTables on APF27 PPS
To test IPTables on the target, we will implement a NAT router on the target and use it as a gateway between two computers.
- First you have to enable full NAT and masquerading functionalities in Linux Kernel for your target. Please refer to the Note for full NAT installation to set up these options and then rebuild Linux:
$ make linux26-clean
$ make linux26
$ make
- Flash the new kernel and rootfs binaries on the target.
- Connect an Ethernet cable from your host Linux to the Ethernet port of the target.
And connect the USB A-MiniA cable from your host Linux to your target USB OTG port.
- Then you have to activate the target network interface for Ethernet and USB Gadget:
# ifconfig eth0 192.168.0.208
# modprobe -r smsc95xx
# modprobe -r g_ether
# modprobe g_ether
# ifconfig usb0 192.168.2.251
Freescale High-Speed USB SOC Device Controller driver (Apr 20, 2007)
ULPI OTG Vendor ID 0x4cc Product ID 0x1504
g_ether gadget: using random self ethernet address
g_ether gadget: using random host ethernet address
usb0: MAC f6:cf:00:56:1b:64
usb0: HOST MAC be:60:d1:56:89:fc
g_ether gadget: Ethernet Gadget, version: Memorial Day 2008
g_ether gadget: g_ether ready
fsl-usb2-udc: bind to driver g_ether
g_ether gadget: high speed config #1: CDC Ethernet (ECM)
- Once the USB gadget interface is connected, you should see the network Auto USB in your host's Network Connections.
- If you want to make your APF27 PPS a gateway, you have to use two different sub-networks: one for your private network (your computer and the USB gadget interface) and one for the remote network (the remote computer and the Ethernet interface).
- Then edit the Auto USB network to configure it:
  - The IP address must be in the same sub-network as the USB Gadget interface: for instance 192.168.2.225.
  - The Netmask: 255.255.255.0
  - The Gateway is your target's USB Gadget interface: here 192.168.2.251.
  - A DNS server, if you want to browse the Internet through the target: for instance 192.168.0.207.
  - Search domains: for instance armadeus-office.
- Then disconnect your host PC and reconnect to the Auto USB network.
- Add the default route to be able to reach the Internet:
# route add default gw 192.168.0.1 eth0
- Configure the IP Advanced router to be able to forward the packets through the target:
# echo "1" > /proc/sys/net/ipv4/ip_forward
- Then you have to create the rules for the NAT router/firewall with iptables:
# iptables -P INPUT ACCEPT
# iptables -F INPUT
# iptables -P OUTPUT ACCEPT
# iptables -F OUTPUT
# iptables -P FORWARD DROP
# iptables -F FORWARD
# iptables -t nat -F
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
# iptables -A FORWARD -i eth0 -o usb0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
# iptables -A FORWARD -j LOG
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- To check that the gateway works correctly, ping the different interfaces and the remote computer from your host:
$ ping 192.168.2.251
PING 192.168.2.251 (192.168.2.251) 56(84) bytes of data.
64 bytes from 192.168.2.251: icmp_seq=1 ttl=64 time=0.736 ms
$ ping 192.168.0.208
PING 192.168.0.208 (192.168.0.208) 56(84) bytes of data.
64 bytes from 192.168.0.208: icmp_seq=1 ttl=64 time=0.719 ms
$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=1.60 ms
$ ping REMOTE_ADDRESS
- If you have configured your network with a DNS server, you can even ping or browse a URL on the Internet:
$ ping www.yahoo.fr
PING any-rc.a01.yahoodns.net (87.248.120.148) 56(84) bytes of data.
64 bytes from w2.rc.vip.ch1.yahoo.com (87.248.120.148): icmp_seq=1 ttl=49 time=90.3 ms