vpn - configuring the system for virtual private networks
A virtual private network is used to securely connect two or
more subnets
over the internet. For each subnet there is a security
gateway which is
linked via a cryptographically secured tunnel to the security gateway of
the other subnet. ipsec(4) is used to provide the necessary
network-layer
cryptographic services. This document describes the configuration
process for setting up a VPN.
Briefly, creating a VPN consists of the following steps:
1. Choose a key exchange method: manual keyed, or automated via
isakmpd(8).
2. For manual keying, create the Security Associations
(SA), one for
each endpoint.
3. For manual keying, create the appropriate IPsec flows.
4. For automated keying, create a configuration file for
the keying
daemon.
5. Configure your firewall rules appropriately.
Choosing a key exchange method [Toc] [Back]
There are currently two key exchange methods available:
+o manual (symmetric shared secret)
+o isakmpd(8)
Enabling Packet Forwarding [Toc] [Back]
For security gateways, proper operation often requires packet forwarding
to be enabled using sysctl(8):
# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1
Packet forwarding defaults to 'off'.
For more permanent operation, the appropriate option(s)
should be enabled
in your sysctl.conf(5).
Generating Manual Keys [manual keying]
The shared secret symmetric keys used to create a VPN can be
any hexadecimal
value, so long as both sides of the connection use the
same values.
Since the security of the VPN is based on these keys being
unguessable,
it is very important that the keys be chosen using a strong
random
source. One practical method of generating them is by using
the
random(4) device. To produce 160 bits (20 bytes) of randomness, for example,
do:
# openssl rand 20 | hexdump -e '20/1 "%02x"'
or:
# openssl rand 20 | perl -pe 's/./unpack("H2",$&)/ges'
Different cipher types may require different sized keys.
Cipher Key Length
DES 56 bits
3DES 168 bits
AES Variable (128 bits recommended)
BLF Variable (160 bits recommended)
CAST Variable (128 bits maximum and recommended)
SKIPJACK 80 bits
Use of DES or SKIPJACK as an encryption algorithm is not
recommended (except
for backwards compatibility) due to their short key
length. Furthermore,
recent attacks on SKIPJACK have shown severe weaknesses in its
structure.
Note that DES requires 8 bytes to form a 56-bit key and 3DES
requires 24
bytes to form its 168-bit key. This is because the most
significant bit
of each byte is ignored by both algorithms.
Creating Security Associations [manual keying]
Before the IPsec flows can be defined, two Security Associations (SAs)
must be defined on each end of the VPN, e.g.:
# ipsecadm new esp -spi $SPI_AB -src $GATEWAY_A
-dst $GATEWAY_B -forcetunnel -enc 3des -auth sha1
-keyfile $ENCRYPTION_KEY_FILE -authkeyfile $AUTHENTICATION_KEY_FILE
# ipsecadm new esp -spi $SPI_BA -src $GATEWAY_B
-dst $GATEWAY_A -forcetunnel -enc 3des -auth sha1
-keyfile $ENCRYPTION_KEY_FILE -authkeyfile $AUTHENTICATION_KEY_FILE
Note that the -key and -authkey options may be used to specify the keys
directly in the ipsecadm(8) command line. However, another
user could
view the keys by using the ps(1) command at the appropriate
time (or use
a program for doing so).
Creating IPsec Flows [manual keying]
Both IPsec gateways need to configure ipsec(4) routes with
the
ipsecadm(8) tool:
On the security gateway of subnet A:
# ipsecadm flow -out -require -proto esp
-src $GATEWAY_A -dst $GATEWAY_B -addr $NETWORK_A
$NETWORK_B
# ipsecadm flow -in -require -proto esp
-src $GATEWAY_A -dst $GATEWAY_B -addr $NETWORK_B
$NETWORK_A
and on the security gateway of subnet B:
# ipsecadm flow -out -require -proto esp
-src $GATEWAY_B -dst $GATEWAY_A -addr $NETWORK_B
$NETWORK_A
# ipsecadm flow -in -require -proto esp
-src $GATEWAY_B -dst $GATEWAY_A -addr $NETWORK_A
$NETWORK_B
Configure and run the keying daemon [automated keying]
Unless manual keying is used, both security gateways need to
start the
isakmpd(8) key management daemon. To make sure the daemon
is properly
configured to provide the required security services (typically, encryption
and authentication) start the daemon with debugging or
verbose output.
isakmpd(8) implements security policy using the KeyNote
trust management
system.
Configuring Firewall Rules [Toc] [Back]
pf(4) needs to be configured such that all packets from the
outside are
blocked by default. Only successfully IPsec-processed packets (from the
enc(4) interface), or key management packets (for isakmpd(8), UDP packets
with source and destination ports of 500) should be allowed
to pass.
The pf.conf(5) rules for a tunnel which uses encryption (the
ESP IPsec
protocol) and isakmpd(8) on security gateway A might look
like this:
GATEWAY_A = "192.168.1.254/32"
GATEWAY_B = "192.168.2.1/32"
NETWORK_A = "10.0.50.0/24"
NETWORK_B = "10.0.99.0/24"
# default deny
# ne0 is the only interface going to the outside.
block in log on { enc0, ne0 } all
block out log on { enc0, ne0 } all
# Passing in encrypted traffic from security gateways
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B
# Need to allow ipencap traffic on enc0.
pass in on enc0 proto ipencap all
# Passing in traffic from the designated subnets.
pass in on enc0 from $NETWORK_B to $NETWORK_A
pass out on enc0 from $NETWORK_A to $NETWORK_B
# Passing in isakmpd(8) traffic from the security gateways
pass in on ne0 proto udp from $GATEWAY_B port = 500 to
$GATEWAY_A port = 500
pass out on ne0 proto udp from $GATEWAY_A port = 500 to
$GATEWAY_B port = 500
If there are no other pf.conf(5) rules, the "quick" clause
can be added
to the last four rules. NAT rules can also be used on the
enc(4) interface.
Note that it is strongly encouraged that instead of
detailed PF
rules, the SPD (IPsec flow database) be utilized to specify
security policy,
if only to avoid filtering conflicts.
/usr/share/ipsec/rc.vpn Sample VPN configuration file
/etc/isakmpd/isakmpd.conf isakmpd(8) configuration file
/etc/pf.conf Firewall configuration file
Manual keying
To create a manual keyed VPN between two class C networks
using 3DES encryption
and the following IP addresses:
GATEWAY_A = 192.168.1.254
NETWORK_A = 10.0.50.0/24
GATEWAY_B = 192.168.2.1
NETWORK_B = 10.0.99.0/24
1. Choose the shared secrets using a suitably random
method. The 3DES
encryption key needs 192 bits (3x64), or 24 bytes. The
SHA-1 authentication
key for needs 160 bits, or 20 bytes.
# openssl rand 24 | hexdump -e '24/1 "%02x"' > enc_key
# openssl rand 20 | hexdump -e '20/1 "%02x"' > auth_key
2. Create the Security Associations (on both endpoints):
# /sbin/ipsecadm new esp -src 192.168.2.1 -dst
192.168.1.254 -forcetunnel -spi 1000 -enc 3des -auth
sha1 -keyfile enc_key -authkeyfile auth_key
# /sbin/ipsecadm new esp -src 192.168.1.254 -dst
192.168.2.1 -forcetunnel -spi 1001 -enc 3des -auth
sha1 -keyfile enc_key -authkeyfile auth_key
3. Create the IPsec flows on machine A (the first is for
outbound
flows, the latter is the ingress filter for the incoming security
association):
# ipsecadm flow -out -require -proto esp
-src 192.168.1.254 -dst 192.168.2.1 -addr
10.0.50.0/24 10.0.99.0/24
# ipsecadm flow -in -require -proto esp
-src 192.168.1.254 -dst 192.168.2.1 -addr
10.0.99.0/24 10.0.50.0/24
4. Create the matching IPsec flows on machine B:
# ipsecadm flow -out -require -proto esp
-src 192.168.1.254 -dst 192.168.2.1 -addr
10.0.50.0/24 10.0.99.0/24
# ipsecadm flow -in -require -proto esp
-src 192.168.1.254 -dst 192.168.2.1 -addr
10.0.99.0/24 10.0.50.0/24
5. Configure the firewall rules on machine A using the
previously defined
ruleset:
GATEWAY_A = "192.168.1.254/32"
GATEWAY_B = "192.168.2.1/32"
NETWORK_A = "10.0.50.0/24"
NETWORK_B = "10.0.99.0/24"
(rest of ruleset)
6. Configure the firewall rules on machine B, modifying
the definitions
as appropriate:
GATEWAY_B = "192.168.1.254/32"
GATEWAY_A = "192.168.2.1/32"
NETWORK_B = "10.0.50.0/24"
NETWORK_A = "10.0.99.0/24"
(rest of ruleset)
Automated keying [Toc] [Back]
To create a VPN between the same two C class networks as the
example
above, using isakmpd(8):
1. Create /etc/isakmpd/isakmpd.conf for machine A:
# Incoming phase 1 negotiations are multiplexed on the
source IP
# address. Phase 1 is used to set up a protected channel just
# between the two gateway machines. This channel is
then used for
# the phase 2 negotiation traffic (i.e. encrypted & authenticated).
[Phase 1]
192.168.2.1= peer-machineB
# 'Phase 2' defines which connections the daemon should
establish.
# These connections contain the actual "IPsec VPN" information.
[Phase 2]
Connections= VPN-A-B
# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase= 1
Transport= udp
Address= 192.168.2.1
Configuration= Default-main-mode
Authentication= yoursharedsecret
# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase= 2
ISAKMP-peer= peer-machineB
Configuration= Default-quick-mode
Local-ID= machineA-internal-network
Remote-ID= machineB-internal-network
# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.50.0
Netmask= 255.255.255.0
[machineB-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.99.0
Netmask= 255.255.255.0
# Main and Quick Mode descriptions (as used by peers
and connections)
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
2. Create /etc/isakmpd/isakmpd.conf for machine B:
# Incoming phase 1 negotiations are multiplexed on the
source IP
# address. Phase 1 is used to set up a protected channel just
# between the two gateway machines. This channel is
then used for
# the phase 2 negotiation traffic (i.e. encrypted & authenticated).
[Phase 1]
192.168.1.254= peer-machineA
# 'Phase 2' defines which connections the daemon should
establish.
# These connections contain the actual "IPsec VPN" information.
[Phase 2]
Connections= VPN-B-A
# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineA]
Phase= 1
Transport= udp
Address= 192.168.1.254
Configuration= Default-main-mode
Authentication= yoursharedsecret
# IPSEC phase 2 connections (from [Phase 2])
[VPN-B-A]
Phase= 2
ISAKMP-peer= peer-machineA
Configuration= Default-quick-mode
Local-ID= machineB-internal-network
Remote-ID= machineA-internal-network
# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.50.0
Netmask= 255.255.255.0
[machineB-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.99.0
Netmask= 255.255.255.0
# Main and Quick Mode descriptions (as used by peers
and connections)
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
3. Read through the configuration one more time. The only
real differences
between the two files in this example are the IPaddresses,
and ordering of Local- and Remote-ID for the VPN itself. Note that
the shared secret (the Authentication tag) must match
between machineA
and machineB.
Due to the shared secret information in the configuration file, it
must be installed without any permissions for "group"
or "other".
# chmod og-rwx /etc/isakmpd/isakmpd.conf
4. Create a simple /etc/isakmpd/isakmpd.policy file for
machineA:
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
5. Create a simple /etc/isakmpd/isakmpd.policy file for
machineB:
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
6. Configure the firewall rules on machines A and B:
Use the same ruleset as the manual keying example, but
add permission
for the isakmpd(8) control traffic, on UDP port
500.
For machineA, add:
# Permit ISAKMPD control traffic between A and B
pass in proto udp from 192.168.2.1/32 to
193.127.1.254/32 port = 500
pass out proto udp from 192.168.1.254/32 to
193.127.2.1/32 port = 500
For machineB, add:
# Permit ISAKMPD control traffic between A and B
pass in proto udp from 192.168.1.254/32 to
193.127.2.1/32 port = 500
pass out proto udp from 192.168.2.1/32 to
193.127.1.254/32 port = 500
7. Start isakmpd(8)
On both machines, run:
# /sbin/isakmpd
To run with verbose debugging enabled, instead start
with:
# /sbin/isakmpd -d -DA=99
openssl(1), enc(4), ipsec(4), keynote(4), options(4), isakmpd.conf(5),
isakmpd.policy(5), pf.conf(5), ipsecadm(8), isakmpd(8),
pfctl(8),
sysctl(8)
In situations where the gateway IPs are outside the tunnelled network
range, such as when tunnelling private (RFC 1918) networks
over the Internet,
isakmpd(8) or manual keying must be used.
OpenBSD 3.6 February 9, 1999
[ Back ] |
