3.5. IPSec

IPSec is a new protocol that sits on top of IP that provides ad-hoc encrypted links between 2 hosts on the Internet. The IPSec implementation is mandatory for IPv6 and can be added to IPv4. If IPSec is part of IPv6, it does not mean that it is deployed by network managers. IPSec is not simple to implement due to the difficulty of having mechanisms to exchange keys automatically between machines. DNS can help, but it is not mainstream, and well known Certificate Authorities do not yet deliver adequate certification facilities for a wide deployement in the enterprise.

3.5.1. FreeS/WAN

FreeS/WAN is a popular implementation of IPSec for GNU/Linux. At its current version (1.9.7) it needs to be patched to incorporate X.509 capability. You can find a patched version on this site. Some GNU/Linux distrubutions have applied the patch for you so check your package. The advantage of this version is that you can use openssl to create certificates to use with FreeS/WAN and DNS CERT records, but more specifically you can interact with the Microsoft Implementation of IPSec. For more information check Nate's page.

3.5.1.1. FreeS/WAN gateway machine

Generate a certificate with the CN beeing the fully qualified domain name of your IPSec gateway: host.example.com. Do not forget to sign the certificate. You have two files newcert.pem and newreq.pem. The file newreq.pem contains the private key and some extra information therefore needs to be edited to contain only the private key. Delete everything outside the --BEGIN RSA PRIVATE KEY-- and --END RSA PRIVATE KEY--. Move the files to the appropriate locations on your gateway machine. Make sure that you do that securely. On my distribution all configuration files for FreeS/WAN are located in /etc/freeswan, it could be different in yours.

mv newreq.pem /etc/freeswan/ipsec.d/private/host.example.com.key
mv newcert.pem /etc/freeswan/ipsec.d/host.example.com.pem

Copy also your root certificate to the FreeS/WAN configuration directory. Copy only the certificate, not the key.

mv cacert.pem /etc/freeswan/ipsec.d/cacerts

Generate a certificate revocation list or copy yours to the right location.

openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem

Still on the gateway machine, configure the ipsec.secrets file by including the line:

: RSA host.example.com.key “password”

The password being the one used to generate the key pair. Configure ipsec.conf as following:

config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior-net
leftsubnet=<your_subnet>/<your_netmask>
also=roadwarrior
conn roadwarrior
right=%any
left%defaultroute
leftcert=host.example.com.pem
auto=add
pfs=yes

As you can see there are 2 connections beeing established, one to the gateway machine and one to the network behind the gateway machine. This is particulary useful if you are operating some kind of firewall/NAT on your gateway machine. The configuration is such that anybody with a valid certificate will be able to connect to the gateway machine.

3.5.1.2. FreeS/WAN client machine

The procedure is similar, you need to generate a certificate for the client machine with the CN being the fully qualified domain name of the client machine, for instance clienthost.example.com. This certificate must be signed by the same signing authorithy as the gateway certificate. This is how the link will be authorised.

As with the gateway copy the following files securely to the configuration directories:

mv newreq.pem /etc/freeswan/ipsec.d/private/clienthost.example.com.key
mv newcert.pem /etc/freeswan/ipsec.d/clienthost.example.com.pem

Copy also your root certificate to the FreeS/WAN configuration directory. Copy only the certificate, not the key.

mv cacert.pem /etc/freeswan/ipsec.d/cacerts

Generate a certificate revocation list or copy yours to the right location.

openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem

Finally you need to copy also the certificate (not the private key) of your gateway machine

mv host.example.com.pem /etc/fresswan/ipsec.d/host.example.com.pem

Similarly edit your ipsec.secrets file to load the client private key

: RSA clienthost.example.com.key “password”

and edit the ipsec.conf as follows to enable the connection:

config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
keyingtries=0
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior-net
left=(ip of host)
leftsubnet=(gateway_host_subnet)/(gateway_host_netmask)
also=roadwarrior
conn roadwarrior
left=(ip of host)
leftcert=host.example.com.pem
right=%defaultroute
rightcert=clienthost.example.com.pem
auto=add
pfs=yes

Now you can start the VPN link

ipsec auto --up roadwarrior
ipsec auto --up roadwarrior-net

To start the link automatically, replace in the configuration file 'auto=add' by 'auto=start'

3.5.1.3. MS Windows 2000/XP client machine

The procedure is the same as for the FreeS/WAN client. Generate a certificate with a CN of winhost.example.com, but you will have to convert this certificate into a .p12 file. Follow the procedure in the chapter “Using this certificate with MS-Outlook” but ensure that the .p12 file is bundled with the root CA certificate: winhost.example.com.p12

Additionally note the output of:

openssl x509 -in cacert.pem -noout -subject

Copy this file securely to the MS-Windows machine.

You know need to install Marcus Muller's ipsec.exe utility in for instance c:\ipsec directory.

Open Microsoft Management Console (MMC), in 'Add/Remove Snap-in' click on 'Add' then click on 'Certificates', then 'Add' Select 'Computer Account', and 'Next'. Select 'Local computer', and 'Finish'. Click on 'IP Security Policy Management', and 'Add'. Select 'Local Computer', and 'Finish' click 'Close' then 'OK'

Now you can add the .p12 certificate

Click the plus arrow by 'Certificates (Local Computer)' then right-click 'Personal', and click 'All Tasks' then 'Import' click 'Next'. Type the path to the .p12 file (or browse and select the file), and click 'Next'. Type the export password, and click 'Next'. Select 'Automatically select the certificate store based on the type of certificate', and click 'Next'. Click 'Finish', and say yes to any prompts that pop up. Exit the MMC, and save it as a file so you don't have to re-add the Snap In each time.

Install ipsecpol.exe (Windows 2000) or ipseccmd.exe (Windows XP) as described in the documentation for the ipsec utility. Edit your ipsec.conf (on the windows machine), replacing the "RightCA" with the output of the 'openssl x509 -in cacert.pem -noout -subject'; reformatted as below (you need to change the /'s to commas, and change the name of some of the fields -- just follow the example below):

conn roadwarrior 
left=%any 
right=(ip_of_remote_system) 
rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root"
network=auto 
auto=start 
pfs=yes
conn roadwarrior-net 
left=%any 
right=(ip_of_remote_system) 
rightsubnet=(your_subnet)/(your_netmask)
rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root" 
network=auto 
auto=start 
pfs=yes

Start the link

Run the command 'ipsec.exe'. Here's example output:

C:\ipsec>ipsec 
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller 
Getting running Config ... 
Microsoft's Windows XP identified 
Host name is: (local_hostname) 
No RAS connections found. 
LAN IP address: (local_ip_address) 
Setting up IPSec ...
Deactivating old policy... 
Removing old policy...
Connection roadwarrior: 
MyTunnel : (local_ip_address)
MyNet : (local_ip_address)/255.255.255.255 
PartnerTunnel: (ip_of_remote_system) 
PartnerNet : (ip_of_remote_system)/255.255.255.255 
CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root... 
PFS : y 
Auto : start 
Auth.Mode : MD5 
Rekeying : 3600S/50000K 
Activating policy...
Connection roadwarrior-net: 
MyTunnel : (local_ip_address) 
MyNet : (local_ip_address)/255.255.255.255 
PartnerTunnel: (ip_of_remote_system) 
PartnerNet : (remote_subnet)/(remote_netmask) 
CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root... 
PFS : y 
Auto : start 
Auth.Mode : MD5 
Rekeying : 3600S/50000K 
Activating policy...
C:\ipsec>

Now, ping your gateway host. It should say 'Negotiating IP Security' a few times, and then give you ping responses. Note that this may take a few tries; from a T1 hitting a VPN server on a cable modem, it usually takes 3-4 pings. Do the same for the internal network on the remote end, and you should be up!