VPNs and network security
Learn more at www.opensourceschool.fr
This material is distributed under the Creative Commons licence (CC BY-SA 3.0 FR)
Attribution - ShareAlike 3.0 France
The first school 100% dedicated to open source
Open Source School was founded at the initiative of Smile, the leading open source integration and managed services company, and of EPSI, a private institution that pioneered higher education in computer science.
As part of the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school with an initial grant of 1.4M€, confirming its commitment to supporting the fast-growing Free Software sector.
With annual growth of more than 10% and 4,000 vacant positions every year in the Free Software sector, OSS intends to address the sector's skills shortage by mobilising the whole ecosystem and offering the broadest range of training in open source technologies, in both initial and continuing education.
Training for full employment!
Continuing Education
Open Source School "Executive Education" is a training organisation offering a catalogue of more than 200 professional courses and various retraining schemes that enable a return to employment (POE) or better employability for many IT professionals.
For enquiries: formations@opensourceschool.fr
Initial Education
100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's framework of skill blocks.
It leads to a level I RNCP qualification (Bac+5).
The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes and Paris.
6. Introduction IPSEC Protocols VPNs over IPSEC Applications T13G
What is a VPN?
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 3/29
What is encapsulation?
Introduction to IPSEC
IPSEC is a set of protocols that hardens the security of network communication.
Originally part of the IPv6 specification, later ported to IPv4.
Often used for VPNs, but it has other purposes too.
Unlike most products (e.g. OpenVPN), it is an IETF standard, which allows interoperability between implementations.
This presentation covers the IPSEC implementations found in operating systems; there are also stand-alone software implementations, hardware implementations in dedicated equipment, etc.
IPSEC Protocols
IPSEC is built around several protocols:
ESP
AH
IKE
NAT-T
Encapsulation protocols
ESP provides:
Authentication
Integrity (of the payload)
Confidentiality
AH provides:
Authentication
Integrity (of the whole packet, IP header included)
ESP does not protect the IP header, which is what makes it usable across NAT.
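The difference in integrity coverage is easiest to see on the wire. The following added example (mine, not part of the course material) models the authentication side of ESP and AH in Python: the ESP ICV covers SPI, sequence number, payload and trailer but not the outer IP header, while the AH ICV also covers the IP header with its mutable fields zeroed, so a NAT that rewrites the source address breaks AH but leaves ESP intact. Addresses, key and payload are constructed sample data; HMAC-SHA256 truncated to 128 bits stands in for whatever integrity algorithm IKE negotiated, ESP encryption is omitted, and the IP checksum is left at zero to keep the header builder short.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-integrity-key-for-the-example"   # constructed sample key, not a real SA key
ICV_LEN = 16                                         # 128-bit truncated HMAC, the usual ICV length

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left at 0 to keep the example short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip4(src), ip4(dst))

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

# ESP (IP protocol 50): the ICV covers SPI, sequence number, payload and trailer.
# The outer IP header is NOT covered, so a NAT may rewrite it without breaking the check.
def esp_packet(src, dst, spi, seq, payload, next_header=4):
    pad_len = (-(len(payload) + 2)) % 4          # pad so the trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return ipv4_header(src, dst, 50, len(body) + ICV_LEN) + body + icv(body)

def esp_verify(pkt):
    esp = pkt[20:]
    return hmac.compare_digest(icv(esp[:-ICV_LEN]), esp[-ICV_LEN:])

# AH (IP protocol 51): the ICV also covers the IP header, with the fields a router
# legitimately changes in transit (TOS, flags/fragment offset, TTL, checksum) zeroed.
def immutable_ip_header(hdr):
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

AH_LEN = 12 + ICV_LEN                              # fixed AH fields + ICV = 28 bytes

def ah_packet(src, dst, spi, seq, payload, next_header=4):
    hdr = ipv4_header(src, dst, 51, AH_LEN + len(payload))
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    to_auth = immutable_ip_header(hdr) + fixed + bytes(ICV_LEN) + payload   # ICV field zeroed
    return hdr + fixed + icv(to_auth) + payload

def ah_verify(pkt):
    hdr, fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = icv(immutable_ip_header(hdr) + fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(expected, tag)

def nat_rewrite_src(pkt, new_src):
    """What a NAT gateway does to the outer header: replace the source address (offset 12)."""
    return pkt[:12] + ip4(new_src) + pkt[16:]

def demo():
    payload = b"inner IP packet (constructed)"     # constructed stand-in for the tunnelled packet
    esp = esp_packet("10.0.0.1", "203.0.113.9", 0x1000, 1, payload)
    ah = ah_packet("10.0.0.1", "203.0.113.9", 0x2000, 1, payload)
    return {
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_src(esp, "198.51.100.1")),
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, "198.51.100.1")),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'ICV mismatch'}")
```

Note that this only shows why the ESP integrity check survives an address rewrite; ESP still carries no port numbers, so a NAT that multiplexes on ports needs the UDP encapsulation provided by NAT-T, described on the next slide.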
Negotiation protocols
IKE
IKE is the main protocol: it lets hosts negotiate security parameters with each other.
NAT-T
NAT-T is a helper protocol that encapsulates IPSEC traffic in UDP, allowing it to cross firewalls and NAT devices.
Establishment of an IPSEC session
Hosts contact each other using IKE (UDP 500)
IKE Phase 1: hosts authenticate to each other
IKE Phase 2: hosts negotiate the IPSEC parameters
IPSEC-protected traffic starts flowing
Two possible modes
Transport mode: only the payload is encapsulated
Tunnel mode: the IP header is encapsulated too
In tunnel mode, the outer IP header can be rewritten, which is what allows VPNs.
SPD and SAD
Security Policy Database
The SPD is IPSEC's routing table: it decides which traffic is protected.
Security Association Database
The SAD is IPSEC's network status ("netstat"): it contains the current sessions.
How sessions are established
Hosts contact each other spontaneously or on demand
The required sessions are established
When they expire, they are automatically renewed
Introduction
All the implementations we will study share certain characteristics:
SAD, SPD, routing and encapsulation are managed by the kernel
IKE negotiation, retries and renewal are managed by userland daemons
Both talk to each other over the standard PF_KEY interface, which allows different implementations to coexist
On Linux, two kernel implementations exist: a native PF_KEY implementation and KLIPS, a historical implementation.
Warning
Firewalls can filter IPSEC traffic, so you will have to configure yours.
Openswan/strongSwan: configuration
Configuration is done in ipsec.conf:
    # site-to-site tunnel between two gateways, each with its LAN behind it
    conn net-net
        left=192.168.0.1
        leftsubnet=10.1.0.0/16
        leftid=192.168.0.1
        leftfirewall=yes
        right=192.168.0.2
        rightsubnet=10.2.0.0/16
        rightid=192.168.0.2
        # auto=add: load the connection at startup without initiating it
        auto=add
Write the PSK in ipsec.secrets.
Examples:
http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
Openswan/strongSwan: commands
Restart:
    /etc/init.d/ipsec restart
Status:
    ipsec auto --status
KAME: Architecture
As usual, the SPD/SAD are in-kernel
setkey(8) is used to manipulate the SPD/SAD
racoon(8) is the IKE daemon
KAME: Configuration
setkey script:
    #!/usr/sbin/setkey -f
    #
    # Flush SAD and SPD
    flush;
    spdflush;
    # Create policies for racoon (one per direction: policies are unidirectional)
    spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
        esp/tunnel/192.168.1.100-192.168.2.100/require;
    spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
        esp/tunnel/192.168.2.100-192.168.1.100/require;
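To make the SPD/SAD slide and the setkey script above concrete, here is an added example in Python (mine, not part of the course or of KAME): it parses the two spdadd policies of the script above into a toy SPD, keeps a constructed SAD with lifetimes, and takes the per-packet decision the kernel takes: bypass, protect with an existing SA, or ask the IKE daemon (racoon here) for a new SA when none exists or the old one has expired, which is the automatic renewal described earlier. The SA table, lifetimes and packet addresses are constructed sample data, the SA lookup is simplified to (protocol, tunnel endpoints), and policies are matched in script order.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The two policies from the setkey script on this page (shebang omitted).
SETKEY_SCRIPT = """
flush;
spdflush;
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;
"""

# spdadd <src> <dst> <upper-proto> -P <dir> <action> [<proto>/<mode>/<src>-<dst>/<level>]
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(discard|none|ipsec)"
    r"(?:\s+(esp|ah)/(tunnel|transport)/(\S+)-(\S+)/(\S+))?"
)

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str                     # "any" or an upper-layer protocol
    direction: str                 # "in" / "out"
    action: str                    # "discard" / "none" / "ipsec"
    proto: Optional[str] = None    # "esp" / "ah"
    mode: Optional[str] = None     # "tunnel" / "transport"
    tunnel_src: Optional[str] = None
    tunnel_dst: Optional[str] = None
    level: Optional[str] = None    # "require" / "use" / ...

@dataclass
class SA:
    spi: int
    proto: str
    src: str
    dst: str
    created: float
    hard_lifetime: float           # seconds after which the SA may no longer be used

    def expired(self, now):
        return now - self.created >= self.hard_lifetime

def parse_setkey(script):
    """Parse the spdadd statements of a setkey(8) script; statements end with ';' and may span lines."""
    body = "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))
    policies = []
    for stmt in body.split(";"):
        m = SPDADD_RE.fullmatch(" ".join(stmt.split()))
        if m:
            src, dst, upper, direction, action, proto, mode, tsrc, tdst, level = m.groups()
            policies.append(Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                                   upper, direction, action, proto, mode, tsrc, tdst, level))
    return policies

def lookup_policy(spd, src_ip, dst_ip, direction):
    """SPD lookup: first policy (in script order) whose selectors match the packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in spd:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None

def lookup_sa(sad, policy, now):
    """SAD lookup: a live SA for the policy's protocol and tunnel endpoints (SAs are unidirectional)."""
    for sa in sad:
        if (sa.proto == policy.proto and sa.src == policy.tunnel_src
                and sa.dst == policy.tunnel_dst and not sa.expired(now)):
            return sa
    return None

def decide(spd, sad, src_ip, dst_ip, direction, now):
    p = lookup_policy(spd, src_ip, dst_ip, direction)
    if p is None or p.action == "none":
        return "bypass"                     # traffic not covered by IPsec
    if p.action == "discard":
        return "discard"
    sa = lookup_sa(sad, p, now)
    if sa is None:
        return "acquire"                    # kernel asks the IKE daemon (racoon) to negotiate an SA
    return f"protect {p.proto}/{p.mode} spi=0x{sa.spi:08x} {sa.src}->{sa.dst}"

def sample_sad(t0):
    """Constructed SAD: one SA per direction, both with a one-hour hard lifetime."""
    return [SA(0x1000, "esp", "192.168.1.100", "192.168.2.100", t0, 3600),
            SA(0x2000, "esp", "192.168.2.100", "192.168.1.100", t0, 3600)]

if __name__ == "__main__":
    spd, sad, t0 = parse_setkey(SETKEY_SCRIPT), sample_sad(0.0), 0.0
    for pkt in [("172.16.1.10", "172.16.2.20", "out", t0 + 10),
                ("172.16.2.5", "172.16.1.7", "in", t0 + 10),
                ("172.16.1.10", "198.51.100.1", "out", t0 + 10),
                ("172.16.1.10", "172.16.2.20", "out", t0 + 4000)]:
        print(pkt, "->", decide(spd, sad, *pkt))
```

The last sample packet arrives after the SA's lifetime has elapsed and gets an "acquire" verdict: that is the point at which, on a real KAME host, the kernel signals racoon over PF_KEY and a fresh SA is negotiated, so the expired one is renewed without any administrator action.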
KAME: Configuration (2)
racoon.conf:
    path pre_shared_key "/etc/psk.txt";
    # Phase 1 (ISAKMP SA) settings for this peer
    remote 192.168.2.100 {
        exchange_mode main;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }
    # Phase 2 (IPsec SA) settings for traffic between the two subnets
    # (3des, md5 and modp768 are legacy choices; current deployments use AES, SHA-2 and larger DH groups)
    sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }
KAME: Administration
SPD/SAD status:
    setkey -D        # dump the SAD (current security associations)
    setkey -DP       # dump the SPD (policies)
Restart:
    /etc/init.d/setkey restart
    /etc/init.d/racoon restart
Logs: racoon.log
OpenBSD: configuration
/etc/ipsec.conf:
    ike esp from 10.1.0.0/16 to 10.10.22.0/24 \
        local 212.85.148.172 peer 195.154.89.70 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 psk "toto"