Mailing List Archive

On Monday, April 5, 2021 3:46:37 AM CEST Grant Taylor wrote:
> Hi,
>
> Does anyone have any experience with IPsec? Preferably on Gentoo or
> Linux in general?
>
> I'd like to discuss some things (probably off list) while wading into
> the IPsec pool. E.g.:
>
> - ip xfrm ...
> - strongSwan
> - Libraswan
> - X.509 certificate based authentication, preferably /mutual/
> - Opportunistic Encryption
> - Transport Mode
> - Tunnel Mode

I only managed to get it working between off-the-shelve devices, but would
prefer to do it from Linux.

Please keep it on the list so I can participate in the process.

--
Joost

On 4/6/21 8:09 AM, J. Roeleveld wrote:
> I only managed to get it working between off-the-shelve devices,
> but would prefer to do it from Linux.

That's where some of my experience is; SOHO routers, 15+ years ago. I
think I did manage to get FreeS/WAN (at the time) to establish a VPN
with one of the SOHO routers that I was using at the time.

But I've started to get some more experience using IPsec without IKE
recently.

> Please keep it on the list so I can participate in the process.

Okay. Here's a copy of what I've sent to the handful of people that
replied to me in the varies places I sent the broadcast.

I'll elaborate on the things that I'm pondering below.

- ip xfrm - I'm currently dabbling with IPsec transport mode between
some systems using the following commands:

--8<--
1 AKEY1=0x$(xxd -c 32 -l 32 -ps /dev/random)
2 AKEY2=0x$(xxd -c 32 -l 32 -ps /dev/random)
3 AID=0x$(xxd -c 4 -l 4 -ps /dev/random)
4 ASRC="$LeftIP"
5 ADST="$RightIP"
6 ALOCAL="$ASRC"
7 AREMOTE="$ADST"
8 echo "Run the following commands on $LeftHost."
9 ip xfrm state add src $ASRC dst $ADST proto esp spi $AID
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # b out
state (SA)
10 ip xfrm policy add src $ALOCAL dst $AREMOTE dir out tmpl src
$ASRC dst $ADST proto esp reqid $AID mode transport # b out policy
11 ip xfrm state add src $ADST dst $ASRC proto esp spi $AID
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # b in
state (SA)
12 ip xfrm policy add src $AREMOTE dst $ALOCAL dir in tmpl src
$ADST dst $ASRC proto esp reqid $AID mode transport # b in policy

13 echo
14 echo
15 echo

16 echo "Run the following commands on $RightHost."
17 ip xfrm state add src $ADST dst $ASRC proto esp spi $AID
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # d out
state (SA)
18 ip xfrm policy add src $AREMOTE dst $ALOCAL dir out tmpl src
$ADST dst $ASRC proto esp reqid $AID mode transport # d out policy
19 ip xfrm state add src $ASRC dst $ADST proto esp spi $AID
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # d in
state (SA)
20 ip xfrm policy add src $ALOCAL dst $AREMOTE dir in tmpl src
$ASRC dst $ADST proto esp reqid $AID mode transport # d in policy
-->8--

This is working and does enable IPsec /transport/ /mode/ between
$LeftHost and $RightHost. But it's completely manual at the moment.

I'm curious if you have any comments on "ip xfrm".

- strongSwan / Libraswan / OpenSwan / FreeS/WAN - I dabbled with
FreeS/WAN the better part of 20 years ago. It worked at the time. But
I've not needed or wanted to do anything with IPsec again until
recently. -- I've taken a foray through OpenVPN and WireGuard, both of
which were decidedly easier than IPsec.

It's my understanding that OpenSwan and strongSwan are direct forks of
FreeS/WAN and that Libraswan is a fork or rename of OpenSwan.

What I'm not sure of is what the actual current status of the *Swan(s) is.

Also, how do the *Swan(s) relate to racoon, which I see reference as
being independent.

- X.509 certificate based authentication - One of the reasons my script
above is manual is because I don't want to embed keying material in
config files on the VPSs that I'm using IPsec transport mode between.
I'd like to figure out if it's possible to use X.509 certificates to
have the two IPsec endpoints authenticate against each other and
dynamically negotiate keying material based on their public & private
key pairs that they already have.

E.g. can $LeftHost use use it's private key to authenticate itself to
$RightHost and vice versa?

I presume that this would be done via IKE, and I further presume that it
will likely be IKEv2.

- Opportunistic Encryption - I really like the idea of IPsec
Opportunistic Encryption so that systems can dynamically / automatically
configure and use IPsec /transport/ /mode/ encryption between each other.

- AH vs ESP - Do the cryptographic primitives of ESP supplant AH in
confirming ~> authenticating that the traffic came from the host that is
sending the traffic? E.g. can ESP offer the same authentication that AH
does? Or are AH and ESP truly different functions which don't overlap?

- Transport vs Tunnel Mode - I'm really interested in /transport/ mode
more than I am tunnel mode. I'd like to get my various servers to use
IPsec /transport/ mode configured (much like my script) to protect all
of the traffic between them.

I did some playing this weekend with /transport/ mode between my Linux
router at home and one of my VPS(s). Yes, my Linux router is
functioning as a basic NATing router. But, it occurred to me
/transport/ mode might work between my router and my VPS(s) in that
Linux /was/ doing the /NAT/ing. Meaning that it was effectively the
endpoint of the traffic. Thus the traffic might work via /transport/ mode.

Suffice it to say that I was pleasantly surprised that my script above
actually worked both for my router's access to the VPS(s) /and/ mostly
worked for traffic from NATed clients inside my home. I say /mostly/
because traffic was working between clients and my VPS(s) with the
annoying exception of SSH which was successfully negotiating and
starting sessions before running into MTU issues. I was able to work
around the MTU issues via typical TCPMSS --set-mm games.

So ... I was able to ""tunnel NATed traffic through IPsec /transport/
mode ESP. }:-D

I'd be very curious to learn what your reactions are to what I've done
and would like to do plus any pointers or gotchas to avoid that you
would care to share.

Thank you for replying to my open ended broadcast. :-



--
Grant. . . .
unix || die

On Tue, Apr 6, 2021, at 10:35 AM, Grant Taylor wrote:
> But I've started to get some more experience using IPsec without IKE
> recently.
>

Can you clarify why you need to use IPsec? If it is to support a commercial
client you may be better off handing them a system based around BSD. More
flexibility will be had from Linux, but pfSense/OPNsense gives you a point and
click web terminal which is easier to train in house IT on due to the
documentation available. The modes are also usually sufficient -- site to site
tunnel (like the appliances you're used to using), intranet protection, and
routing options for the same.

If you control everything you can use wireguard or OpenVPN.

To answer some of your later questions in summary:
1. Of the projects libreswan seems to best maintained, though openswan still
releases regularly. I would start with libreswan. For racoon, see
https://www.netbsd.org/docs/network/ipsec/rasvpn.html.
2. Yes, see
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2. Don't
worry about embedding key material in your scripts (unless you expect someone
has bugged your monitor). The key material has to be on disk in some form
anyway. Typical usage has the tunnel creation commands referencing key
material. Bash disables history in noninteractive shells by default.
3. Drop opportunistic encryption. It's best if you or the user knows if the
network is secure or not.
4. The authentication header (AH) does not provide "security." Encapsulating
security payload (ESP) provides confidentiality and, if selected,
authentication. Check the docs -- usually you want authentication and
confidentiality, merely confidentiality allows some classes of attacks.
5. Transport mode may be most appropriate, however you could have tunnels
between all servers for redundancy.
6. Setting up the public key infrastructure will be most of the headache.

> This is working and does enable IPsec /transport/ /mode/ between
> $LeftHost and $RightHost. But it's completely manual at the moment.
>

Doesn't seem manual if you've got a script for it. A lot of people stop here.

If you need consulting time I can offer it, but reading the linked pages should
get you far enough along. I won't mind answering things in public but do
wonder about your interest in IPsec.

On 06/04/2021 20:07, Sid Spry wrote:
> If you control everything you can use wireguard or OpenVPN.

https://lwn.net/Articles/850098/

Salutory reading ...

Cheers,
Wol

Pre-Script: I'm probably in a bad mental state to reply, but I want to
answer some valid questions before others reply. Please take what I say
and how I say it with a grain of salt. I don't mean anything personally.

I /do/ appreciate the constructive and thought provoking responses that
I'm getting.

On 4/6/21 1:07 PM, Sid Spry wrote:
> Can you clarify why you need to use IPsec?

I don't have a /need/ in any normal sense. But I do /want/ to mess /
play with and learn about /IPsec/. -- I have used many other VPNs;
OpenVPN and WireGuard. But I'm finding my understanding of IPsec
lacking, hence my desire to learn about /IPsec/, specifically
/transport/ mode.

> If it is to support a commercial client you may be better off
> handing them a system based around BSD.

*blink*

Nothing against any of the BSDs, or any other Unix for that matter. But
... I think this is a /Linux/ mailing list. ;-) So ... suggesting
something other than Linux seems counterproductive.

> More flexibility will be had from Linux, but pfSense/OPNsense gives
> you a point and click web terminal which is easier to train in house
> IT on due to the documentation available.

I'd like to add IPFire to that list. Especially considering that it's
Linux based. ;-)

> The modes are also usually sufficient -- site to site tunnel (like
> the appliances you're used to using), intranet protection, and routing
> options for the same.

"Usually" being the operative word. "Sufficient" being in the eye of
the beholder.

*I* /personally/ _frequently_ fall outside of "usually". Being the
person that I am, what is "sufficient" for the vast majority of people
leaves me wanting.

> If you control everything you can use wireguard or OpenVPN.

If it wasn't for the fact that I'm wanting to play with / learn about
IPsec, I would completely agree with you. However, my desire to learn
about /IPsec/ is in direct conflict with your otherwise reasonable
suggestion.

> To answer some of your later questions in summary:
> 1. Of the projects libreswan seems to best maintained, though openswan
> still releases regularly. I would start with libreswan. For racoon,
> see https://www.netbsd.org/docs/network/ipsec/rasvpn.html.
> 2. Yes, see
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2.
> Don't worry about embedding key material in your scripts (unless
> you expect someone has bugged your monitor). The key material has
> to be on disk in some form anyway.

Please allow me to elaborate.

I view -- what I understand to be the quintessential mode of operation
for -- Pre Shared Keys to have a security weakness ~> flaw in that both
ends must know the PSKs used for each direction. Thus compromising
either end completely compromises the security of the connection.

Further, if we assume that a per-system key is used for {en,de}cryption
(pick one, I don't think it matters which), then we can probably further
assume that the same per-system key is used for {en,de}cryption with
other additional systems. As such, compromising the PSK(s) on one
system likely compromises at least one of the PSK(s) for other systems.

Whats' more is that PSKs tend to be static. -- Maybe there are ways
with IKE to use PFS to ensure minimize damage done by knowing PSK(s).

I feel like most, if not all, of this is avoided by not having PSK(s) or
other keying material in scripts and on systems.

We are probably all familiar with having a TLS certificate key pair on
systems these days. So if we can leverage and re-use those key pairs,
that would be Really Nice™.

> Typical usage has the tunnel creation commands referencing key
> material.

There is a difference in referencing a PSK and referencing a key pair.
Especially when looking at the output of ps.

> Bash disables history in noninteractive shells by default.

I feel like relying on a default, which can be changed, is not a good
basis for security. }:-)

> 3. Drop opportunistic encryption. It's best if you or the user knows
> if the network is secure or not.

Agreed.

The O.E. is more to allow other systems to be able to communicate with
my system /more/ securely if they want to.

There are also ways to have IPTables allow IPsec protected traffic while
blocking unprotected traffic. Thus providing the hard pass / fail that
I think you're alluding to.

> 4. The authentication header (AH) does not provide
> "security."

What does "security" mean?

I agree that AH does not provide /confidentiality/.

> Encapsulating security payload (ESP) provides confidentiality and,
> if selected, authentication. Check the docs -- usually you want
> authentication and confidentiality, merely confidentiality allows
> some classes of attacks.

I will check out the authentication option for ESP.

Though, I suspect it's going to be quite a bit more difficult to pull
off a MitM with ESP that's only providing confidentiality assuming that
proper authentication has recently happened in conjunction with
establishing the SAs being used by ESP, a la. IKE.

> 5. Transport mode may be most appropriate, however you could have
> tunnels between all servers

The addition of tunnels very likely means the addition of additional
interfaces and IPs. Which means that now systems inherently become
multi-homed, which is it's own set of problems.

> for redundancy.
Please elaborate on what you mean by "for redundancy" here.

I see it as the tunnel likely won't function if the main connection is
down. It's not like an OoB backup connection.

> 6. Setting up the public key infrastructure will be most of the
> headache.

I'm really hoping that there is a way to leverage / utilize something
like Let's Encrypt's (et al.) /existing/ PKI and re-use the existing certs.

> Doesn't seem manual if you've got a script for it. A lot of people
> stop here.

It's manual in that it currently requires human intervention and that
there isn't automatic re-keying.

> If you need consulting time I can offer it, but reading the linked
> pages should get you far enough along. I won't mind answering things
> in public but do wonder about your interest in IPsec.

Hopefully I've answered some of your questions and have explained where
I'm coming from and why I'm looking at /IPsec/ *specifically*.



--
Grant. . . .
unix || die