When reading/adjusting any StrongSwan configurations, remember these important words:

left is local to the machine it’s stated on; right is remote in the same manner

So, on the server side, left is local to the server and on the client side, left is local to that client.

check the X509 cert details

1openssl x509 -text -noout -in  /etc/ipsec.d/private/sunKey.pem

Ubuntu Set up IPsec Tunnel

1docker run --rm -d -i --network host --name cnf --user root -v /home/ubuntu/entrypoint.sh:/entrypoint.sh --privileged cnf:pro  sleep infinity
2
3
4docker run --rm -i -d --network host --name cnf --user root -v /home/ubuntu/entrypoint.sh:/entrypoint.sh  --privileged cnf:pro bash -c '/entrypoint.sh'

Install StrongsWan

1sudo apt update &&  sudo apt install strongswan strongswan-swanctl strongswan-pki strongswan-charon charon-cmd charon-systemd -y
2
3
4sudo apt remove strongswan strongswan-swanctl strongswan-pki strongswan-charon charon-cmd charon-systemd -y

在如下两台机器之间 建立 host-to-host的ipsec tunnle, 以下配置过程整理自Strongswan.

1| 10.95.62.25 | === | 10.95.62.114 |
2     moon                sun

生成证书

使用strongswan的PKI tool 创建证书。

 1# 创建 root 私钥
 2pki --gen --outform pem > caKey.pem
 3# 生成 root CA
 4pki --self --in caKey.pem --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.pem
 5
 6# 生成 node-1 私钥
 7pki --gen --outform pem > moonKey.pem
 8# 使用 root ca签发 node-1 端证书
 9pki --issue --in moonKey.pem --type priv \
10--cacert caCert.pem --cakey caKey.pem \
11--dn "C=CH, O=strongSwan,CN=moon.strongswan.org" --san moon.strongswan.org \
12--outform pem > moonCert.pem
13
14# 生成 node-2 私钥
15pki --gen --outform pem > sunKey.pem
16# 使用 root ca签发 node-1 端证书
17pki --issue --in sunKey.pem --type priv \
18--cacert caCert.pem --cakey caKey.pem \
19--dn "C=CH, O=strongSwan,CN=sun.strongswan.org" --san sun.strongswan.org \
20--outform pem  > sunCert.pem

Host-to-Host 配置

Configuration on host moon:

 1 sudo cp caCert.pem /etc/swanctl/x509ca/caCert.pem
 2 sudo cp moonCert.pem /etc/swanctl/x509/moonCert.pem
 3 sudo cp moonKey.pem /etc/swanctl/private/moonKey.pem
 4
 5/etc/swanctl/swanctl.conf:
 6
 7    connections {
 8        host-host {
 9            #remote_addrs = 52.9.61.247
10            pools=client_pool
11
12            local {
13                auth=pubkey
14                certs = moonCert.pem
15            }
16            remote {
17                auth = pubkey
18                id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
19            }
20            children {
21                net-net {
22                    remote_ts=192.168.0.1/32
23                    start_action = trap
24                }
25            }
26        }
27    }
28    pools{
29    client_pool{
30        addrs=192.168.0.1
31    }
32}

Configuration on host sun:

 1sudo cp caCert.pem /etc/swanctl/x509ca/caCert.pem
 2sudo cp sunCert.pem /etc/swanctl/x509/sunCert.pem
 3sudo cp sunKey.pem /etc/swanctl/private/sunKey.pem
 4
 5/etc/swanctl/swanctl.conf:
 6
 7    connections {
 8        host-host {   # connection name
 9            remote_addrs = 34.230.111.156
10
11            local {
12                auth = pubkey
13                certs = sunCert.pem
14            }
15            remote {
16                auth = pubkey
17                id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
18            }
19            children {
20                host-host {
21                    remote_ts=10.20.0.118/32
22                    start_action = trap
23                }
24            }
25        }
26    }

上述配置是 是用key做认证,下面举个使用pre-shared key的例子

 1  # configuration on moon
 2  connections {
 3        host-host {
 4            remote_addrs = 10.95.62.114
 5
 6            local {
 7                auth=psk
 8                id = "moon.strongswan.org"
 9            }
10            remote {
11                auth = psk
12                id = "sun.strongswan.org"
13            }
14            children {
15                net-net {
16                    start_action = trap
17                }
18            }
19        }
20    }
21 secrets{
22    ike-h2h{
23        id-moon =  "moon.strongswan.org"
24        id-sun =  "sun.strongswan.org"
25        secret = mysecret
26    }
27}
28
29    # configuration on sun
30    connections {
31        host-host {   # connection name
32            remote_addrs = 10.95.62.25
33
34            local {
35                auth = psk
36                id = "sun.strongswan.org"
37            }
38            remote {
39                auth = psk
40                id = "moon.strongswan.org"
41            }
42            children {
43                host-host {
44                    start_action = trap
45                }
46            }
47        }
48    }
49    secrets{
50        ike-h2h{
51            id-moon =  "moon.strongswan.org"
52            id-sun =  "sun.strongswan.org"
53            secret = mysecret
54        }
55    }

配置完成后,可以使用swanclt --load-all 使配置生效。

如果给initiator 分配一个Virtual IP.

Initiator 获得虚拟IP后会再 IP table 220 中增加对应IP的路由方式。

SmartCard demo with OpenSC

Build Strongswan with pcks11

 1# install essential dependency
 2sudo apt install  build-essential libgmp-dev libunbound-dev libldns-dev -y
 3git clone https://github.com/strongswan/strongswan.git
 4./autogen.sh
 5#  config
 6# ./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-kernel-libipsec --enable-swanctl --enable-unity --enable-unbound --enable-vici --enable-xauth-eap --enable-xauth-noauth --enable-eap-identity --enable-md4 --enable-pem --enable-openssl --enable-pubkey --enable-farp --enable-pkcs11
 7./configure --prefix=/usr --sysconfdir=/etc --enable-pkcs11 CFLAGS="-DDEBUG_LEVEL=1"
 8make
 9sudo make install
10sudo systemctl daemon-reload
11sudo systemctl restart strongswan-starter.service

Build virt_cacard

virt_card using libcacard, vitualsmartcard’s vpcd and softhsm2 to provide PCSC accessible virtual smart card.

1# install essential dependency, libcacard & softhsm2
2sudo apt install libcacard-dev libglib2.0-dev softhsm2 gnutls-bin libnss3-tools -y

Build & Install vsmartcard

1sudo apt-get install -y help2man libpcsclite-dev
2git clone https://github.com/frankmorgner/vsmartcard.git
3cd vsmartcard/virtualsmartcard
4autoreconf --verbose --install
5./configure --sysconfdir=/etc
6make
7sudo make install

Build & Install virt_card

1cd ~
2git clone https://github.com/Jakuje/virt_cacard.git
3cd virt_cacard
4./autogen.sh
5./configure
6make

configure softhsm with default certificates and start virt_cacard

1./setup-softhsm2.sh
2export SOFTHSM2_CONF=/home/ubuntu/vivirt_cacard/softhsm2.conf &&./virt_cacard

After that you should be able to access virtual smart card through OpenSC:

1pkcs11-tool -L
1pkcs15-tool --list-pins --list-keys --list-certificates
 1# Generate Key pair
 2openssl req -out pkcs11-new.csr -newkey rsa:2048 -nodes -keyout pkcs11-new.key -subj "/CN=pkcs11-new" 
 3# Generate Certificate
 4openssl x509 -req -days 365 -CA caCert.pem -CAkey caKey.pem -set_serial 1 -in pkcs11-new.csr -out pkcs11-new.crt
 5# Transform CA type to DER
 6 openssl rsa -in ./pkcs11-new.key -outform DER -out pkcs11-new.key.der
 7 openssl x509 -in ./pkcs11-new.crt -outform DER -out pkcs11-new.crt.der
 8
 9
10 # Creating a token
11#  pkcs11-tool  --init-token --label "pkcs11-new"  --slot 0--so-pin 12345678 --init-pin --pin 12345678
12
13  # add private key
14 pkcs11-tool  -login --pin 12345678 --login-type user --slot 0 --write-object pkcs11-new.key.der --type privkey --id 0001
15 # add cert
16 pkcs11-tool  -login --pin 12345678 --login-type user --slot 0 --write-object pkcs11-new.crt.der --type cert --id 0001

Common Tools of PKCS#11

1# list slot
2pkcs11-tool --module /usr/local/lib/libp11sgx.so -L
3# list object of slot
4pkcs11-tool --module /usr/local/lib/libp11sgx.so --slot 0x7316c269 -O

Creating a token

1    pkcs11-tool --module /usr/local/lib/libp11sgx.so --init-token --label "ctk" --slot 0 --so-pin 1234 --init-pin --pin 1234

Creating an RSA keypair

1pkcs11-tool --module /usr/local/lib/libp11sgx.so --login --pin 1234 --id 0001 --token "ctk" --keypairgen --key-type rsa:3072 --label "cert-key" --usage-sign

Listing the objects

1pkcs11-tool --module /usr/local/lib/libp11sgx.so --list-objects -login --pin 1234 --login-type user
 1# login
 2pkcs11-tool --module /usr/local/lib/libp11sgx.so -login --pin 1234 --login-type user --slot 0x18c37829 -
 3 #listobject
 4 pkcs11-tool --module /usr/local/lib/libp11sgx.so -login --pin 1234 --login-type user --slot 0x18c37829 -O
 5# delete private key
 6 pkcs11-tool --module /usr/local/lib/libp11sgx.so -login --pin 1234 --login-type user --slot 0x18c37829 --delete-object --type privkey -d 0001
 7 # delete public key
 8 pkcs11-tool --module /usr/local/lib/libp11sgx.so -login --pin 1234 --login-type user --slot 0x18c37829 --delete-object --type pubkey -d 0001
 9
10 # add private key
11 pkcs11-tool --module /usr/local/lib/libp11sgx.so -login --pin 12345678 --login-type user --slot 0x18c37829 --write-object clientkey.der --type privkey --id 0001
12 # add cert
13 pkcs11-tool --module /usr/local/lib/libp11sgx.so -login --pin 1234 --login-type user --slot 0xc8cbdbc --write-object clientcrt.der --type cert --id 0001
14
15 # create key paair
16 pkcs11-tool --module /usr/local/lib/libp11sgx.so --login --pin 1234 --id 0001 --token "ctk" --keypairgen --key-type rsa:3072 --label "cert-key" --usage-sign  --slot 0x18c37829

Smart Demo with Intel SGX CTK

Build and Install SGX SDK

Build & Install SDK

 1# Ubuntu 20.04
 2sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl -y
 3sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip -y
 4
 5sudo apt-get install build-essential python -y
 6
 7git clone https://github.com/intel/linux-sgx.git
 8cd linux-sgx && make preparation
 9sudo cp external/toolset/{current_distr}/{as,ld,ld.gold,objdump} /usr/local/bin
10which as ld ld.gold objdump
11
12make sdk
13make sdk_install_pkg
14# linux/installer/bin/sgx_linux_x64_sdk_${version}.bin  location /opt/intel
15
16export SDK_INSTALL_PATH_PREFIX=/opt/intel
17./sgx_linux_x64_sdk_${version}.bin --prefix $SDK_INSTALL_PATH_PREFIX
18 source ${sgx-sdk-install-path}/environment
19 # source /opt/intel/sgxsdk/environment

verify SGX SDK

1$ cd ${sgx-sdk-install-path}/SampleCode/LocalAttestation
2  $ make SGX_MODE=SIM
3  $ cd bin
4  $ ./app

Build & Install PSW

1make psw
2make deb_psw_pkg
3make deb_local_repo
4# linux/installer/deb/sgx_debian_local_repo
5# deb [trusted=yes arch=amd64] file: /home/ubuntu/linux-sgx/linux/installer/deb/local_repo_tool/../sgx_debian_local_repo focal main
6sudo apt update
7sudo apt-get install libsgx-launch libsgx-urts -y

Build & Install Intel-sgx-ssl

1make all test
2sudo make install

Build & Install CTK

1sudo apt-get install dkms  autoconf libcppunit-dev autotools-dev libc6-dev libtool build-essential -y
2#libprotobuf10
3
4make
5sudo make install

Build & Install pkcs11 Tool

1git clone https://github.com/Mastercard/pkcs11-tools.git
2./configure
3sudo make install

use p11req generate csr

1p11req -i my-ec-key -d '/CN=my.site.org/O=My organization/C=BE' -e 'DNS:another-url-for-my.site.org' -v

Initialize HSM & Generate Cert

 1# Init Token
 2pkcs11-tool --module /usr/local/lib/libp11sgx.so --init-token --label "sgx-pkcs11" --slot 0 --so-pin 12345678 --init-pin --pin 12345678
 3#Create Key Pair
 4pkcs11-tool --module /usr/local/lib/libp11sgx.so  --login --pin 12345678 --id 0001 --token "sgx-pkcs11" --keypairgen --key-type rsa:2048 --label "cert-key" --usage-sign
 5
 6# Check slot info
 7pkcs11-tool --module /usr/local/lib/libp11sgx.so -L 
 8
 9# Create csr, cert-key is the private lable
10p11req -l /usr/local/lib/libp11sgx.so -i cert-key -d '/CN=sgx-node'  -s 0x5e6dceb4 -p 12345678 > new.csr
11
12# Issuer the cert from root CA 
13openssl x509 -req -days 365 -CA caCert.pem -CAkey caKey.pem -set_serial 1 -in new.csr -out client.crt
14# Transfer to DER form
15openssl x509 -in client.crt -outform DER -out clientcrt.der
16# Add cert to HSM
17pkcs11-tool --module /usr/local/lib/libp11sgx.so -login --pin 12345678 --login-type user --slot 0x5e6dceb4 --write-object clientcrt.der --type cert --id 0001
18
19# Check private Key and Cert status
20pkcs11-tool --module /usr/local/lib/libp11sgx.so --login --pin 12345678  -O  --slot 0x5e6dceb4 
1#需要下载的 组件
2
3crypto-api-toolkit  intel-sgx-ssl  linux-sgx  linux-sgx-driver  OpenSC  pkcs11  SDEWAN-SetUp  SGX.code-workspace  sgx-pkcs11  sgx-software-enable  strongswan  virt_cacard  vsmartcard

Configure PCKS#11 Plugin of Strongswan

 1#strongswan.d/charon/pkcs11.conf
 2pkcs11 {
 3    load = yes
 4    modules {
 5        ctk{
 6                path=/usr/local/lib/libp11sgx.so
 7                os_locking=yes
 8                load_certs=yes
 9        }
10    }
11
12}
13
14
15bash-5.1$ /usr/lib/libp11-kit.so.0^C
16
17
18echo 'pkcs11 {
19    load = yes
20    modules {
21        ctk{
22                path=/usr/lib/p11-kit-client.so 
23                os_locking=yes
24                load_certs=yes
25        }
26    }
27}' | sudo tee /etc/strongswan.d/charon/pkcs11.conf

Configure IPsec Tunnel through swanctl.conf

 1# /etc/swanctl/swanctl.conf
 2connections {
 3    pkcs11-demo{   # connection name
 4       # remote_addrs = 10.95.62.25
 5       pools = client_pool
 6
 7       local {
 8           auth = pubkey
 9           cert1{
10               handle=0001
11               slot=0x11
12               module=ctk
13           }
14       }
15       remote {
16           auth = pubkey
17           id = "CN=sun.strongswan.org"
18       }
19       children {
20           pkcs11-demo {
21               start_action = trap
22           }
23       }
24    }
25}
26
27pools{
28    client_pool{
29        addrs=192.168.0.1
30    }
31}
32
33secrets{
34#    token_1{
35#        handle=0001
36#        slot=0
37#        module=opensc
38#        pin=12345678
39#    }
40    token_2{
41        handle=0001
42        slot=0x11
43        module=ctk
44        pin=12345678
45    }
46}
47
48
49
50
51
52# /etc/swanctl/swanctl.conf
53connections {
54    pkcs11-demo{   # connection name
55       remote_addrs = 10.233.76.178
56       local {
57           auth = pubkey
58           cert1{
59               handle=0001
60               slot=0x11
61               module=ctk
62           }
63       }
64       remote {
65           auth = pubkey
66           id = "CN=sgx-1"
67       }
68       children {
69           pkcs11-demo {
70               start_action = trap
71           }
72       }
73    }
74}
75
76
77
78secrets{
79    token_1{
80        handle=0001
81        slot=0x11
82        module=ctk
83        pin=12345678
84    }
85}

Configure IPsec Tunnel Through ipsec.conf use different secret

  1# /etc/ipsec.conf
  2
  3# ipsec.conf - strongSwan IPsec configuration file
  4
  5sudo cp caCert.pem /etc/ipsec.d/cacerts/
  6sudo cp moonKey.pem /etc/ipsec.d/private/
  7sudo cp moonCert.pem /etc/ipsec.d/certs/
  8
  9conn host-host
 10  left=%any
 11  right=%any
 12  ikelifetime=3h
 13  lifetime=1h
 14  margintime=9m
 15  keyingtries=%forever
 16  dpdaction=restart
 17  dpddelay=30s
 18  closeaction=restart
 19  leftauth=pubkey
 20  rightauth=pubkey
 21  leftcert=moonCert.pem
 22  leftsendcert=yes
 23  rightsendcert=yes
 24  rightsourceip=192.168.0.8
 25  auto=start
 26  leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
 27  rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
 28  keyexchange=ikev2
 29  mark=30
 30  esp=aes128-sha256-modp3072,aes256-sha256-modp3072
 31  ike=aes128-sha256-modp3072,aes256-sha256-modp3072
 32  type=tunnel
 33
 34
 35
 36conn host-host
 37  left=%any
 38  right=34.230.111.156  
 39  ikelifetime=3h
 40  lifetime=1h
 41  margintime=9m
 42  keyingtries=%forever
 43  dpdaction=restart
 44  dpddelay=30s
 45  closeaction=restart
 46  leftauth=pubkey
 47  rightauth=pubkey
 48  leftcert=sCert.pem
 49  leftsendcert=yes
 50  rightsendcert=yes
 51  rightsourceip=192.169.0.8
 52  auto=start
 53  leftid="C=CH, O=strongSwan, CN=sun.strongswan.org"
 54  rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
 55  keyexchange=ikev2
 56  mark=30
 57  esp=aes128-sha256-modp3072,aes256-sha256-modp3072
 58  ike=aes128-sha256-modp3072,aes256-sha256-modp3072
 59  type=tunnel
 60
 61
 62
 63conn common-con
 64  left=%any
 65  right=%any
 66  ikelifetime=3h
 67  lifetime=1h
 68  margintime=9m
 69  keyingtries=%forever
 70  dpdaction=restart
 71  dpddelay=30s
 72  closeaction=restart
 73  leftauth=pubkey
 74  rightauth=pubkey
 75  leftcert=/etc/ipsec.d/certs/root-nodeCert.pem
 76  leftsendcert=yes
 77  rightsendcert=yes
 78  rightsourceip=192.168.0.9
 79  auto=start
 80  leftid="CN=root-node"
 81  rightid="C=CH, O=strongSwan,CN=node-3"
 82  keyexchange=ikev2
 83  mark=30
 84  esp=aes128-sha256-modp3072,aes256-sha256-modp3072
 85  ike=aes128-sha256-modp3072,aes256-sha256-modp3072
 86  type=tunnel
 87
 88
 89
 90  # client
 91sudo cp caCert.pem /etc/ipsec.d/cacerts/
 92sudo cp sunKey.pem /etc/ipsec.d/private/
 93sudo cp sunCert.pem /etc/ipsec.d/certs/
 94
 95conn common-con
 96  left=%any
 97  right=10.233.76.178
 98  leftsourceip=%config
 99  ikelifetime=3h
100  lifetime=1h
101  margintime=9m
102  keyingtries=%forever
103  dpdaction=restart
104  dpddelay=30s
105  closeaction=restart
106  leftauth=pubkey
107  rightauth=pubkey
108  leftcert=%smartcard:0001
109  leftsendcert=yes
110  rightsendcert=yes
111  auto=start
112  leftid="CN=sgx-2"
113  rightid="CN=sgx-1"
114  keyexchange=ikev2
115  esp=aes128-sha256-modp3072,aes256-sha256-modp3072
116  ike=aes128-sha256-modp3072,aes256-sha256-modp3072
117  type=tunnel

ipsec.secrets

1# /etc/ipsec.secrets
2C=CH, O=strongSwan,CN=sun.strongswan.org : RSA sunKey.pem
3: PIN %smartcard:0001 "12345678"
1# 1. Add strongswan.d/chron/pkcs11.conf
2
3
4# 2. This is the firsth 

/usr/sbin/ipsec start –nofork

IPsec protocol overview

IPsec is a framework, which provide security at the network layer of the OSI model by enabling a system to select required security protocols, determine the algorithms to use for security services, and implement any cryptographic keys required to provide secure communication.

IPsec architecture consist of:

  • Basic concept:

    • Security Association(SA)

    • Security Association Database

  • Fundamental security protocols

    • ESP/AH
  • Protocol mode

    • transport/tunnel
  • Various cryptographic primitives with AH and ESP

    • Encryption: DES, 3DES, AES-CBC
    • Integrity: HMAC, MD5, SHA1, SHA2
  • Key management procedures

    • IKEv1, IKEv2, ISAKMP

image-20220516134513652

  • Security Association(SA) is a set of IPsec specifications that are negotiated between devices that are establishing an IPsec relationship.
    • The specifications include preferences for the type of authentication, encryption, and security protocol that should be used when establishing the IPsec connection.
    • A single SA protects data in one direction
    • An SA is uniquely identified by:
      • Security Parameter Index(SPI)
      • IPv4 or IPv6 destination address
      • security protocol(AH or ESP) identifier
    • Security associations are stored in a security associations database(SADB)
  • Security Associations(SAs) require keying material for authentication and for encryption. The managing of this keying material is called key management.
  • The Internet Key Exchange(IKE) protocol is used to exchange SAs between two devices.
    • IKE is based on Internet Security Association and Key Management Protocol( ISAKMP)
    • Two version of IKE are defined(IKEv1 and IKEv2), but at present IKE2 is mostly used
  • IPsec session consists of the following phases:
    • establishing IKE SA (IKE phase I)
    • establishing IPsec SA (IKE phase II)
    • secured communication(IPsec tunnel)
    • re-keying procedures( IKE CHILD_SA)
    • IP tunnel termination( IKE “delete”)

image-20220516142355903

  • Experiment has been performed using two virtual machines
  • Strongswan has been used as IPsec implementation

Red Machine: 192.168.56.100 === Blue Machine: 192.16.56.101

Basic Strongswan configuration

IPsec configuration files:

  • /etc/ipsec.conf IPsec tunnel parameters
  • /etc/ipsec.secret cryptographic secrets
 1# Blue
 2conn bule-to-red
 3    authby=secret     # authentication method
 4    auto=route
 5    keyexchange=ikev2    # key exchange protocol
 6    ike=ase256-sha2_256-modp1024   # IKE secrity association proposal
 7    left=192.168.56.101            # IP of both ends of tunnel
 8    right=192.168.56.100
 9    type=transport                 # IPsec mode(tunnel or transport)
10    esp=aes256-sha2_256            # IPsec security association proposal(ESP/ AH)
11    #ah=sha1-sha256-modp1024
12
13
14# RED
15conn red-to-blue
16    authby=secret     
17    #ah=sha1-sha256-modp1024
18    auto=route
19    keyexchange=ikev2   
20    ike=ase256-sha2_256-modp1024   # 3des-sha2_256-modp1024
21    left=192.168.56.100           
22    right=192.168.56.101
23    type=transport                
24    esp=aes256-sha2_256  
1sudo ipsec stroke loglevel ike 4
2
3sudo tcpdump -i eth0 -w ike.pcap

IKE and IPsec negotiation

  • IKE Phase I (IKE SA negotiation) creates a secure channel between the two IKE peers. IKE SA is negotiated during phase I and the Diffie-Hellman key agreements is always performed in this phase.
  • IKE Phase II (IPsec SA negotiation) negotiates the IPsec security associations and generates the required key material for IPsec(encryption and integrity Keys). Peers authenticate echo other is this phase. A new Diffie-Hellman agreement may be done in phase2, or the keys may be derived form the phase 1.
  • Re-keying (IKE or IPsec) is invoked by send CREATE_CHILD_SA
  • IKE tunnel termination is perform by sending IKE INFORMATIONAL message with payload “delete”

IKE SA proposals of RED and BLUE endpoint(the same now)

 1IKE algorithmn
 2
 3--- RED --
 4IKE ENCR ALG: AES-CBC-256  # encryption algorithm
 5IKE AUTH ALG: HMAC_SHA2_256_128 # Integrity algorithm
 6IKE D-H GROUP: MODP 1024-bit   # Diffie-Hellman group
 7PRF: NOT CONFIGURABLE            # Pseudo random function
 8
 9--- BLUE --
10IKE ENCR ALG: AES-CBC-256
11IKE AUTH ALG: HMAC_SHA2_256_128
12IKE D-H GROUP: MODP 1024-bit
13PRF: NOT CONFIGURABLE

Let’s change encryption algorithm proposal of RED endpoint, is the IKE algorithm not equal. BULE endpoint doesn’t accept IKE SA proposal with “3des” encryption algorithm. BULE doesn’t support such algorithm and responds with NO_PROPOSAL_CHOSEN payload. Inconsistency of encryption algorithm. Now red’s IKE SA proposal has been accepted by BLUE. Authentication process has been started.

Note, the IPsec SA negotiation (Phase II) and authentication has been successful.

image-20220516153819335

image-20220516153827319

image-20220516154420402

image-20220516154524101

image-20220516154619123

image-20220516154655328

After decryption using keys, we can see IKE_AUTH message payload. Shared key data is exchanged (PSK authentication is used.)

traffic selector

IPsec ESP vs AH

Authentication Header(AH) and Encapsulating Security Payload(ESP) are two protocols, which provide security for IPsec tunnel.

  • AH provides only integrity authentication service to IPsec-capable device, so they can verify that message are received intact from other device.
  • AH provides authentication by creating and add MACs to packets.
  • ESP provides not only integrity authentication, but also a privacy for IP. ESP encrypt payload by ESP header and ESP trailer to each packet.

IPsec Tunnel vs transport mode

  • IPsec protocol use transport or tunnel mode.

    • Transport mode can only be used between end-point of a communication
    • Tunnel mode can be used between arbitrary peers
  • The difference between the two modes is protocol stack construction

    • Transport mode just add a security specific header
    • Tunnel mode encapsulates IP packets

    image-20220516161617718

IPsec with pre-shared secret

Pre-Shared Key(PSK) IKEv2 authentication uses pre-shared secrets stored in host’s memory. Secret’s sharing is out of IPsec’s scope.

The shared key is exchanged during IPsec SA negotiation and used by peers to authenticate each other.

The easiest, but not recommended type of authentication

pre-shared secret is configured in ipsec.secrets file.

1  # authty=secret
2192.145.66.100 192.145.66.101   :PSK "123"

image-20220516163315116

IPsec with CA certificates (PKI)

Public Key authentication is based on Public Key Infrastructure(PKI) architecture

  • An individual that wishes to send encrypted data obtains a digital certificate form a Certificate Authority(CA). CA’s certificate contains a public key
  • Both peers need to generate self-certificates, which can be self-signed, in which case they have to installed on peers, or signed by a common Certificate Authority(CA)
  • The latter simplifies deployment and configuration a lot as the gateway only needs the CA certificate.

IKEv2 uses:

  • CERTREQ payload contains information of supported by peer CAs
  • CERT payload contains peer’s certificate signed by CA

During IKE AUTH exchange peers authenticate each other. In SA_INIT response responder sends CERTREQ payload. Then initiator send its certificate in CERT with its identity(IDi). Responder uses public key from CA certificate to authenticate initiator. In the last message responder sends its certificate (CERT) with its identity(IDr). Now, responder is authenticated by initiator(if certificate is authorized by the same CA)

image-20220516165331484

Public Key authentication- RSA authentication with X.509 certificate

image-20220516165427150

CA certificate and private key need to delivered to each IPsec peer.

image-20220516170053454

 1# Blue
 2conn bule-to-red
 3    # authby=secret     # authentication method
 4    left=192.168.56.101            # IP of both ends of tunnel
 5    right=192.168.56.100
 6    ike=ase256-sha2_256-modp1024   # IKE secrity association proposal
 7    esp=aes256-sha2_256            # IPsec security association proposal(ESP/ AH)
 8    auto=start
 9    keyexchange=ikev2    # key exchange protocol
10    type=tunnel                 # IPsec mode(tunnel or transport)
11    leftcert=client1Cert.pem
12    leftid="C=CH,O=strongSwan,CN=device1"
13    rightid="C=CH,O=strongSwan,CN=device2"
14
15    #ah=sha1-sha256-modp1024
16
17
18# RED
19conn red-to-blue
20    # authby=secret     # authentication method
21    left=192.168.56.101            # IP of both ends of tunnel
22    right=192.168.56.100
23    ike=ase256-sha2_256-modp1024   # IKE secrity association proposal
24    esp=aes256-sha2_256            # IPsec security association proposal(ESP/ AH)
25    auto=start
26    keyexchange=ikev2    # key exchange protocol
27    type=tunnel                 # IPsec mode(tunnel or transport)
28    leftcert=client2Cert.pem
29    leftid="C=CH,O=strongSwan,CN=device2"
30    rightid="C=CH,O=strongSwan,CN=device"
1# ipsec.secret RSA private key location is configured in ipsec.secrets
2: RAS client1key.pem

Create IPsec Tunnel on AWS

Running CNF through docker in host network mode

1docker run --rm -i -d --network host --name cnf --user root -v /home/ubuntu/entrypoint.sh:/entrypoint.sh  --privileged cnf:pro bash -c '/entrypoint.sh'

image-20220519143707401

NAT mode

1docker run --rm -i -d -p 5:q
2jjikk00:500/udp -p 4500:4500/udp --name cnf-1 --user root -v /home/ubuntu/entrypoint.sh:/entrypoint.sh  --privileged cnf:pro bash -c '/entrypoint.sh'
3
4netstat -atunlp

rrr

 1# sun add DNAT
 2
 3sudo iptables -D PREROUTING --destination 10.20.0.118/32  -p esp  -j DNAT --to-destination 172.17.0.3 -t nat
 4sudo iptables -D PREROUTING --destination 10.20.0.118/32  -p udp --dport 4500 -j DNAT --to-destination 172.17.0.3:4500 -t nat
 5sudo iptables -D PREROUTING --destination 10.20.0.118/32  -p udp --dport 500 -j DNAT --to-destination 172.17.0.3:500 -t nat
 6
 7
 8
 9# moon add DNAT
10sudo iptables -D PREROUTING --destination 172.16.182.193/32  -p esp  -j DNAT --to-destination 172.17.0.2 -t nat
11sudo iptables -D PREROUTING --destination 172.16.182.193/32  -p udp --dport 4500 -j DNAT --to-destination 172.17.0.2:4500 -t nat
12sudo iptables -D PREROUTING --destination 172.16.182.193/32  -p udp --dport 500 -j DNAT --to-destination 172.17.0.2:500 -t nat
13
14192.169.0.4/32 === 172.17.0.2/32
15iptables -I POSTROUTING -d 172.17.0.2/32 -j SNAT --to-source 192.169.0.4 -t nat
 1# sun add DNAT
 2
 3sudo iptables -I PREROUTING --destination 10.95.62.171/32  -p esp  -j DNAT --to-destination 10.233.83.75 -t nat
 4sudo iptables -I PREROUTING --destination 10.95.62.171/32  -p udp --dport 4500 -j DNAT --to-destination 10.233.83.75:4500 -t nat
 5sudo iptables -I PREROUTING --destination 10.95.62.171/32  -p udp --dport 500 -j DNAT --to-destination 10.233.83.75:500 -t nat
 6
 7
 8
 9# moon add DNAT
10sudo iptables -I PREROUTING --destination 10.95.62.90/32  -p esp  -j DNAT --to-destination 10.233.120.76 -t nat
11sudo iptables -I PREROUTING --destination 10.95.62.90/32  -p udp --dport 4500 -j DNAT --to-destination 10.233.120.76:4500 -t nat
12sudo iptables -I PREROUTING --destination 10.95.62.90/32  -p udp --dport 500 -j DNAT --to-destination 10.233.120.76:500 -t nat

Add AppArmor security Rules

 1# Add to /etc/apparmor.d/usr.lib.ipsec.charon
 2# /usr/lib/ipsec/charon flags=(attach_disconnected) {
 3
 4  /tmp/ipsec/**                r,
 5  /tmp/run/**                  rw,
 6  /tmp/ipsec/strongswan.conf   rwk,
 7  /tmp/ipsec/ipsec.secrets     rwk,
 8  /tmp/run/charon.ctl          rwk,
 9  /tmp/run/charon.pid          rwk,
10  /bin/busybox                 rmPUx,
11# }
12# Add to  /etc/apparmor.d/usr.lib.ipsec.stroke
13  /tmp/ipsec/strongswan.conf    r,
14  /tmp/run/charon.ctl           wr,

Site-to-Site Mode

In site to site mode need to add IP rule on the host, post the traffic through the VTI interface

Add IP Rule

1# sun node
2ip route add default dev  vti_52.9.61.247 table 40
3ip rule add to  172.16.182.193 lookup  40
4
5# moon node
6ip r add default dev vti_34.230 table 50
7ip rule add to 10.20.0.118 lookup 50

ipsec.conf

 1# sun node
 2conn hubaedge1-Connedge1_19216904
 3  left=%any
 4  leftsubnet=0.0.0.0/0
 5  right=%any
 6  rightsubnet=0.0.0.0/0
 7  ikelifetime=3h
 8  lifetime=1h
 9  margintime=9m
10  keyingtries=%forever
11  dpdaction=restart
12  dpddelay=30s
13  leftauth=pubkey
14  rightauth=pubkey
15  leftcert=/etc/ipsec.d/certs/sunCert.pem
16  leftsendcert=yes
17  rightsendcert=yes
18  auto=start
19  # leftid="C=CH, O=strongSwan, CN=sun.strongswan.org"
20  rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
21  leftupdown=/etc/updown
22  keyexchange=ikev2
23  mark=30
24  esp=aes256-sha256-modp4096,aes256-sha256-modp4096
25  ike=aes256-sha256-modp4096,aes256-sha256-modp4096
26  type=tunnel
27
28
29# moon node
30conn edge1huba-Connhuba_10107039
31  left=%any
32  leftsubnet=0.0.0.0/0
33  right= 34.230.111.156
34  rightsubnet=0.0.0.0/0
35  ikelifetime=3h
36  lifetime=1h
37  margintime=9m
38  keyingtries=%forever
39  dpdaction=restart
40  dpddelay=30s
41  leftauth=pubkey
42  rightauth=pubkey
43  leftcert=/etc/ipsec.d/certs/moonCert.pem
44  leftsendcert=yes
45  rightsendcert=yes
46  auto=start
47  # leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
48  rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
49  leftupdown=/etc/updown   # need to bind with a mark
50  mark=30
51  keyexchange=ikev2
52  esp=aes256-sha256-modp4096,aes256-sha256-modp4096
53  ike=aes256-sha256-modp4096,aes256-sha256-modp4096
54  type=tunnel

Site-to-Host Mode

Add SNAT on Client

1# moon node
2iptables -I POSTROUTING -d 10.20.0.118/32 -j SNAT --to-source 192.169.0.4 -t nat
3iptables -I POSTROUTING -d 10.233.83.75/32 -j SNAT --to-source 192.168.0.1 -t nat

ipsec.conf

 1# sun node
 2conn hubaedge1-Connedge1_19216904
 3  left=%any
 4  right=%any
 5  leftsubnet=10.20.0.118/32
 6  rightsubnet=192.169.0.4/32
 7  ikelifetime=3h
 8  lifetime=1h
 9  margintime=9m
10  keyingtries=%forever
11  dpdaction=restart
12  dpddelay=30s
13  leftauth=pubkey
14  rightauth=pubkey
15  leftcert=/etc/ipsec.d/certs/sunCert.pem
16  leftsendcert=yes
17  rightsendcert=yes
18  rightsourceip=192.169.0.4
19  auto=start
20  #leftid="C=CH, O=strongSwan, CN=sun.strongswan.org"
21  rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
22  leftupdown=/etc/updown
23  keyexchange=ikev2
24  mark=30
25  esp=aes256-sha256-modp4096,aes256-sha256-modp4096
26  ike=aes256-sha256-modp4096,aes256-sha256-modp4096
27  type=tunnel
28
29# moon
30conn edge1huba-Connhuba_10107039
31  left=%any
32  leftsourceip=%config
33  right= 34.230.111.156
34  rightsubnet=10.20.0.118/32
35  ikelifetime=3h
36  lifetime=1h
37  margintime=9m
38  keyingtries=%forever
39  dpdaction=restart
40  dpddelay=30s
41  leftauth=pubkey
42  rightauth=pubkey
43  leftcert=/etc/ipsec.d/certs/moonCert.pem
44  leftsendcert=yes
45  rightsendcert=yes
46  auto=start
47  # leftid="C=CH, O=strongSwan, CN=moon.strongswan.org"
48  rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
49  leftupdown=/etc/updown_oip
50  keyexchange=ikev2
51  esp=aes256-sha256-modp4096,aes256-sha256-modp4096
52  ike=aes256-sha256-modp4096,aes256-sha256-modp4096
53  type=tunnel

Todo

  1. Apparmor

  2. VTI bind with mark and ip xfrm check the startus

Hi, Huifeng, I think we can con