1 |
On 4/6/21 8:09 AM, J. Roeleveld wrote: |
2 |
> I only managed to get it working between off-the-shelve devices, |
3 |
> but would prefer to do it from Linux. |
4 |
|
5 |
That's where some of my experience is; SOHO routers, 15+ years ago. I |
6 |
think I did manage to get FreeS/WAN (at the time) to establish a VPN |
7 |
with one of the SOHO routers that I was using at the time. |
8 |
|
9 |
But I've started to get some more experience using IPsec without IKE |
10 |
recently. |
11 |
|
12 |
> Please keep it on the list so I can participate in the process. |
13 |
|
14 |
Okay. Here's a copy of what I've sent to the handful of people that |
15 |
replied to me in the varies places I sent the broadcast. |
16 |
|
17 |
I'll elaborate on the things that I'm pondering below. |
18 |
|
19 |
- ip xfrm - I'm currently dabbling with IPsec transport mode between |
20 |
some systems using the following commands: |
21 |
|
22 |
--8<-- |
23 |
1 AKEY1=0x$(xxd -c 32 -l 32 -ps /dev/random) |
24 |
2 AKEY2=0x$(xxd -c 32 -l 32 -ps /dev/random) |
25 |
3 AID=0x$(xxd -c 4 -l 4 -ps /dev/random) |
26 |
4 ASRC="$LeftIP" |
27 |
5 ADST="$RightIP" |
28 |
6 ALOCAL="$ASRC" |
29 |
7 AREMOTE="$ADST" |
30 |
8 echo "Run the following commands on $LeftHost." |
31 |
9 ip xfrm state add src $ASRC dst $ADST proto esp spi $AID |
32 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # b out |
33 |
state (SA) |
34 |
10 ip xfrm policy add src $ALOCAL dst $AREMOTE dir out tmpl src |
35 |
$ASRC dst $ADST proto esp reqid $AID mode transport # b out policy |
36 |
11 ip xfrm state add src $ADST dst $ASRC proto esp spi $AID |
37 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # b in |
38 |
state (SA) |
39 |
12 ip xfrm policy add src $AREMOTE dst $ALOCAL dir in tmpl src |
40 |
$ADST dst $ASRC proto esp reqid $AID mode transport # b in policy |
41 |
|
42 |
13 echo |
43 |
14 echo |
44 |
15 echo |
45 |
|
46 |
16 echo "Run the following commands on $RightHost." |
47 |
17 ip xfrm state add src $ADST dst $ASRC proto esp spi $AID |
48 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # d out |
49 |
state (SA) |
50 |
18 ip xfrm policy add src $AREMOTE dst $ALOCAL dir out tmpl src |
51 |
$ADST dst $ASRC proto esp reqid $AID mode transport # d out policy |
52 |
19 ip xfrm state add src $ASRC dst $ADST proto esp spi $AID |
53 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # d in |
54 |
state (SA) |
55 |
20 ip xfrm policy add src $ALOCAL dst $AREMOTE dir in tmpl src |
56 |
$ASRC dst $ADST proto esp reqid $AID mode transport # d in policy |
57 |
-->8-- |
58 |
|
59 |
This is working and does enable IPsec /transport/ /mode/ between |
60 |
$LeftHost and $RightHost. But it's completely manual at the moment. |
61 |
|
62 |
I'm curious if you have any comments on "ip xfrm". |
63 |
|
64 |
- strongSwan / Libraswan / OpenSwan / FreeS/WAN - I dabbled with |
65 |
FreeS/WAN the better part of 20 years ago. It worked at the time. But |
66 |
I've not needed or wanted to do anything with IPsec again until |
67 |
recently. -- I've taken a foray through OpenVPN and WireGuard, both of |
68 |
which were decidedly easier than IPsec. |
69 |
|
70 |
It's my understanding that OpenSwan and strongSwan are direct forks of |
71 |
FreeS/WAN and that Libraswan is a fork or rename of OpenSwan. |
72 |
|
73 |
What I'm not sure of is what the actual current status of the *Swan(s) is. |
74 |
|
75 |
Also, how do the *Swan(s) relate to racoon, which I see reference as |
76 |
being independent. |
77 |
|
78 |
- X.509 certificate based authentication - One of the reasons my script |
79 |
above is manual is because I don't want to embed keying material in |
80 |
config files on the VPSs that I'm using IPsec transport mode between. |
81 |
I'd like to figure out if it's possible to use X.509 certificates to |
82 |
have the two IPsec endpoints authenticate against each other and |
83 |
dynamically negotiate keying material based on their public & private |
84 |
key pairs that they already have. |
85 |
|
86 |
E.g. can $LeftHost use use it's private key to authenticate itself to |
87 |
$RightHost and vice versa? |
88 |
|
89 |
I presume that this would be done via IKE, and I further presume that it |
90 |
will likely be IKEv2. |
91 |
|
92 |
- Opportunistic Encryption - I really like the idea of IPsec |
93 |
Opportunistic Encryption so that systems can dynamically / automatically |
94 |
configure and use IPsec /transport/ /mode/ encryption between each other. |
95 |
|
96 |
- AH vs ESP - Do the cryptographic primitives of ESP supplant AH in |
97 |
confirming ~> authenticating that the traffic came from the host that is |
98 |
sending the traffic? E.g. can ESP offer the same authentication that AH |
99 |
does? Or are AH and ESP truly different functions which don't overlap? |
100 |
|
101 |
- Transport vs Tunnel Mode - I'm really interested in /transport/ mode |
102 |
more than I am tunnel mode. I'd like to get my various servers to use |
103 |
IPsec /transport/ mode configured (much like my script) to protect all |
104 |
of the traffic between them. |
105 |
|
106 |
I did some playing this weekend with /transport/ mode between my Linux |
107 |
router at home and one of my VPS(s). Yes, my Linux router is |
108 |
functioning as a basic NATing router. But, it occurred to me |
109 |
/transport/ mode might work between my router and my VPS(s) in that |
110 |
Linux /was/ doing the /NAT/ing. Meaning that it was effectively the |
111 |
endpoint of the traffic. Thus the traffic might work via /transport/ mode. |
112 |
|
113 |
Suffice it to say that I was pleasantly surprised that my script above |
114 |
actually worked both for my router's access to the VPS(s) /and/ mostly |
115 |
worked for traffic from NATed clients inside my home. I say /mostly/ |
116 |
because traffic was working between clients and my VPS(s) with the |
117 |
annoying exception of SSH which was successfully negotiating and |
118 |
starting sessions before running into MTU issues. I was able to work |
119 |
around the MTU issues via typical TCPMSS --set-mm games. |
120 |
|
121 |
So ... I was able to ""tunnel NATed traffic through IPsec /transport/ |
122 |
mode ESP. }:-D |
123 |
|
124 |
I'd be very curious to learn what your reactions are to what I've done |
125 |
and would like to do plus any pointers or gotchas to avoid that you |
126 |
would care to share. |
127 |
|
128 |
Thank you for replying to my open ended broadcast. :- |
129 |
|
130 |
|
131 |
|
132 |
-- |
133 |
Grant. . . . |
134 |
unix || die |