| 1 |
On 4/6/21 8:09 AM, J. Roeleveld wrote: |
| 2 |
> I only managed to get it working between off-the-shelve devices, |
| 3 |
> but would prefer to do it from Linux. |
| 4 |
|
| 5 |
That's where some of my experience is; SOHO routers, 15+ years ago. I |
| 6 |
think I did manage to get FreeS/WAN (at the time) to establish a VPN |
| 7 |
with one of the SOHO routers that I was using at the time. |
| 8 |
|
| 9 |
But I've started to get some more experience using IPsec without IKE |
| 10 |
recently. |
| 11 |
|
| 12 |
> Please keep it on the list so I can participate in the process. |
| 13 |
|
| 14 |
Okay. Here's a copy of what I've sent to the handful of people that |
| 15 |
replied to me in the varies places I sent the broadcast. |
| 16 |
|
| 17 |
I'll elaborate on the things that I'm pondering below. |
| 18 |
|
| 19 |
- ip xfrm - I'm currently dabbling with IPsec transport mode between |
| 20 |
some systems using the following commands: |
| 21 |
|
| 22 |
--8<-- |
| 23 |
1 AKEY1=0x$(xxd -c 32 -l 32 -ps /dev/random) |
| 24 |
2 AKEY2=0x$(xxd -c 32 -l 32 -ps /dev/random) |
| 25 |
3 AID=0x$(xxd -c 4 -l 4 -ps /dev/random) |
| 26 |
4 ASRC="$LeftIP" |
| 27 |
5 ADST="$RightIP" |
| 28 |
6 ALOCAL="$ASRC" |
| 29 |
7 AREMOTE="$ADST" |
| 30 |
8 echo "Run the following commands on $LeftHost." |
| 31 |
9 ip xfrm state add src $ASRC dst $ADST proto esp spi $AID |
| 32 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # b out |
| 33 |
state (SA) |
| 34 |
10 ip xfrm policy add src $ALOCAL dst $AREMOTE dir out tmpl src |
| 35 |
$ASRC dst $ADST proto esp reqid $AID mode transport # b out policy |
| 36 |
11 ip xfrm state add src $ADST dst $ASRC proto esp spi $AID |
| 37 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # b in |
| 38 |
state (SA) |
| 39 |
12 ip xfrm policy add src $AREMOTE dst $ALOCAL dir in tmpl src |
| 40 |
$ADST dst $ASRC proto esp reqid $AID mode transport # b in policy |
| 41 |
|
| 42 |
13 echo |
| 43 |
14 echo |
| 44 |
15 echo |
| 45 |
|
| 46 |
16 echo "Run the following commands on $RightHost." |
| 47 |
17 ip xfrm state add src $ADST dst $ASRC proto esp spi $AID |
| 48 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # d out |
| 49 |
state (SA) |
| 50 |
18 ip xfrm policy add src $AREMOTE dst $ALOCAL dir out tmpl src |
| 51 |
$ADST dst $ASRC proto esp reqid $AID mode transport # d out policy |
| 52 |
19 ip xfrm state add src $ASRC dst $ADST proto esp spi $AID |
| 53 |
reqid $AID mode transport auth sha256 $AKEY1 enc aes $AKEY2 # d in |
| 54 |
state (SA) |
| 55 |
20 ip xfrm policy add src $ALOCAL dst $AREMOTE dir in tmpl src |
| 56 |
$ASRC dst $ADST proto esp reqid $AID mode transport # d in policy |
| 57 |
-->8-- |
| 58 |
|
| 59 |
This is working and does enable IPsec /transport/ /mode/ between |
| 60 |
$LeftHost and $RightHost. But it's completely manual at the moment. |
| 61 |
|
| 62 |
I'm curious if you have any comments on "ip xfrm". |
| 63 |
|
| 64 |
- strongSwan / Libraswan / OpenSwan / FreeS/WAN - I dabbled with |
| 65 |
FreeS/WAN the better part of 20 years ago. It worked at the time. But |
| 66 |
I've not needed or wanted to do anything with IPsec again until |
| 67 |
recently. -- I've taken a foray through OpenVPN and WireGuard, both of |
| 68 |
which were decidedly easier than IPsec. |
| 69 |
|
| 70 |
It's my understanding that OpenSwan and strongSwan are direct forks of |
| 71 |
FreeS/WAN and that Libraswan is a fork or rename of OpenSwan. |
| 72 |
|
| 73 |
What I'm not sure of is what the actual current status of the *Swan(s) is. |
| 74 |
|
| 75 |
Also, how do the *Swan(s) relate to racoon, which I see reference as |
| 76 |
being independent. |
| 77 |
|
| 78 |
- X.509 certificate based authentication - One of the reasons my script |
| 79 |
above is manual is because I don't want to embed keying material in |
| 80 |
config files on the VPSs that I'm using IPsec transport mode between. |
| 81 |
I'd like to figure out if it's possible to use X.509 certificates to |
| 82 |
have the two IPsec endpoints authenticate against each other and |
| 83 |
dynamically negotiate keying material based on their public & private |
| 84 |
key pairs that they already have. |
| 85 |
|
| 86 |
E.g. can $LeftHost use use it's private key to authenticate itself to |
| 87 |
$RightHost and vice versa? |
| 88 |
|
| 89 |
I presume that this would be done via IKE, and I further presume that it |
| 90 |
will likely be IKEv2. |
| 91 |
|
| 92 |
- Opportunistic Encryption - I really like the idea of IPsec |
| 93 |
Opportunistic Encryption so that systems can dynamically / automatically |
| 94 |
configure and use IPsec /transport/ /mode/ encryption between each other. |
| 95 |
|
| 96 |
- AH vs ESP - Do the cryptographic primitives of ESP supplant AH in |
| 97 |
confirming ~> authenticating that the traffic came from the host that is |
| 98 |
sending the traffic? E.g. can ESP offer the same authentication that AH |
| 99 |
does? Or are AH and ESP truly different functions which don't overlap? |
| 100 |
|
| 101 |
- Transport vs Tunnel Mode - I'm really interested in /transport/ mode |
| 102 |
more than I am tunnel mode. I'd like to get my various servers to use |
| 103 |
IPsec /transport/ mode configured (much like my script) to protect all |
| 104 |
of the traffic between them. |
| 105 |
|
| 106 |
I did some playing this weekend with /transport/ mode between my Linux |
| 107 |
router at home and one of my VPS(s). Yes, my Linux router is |
| 108 |
functioning as a basic NATing router. But, it occurred to me |
| 109 |
/transport/ mode might work between my router and my VPS(s) in that |
| 110 |
Linux /was/ doing the /NAT/ing. Meaning that it was effectively the |
| 111 |
endpoint of the traffic. Thus the traffic might work via /transport/ mode. |
| 112 |
|
| 113 |
Suffice it to say that I was pleasantly surprised that my script above |
| 114 |
actually worked both for my router's access to the VPS(s) /and/ mostly |
| 115 |
worked for traffic from NATed clients inside my home. I say /mostly/ |
| 116 |
because traffic was working between clients and my VPS(s) with the |
| 117 |
annoying exception of SSH which was successfully negotiating and |
| 118 |
starting sessions before running into MTU issues. I was able to work |
| 119 |
around the MTU issues via typical TCPMSS --set-mm games. |
| 120 |
|
| 121 |
So ... I was able to ""tunnel NATed traffic through IPsec /transport/ |
| 122 |
mode ESP. }:-D |
| 123 |
|
| 124 |
I'd be very curious to learn what your reactions are to what I've done |
| 125 |
and would like to do plus any pointers or gotchas to avoid that you |
| 126 |
would care to share. |
| 127 |
|
| 128 |
Thank you for replying to my open ended broadcast. :- |
| 129 |
|
| 130 |
|
| 131 |
|
| 132 |
-- |
| 133 |
Grant. . . . |
| 134 |
unix || die |
Archives