DRNJ

h3. IPSec

In my previous note I described how to get IPSec working to encrypt wireless or other traffic. I managed to get it working with triple-DES encryption but I could not get it to tunnel when using AES (and SHA1 hash). I particulary wanted to get this working to be able to tunnel my mobile-broadband connection back to base and from there out to the internet – who knows who snoops your mobile broadband traffic !

After some time playing I saw error messages in my unix log concerning MTU. So I searched and found an article about reducing MTU sizes on windows.

I reduced my MTU size to 1420 bytes and…voila…AES encryption/tunnelling works !

Simples.

Hot News

The information below works on Windows-XP. For Vista, I cannot make the MS client config tunnel an IPSec connection (I even tried to follow this and failed !). However, I have found two IPSec client programs which run under vista and will tunnel a connection

• Fortinet client
• The GreenBow Ipsec Client
• ShrewSoft VPN Client

I have tried both and I prefer the Fortinet client. N.B. I did have an issue with Fortinet and my anti-virus/firewall (Comodo) where a laptop-hibernate would cause a blue-screen on wake-up. A re-install of Fortinet and using the latest Comodo software seems to have cured it.

So, now we can secure wireless for Vista and XP.

Introduction

When wireless networks (802.11B) started to be deployed little thought was given to unauthorised use of these networks or snooping of traffic. After all, with wired ethernet connection people gave scant regard to security at the data link layer so “why worry about wireless”.

Then along came WEP, an encryption technology for wireless connections. Unfortunately it turned out to be easy to crack. So it was tweaked and along came WPA, which proved slightly harder to crack, and then WPA2.

These encryption technologies have been widely adopted by the user community, however, as they are fairly-easy to crack, this leaves all wireless networks vunerable, and vunerable in two ways. The first is unauthorised usage of a wireless network and secondly snooping of a user’s wireless network traffic (ideal for phishing). Worse still, it can prove troublesome to configure WEP or WPA to work correctly so many users simply don’t bother and leave their networks (and laptops) wide open.

So what’s the solution ? This is where IPSec comes into its own. IPSec is an augmentation to the standard tcp/ip protocol which allows for fully encrypted communication using some of the strongest (i.e. hard to crack) public cryptography around. Again, unfortunately, it is not straightforward to configure IPSec, especially for a Windows system.

And now for the good news ? This article will show you how to configure and use IPSec on a windows system (with a little help from a unix gateway) to encrypt and protect your wireless traffic.

N.B. This article will not explain how IPSec works nor encryption – that’s left to the reader to google and read. An excellent introduction to IPSec and openswan is given in a book by <a href=”http://www.amazon.com/Building-Integrating-Virtual-Networks-Openswan/dp/1904811256″>Wouters and Bantoft</a> and this article is based on their chapter about <a href=”http://www.wavesec.org”>’WaveSEC'</a>.

Example Config

This article assumes that you have a wireless laptop with IP address 192.168.1.100, a unix gateway with a wireless interface on 192.168.1.1 and a second interface 192.168.2.1 connected to an internet router.

What You Will Need

• What you will need for this example are
  Unix platform running Openswan as your gateway
• Unix platform with OpenSSL installed
• Laptop running Windows + an IPSec VPN Client (see above)

Openswan is a free implemenation of IPSec which runs on (and in) unix.

Openswan (and Windows) can be configured to work with Public Key encryption via X.509 certificates and these can be built using the OpenSSL product under linux.

IPSec Encryption, Keys and X.509

To make IPSec work with Public Key encryption you need to (simplistically) have a public key with which to encrypt data and a private key to decrypt data. This can be done by ‘making’ an X.509 certificate which contains public key information and a private key by using the openssl tool under linux. In addition, due to the way the public key infrastructure (PKI) works you will also need a ‘Certificate Authority’ (CA) X.509 certificate (alternatively, you could pay one of the public CAs to sign your certificate). An excellent article on how to make certificates was been written by Nate Carlson which should be read and followed before proceeding. Unfortunately the ‘CA.sh’ script seems to have been modified in the latest release of openssl and does not seem to build the certificates correctly – the workaround – use an earlier version (0.9.7a works for me).

So, to make it work follow Nate’s article to produce a CA and then two certificates/keys – one for the gateway and one for your windows machine. Turn the windows info into a ‘.p12’ file following Nate’s method. For, example, the certificates/keys are named:

• cacert.pem for the CA certificate
• gw.pem for the gateway certificate
• gw.key for the gateway private key
• laptop.pem for the laptop certificate
• laptop.key for the laptop private key
• laptop.p12 for the combined cert/key for the laptop

Configuring the Gateway

You need to copy the CA certificate and then the gateway certificate and private key to the relevant place:

Copy cacert.pem to /etc/ipsec.d/cacerts
Copy gateway.pem to /etc/ipsec.d/certs
Copy gateway.key to /etc/ipsec.d/private

Edit /etc/ipsec.secrets and enter just the single line

: RSA /etc/ipsec.d/private/gateway.key "private-key-password"

Ensure the private key password (you entered this when creating the certificate/key in the previous section) is correctly entered and enclosed in double quotes.

Edit /etc/ipsec.conf and change the contents to

version 2.0
# conforms to second version of ipsec.conf specification
#basic configuration
config setup
#interfaces="ipsec0=vlan1 ipsec1=br0"
#nhelpers=0
conn wireless
type=tunnel
authby=rsasig
auto=add
left=192.168.1.1
leftsubnet=0.0.0.0/0
leftcert=gateway.pem
rightrsasigkey=%cert
right=%any
rightca=%same
pfs=yes
ikelifetime=5h
# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Restart IPSec on the gateway and then it will be ready to encrypt traffic.

The line #interfaces… is commented out in this example. The explanation is complicated…see the notes at the foot of this article.

Importing Certificates on the Laptop

Copy the laptop.p12 file to the laptop. Run up MMC (Start..Run..MMC). Then use File->Add/Remove Snap-In, click the Add button and select ‘Certificates’. On the next dialog select ‘Computer Account’, on the next dialog ‘Local Computer’. Click ‘Finish’ and close this dialog. You now have MMC configured to manage certificates.

Right click ‘Persona’ and then ‘All Tasks -> Import’. Select the ‘laptop.p12’ file you created earlierand click ‘Next’. Then enter the password you created for this file and click Next. Then select the ‘Automatically select the certificate store based on the type of certificate. Then next, this should load you certifcate (and CA certifcate) into the Windows certificate store. You can try finding the certifcates in the ‘Personal’ and ‘Trusted Roout Certification Authorities’ folders within MMC

Configure Laptop to use IPSec

Configure Shrewoft VPN Client

TLDR coming soon

Checking the Connection Comes Up

On the unix gateway (as root) do ‘tail /var/log/secure’ (or whatever ‘secure’ log files are configured). There should be messages concerning IPSec and there should be a message containing ‘IPSec SA established’ – this means that an IPSec Security Association has been established – you are securely tunneling your data from the laptop to the unix gateway ! On the laptop you should be able to now browse the internet securely.

KLIPS and NETKEY

Interestingly, I can make a tunnel to my Centos 4 linux platform – that implementation uses KLIPS. Centos 5 uses NETKEY and I cannot make a tunnel to it (using an identical ipsec.conf to Centos 4). I found a newsgroup posting (my Mr Wouters [see above] I think) that the NETKEY implementation in linux 2.6 kernels may not work properly (either that or I don’t know what I’m doing !).

But then I installed Kubuntu 8 and….now IPSec and Netkey and tunnelling work !

Natting

As I said earlier I want to use the tunnel to connect my laptop to the internet securely. Once I got the tunnel up everything seemed fine but on the gateway machine I could only see encryption happening in one direction (do tcpdump eth0 and look for ESP packets). What is happening on the LAN is that the tunnel is made for the outbound packet but for the reverse the broadband router knows how to send the packet directly back to my laptop – it has no knowledge of the ipsec gateway.

So, to get encryption in both directions I needed to set the gateway to NAT the outgoing request. I used the following commands to do this (you may need to use eth0 or whatever your interface is)

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth1
-j MASQUERADE

Notes

The interfaces line in the ipsec.conf article is commented out above. This line is needed depending on which version of IPSec you are using – either KLIPS or NETKEY. I don’t wish to go in to details here, suffice to say, on a KLIPS version here I needed this line to tell IPSec which of the network interfaces I wanted to use. See the references and “google” “Ipsec KLIPS ipsec=0” for futher information