Chapter 12. Tunnels

Table of Contents

12.1. IPsec (IP Security)
12.1.1. Introduction
12.1.1.1. Integrity checking
12.1.1.2. Encryption
12.1.1.3. Authentication
12.1.2. Setting up IKE-managed IPsec connections
12.1.2.1. Global IKE parameters
12.1.2.2. IKE proposals
12.1.2.3. IKE connections
12.1.2.3.1. IKE connection mode and type
12.1.2.3.2. IKE proposal lists
12.1.2.3.3. Authentication and IKE identities
12.1.2.3.4. IP addresses
12.1.2.3.5. Routing
12.1.2.3.6. Other parameters
12.1.2.3.7. NAT Traversal
12.1.3. Setting up Manual Keying
12.1.3.1. IP endpoints
12.1.3.2. Algorithms and keys
12.1.3.3. Routing
12.1.3.4. Other parameters
12.1.3.5. Tunnelling to a non-FireBrick device using Manually-Keyed IPsec
12.1.4. Remote connection - IPsec and L2TP
12.1.5. Choice of IPsec algorithms
12.2. FB105 tunnels
12.2.1. Tunnel wrapper packets
12.2.2. Setting up a tunnel
12.2.3. Viewing tunnel status
12.2.4. Dynamic routes
12.2.5. Tunnel bonding
12.2.6. Tunnels and NAT
12.2.6.1. FB2500 doing NAT
12.2.6.2. Another device doing NAT
12.3. Ether tunnelling

The FB2500 supports the following tunnelling protocols :-

IPsec is an implementation of the IPsec protocol and IKEv2 key management protocol, as defined in various RFCs. This provides the means to authenticate and encrypt traffic sent over a public communication channel (such as the Internet).

L2TP client functionality enables tunnelled connections to be made to an L2TP server

Ether tunnelling provides a mechanism to tunnel layer 2 ethernet traffic between two devices, using the protocol defined in RFC3378.

Support for FB105 tunnels means the FB2500 can inter-work with existing FB105 hardware. FB105 tunnels can also be set up between any two FireBricks from the FB2x00 and FB6000 ranges which support FB105 tunnelling.

12.1. IPsec (IP Security)

12.1.1. Introduction

One of the uses of IPsec is to create a private tunnel between two places. This could be two FireBricks, or between a FireBrick and some otehr device such as a router, VPN box, Linux box, etc.

The tunnel allows traffic to IP addresses at the far end to be routed over the Internet in secret, encrypted at the sending end and decrypted at the receiving end.

IPsec can also be used to set up a VPN between a roaming client and a server, providing security for working-at-home or on-the-road scenarios. This usage is known as Road-Warrior. The FireBrick IPsec implementation will support this usage scenario, but the implementation is not yet complete.

There are three main aspects to IP Security: integrity checking, encryption and authentication.

12.1.1.1. Integrity checking

The purpose of integrity checking is to ensure that the packets of data when received are identical to when transmitted - i.e. their contents have not been tampered with en route.

There are a number of algorithms that can be used. They all use a key which is known only to the two ends of the communication. The key is typically a sequence of random-looking bytes, usually expressed in hex notation.

Integrity checking on its own does not stop someone snooping on the contents of the packets, it just makes sure that they are not tampered with on the way (as only someone with knowledge of the key could change the data without invalidating it).

12.1.1.2. Encryption

The purpose of encryption is to change the data when it is sent such that nobody snooping on the packet can make sense of it. There are different algorithms, offering different levels of security. Encryption similarly involves a key which is known only to the two ends of the communication.

IPsec provides two ways to encapsulate data - AH (Authentication Header) which integrity checks the packet data and also some of the header fields (IP addresses), and ESP - which both encrypts and integrity checks the payloads.

12.1.1.3. Authentication

Authenticaion is a mechanism for ensuring that the two end users of a communication channel trust that they are who they think they are. Neither encryption nor integrity checking alone can do this. To ensure that you are talking to the correct person and not someone else masquerading as them, and to be sure nobody else can read your communications, you need to be sure that keys used for integrity checking and encryption are only known to the two (real) endpoints. Authentication can prevent a "Man-in-the-Middle" attack, where someone who knows the keys can set himself up between the two endpoints, and without their knowledge can masquerade as the other endpoint to each end. Note that a Man in the Middle can both read the data and modify it, without either of the endpoints being aware that this has happened.

It is worth noting that there is scope for confusion in the use of the term Authentication. It is sometimes also used to mean integrity checking, and indeed the "Authentication Header" (AH) should really be known as the Integrity Check Header!

IPsec can be used in what is known as manual-keying mode. When used this way, both endpoints need to trust each other, and choose and agree on the integrity and encryption keys to be used, using some private mechanism which they know to be secure, before the IPsec connection is configured. For example, the system administrators may already know each other, and may arrange to meet in private and exchange keying information (which they trust they will not divulge to anyone else), and then configure their FireBricks to use the agreed keys.

Choosing and configuring the algorithms and keys, as well as any other required connection parameters for a link is a complex business, and also has its own security implications, as you must install the same parameters, including the keys, at both ends of the link while at the same time ensuring the keys remain accessible only to the two ends. If you use any form of communication to do this and that communication channel is not itself secure, you have potentially lost your link security. For this reason there is a protocol known as IKE (Internet Key Exchange) which automatically negotiates and selects algorithms, keys and other parameters, and installs them at each end of the link, using a secure channel between the two systems. Public Key Cryptographic mechanisms are used to do this (using eg the Diffie-Hellman key exchange mechanism). This can be made secure by having the two ends of the link authenticate each other using for example X509 certificates, pre-shared secrets or other methods such as those supported by EAP (Extensible Authentication Protocol). It is still necessary to install these certificates, secrets or methods, obviously, but the configuration is simpler and more secure.

To set up a tunnel, it is necessary to configure the IP addresses of the endpoints, the algorithms to be used (and also the keys if using manual keying) and the required routing. The configuration for IKE connections and manual keying is handled differently, and will be discussed separately.

12.1.2. Setting up IKE-managed IPsec connections

First, an IKE configuration section needs to be added to the configuration if not already present, or edited if present. Select "Add: New: IPsec manually-keyed connection settings" or edit the exiting entry on the tunnel setup page.

12.1.2.1. Global IKE parameters

There are some global parameters affecting all connections which can be set on the main IKE entry. The logging options log, log-error, and log-debug can be used to steer IKE logging information which is not specific to a particular connection to a selected logging target.

The allow and trusted entries can be used to restrict IKE connections to particular IPs and/or IP ranges. An IKE connection setup request can potentially be received from any device, and setting up a connection involves some CPU-intensive calculations. The IKE implementation attempts to guard against the possibility of Denial-of-Service attacks from rogue devices requesting bogus connections by limiting the initial connection rate, but for added security the allow and trusted settings are provided. If either is set, only connections from the ranges listed are accepted, and connection requests from the trusted list are given higher priority.

There is also a Force-NAT option which will force the FireBrick to assume that remote devices on the list are behind NAT boxes. IKE has built-in NAT detetion so this option is rarely needed. See the separate section on NAT Traversal for more details.

12.1.2.2. IKE proposals

When IKE connections are negotiated, a selection of compatible algorithms and keys for integrity checking and encryption are selected. The initiating end of the connection provides proposals of various combinations of algorithms it is willing to use, and the responding end picks a suitable set. The IKE implementation has built-in default proposal lists, which are suitable for normal use, but for tighter control further proposals can be configured. An IPsec IKE connection consists of two separate communication paths - the IKE control security association, and the IPsec data connection, and these have separate proposals, which are configured using the Proposal for IKE security association and Proposal for IPsec AH/ESP security association sections. See the later discussion on algorithms for further details.

12.1.2.3. IKE connections

To set up a new IKE connection, select "Add: New: IKE connections" in the IKE configuration page.

There are a large number of options available for configuring a connection, but the majority can usually be left at their default settings.

12.1.2.3.1. IKE connection mode and type

Three connection modes are currently supported: Wait provides a dormant connection, which will only be set up when the remote peer initiates the connection; Immediate provides a connection which the local FireBrick attempts to initiate immediately; On-demand provides a connection which is only set up when the local FireBrick detects that it has traffic to send over the tunnel.

A Wait-mode connection is useful when the remote IP is not known - for example when it may change if the remote device moves to a different network or is behind a NAT device.

The IKE connection type is AH or ESP. ESP is by far the most commonly used, as it provides both integrity checking and encryption of traffic. AH provides integrity cheecking only, so data is transmitted in plaintext. AH does provide a very slight extra level of security, as the IP addresses of the tunnel encapsulation packets are also integrity checked. However, this is (a) incompatible with usage over NAT and (b) rather illusory, as with IKE the whole connection is authenticated at setup, so the remote peer is already known to be valid.

12.1.2.3.2. IKE proposal lists

Algorithms and proposals are discussed in more detail below. Normally, these can be left blank causing the default proposals to be used. If required, the IKE proposal list and/or the IPsec proposal list can configured. Each consists of a list of names of proposals which have been configured under the top IKE configuration section.

12.1.2.3.3. Authentication and IKE identities

IKE authenticates each end of a connection using the connection's IKE identity. The identity is chosen when configuring each end, and can be specified in different ways, using the following syntax:

  • IP:ip-address : an IPv4 or IPv6 address (eg IP:123.45.67.8)
  • DOMAIN:domain : a dot-separated domain (eg DOMAIN:firebrick.co.uk)
  • MAILADDR:email-address : an email address (eg MAILADDR:fred@somewhere.com)
  • KEYID:string : any unstructured string (eg KEYID:This is my IKE ID)

It is common to use a peer's real IP address as its IKE ID, and to avoid repetition specifying the ID in the form "IP:" (ie omitting the IP address) will use the actual IP address. Note that there is no requirement for the IP address specified to actually be the real IP address - it is used solely for identification. Similarly, if the DOMAIN or MAILADDR forms of ID are used there is no requirement for the domain or mail address to actiually be associated with the peer.

During the connection setup phase, these IDs are used to authenticate the two ends to each other. Each peer passes its ID to the other end of the connection, in an encrypted and signed format. On receiving an ID it is checked (a) to confirm that it is the expected ID and (b) to confirm that the signature is valid. The signing process can be performed using X.509 certificates, public keys (eg RSA digital signatures) or pre-shared keys.

Note that currently the FireBrick implementation only supports pre-shared secret authentication. A pre-shared secret must be entered in the configuration at each end. Note that the authentication of each peer to the other is performed independently, and need not use the same method - eg (when implemented) one may authenticate using a certificate and the other using a pre-shared secret. Even when both are using a pre-shared secret they may use different secrets to authenticate each other, and this is provided for in the configuration.

12.1.2.3.4. IP addresses

The peer-ips item is normally set to the IP of the peer when this is known. It must be a single IP when the connection mode is Immediate or On-Demand, but for a mode Wait connection this may be left blank or specified as a permissible range. Note that in this case the identity the peer provides when it attempts to set up the connection will be used to select the matching configuration connection details. The local-ip is optional - if omitted the IP used by the peer to reach the FireBrick is used for a connection initiated remotely, and the FireBrick chooses a suitable source IP when it initiates a connection. You can also optionally specify an internal-ipv4 and/or an internal-ipv6 address. When specified, these addresses are used for the source address of the tunnelled packet when the FireBrick sends traffic it originates itself down the tunnel (unless the source address has already been specified by some other means). If these are not specified the FireBrick will use the tunnel's local-ip setting when appropriate.

Note that although obviously the tunnel endpoint addresses must be the same type of address (both IPv4 or both IPv6) the traffic sent through the tunnel may be IPv4, IPv6 or a mixture of the two.

12.1.2.3.5. Routing

You must configure routing to specify which traffic the FireBrick should send out through the tunnel. The routing configuration uses the same style as used elsewhere in FireBrick configuration. A simple set of IPs and/or IP ranges can be specified in the routes attribute, or for more complex routing a number of separate route elements can be added to the tunnel config. Metrics and the routing tables to be used may also be specified. The blackhole option can be set to ensure that traffic to be routed down the tunnel is discarded if the tunnel is not up. By default, the normal FireBrick routing rules could select an alternate inappropriate transmission path, thus compromising security.

12.1.2.3.6. Other parameters

A graph may be specified to monitor data through the tunnel. A speed may be set to rate-limit the traffic.

mtu can be used to specify a maximum MTU value for tunnelled packets. Packets longer than this size will be fragmented or rejected using the normal IP fragmentation mechanism before being encapsulated. Note that after encapsulation of a packet the resulting packet may become too large to transmit using the MTU of the path used to transmit the tunnel traffic, in which case the encapsulated packet will be fragmented as usual. In some situations (for example where there are intervening NAT devices) such fragments may be dropped. In this case, the mtu setting can be useful to reduce the maximum size of the inner packets, so the encapsulated packets do not themselves need to be fragmented.

tcp-mss-fixcan be set to attempt to avoid fragmentation in TCP sessions, by adjusting the TCP SYN header so that the negotiated TCP MSS will fit in the tunnelled MTU.

log, log-error and log-debug can be used to steer IKE logging information which is specific to this connection to a selected logging target.

12.1.2.3.7. NAT Traversal
Devices performing NAT (Network Address Translation) on the path between the connection peers can cause difficulties with IPsec operation. Since NAT changes source IP addresses, and these are checked if a type AH connection is used, AH is incompatible with NAT. A NAT device usually requires regular traffic to ensure dynamic address and port mappings are maintained. Additionally, some NAT devices incorrectly attempt to modify IPsec traffic en route. IKE attempts to work around these problems, by detecting whether there are any NAT devices in the transmission path, and modifying its behaviour accordingly. IKE ESP traffic is encapsulated in UDP packets using port numbers which faulty NAT devices will not treat specially, and keepalive packets are sent. Additionally, IKE will notice if a peer behind a NAT suddenly changes its IP address (as would happen eg if a NAT device was rebooted and lost its NAT mappings). This mechanism, known as NAT Traversal, is normally automatic if it is supported by the IKE implementations at both ends of the connection. There is a global IKE option force-NAT which can be used to specify IP ranges which should be assumed to have intervening NAT which can be used when the remote peer does not support NAT Traversal.

12.1.3. Setting up Manual Keying

To set up a new manually-keyed IPsec tunnel select "Add: New IPsec manually-keyed connection settings" on the tunnel setup page.

12.1.3.1. IP endpoints

The local-ip and remote-ip must both be configured. The local-ip is the source IP used by the FireBrick when sending tunnelled traffic, and the remote-ip is the IP of the device at the far end of the tunnel. You can also optionally specify an internal-ipv4 and/or an internal-ipv6 address. When specified, these addresses are used for the source address of the tunnelled packet when the FireBrick sends traffic it originates itself down the tunnel (unless the source address has already been specified by some other means). If these are not specified the FireBrick will use the tunnel's local-ip setting when appropriate. Note that although obviously the tunnel endpoint addresses must be the same type of address (both IPv4 or both IPv6) the traffic sent through the tunnel may be IPv4, IPv6 or a mixture of the two.

12.1.3.2. Algorithms and keys

Select the required encapsulation type - either AH (providing just authentication) or ESP (providing authentication and/or encryption). Select the required algorithms and choose appropriate keys. The key lengths depend on the selected algorithm according to the following table:

Table 12.1. IPsec algorithm key lengths

AlgorithmBytesHex digitsExample
HMAC-MD5163200112233445566778899AABBCCDDEEFF
HMAC-SHA120400102030405060708090A0B0C0D0E0F10111213
AES-XCBC16320F0E0C0D0B0A09080706050403020100
HMAC-SHA25632640102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
3DES-CBC244800112233445566778899AABBCCDDEEFF0011223344556677
blowfish163200112233445566778899AABBCCDDEEFF
blowfish-19224480102030405060708090A0B0C0D0E0F1011121314151617
blowfish-25632640102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
AES-CBC163200112233445566778899AABBCCDDEEFF
AES-CBC-19224480102030405060708090A0B0C0D0E0F1011121314151617
AES-CBC-25632640102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F

Note that in the current implementation the same key is used for both incoming and outgoing traffic. The same keys and algorithms must be configured at the remote end of the link.

The above keys are examples only. To reduce the possibility that your link could be compromised by keys becoming known or guessed you should generate them using a source of random or pseudo-random data. On a Unix/Linux system the command xxd can be used in conjunction with the /dev/random file. For example to generate a 20-byte key the command would be:

        xxd -len 20 -p /dev/random

You also need to configure an SPI (Security Parameter Index) for both the incoming and outgoing traffic. The SPI value is an integer from 256 to 232-1. These are configured as local-spi for incoming traffic and remote-spi for outgoing traffic. The local-spi uniquely identifies this IPsec connection, so must be distinct for all IPsec connections on this FireBrick. The current FireBrick implementation requires that the local SPI for manual connections to be in the range 256 to 65535. The incoming SPI must match the outgoing SPI of the far end of the link, and vice-versa.

12.1.3.3. Routing

You must configure routing to specify which traffic the FireBrick should send out through the tunnel. The routing configuration uses the same style as used elsewhere in FireBrick configuration. A simple set of IPs and/or IP ranges can be specified in the routes attribute, or for more complex routing a number of separate route elements can be added to the tunnel config. Metrics and the routing tables to be used may also be specified.

12.1.3.4. Other parameters

A graph may be specified to monitor data through the tunnel. A speed may be set to rate-limit the traffic. the mode should be set to the default (tunnel) for normal applications. Transport-mode IPsec is used in certain situations when the traffic to be encapsulated does not have its own IP header. With the current implementation the only use of this is when it is required to provide both AH and ESP protection to encapsulated packets; AH authentication with ESP encryption can provide marginally better authentication but is rarely used. To configure this, set up an ESP tunnel with just encryption, and set up a separate AH IPsec entry in transport mode. Each must have their own separate SPIs, and the ESP entry should have the outer-spi field set to the local-spi of the AH entry. The AH entry should have no IPs, routing, graph or speed set.

12.1.3.5. Tunnelling to a non-FireBrick device using Manually-Keyed IPsec

The FireBrick IPsec implementation should be compatible with any IPsec implementation providing manual keying, provided a common set of algorithms can be chosen. As an example, the configuration for a Linux system using the ipsec-tools package will be described.

Consider a tunnel between a FireBrick and a Linux system with the following setup:

  • FireBrick has IP address 192.168.1.1, Linux system has IP address 192.168.2.2
  • ESP encapsulation using HMAC-SHA1 authentication and AES-CBC encryption
  • Authentication key 0123456789012345678901234567890123456789
  • Encryption key 00010203040506070809101112131415
  • Incoming SPI 1000, Outgoing SPI 2000
  • FireBrick is providing connectivity for a local user subnet 10.1.1.0/24
  • Linux system is providing connectivity for a local user subnet 10.2.2.0/24

A suitable FireBrick xml config for this would be:

<ipsec
  local-ip="192.168.1.1" remote-ip="192.168.2.2"
  local-spi="1000" remote-spi="2000" type="ESP"
  auth-algorithm="HMAC-SHA1"
  auth-key="0123456789012345678901234567890123456789"
  crypt-algorithm="AES-CBC"
  crypt-key="00010203040506070809101112131415"
  routes="10.2.2.0/24" />

A corresponding ipsec-tools config file would be:

  flush;
  spdflush;

  add 192.168.2.2 192.168.1.1 esp 1000 -m tunnel
    -E rijndael-cbc 0x00010203040506070809101112131415
    -A hmac-sha1 0x0123456789012345678901234567890123456789;
  
  add 192.168.1.1 192.168.2.2 esp 2000 -m tunnel
    -E rijndael-cbc 0x00010203040506070809101112131415
    -A hmac-sha1 0x0123456789012345678901234567890123456789;

  spdadd 10.1.1.0/24 10.2.2.0/24 any
    -P in ipsec esp/tunnel/192.168.1.1-192.168.2.2/require;
  spdadd 10.2.2.0/24 10.1.1.0/24 any
    -P out ipsec esp/tunnel/192.168.2.2-192.168.1.1/require;
  

Note that rijndael is the name used by ipsec-tools for the AES algorithm.

12.1.4. Remote connection - IPsec and L2TP

Another common configuration is remote computer connections, such as a PC or mobile phone making a VPN (Virtual Private Network) connection to a FireBrick. This is similar to a tunnel, but one end is a single device not a whole network.

The connection is made using IPsec in the same way as a tunnel, but then there is a further step using L2TP to further authenticate the device. This uses PPP to set up IP addresses so normally means routing a single IP to the device, and a default route from the device.

Note

The configuration for this is not yet complete in the FireBrick. It will involve an IPsec configuration set up for a dynamic far end, and for connection to L2TP. You then configure L2TP with local authentication (or using RADIUS) to set up the L2TP level connection.

12.1.5. Choice of IPsec algorithms

Both authentication and encryption allow a choice of algorithms

Tip

The fastest encryption algorithm is Blowfish. The fastest authentication is null esp-auth, but you may prefer to pick one of the authentication protocols to avoid garbage packets being decrypted and processed.