| Chapter 12. Tunnels | ||
|---|---|---|
 |  | |
| Chapter 12. Tunnels | ||
|---|---|---|
| | | |
Table of Contents
The FB2900 supports the following tunnelling protocols :-
IPsec is an implementation of the IPsec protocol and IKEv2 key management protocol, as defined in various RFCs. This provides the means to authenticate and encrypt traffic sent over a public communication channel (such as the Internet).
L2TP client functionality enables tunnelled connections to be made to an L2TP server
Ether tunnelling provides a mechanism to tunnel layer 2 ethernet traffic between two devices, using the protocol defined in RFC3378.
Support for FB105 tunnels means the FB2900 can inter-work with existing FB105 hardware. FB105 tunnels can also be set up between any two FireBricks from the FB2x00 and FB6000 ranges which support FB105 tunnelling.
One of the uses of IPsec is to create a private tunnel between two places. This could be two FireBricks, or between a FireBrick and some other device such as a router, VPN box, Linux box, etc.
The tunnel allows traffic to IP addresses at the far end to be routed over the Internet in secret, encrypted at the sending end and decrypted at the receiving end.
IPsec can also be used to set up a VPN between a roaming client and a server, providing security for working-at-home or on-the-road scenarios. This usage is usually known as a Road Warrior connection. The FireBrick can be used as the server for Road Warrior connections; it cannot act as a Road Warrior client.
There are three main aspects to IP Security: integrity checking, encryption and authentication.
The purpose of integrity checking is to ensure that the packets of data when received are identical to when transmitted - i.e. their contents have not been tampered with en route.
There are a number of algorithms that can be used to implement integrity checking. They all use a key which is known only to the two ends of the communication. The key is typically a sequence of random-looking bytes, usually expressed in hex notation.
Integrity checking on its own does not stop someone snooping on the contents of the packets, it just makes sure that they are not tampered with on the way (as only someone with knowledge of the key could change the data without invalidating it).
The purpose of encryption is to change the data when it is sent so that nobody snooping on the packet can make sense of it. There are many different algorithms, offering different levels of security. Encryption similarly involves a key which is known only to the two ends of the communication.
IPsec provides two ways to encapsulate data - AH (Authentication Header) which integrity checks the packet data and also some of the header fields (IP addresses), and ESP (Encapsulation Security Payload) - which both encrypts and integrity checks the packet data.
Authentication is a mechanism for ensuring that the two end users of a communication channel trust that they are who they think they are. Neither encryption nor integrity checking alone can do this. To ensure that you are talking to the correct person and not someone else masquerading as them, and to be sure nobody else can read your communications, you need to be sure that keys used for integrity checking and encryption are only known to the two (real) endpoints. Authentication can help prevent a "Man-in-the-Middle" attack, where someone who knows the keys can set himself up between the two endpoints, and without their knowledge can masquerade as the other endpoint to each end. Note that a Man in the Middle can both read the data and modify it, without either of the endpoints being aware that this has happened.
There is scope for confusion in the use of the term Authentication. It is sometimes also used to mean integrity checking, and indeed the "Authentication Header" (AH) should really be known as the Integrity Check Header!
Choosing and configuring the IPsec algorithms and keys, as well as any other required connection parameters for a link is a complex task and also has its own security implications as compatible parameters, including the keys, need to be established at both ends of the link while at the same time ensuring the keys remain accessible only to the two ends. If you use any form of communication to do this and that communication channel is not itself secure, you have potentially lost your link security. For this reason there is a protocol known as IKE (Internet Key Exchange) which automatically negotiates and selects algorithms, keys and other parameters, and installs them at each end of the link, using a secure channel between the two systems. The FireBrick supports version 2 of the IKE protocol (IKEv2). IKE uses Public Key Cryptographic mechanisms to select the keys to be used, using the Diffie-Hellman key exchange mechanism. IKE also performs authentication between the two link endpoints using for example X.509 certificates, pre-shared secrets or other methods such as those supported by EAP (Extensible Authentication Protocol). It is still necessary to install suitable certificates, secrets or methods, obviously, but the configuration is simpler and more secure.
An IPsec IKE connection is established in two logical stages; first a secure control channel for the IKE negotiation is set up, and the peers authenticate each other using this channel, and then algorithms and keys to be used to secure the IPsec data are negotiated and exchanged using the secure channel. The control channel remains open during the lifetime of the connection, and is used to test the connection status, to cleanly close the link down, and also to periodically regenerate the algorithm key data (which mitigates the possibility that a third party has managed to crack the keys currently in use). During the first stage, the peers agree on algorithms to be used for integrity checking and encrypting the control channel, and additionally on algorithms to be used to securely generate the required keying data. These are agreed by the originating peer making a proposal, referred to below as the IKE proposal and the responding peer then selects the best algorithms which it supports. A similar, separate, proposal (referred to below as the IPsec proposal) is used to select the algorithms to be used for the IPsec data channel.
IPsec can also be used in what is known as manual-keying mode. When used in this way, IKE is not used; system administrators at each end of the link need to choose and agree on the integrity and encryption keys to be used, using some private mechanism which they know to be secure, before the IPsec connection is configured. For example, the system administrators may already know each other, and may arrange to meet in private and exchange keying information (which they trust they will not divulge to anyone else), and then configure their FireBricks to use the agreed keys. This is not a recommended approach as it it relies on the system administrators choosing good (ie random and unguessable) keys and keeping them secure. It also provides no way to automatically regenerate the keys regularly.
To fully appreciate the mechanism of authentication, it is necessary to understand the concept of IKE Identities. Each end of an IPsec/IKE peering has an identity, and the purpose of the IKE authentication process is to establish the identity to the peer - ie prove to the peer that you are the identity you proclaim to be. An IKE identity can take one of a variety of forms - it may be an IP address (IPv4 or IPv6), an email address, a domain name or a key identifier. It is important to understand that these forms are, in a sense, notional - you do not have to actually be addressable using a particular IP to proclaim it as your identity, nor do you have to be contactable by an email address if that form is used, nor does a domain name need to be resolvable to your IP address (or, indeed, resolvable at all). This is not unlike the use of personal names, at least in the UK, where you do not have to use your official birth certificate name - you can use any name provided that you can prove that you are associated with that name.
Each end of an IKE connection authenticates itself to its peer by signing a block of data which includes its identity along with other connection-specific data. Depending on the authentication method, the signature is generated using a pre-shared secret, a private key associated with an X.509 end-entity certificate, or a key determined by an EAP exchange.
If a peer authenticates using a pre-shared secret, you trust he is who he says he is simply by virtue of his knowledge of the secret. With certificates the situation is more complex: a successful signature verification using a certificate simply proves that the peer has the private key associated with the certificate used. To accept the authentication you also need to trust the certificate - ie you need to believe that the certificate does indeed belong to the peer. One way to do this is to use a self-signed end-entity certificate - in this case your peer gives you a copy of his certificate in advance, and you choose to trust it on this basis. To avoid needing to install a separate certificate for every peer you may need to authenticate with, it is more normal to have a chain of trust - you elect to trust a certificate from a certificate authority (CA), and you then implicitly trust any certificates which have been signed by that authority using that certificate (and in turn any subordinate certificates signed by these) without needing to explicitly install any of them beforehand. In other words, you are trusting that the CA (and any intermediates) who issued the certificate checked that the intended owner was entitled to use the certificate before issuing it. A certificate includes various data items including the identity of the owner, so the final step in the authentication check using a certificate is to confirm that the certificate used is valid, and its owner identity matches the IKE identity claimed by the peer.
First, an IPsec configuration section needs to be added to the configuration if not already present, or edited if present. Select "Add: New: IPsec connection settings" or edit the exiting entry on the tunnel setup page.
There are some global parameters affecting all connections which can be set on the main IPsec entry.
The logging options log, log-error, and log-debug can be used to steer logging information which is not specific to a particular connection to a selected logging target.
The allow and trusted entries can be used to restrict IKE connections to particular IPs and/or IP ranges. An IKE connection request can potentially be received from any device, and setting up a connection involves some CPU-intensive calculations. The IKE implementation attempts to guard against the possibility of Denial-of-Service attacks from rogue devices requesting bogus connections by limiting the initial connection rate, but for added security allow and trusted settings are also provided. Connections from IPs in either of the two lists are always accepted, and those in the trusted list are processed at higher priority. If an allow list has been set, connection attempts from IPs not in the allow or trusted lists are not accepted.
There is also a Force-NAT option which will force the FireBrick to assume that remote devices on the list are behind NAT boxes. IKE has built-in NAT detection so this option is rarely needed. See the separate section on NAT Traversal for more details.
When IKE connections are negotiated, a selection of compatible algorithms and keys for integrity checking and encryption are negotiated. The initiating end of the connection provides proposals of various combinations of algorithms it is willing to use, and the responding end picks a suitable set. The IKE implementation has built-in default proposal lists, which are suitable for normal use, but for tighter control further proposals can be configured. An IPsec IKE connection consists of two separate communication paths - the IKE control security association, and the IPsec data connection, and these have separate proposals, which are configured using the Proposal for IKE security association and Proposal for IPsec AH/ESP security association sections. See the later discussion on algorithms for further details.
IKE Road Warrior connections provide the ability for users to set up a VPN for remote access to a network. When a client connects an IPv4 and/or IPv6 address and other network data are allocated and communicated to the client for the duration of the connection. The details are configured in a roaming pool section, which can be referenced from one or more IKE connection sections. The pool of IPv4 and/or IPv6 address ranges for allocation needs to be configured here, and optionally a list of addresses of DNS and/or Windows NetBios name servers (NBNS) can be configured. If the IP address(es) to be assigned are not fully addressable on the internet, and the client is to be given internet access in addition to access to the local server network, the nat option can be given to make the FireBrick perform network address translation on sessions initiated by the client.
Note that there is a restriction on the total number of IPs (both IPv4 and IPv6 combined) of approximately 65536 addresses - ie a single IPv4 range of /16, or a single IPv6 range of /112.
To set up a new IKE connection, select "Add: New: IKE connections" on the IPsec configuration page.
There are a large number of options available for configuring a connection, but the majority can usually be left at their default settings.
Three connection modes are currently supported: Wait provides a dormant connection, which will only be set up when the remote peer initiates the connection; Immediate provides a connection which the local FireBrick attempts to initiate immediately; On-demand provides a connection which is only set up when the local FireBrick detects that it has traffic to send over the tunnel.
A Wait-mode connection is useful when the remote IP is not known - for example when it may change if the remote device moves to a different network or is behind a NAT device. Road Warrior connections must be Wait-mode; other connections may use any mode. It is permissible (and common) to set both ends to Immediate-mode - IKE will happily allow the connection to be initiated by either end, and will close a duplicate connection if set up simultaneously by both ends.
The IKE connection type is AH or ESP. ESP is by far the most commonly used, as it provides both integrity checking and encryption of traffic. AH provides integrity cheecking only, so data is transmitted in plaintext. AH does provide a very slight extra level of security, as the IP addresses of the tunnel encapsulation packets are also integrity checked. However, this is (a) incompatible with usage over NAT and (b) rather illusory, as with IKE the whole connection is authenticated at set up time, so the remote peer is already known to be valid.
Algorithms and proposals are discussed in more detail below. Normally, these can be left blank causing the default proposals to be used. If required, the IKE proposal list and/or the IPsec proposal list can configured. Each consists of a list of names of proposals which have been configured under the top IPsec configuration section.
The FireBrick supports three authentication methods:
The auth-method setting specifies how the FireBrick authenticates itself to the peer, and the peer-auth-method setting specifies how the peer authenticates itself to the FireBrick. Note that the authentication of each peer to the other is performed independently, and need not use the same method - eg one may authenticate using a certificate and the other using a pre-shared secret or EAP. Common arrangements are for both to use the pre-shared key method, for both to use certificates or (typically for Road Warrior setups) for one (the server) to use a certificate and the other to use EAP.
IKE authenticates each end of a connection using the connection's IKE identity. The identity is chosen when configuring each end, and can be specified in different ways, using the following syntax:
DOMAIN or DNS are also accepted as alternatives for FQDN, and MAILADDR, MAIL or RFC822 are accepted as alternatives for EMAIL.
It is common to use a peer's real IP address as its IKE ID, and to avoid repetition the ID can be specified in the form "IP:" (ie omitting the IP address) to use the actual IP address. Note that if an IP address is specified there is no requirement for it to actually be the real IP address - it is used solely for identification. Similarly, if the FQDN or EMAIL forms of ID are used there is no requirement for the domain or email address to actually be associated with the peer or even to exist at all.
If the prefix (IP:, FQDN: etc) is omitted in the identity, the FireBrick chooses the most appropriate type, based on the syntax of the identity used.
During the connection set up phase, these IDs are used to authenticate the two ends to each other. Each peer passes its ID to the other end of the connection, in an encrypted and signed form. On receiving an ID it is checked (a) to confirm that it is the expected ID and (b) to confirm that the signature is valid.
If auth-method is Secret, the secret option should be set to the required secret using a free-form text string of arbitrary length. Note that the usual guidelines when choosing passwords should be followed to reduce the chance of the secret becoming compromised; a long string is recommended. If peer-auth-method is Secret the peer-secret option should be set to the secret used by the peer for authentication, or may be left blank in the common case where the local and peer secrets are the same. If certificate-based authentication is used, the certlist and peer-certlist options can be used to specify which certificates are to be used, or may be left blank in which case the the FireBrick looks for any suitable certificate in its certificate store. The use of certificates is discussed further below. If EAP authentication is used the EAP details (usernames, passwords etc) must be specified elsewhere in the EAP configuration section of the FireBrick config under the top-level User Access Control tem. The query-eap-id flag can be set to determine whether the client's IPsec identity should be used as the EAP identity or the client will provide a separate EAP identity when queried. The default setting is true, indicating that a separate EAP identity will be requested. Some EAP clients may require this to be set to false.
The peer-ips item is normally set to the IP of the peer when this is known. It must be a single IP when the connection mode is Immediate or On-Demand, but for a mode Wait connection this may be left blank or specified as a permissible range. Note that in this case the identity the peer provides when it attempts to set up the connection will be used to select the matching configuration connection details. The local-ip is optional - if omitted the IP used by the peer to reach the FireBrick is used for a connection initiated remotely, and the FireBrick chooses a suitable source IP when it initiates a connection. You can also optionally specify an internal-ipv4 and/or an internal-ipv6 address. When specified, these addresses are used for the source address of the tunnelled packet when the FireBrick sends traffic it originates itself down the tunnel (unless the source address has already been specified by some other means). If these are not specified the FireBrick will use the tunnel's local-ip setting when appropriate.
Note that although obviously the tunnel endpoint addresses must be the same type of address (both IPv4 or both IPv6) the traffic sent through the tunnel may be IPv4, IPv6 or a mixture of the two.
Apart from Road Warrior connections, you must configure routing to specify which traffic the FireBrick should send out through the tunnel. The routing configuration uses the same style as used elsewhere in FireBrick configuration. A simple set of IPs and/or IP ranges can be specified in the routes attribute, or for more complex routing a number of separate route elements can be added to the tunnel config. Metrics and the routing tables to be used may also be specified. The blackhole option can be set to ensure that traffic to be routed down the tunnel is discarded if the tunnel is not up. If not set, the normal FireBrick routing rules could select an alternate inappropriate transmission path, thus compromising security.
A graph may be specified to monitor data through the tunnel. A speed may be set to rate-limit the traffic.
mtu can be used to specify a maximum MTU value for tunnelled packets. Packets longer than this size will be fragmented or rejected using the normal IP fragmentation mechanism before being encapsulated. Note that after encapsulation of a packet the resulting packet may become too large to transmit using the MTU of the path used to transmit the tunnel traffic, in which case the encapsulated packet will be fragmented as usual. In some situations (for example where there are poorly implemented intervening NAT devices) such fragments may be dropped. In this case, the mtu setting can be useful to reduce the maximum size of the inner packets, so the encapsulated packets do not themselves need to be fragmented.
tcp-mss-fix can be set to attempt to avoid fragmentation in TCP sessions, by adjusting the TCP SYN header so that the negotiated TCP MSS will fit in the tunnelled MTU.
log, log-error and log-debug can be used to steer IKE logging information which is specific to this connection to a selected logging target.
dead-peer-detect can be set to the period (in seconds) used between checks that the connection is still live (ie the peer is responding). It defaults to 30 for normal connections, and 0 (off) for Road-Warrior connections. lifetime can be set to the period required between rekeying. The default is 1:00:00 (1 hour). The FireBrick will renegotiate the connection shortly before it reaches this period since the last renegotiation. Note that if dead-peer-detection is set to 0 (off) a dead peer will not be noticed until renegotiation is attempted.
To set up a new manually-keyed IPsec tunnel select "Add: New IPsec manually-keyed connections" on the top-level IPsec setup page.
Select the required encapsulation type - either AH (providing just authentication) or ESP (providing authentication and/or encryption). Select the required algorithms and choose appropriate keys. The key lengths depend on the selected algorithm according to the following table:
Table 12.1. IPsec algorithm key lengths
| Algorithm | Bytes | Hex digits | Example |
| HMAC-MD5 | 16 | 32 | 00112233445566778899AABBCCDDEEFF |
| HMAC-SHA1 | 20 | 40 | 000102030405060708090A0B0C0D0E0F10111213 |
| AES-XCBC | 16 | 32 | 0F0E0C0D0B0A09080706050403020100 |
| HMAC-SHA256 | 32 | 64 | 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F |
| 3DES-CBC | 24 | 48 | 00112233445566778899AABBCCDDEEFF0011223344556677 |
| blowfish | 16 | 32 | 00112233445566778899AABBCCDDEEFF |
| blowfish-192 | 24 | 48 | 000102030405060708090A0B0C0D0E0F1011121314151617 |
| blowfish-256 | 32 | 64 | 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F |
| AES-CBC | 16 | 32 | 00112233445566778899AABBCCDDEEFF |
| AES-192-CBC | 24 | 48 | 000102030405060708090A0B0C0D0E0F1011121314151617 |
| AES-256-CBC | 32 | 64 | 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F |
Note that in the current implementation when using manual keying the same key is used for both incoming and outgoing traffic. The same keys and algorithms must be configured at the remote end of the link.
The above keys are examples only. To reduce the possibility that your link could be compromised by keys becoming known or guessed you should generate them using a source of random or pseudo-random data. On a Unix/Linux system the command xxd can be used in conjunction with the /dev/random file. For example to generate a 20-byte key the command would be:
xxd -len 20 -p /dev/random
You also need to configure an SPI (Security Parameter Index) for both the incoming and outgoing traffic. The SPI value is an integer from 256 to 232-1. These are configured as local-spi for incoming traffic and remote-spi for outgoing traffic. The local-spi uniquely identifies this IPsec connection, so must be distinct for all IPsec connections on this FireBrick. The current FireBrick implementation requires that the local SPI for manual connections to be in the range 256 to 65535. The local-spi must match the outgoing SPI of the far end of the link, and vice-versa.
Routing for manually-keyed IPsec connections is the same as for IKE connections as described above.
EAP is typically used in conjunction with certificates to authenticate a Road Warrior connection. The FireBrick can act as a Road Warrior server, and uses EAP methods to authenticate the clients. During the authentication process the client sends a user identity (typically a username) and an encoded password to the FireBrick, and the FireBrick checks the username/password combination is valid. The FireBrick would normally be configured to use a certificate to authenticate itself to the client. A single Road Warrior IKE connection item can support multiple clients connecting at the same time; each client will be dynamically allocated a different IP address. Each user should be given a separate EAP username/password entry.
EAP usernames and passwords are configured under the top-level User Access Control section of the config. Select Users icon on the config web edit page, and enter the required details under the section User access control via EAP. Currently two EAP methods are supported - MD5 and MSChapV2; at least one of these is normally supported by Road Warrior clients. Note that MSChapV2 is more secure than MD5, and is the most commonly used, though it is rather an arcane method with known weaknesses. The subsystem item in the EAP config should be set to IPsec.
The EAP authentication process involves a number of interchanges between the client and server. These take place using the IKE control channel, so although at this stage the server does not yet know the identity of the client connecting (indeed it is the purpose of the EAP interchange to achieve this), the path to the client is secure and encrypted so a third party cannot snoop on the authentication.
The FireBrick IPsec/IKE implementation supports authentication of tunnel endpoints using X.509 certificates. The FireBrick may authenticate itself to its peer using a certificate and private key installed on the FireBrick, and similarly the peer may authenticate itself to the FireBrick using a certificate trusted by the FireBrick.
The FireBrick has an internal secure storage area for holding certificates and private keys. This is held separately from the main FireBrick configuration, and is managed through the UI by selecting the Certificates section in the Config menu. Certificates may be uploaded to the FireBrick, downloaded and deleted, and private keys may be uploaded and deleted. Note that, for security, it is not possible to download a private key once installed; the only use to which a private key can be put is to allow an end-entity certificate to sign data - in particular the IPsec/IKE authentication data payloads.
The FireBrick has an ACME client which allows it to install certificates automatically with a recognised public Certificate Authority. This greatly simplifies the process.
In most cases, all that is needed it to ensure the FireBrick can be accessed via port 80 on a public IP address using a proper public hostname. This is the hostname and ID used for the IPsec connection. Once you have done this, simply add the hostname to the acme-hostname field, and your email address in the acme-terms-agreed-email field, in the system config. This will cause an automatic ACME certificate issue using Let's Encrypt, adding private key pairs for the letsencrypt.org account and the domain and then adding the certificate and any intermediate certificates for IPsec (and HTTPS) to work.
acme-terms-agreed-email field you are indicating that you agree to the terms and conditions of the Certificate Authority being used.
This may include publishing a list of certified domain names, and sending emails for changes of terms, etc.
ACME is an automated system for the issuing of X.509 certificates for HTTPS (and other) use. The FireBrick can work as an ACME client to obtain certificates and is preset to use Let's Encrypt's free certificate issuing service, and automatically renew certificates. You can change settings to use an alternate ACME server if you pefer.
letsencrypt.org and one matching the hostname for the certificate name. If such keys exist then they are used instead of making new keys when requesting a certificate.
If you do not load your own keys, the FireBrick makes keys internally. You can disable automatic key generation by setting acme-keygen false.
When a certificate is installed on the FireBrick, a short local name must be chosen to accompany it. This name appears in the certificate store contents list but need bear no relation to the actual certificate identity. The local names are displayed on the UI certificate configuration page, and are also used to form the filename (with .pem or .crt appended) when downloading the certificate from the FireBrick. The local names can also be used if desired in the IKE connection certlist and peer-certlist items to select the certificates to be used for a specific connection.
The FireBrick allows HTTP and HTTPS access, however, it needs a certificate loading before you can enable HTTPS. In the future the FB2900 will have a pre-installed HTTPS key which can be used to enable HTTPS. If accessing via HTTP and not HTTPS, uploading a private key should only be done from a locally-connected device where the security of the connection can be guaranteed - ideally using a direct ethernet cable or possibly a secure encrypted WiFi link - as the key data is transmitted in the clear.
There are a number of different formats in use for holding certificates and private keys. The FireBrick accepts standard DER-format (binary) and PEM-format (base64 armoured text) X.509 certificates, and DER-format and unencrypted PEM-format private keys in raw or PKCS#8 form, as generated by utilities such as OpenSSL. PKCS#7 and PKCS#12 format certificates and certificate bundles are not recognized by the FireBrick; these should be split up into their component parts (eg using OpenSSL) before being uploaded to the FireBrick. Note that private keys must not be encrypted (ie should not need a passphrase to access them). Again, OpenSSL can be used to unencrypt and remove a passphrase from a private key before upload. When downloading a certificate from the FireBrick, DER or PEM format can be selected.
For use with IPsec/IKEv2 end-entity certificates must hold an RSA or DSA public key. Currently the FireBrick also only accepts RSA or DSA keys for CA certificates. This should not be a problem at present as the use of newer style public keys in certificates used for signing other certificates is uncommon, and can always be avoided if generating one's own CA certificate.
As mentioned above, part of the authentication of a peer using a certificate consists of confirming that the peer's IKE ID matches the ID recorded in the certificate. Certificates can hold identity information in more than one way, and cryptographic implementations do not always agree on how the identity should be stored. The FireBrick accepts the CommonName (CN) field of the Subject DistinguishedName for a KEYID-type ID, or, for IP, FQDN or EMAIL type IDs, any SubjectAltName field of the right type. A certificate usually holds some information regarding its purpose, and again there is not universal agreement among implementations on how this usage information should be checked. The FireBrick requires a certificate to be used for IPsec authentication to be marked as allowing use for digitalSignature or nonRepudiation, and a certificate to be used for signing certificates must be marked as allowing use for certificate signature.
For a FireBrick IKE connection which authenticates itself to a peer using a certificate, it is necessary to install a suitable end-entity certificate along with its associated private key on the FireBrick. Unless the certificate is self-signed the certificate(s) used as CAs to provide a trust chain must also be installed, though private keys are not required for these (and for security should not be installed). During the IKE authentication procedure the FireBrick sends a copy of the certificate identifying itself to the peer, and also sends the trust chain of certificate(s) used to sign the end-entity certificate. The peer does not need to have the end-entity certificate installed, but must have a CA certificate (usually the self-signed "root" CA) installed so that it can check the validity of the certificate. The private key for the CA certificate should be stored in a secure manner - not on the FireBrick, and ideally not on any machine with a permanent network connection - a memory stick is recommended. The CA certificate can have any suitable subject identity, and the end-entity certificate must have a CN or SubjectAltName which corresponds with the local IKE identity which will be used for the connection. For reliable interworking with other kit it is recommended that this is set using a FQDN (aka DNS) subjectAltName field. The certificate which the FireBrick will use to authenticate itself to the peer can be specified in the connection certlist item, using the short local name set when the certificate was installed. This can normally be left unset, however, as the FireBrick will then choose a certificate which matches the local-ID setting.
certlist, if set, should be the end-entity certificate identifying the local FireBrick, and peer-certlist, if set, should be a list of the certificates which provide the trust for authenticating the peer's certificate. These can normally be left unset, in which case the FireBrick will choose any suitable certificate matching the IKE local-ID for authenticating itself, and any certificate(s) in the store for providing the trust of the peer's certificate.
A FireBrick connection which expects its peer to authenticate using a certificate needs to have either the end-entity certificate or a CA certificate providing trust installed. If the peer-certlist item is not set, the FireBrick will use any suitable certificate in its store to validate the peer's certificate; if set (to a list of short local names), only those certificate(s) listed are acceptable.
Note that it is not obligatory to create and use a self-signed certificate. A large organization may have a master CA which has been signed by a CA authority, and which is trusted automatically by many devices which have a built-in set of root CAs. This master CA be used to sign a subsidiary CA, which is then used to sign the end-entity certificate to be used for IKE authentication.
Generating suitable certificates can be a painful experience for the uninitiated, so we have provided some useful tools which can be downloaded from the FireBrick website. These are bash scripts which use the OpenSSL tools, and can be run on Linux or MacOS systems, or on Windows using Cygwin. They should be downloaded and saved locally (eg by cut-and-paste from the displayed web page text, or using the browser save source function). If invoked with no arguments usage information is displayed.
Use the make-key script to generate a new public/private key pair. This is available as http://www.firebrick.co.uk/tools/make-key. By default an RSA key of 2048 bits is generated, but this can be changed by supplying suitable parameters.
Use the make-cert script to generate a new certificate. This is available as http://www.firebrick.co.uk/tools/make-cert. It can be used to generate a CA or an end-entity certificate, and can make a self-signed certificate or make one signed by an existing CA. The private key to be associated with the certificate must be supplied, and if the certificate is not self-signed the CA certificate and its associated private key must be supplied. When making an end-entity certificate the IKE identity should be built into the certificate as a subjectAltName field, using one of the IP, FQDN or EMAIL keywords.
As an example, consider the company Paradigm Ltd. who wish to set up a certificate suitable for authenticating one of their servers using IKE identity FQDN:vpn.server42.paradigm.co.uk. To make a suitable CA and end-entity certificate run the following commands:
# Note that trailing backslash characters have been used below # to split commands over multiple lines for readability. # Generate a new key for the CA certificate ./make-key paradigm-ca-key.pem # Generate the CA certificate # Note that the DN setting can be freely chosen. ./make-cert CA DN="/C=UK/ST=Midsomer/O=Paradigm Ltd/CN=paradigm.co.uk" \ KEY=paradigm-ca-key.pem paradigm-ca.pem # Generate a new key for the end-entity certificate for server42 ./make-key paradigm42-key.pem # Generate the end-entity certificate # Note that the FQDN= parameter is used to set the certificate's SubjectAltName # and this will correspond to the server's local-ID setting ./make-cert DN=/CN=server42 KEY=paradigm42-key.pem \ ISSUER-KEY=paradigm-ca-key.pem ISSUER=paradigm-ca.pem \ FQDN=vpn.server42.paradigm.co.uk paradigm42.pem
The paradigm-ca-key.pem file should be stored safely offline. The paradigm-ca.pem, paradigm42.pem and paradigm42-key.pem files should be uploaded to the FireBrick certificate store. The paradigm-ca.pem file should be installed on the peer(s) wishing to connect.
The following types of algorithm are used:
Manually-keyed connections do not have a control channel, and use only integrity and encryption algorithms.
Both integrity checking and encryption allow a choice of algorithms. When using IKE the default algorithm proposals are in most cases a good choice as they allow negotiation with the peer to choose the best mutually supported algorithms. The supported algorithms are as follows:
Table 12.2. IKE / IPsec algorithm proposals
| Name | Type | Channels | Preferred |
| null | Integrity | Control, Data | Not in default proposal |
| HMAC-MD5 | Integrity | Control, Data | |
| HMAC-SHA1 | Integrity | Control, Data | |
| AES-XCBC | Integrity | Control, Data | |
| HMAC-SHA256 | Integrity | Control, Data | Yes |
| null | Encryption | Control, Data | Not in default proposal |
| 3DES-CBC | Encryption | Control, Data | |
| blowfish | Encryption | Control, Data | Yes |
| blowfish-192 | Encryption | Control, Data | |
| blowfish-256 | Encryption | Control, Data | |
| AES-CBC | Encryption | Control, Data | Yes |
| AES-192-CBC | Encryption | Control, Data | |
| AES-256-CBC | Encryption | Control, Data | |
| none | DHGroup | Data | Yes |
| MODP-1024 | DHGroup | Control, Data | |
| MODP-2048 | DHGroup | Control, Data | Yes |
| HMAC-MD5 | PRF | Control | |
| HMAC-SHA1 | PRF | Control | Yes |
| AES-XCBC-128 | PRF | Control | Yes |
| HMAC-SHA256 | PRF | Control | Yes |
| ALLOW-ESN | ESN | Data | Yes |
| ALLOW-SHORT-SN | ESN | Data | Yes |
Control items can be specified in IKE-Proposal lists, and Data items can be specified in IPsec-Proposal lists. If an IKE connection does not have an explicit ike-proposals entry, two default proposals are offered to the peer. The first includes all the Control entries in the above table marked as preferred, and the second includes all the implemented entries apart from null. Similarly if no explicit ipsec-proposals entry is given, Data entries marked preferred are included in the first proposal, and all except null in the second. The IKE negotiation always picks the first acceptable proposal, so the default proposals will have the effect of selecting from the preferred algorithms if the peer supports them, and otherwise from all available algorithms. Note that the null algorithms are never chosen by default; they provide no security and should only be used for testing.
A Road Warrior server connection provides the ability for a number of remote clients to set up VPNs to the server dynamically. When each client connects, it is allocated its own IP addresses (IPv4 and/or IPv6) from a pool maintained by the server. Most Road Warrior clients expect the server to authenticate itself using a certificate, and authenticate themselves with a username/password using EAP. Note that the FireBrick connection can be configured as a Road Warrior server, but not as a Road Warrior client.
There are a number of considerations when configuring a connection as a Road Warrior server The following assumes the common certificate+EAP authentication setup:
An example of a Road Warrior connection xml config may be:
<eap name="arthur"
password="CorrectHorseBatteryStaple"
subsystem="IPsec"
methods="MSChapV2"/>
<eap name="ford"
password="JosephGodspell"
subsystem="IPsec"
methods="MSChapV2"/>
...
<ipsec-ike>
...
<roaming name="natpool"
ip="10.100.100.0/24"
DNS="8.8.8.8"
nat="true"/>
<connection name="VPN service"
graph="eap-[ip]"
local-ID="FQDN:vpn.server42paradigm.co.uk"
roaming-pool="natpool"
auth-method="Certificate"
peer-auth-method="EAP"
query-eap-id="true"
certlist="VPNcert"/>
</ipsec-ike>
The FireBrick IPsec implementation should be compatible with any IPsec IKEv2 implementation. Note that IKE version 1 is not supported. Older equipment may not support IKEv2 yet, in which case manual keying may be possible. Several vendors have released IKEv2 support only recently; it is worth checking with your vendor for firmware upgrades. The FireBrick is known to interoperate well with StrongSwan implementations, and with more recent OpenSwan implementations. Road Warrior connections are possible using iPhone/iPad running iOS 8.1.3 or later, and using Android devices with the StrongSwan app.
StrongSwan supports IKEv2 with a comprehensive implementation. Consider a tunnel between a FireBrick and a Linux system with the following setup:
A suitable FireBrick xml config for this would be:
<ipsec-ike>
<connection name = "StrongSwan IKE"
local-ip="192.168.1.1" peer-ips="192.168.2.2"
mode="Immediate"
blackhole="true"
auth-method="Secret" secret="Nobody will ever guess this!"
routes="10.2.2.0/24" />
</ipsec-ike>
A corresponding /etc/ipsec.config connection entry would be:
conn FireBrick
left=192.168.2.2
leftsubnet=10.2.2.0/24
right=192.168.1.1
rightsubnet=10.1.1.0/24
reauth=no
auto=add
leftauth=psk
rightauth=psk
The secret should be entered in /etc/ipsec.secrets as follows:
FireBrick : PSK "Nobody will ever guess this!"
The Android OS releases up to and including the current (Lollipop) release do not support IKEv2 natively, but a Road Warrior VPN can be set up using the StrongSwan app.
To set up a client VPN connection on an Android device, perform the following steps
Apple have only recently introduced support for IKEv2 on iOS (since iOS version 8.1) and it is currently somewhat incomplete with rough edges. There is not yet a way to configure an IKEv2 VPN using the device UI. A profile containing all the connection details must be prepared elsewhere and downloaded/installed on the client.
To set up a client VPN connection on an iOS device, perform the following steps
# Note that trailing backslash characters have been used below # to split commands over multiple lines for readability. ./make-profile SERVER=192.168.42.42 \ LOCALID=MyiPhone CA=paradigm-ca.pem SERVERID=vpn.server42.paradigm.co.uk \ USERNAME=arthur PROFNAME="Server42 VPN Profile" VPNNAME=Paradigm iphoneNote that the SERVERID must be the same as used when making the server certificate, and the paradigm-ca.pem file must be the CA certificate used to sign the server end-entity certificate.
Unfortunately there is no logging or diagnostics available on the iOS device. If the connection fails to establish, the FireBrick IPsec debug logging may be helpful.
Setting up manual keying under Linux is possible using the ipsec-tools utility. Care should be taken if the Linux system is running an IKE or IKEv2 daemon, as this may interfere with the manual kernel IPsec configuration using ipsec-tools.
Consider a tunnel between a FireBrick and a Linux system with the following setup:
A suitable FireBrick xml config for this would be:
<ipsec-ike>
<manually-keyed name = "Linux Manual"
local-ip="192.168.1.1" peer-ips="192.168.2.2"
local-spi="1000" remote-spi="2000" type="ESP"
auth-algorithm="HMAC-SHA1"
auth-key="0123456789012345678901234567890123456789"
crypt-algorithm="AES-CBC"
crypt-key="00010203040506070809101112131415"
routes="10.2.2.0/24" />
</ipsec-ike>
A corresponding ipsec-tools config file would be:
flush;
spdflush;
add 192.168.2.2 192.168.1.1 esp 1000 -m tunnel
-E rijndael-cbc 0x00010203040506070809101112131415
-A hmac-sha1 0x0123456789012345678901234567890123456789;
add 192.168.1.1 192.168.2.2 esp 2000 -m tunnel
-E rijndael-cbc 0x00010203040506070809101112131415
-A hmac-sha1 0x0123456789012345678901234567890123456789;
spdadd 10.1.1.0/24 10.2.2.0/24 any
-P in ipsec esp/tunnel/192.168.1.1-192.168.2.2/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any
-P out ipsec esp/tunnel/192.168.2.2-192.168.1.1/require;
Note that rijndael is the name used by ipsec-tools for the AES algorithm.
The L2TP configuration has an optional ha-set setting allowing you to define that sessions in the specified tunnel are used for High availability.
This means any packets sent to the sessions are in fact sent to each session (duplicated). At the receiving end the first of each duplicate is passed on as normal and any subsequent ones discarded.
This sacrafices bandwidth for high availability and reliability.
You need to ensure packets are routed to the multiple sessions in the set, in the same way as bonding L2TP, and also that they are put in the same ha-set.
| | | |
| 11.2. Definining PPPoE links |  | 12.2. FB105 tunnels |