27.2.6.6. Connecting MS Windows XP using OpenSSL certificates

Sources and links:

Creating a certificate for the server.

mpressca@yoda:~$ openssl req -new -keyout pikachu4.key -out pikachu4.req -days 360
mpressca@yoda:~$ cat pikachu4.req pikachu4.key >new.pem
mpressca@yoda:~$ openssl ca -policy policy_anything -out pikachu.crt -config /etc/ssl/openssl.cnf -infiles new.pem

mpressca@yoda:~$ openssl req -new -x509 -keyout pikachu5.key -out pikachu5.req

Creating a key and a certificate signing request.

mpressca@yoda:~$ openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout privkey.pem -outform PEM -out newreq.pem

Signing the request with the certificate authority

mpressca@yoda:~$ CA -sign
mpressca@yoda:~$ mv privkey.pem pikachu6.key
mpressca@yoda:~$ mv newreq.pem pikachu6.req
mpressca@yoda:~$ mv newcert.pem pikachu6.cert

Now we move on. We will try IPsec in transport mode using certificates. The certificates are prepared and copied to both the server and the client, so we adjust the configuration in racoon.conf.

# Configuration using certificates

log debug2;

path certificate "/etc/racoon/certs";  

remote anonymous 
{
        exchange_mode main;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        lifetime time 4 min;

        certificate_type x509 "pikachu3.crt" "pikachu3.key";
        peers_certfile "jirkanb.pem";

        proposal {
                encryption_algorithm des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp768;
        }
}

sainfo anonymous {
        pfs_group modp768;
        lifetime time 4 min;   
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

Script for initialising the security policy database in /etc/racoon/spd.conf:

#!/usr/sbin/setkey -f
# pikachu:/etc/racoon/ipsec.conf
# Connections with yoghurt, jirkanb, trada

### Flush all
flush;
spdflush;

### Security Policy

### jirka.firma.cz
# TRANSPORT MODE
#spdadd 212.96.165.122 212.96.165.121 any -P out ipsec
#        esp/transport//require;
#spdadd 212.96.165.121 212.96.165.122 any -P in ipsec
#        esp/transport//require;

# TUNNEL MODE
spdadd 10.16.64.0/19 10.225.64.0/19 any -P out ipsec
        esp/tunnel/10.16.66.53-10.225.64.3/require;
spdadd 10.225.64.0/19 10.16.64.0/19 any -P in ipsec
        esp/tunnel/10.225.64.3-10.16.66.53/require;



### trada.firma.cz from gprs: 160.218.179.137
spdadd 212.96.165.122 160.218.179.137 any -P out ipsec
        esp/transport//require;
spdadd 160.218.179.137 212.96.165.122 any -P in ipsec
        esp/transport//require;

# trada.firma.cz from lan: 212.96.165.120/28
spdadd 212.96.165.122 212.96.165.120 any -P out ipsec
        esp/transport//require;
spdadd 212.96.165.120 212.96.165.122 any -P in ipsec
        esp/transport//require;

When writing the part describing the tunnel to Jirka I started from "Setting up a FreeBSD IPSec Tunnel" by John J. Rushford Jr. In general, a tunnel is created like this:

spdadd my_local_net peer_local_net any -P out ipsec
        esp/tunnel/my_local_ip-peer_local_ip/require;
spdadd peer_local_net my_local_net any -P in ipsec
        esp/tunnel/peer_local_ip-my_local_ip/require;

According to another document, however, it should look different:

spdadd my_local_net peer_local_net any -P out ipsec
        esp/transport/my_public_ip-peer_public_ip/require;
spdadd peer_local_net my_local_net any -P in ipsec
        esp/transport/peer_public_ip-my_public_ip/require;

The pattern for setting the security policy for transport mode is:

spdadd my_public_ip peer_public_ip any -P out ipsec
        esp/transport//require;
spdadd peer_public_ip my_public_ip any -P in ipsec
        esp/transport//require;

or, according to the FreeBSD IPsec mini-HOWTO, where host A has the address 1.2.3.4 and host B the address 5.6.7.8, like this:

#!/bin/sh
setkey -FP
setkey -F

setkey -c << EOF
spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec
 esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec
 esp/transport/5.6.7.8-1.2.3.4/require;
EOF
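Each of the patterns above comes in pairs: an outbound policy and its mirror image for the inbound direction, with the source and destination ranges (and, in tunnel mode, the outer addresses) swapped. racoon only negotiates a SA when both halves exist; the server log further down on this page reports "no in-bound policy found" exactly when the inbound half is missing. The following checker is an added example, not code from the original page or from the racoon/ipsec-tools project: it parses spdadd statements from an spd.conf text, in both transport and tunnel form, and lists policies whose mirror is absent. SAMPLE_SPD is constructed from the spd.conf shown on this page, plus one deliberately unmirrored outbound entry.

```python
"""Mirror check for setkey policies, as used in /etc/racoon/spd.conf.

Added example, not code from the original page: racoon only negotiates when an
outbound policy has a mirrored inbound one (the page's log later shows
'no in-bound policy found' when that mirror is missing).  This parses spdadd
statements, in transport and tunnel form, and reports policies whose mirror is
absent.  SAMPLE_SPD is constructed from the spd.conf on this page plus one
deliberately unmirrored entry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str         # src_range
    dst: str         # dst_range
    upper: str       # upperspec, e.g. "any"
    direction: str   # "in" or "out"
    proto: str       # "esp" or "ah"
    mode: str        # "transport" or "tunnel"
    endpoints: str   # "a-b" for tunnel mode, "" for transport mode
    level: str       # "require", "use", ...


# spdadd [-46n] src_range dst_range upperspec -P dir ipsec proto/mode/[src-dst]/level ;
SPDADD = re.compile(
    r"spdadd\s+(?:-[46n]+\s+)?(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(transport|tunnel)/([^/]*)/(\w+)\s*;"
)


def strip_comments(text):
    """Drop '#' comments (the shebang line included)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_spd(text):
    """Return the spdadd policies in text; a statement may span several lines."""
    flat = " ".join(strip_comments(text).split())
    return [Policy(*m.groups()) for m in SPDADD.finditer(flat)]


def mirror_of(p):
    """The policy the other direction must contain for p to be usable."""
    ends = p.endpoints
    if ends:                      # tunnel mode: swap the outer addresses too
        a, b = ends.split("-", 1)
        ends = f"{b}-{a}"
    return Policy(p.dst, p.src, p.upper,
                  "in" if p.direction == "out" else "out",
                  p.proto, p.mode, ends, p.level)


def unmirrored(policies):
    """Policies whose mirror image is not present in the same set."""
    have = set(policies)
    return [p for p in policies if mirror_of(p) not in have]


SAMPLE_SPD = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
# tunnel and transport pairs taken from the spd.conf on this page
spdadd 10.16.64.0/19 10.225.64.0/19 any -P out ipsec
        esp/tunnel/10.16.66.53-10.225.64.3/require;
spdadd 10.225.64.0/19 10.16.64.0/19 any -P in ipsec
        esp/tunnel/10.225.64.3-10.16.66.53/require;
spdadd 212.96.165.122 160.218.179.137 any -P out ipsec
        esp/transport//require;
spdadd 160.218.179.137 212.96.165.122 any -P in ipsec
        esp/transport//require;
# CONSTRUCTED fault: outbound policy towards 212.96.165.121 with no inbound partner
spdadd 212.96.165.122 212.96.165.121 any -P out ipsec
        esp/transport//require;
"""


if __name__ == "__main__":
    for p in unmirrored(parse_spd(SAMPLE_SPD)):
        print(f"{p.direction} policy {p.src} -> {p.dst} ({p.mode}) has no mirror")
```

Run it against the real spd.conf (`parse_spd(open("/etc/racoon/spd.conf").read())`) before restarting racoon; an empty result means every policy has its partner, which is the precondition the page's later "no in-bound policy found" error violates.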

According to the setkey documentation, the spdadd command has the structure spdadd [-46n] src_range dst_range upperspec policy; where src_range and dst_range have the form

The upperspec parameter can then be:

Policy:

And we restart:

pikachu:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
pikachu:/etc/racoon# ./spd.conf
pikachu:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
pikachu:/etc/racoon#

This time the built-in IPsec implementation on the MS Windows XP side is used. Nate Carlson's pages were used for configuring Windows XP. The required ipsec program was downloaded from vpn.ebootis.de.

On Windows XP it is necessary to install the complete Support Tools from the original Windows XP CD (\support\tools\setup.exe). Afterwards, copy c:\program files\support tools\ipseccmd.exe into the directory where Nate Carlson's ipsec tool was unpacked.

The resulting ipsec.conf configuration file is:

conn roadwarrior
        left=%any
        right=212.96.165.122
        rightca="C=CZ, L=Breclav, O=FIRMA a.s., OU=IT Departement, \
CN=Radek Hnilica, E=ca@firma.cz"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=212.96.165.122
        rightsubnet=212.96.165.122/28
        rightca="C=CZ, L=Breclav, O=FIRMA a.s., OU=IT Departement, \
CN=Radek Hnilica, E=ca@firma.cz"
        network=auto
        auto=start
        pfs=yes

The connection is not established. On the server side the following appears in the log:

Dec 14 14:04:27 pikachu racoon: DEBUG: send packet from 212.96.165.122[500] 
Dec 14 14:04:27 pikachu racoon: DEBUG: send packet to 160.218.179.137[500] 
Dec 14 14:04:27 pikachu racoon: DEBUG: src4 212.96.165.122[500] 
Dec 14 14:04:27 pikachu racoon: DEBUG: dst4 160.218.179.137[500] 
Dec 14 14:04:27 pikachu racoon: DEBUG: 1 times of 148 bytes message will be sent to 212.96.165.122[500] 
Dec 14 14:04:27 pikachu racoon: DEBUG:  bb437566 a5ca8302 e8006166 4db9a1d6 04100200 00000000 00000094 \
  0a000064 38e171f6 8837b555 28f437df 55e58b16 30953439 bc348592 4911417f d006de3e d111aa90 115d118e e48cc89f \
  55b76d12 4ee957bd 832e0875 ddfaccb6 87190c0c f34990d2 661e9710 5345b7c1 e8ce2e74 bcadf9c9 ecfccf1e 00c49324 \
  6df89f9c 00000014 845ac279 b40650f2 c3554622 2751b278 
Dec 14 14:04:27 pikachu racoon: DEBUG: resend phase1 packet bb437566a5ca8302:e80061664db9a1d6 
Dec 14 14:04:37 pikachu racoon: ERROR: phase1 negotiation failed due to time up. bb437566a5ca8302:e80061664db9a1d6
⋮
Dec 14 15:04:50 pikachu racoon: DEBUG: filename: /usr/etc/racoon/certs/trada.pem 
Dec 14 15:04:50 pikachu racoon: ERROR: failed to get peers CERT. 
Dec 14 15:04:54 pikachu racoon: DEBUG: 148 bytes from 212.96.165.122[500] to 212.96.165.120[500]
⋮
Dec 14 15:15:37 pikachu racoon: ERROR: unknown Informational exchange received.
⋮
Dec 14 15:25:20 pikachu racoon: DEBUG: malformed cookie received or the spi expired. 
Dec 14 15:25:52 pikachu racoon: DEBUG: === 
Dec 14 15:25:52 pikachu racoon: DEBUG: 84 bytes message received from 212.96.165.120[500] to 212.96.165.122[500] 
Dec 14 15:25:52 pikachu racoon: DEBUG:  0f89de27 bb035ad4 09aabda3 fe6aa8d5 08100501 04827136 00000054 600f9521 \
    aaa09a54 d5f65e7d 3a8752f9 a8c5dd2e 948b6444 d810c16e 68947437 cbf9b6bd 1ca7dd14 00009b0d 8a673d10 8b5cba1b \
    efcc7735 
Dec 14 15:25:52 pikachu racoon: ERROR: unknown Informational exchange received.
⋮
Dec 14 15:26:34 pikachu racoon: DEBUG: filename: /etc/racoon/certs/pikachu.key 
Dec 14 15:26:34 pikachu racoon: ERROR: failed to get private key. 
Dec 14 15:26:34 pikachu racoon: ERROR: failed to process packet. 
Dec 14 15:26:34 pikachu racoon: ERROR: phase1 negotiation failed. 
⋮
Dec 14 16:22:34 pikachu racoon: DEBUG: filename: /etc/racoon/certs/pikachu2.pem 
Dec 14 16:22:34 pikachu racoon: ERROR: failed to get my CERT. 
Dec 14 16:22:34 pikachu racoon: ERROR: failed to get own CERT. 
Dec 14 16:22:34 pikachu racoon: ERROR: failed get my ID 
Dec 14 16:22:34 pikachu racoon: ERROR: failed to process packet. 
Dec 14 16:22:34 pikachu racoon: ERROR: phase1 negotiation failed. 
⋮
Dec 16 14:25:56 pikachu racoon: DEBUG: suitable outbound SP found: 212.96.165.122/32[0] 212.96.165.121/32[0] proto=any dir=out. 
Dec 16 14:25:56 pikachu racoon: DEBUG: sub:0xbffffb40: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in 
Dec 16 14:25:56 pikachu racoon: DEBUG: db :0x809bf90: 212.96.165.122/32[0] 212.96.165.121/32[0] proto=any dir=out 
Dec 16 14:25:56 pikachu racoon: DEBUG: sub:0xbffffb40: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in 
Dec 16 14:25:56 pikachu racoon: DEBUG: db :0x80a0f20: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=out 
Dec 16 14:25:56 pikachu racoon: DEBUG: sub:0xbffffb40: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in 
Dec 16 14:25:56 pikachu racoon: DEBUG: db :0x80a1220: 212.96.165.122/32[0] 160.218.179.137/32[0] proto=any dir=out 
Dec 16 14:25:56 pikachu racoon: DEBUG: sub:0xbffffb40: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in 
Dec 16 14:25:56 pikachu racoon: DEBUG: db :0x809f398: 160.218.179.137/32[0] 212.96.165.122/32[0] proto=any dir=out 
Dec 16 14:25:56 pikachu racoon: DEBUG: sub:0xbffffb40: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in 
Dec 16 14:25:56 pikachu racoon: DEBUG: db :0x809f770: 212.96.165.122/32[0] 212.96.165.120/32[0] proto=any dir=out 
Dec 16 14:25:56 pikachu racoon: DEBUG: sub:0xbffffb40: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in 
Dec 16 14:25:56 pikachu racoon: DEBUG: db :0x809f9a8: 212.96.165.120/32[0] 212.96.165.122/32[0] proto=any dir=out 
Dec 16 14:25:56 pikachu racoon: NOTIFY: no in-bound policy found: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in 
Dec 16 14:25:56 pikachu racoon: DEBUG: new acquire 212.96.165.122/32[0] 212.96.165.121/32[0] proto=any dir=out 
Dec 16 14:25:56 pikachu racoon: ERROR: failed to get sainfo. 
⋮
Dec 20 13:01:58 pikachu racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:DES-CBC 
Dec 20 13:01:58 pikachu racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = pre-shared key:RSA signatures 
Dec 20 13:01:58 pikachu racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = SHA:MD5 
Dec 20 13:01:58 pikachu racoon: ERROR: no suitable proposal found. 
Dec 20 13:01:58 pikachu racoon: ERROR: failed to get valid proposal. 
Dec 20 13:01:58 pikachu racoon: ERROR: failed to process packet.
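The log above mixes several distinct failures: a phase 1 timeout (no reply from the peer at all), certificate and key files that could not be loaded (note that trada.pem was looked up under /usr/etc/racoon/certs although racoon.conf sets path certificate to /etc/racoon/certs), a missing inbound SPD entry, and finally a proposal mismatch where every attribute in the "rejected ..." lines differs between the local database (3DES-CBC, pre-shared key, SHA) and the peer (DES-CBC, RSA signatures, MD5). The script below is an added example, not code from the original page or from racoon: it parses syslog-style racoon lines, pairs each load failure with the "filename:" line racoon logged just before it, extracts the per-attribute mismatch from the "rejected" lines, and maps errors to likely causes. The cause table is a heuristic written for this example; SAMPLE_LOG is constructed from lines in the page's log.

```python
"""Triage of racoon debug logs like the excerpt on this page.

Added example, not part of the original page: it parses syslog-style racoon
lines, pairs each certificate/key load failure with the 'filename:' line racoon
logged just before it, extracts the per-attribute proposal mismatch from
'rejected ...' lines, and maps the errors to likely causes.  The cause table is
a heuristic written for this example; SAMPLE_LOG is constructed from lines in
the page's log.
"""
import re

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>\w+): (?P<msg>.*?)\s*$"
)
# e.g. "rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:DES-CBC"
REJECT = re.compile(
    r"rejected (?P<attr>\w+): DB\([^)]*\):Peer\([^)]*\) = (?P<ours>.+?):(?P<peer>[^:]+)$"
)

# (substring of the ERROR/NOTIFY message, likely cause) -- heuristic for this example
CAUSES = [
    ("rejected ", "proposal mismatch: remote{} proposal differs from the peer's offer"),
    ("failed to get peers CERT", "peers_certfile not readable under 'path certificate'"),
    ("failed to get my CERT", "certificate_type file not readable under 'path certificate'"),
    ("failed to get private key", "private key file not readable"),
    ("no in-bound policy found", "outbound SPD entry has no mirrored inbound entry"),
    ("failed to get sainfo", "no sainfo section matched the acquire"),
    ("failed due to time up", "no reply from the peer: UDP/500 not reaching it"),
]


def parse_log(text):
    """Syslog lines that racoon wrote; hex-dump continuation lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def missing_files(events):
    """Path racoon tried right before each 'failed to get ...' error."""
    paths = []
    for prev, cur in zip(events, events[1:]):
        if (cur["level"] == "ERROR" and cur["msg"].startswith("failed to get")
                and prev["msg"].startswith("filename: ")):
            paths.append(prev["msg"][len("filename: "):].strip())
    return paths


def proposal_mismatches(events):
    """attribute -> (our value, peer's value) taken from 'rejected ...' lines."""
    out = {}
    for e in events:
        m = REJECT.match(e["msg"])
        if m:
            out[m["attr"]] = (m["ours"].strip(), m["peer"].strip())
    return out


def triage(text):
    """likely cause -> timestamp of its first occurrence."""
    findings = {}
    for e in parse_log(text):
        if e["level"] not in ("ERROR", "NOTIFY"):
            continue
        for needle, cause in CAUSES:
            if needle in e["msg"]:
                findings.setdefault(cause, e["ts"])
                break
    return findings


# CONSTRUCTED from lines of the log excerpt on this page
SAMPLE_LOG = """\
Dec 14 14:04:27 pikachu racoon: DEBUG: resend phase1 packet bb437566a5ca8302:e80061664db9a1d6
Dec 14 14:04:37 pikachu racoon: ERROR: phase1 negotiation failed due to time up. bb437566a5ca8302:e80061664db9a1d6
Dec 14 15:04:50 pikachu racoon: DEBUG: filename: /usr/etc/racoon/certs/trada.pem
Dec 14 15:04:50 pikachu racoon: ERROR: failed to get peers CERT.
Dec 14 15:26:34 pikachu racoon: DEBUG: filename: /etc/racoon/certs/pikachu.key
Dec 14 15:26:34 pikachu racoon: ERROR: failed to get private key.
Dec 16 14:25:56 pikachu racoon: NOTIFY: no in-bound policy found: 212.96.165.121/32[0] 212.96.165.122/32[0] proto=any dir=in
Dec 16 14:25:56 pikachu racoon: ERROR: failed to get sainfo.
Dec 20 13:01:58 pikachu racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 3DES-CBC:DES-CBC
Dec 20 13:01:58 pikachu racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = pre-shared key:RSA signatures
Dec 20 13:01:58 pikachu racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = SHA:MD5
Dec 20 13:01:58 pikachu racoon: ERROR: no suitable proposal found.
"""


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for cause, ts in triage(SAMPLE_LOG).items():
        print(f"{ts}: {cause}")
    for path in missing_files(events):
        print(f"could not load: {path}")
    for attr, (ours, peer) in proposal_mismatches(events).items():
        print(f"{attr}: ours={ours!r} peer={peer!r}")
```

The mismatch table is the quickest way to reconcile the two sides: each attribute it lists must be made equal in racoon.conf's remote { proposal { ... } } and in the Windows policy before phase 1 can succeed, and the missing-file list tells you which path to fix under path certificate.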