Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)

Date post: 14-Aug-2015
Upload: nu-the-open-security-community
Convert your Linux box in to security Gateway Part-2 (VPN)

By Murtuja Bharmal

http://null.co.in/

http://nullcon.net/

About Me

• No Work Busy Man….
• Unemployed….
• Interest…. /dev/random….
• Co-founder of null…. :-D
• X-IBMer …..
• Earning my daily bread (Dal, Roti ka jugad): Security Consulting/Training


Prerequisites

• Basic concepts of networking/routing/NATting
• Knowledge of the TCP/IP model and communication protocols: IP, TCP, UDP, ICMP, DNS, HTTP/S, SMTP, FTP etc.
• How to install and use a Linux OS
• Some hands-on Linux command line


Full Picture

• Security Features of Linux
• Hardening OS
• Firewall Concept/Configuration
• VPN Concept/Configuration
• IDS/IPS Concept/Configuration
• Proxy Concept/Configuration
• Antivirus Concept/Configuration
• Hardening Services, i.e. Web Server/Mail Server/Database etc.


Agenda for Today

• What is VPN
• Why VPN
• Benefits of VPN
• Types of VPN
• VPN Concept
• VPN Configuration – (Openswan)

What is VPN (Misconception)


What is VPN (Conceptually)


What is VPN (Actually)


Why VPN

• Businesses have grown beyond local and regional concerns. We now have to worry about global markets and logistics.

• We need to get connected efficiently and securely to our offices.

• Earlier, offices were connected through leased lines, from ISDN to OC3 (Optical Carrier 3 – 155 Mbps) fibre. This proved to be expensive.

• With the wide use of the Internet, it became the medium to connect businesses together, and also to connect offices using VPN.

• VPN, in short, is connecting networks together using a public network. It can connect a mobile user or a remote office to the head office using the Internet.

Benefits of VPN

• Extend geographic connectivity
• Reduce operational costs versus traditional WAN
• Improve security
• Improve productivity?
• Provide global networking opportunity
• Provide broadband networking compatibility
• Provide telecommuter support

Types of VPN (Based on Technology)

• IPSec VPN – IP Security
• SSL VPN – Secure Sockets Layer
• MPLS – Multiprotocol Label Switching
• GRE – Generic Routing Encapsulation
• PPTP – Point-to-Point Tunneling Protocol
• L2TP – Layer 2 Tunneling Protocol

Types of VPN (Based on functionality)

• Site-to-Site VPN
• Client-to-Site VPN

Site-to-Site VPN


Courtesy: http://nirlog.com


Client-to-Site VPN


Courtesy: http://nirlog.com


VPN Concept (Encryption)

• Translation of data into secret code is called encryption
• To decrypt data you must have access to a secret key or password
• Unencrypted data is called plain text
• Encrypted data is called cipher text

Courtesy: http://www.webopedia.com

VPN Concept (Encryption)

• There are two main forms of encryption
  – Symmetric encryption
    • Each computer uses a secret key that it can use to encrypt data. The same key is used to decrypt the data too.
  – Public Key encryption
    • Uses a combination of two keys, called the private key and the public key. The public key is given to everyone. The data is encrypted using the public key and the private key is used to decrypt it.

Courtesy: http://www.webopedia.com

VPN Concept (HASH)

• Cryptographic hash functions are used, for example, to create a message digest
• A hash function compresses the bits of a message to a fixed-size hash value, in such a way that a given message always produces exactly one hash value
• The most widely used hash functions are MD5 and SHA-1

Courtesy: http://www.webopedia.com

VPN Concept (IPSec)

• Why do we need IPSec?
  – A suite of protocols for securing network connections
• IPSec provides mechanism, not policy
  – You can decide on any encryption algorithm or authentication method, as long as both connecting parties agree

Courtesy: http://www.unixwiz.net

IP Header


Courtesy: http://www.unixwiz.net


VPN Concept (IPSec Overview)

• IPSec is a framework of open standards (from the IETF) that defines policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity and data authentication at the network layer.

• The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH).

• IPsec uses symmetric encryption algorithms for data protection. Symmetric encryption algorithms are more efficient and easier to implement in hardware. These algorithms need a secure method of key exchange to ensure data protection; the Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.

Courtesy: http://cisco.com
Courtesy: http://ipv6.com

VPN Concept (IPSec Overview)

IPSec consists of the following two main protocols:

• Authentication Header (AH)
• Encapsulating Security Payload (ESP)

VPN Concept (IPSec Mode)

• Transport mode
  IPsec transport mode works by inserting the ESP or AH header between the IP header and the next protocol or the transport layer of the packet. Both IP addresses of the two network nodes whose traffic is being protected by IPsec are visible in the IP header of the post-encrypted packet.

• Tunnel mode
  Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode encapsulates or hides the IP header of the pre-encrypted packet, a new IP header is added so that the packet can be successfully forwarded. The encrypting devices themselves own the IP addresses used in this new header.

  Tunnel mode can be employed with either or both IPsec protocols (ESP and AH). Tunnel mode results in additional packet expansion of approximately 20 bytes because of the new IP header. Tunnel mode is widely considered more secure and flexible than transport mode. IPsec tunnel mode encrypts the source and destination IP addresses of the original packet and hides that information from the unprotected network.

Courtesy: http://www.unixwiz.net

VPN Concept (Difference in Modes)

Original Packet:  [ IP Header | Data ]

Transport Mode:   [ Original IP Header | IPSec ESP Header | Data ]
                                                            (optional encryption)

Tunnel Mode:      [ New IP Header | IPSec ESP Header | Original IP Header | Data ]
                    (outer IP header)                   (inner IP header)
                                                        (optional encryption)

Courtesy: http://www.unixwiz.net
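The two layouts above, built byte by byte as an added example (this is not code from the slides or from Openswan). It models only the IPv4 header and the 8-byte ESP header (SPI plus sequence number); the ESP trailer, the integrity check value and the encryption itself are left out, so that the size difference between the two modes isolates the new outer IP header, and the outer_view() function shows what a host on the public path can read. The addresses are those of the slides' site-to-site diagram, the SPI and sequence number are the ones on the tcpdump slide, and the ICMP payload is a constructed value.

```python
"""Added example: ESP transport-mode vs tunnel-mode packet layout."""
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_ESP = 50
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header; checksum left 0 since nothing here is transmitted."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def esp_header(spi: int, seq: int) -> bytes:
    """ESP starts with a 32-bit SPI and a 32-bit sequence number (RFC 4303)."""
    return struct.pack("!II", spi, seq)


def transport_mode(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """[Original IP header][ESP header][payload]: the end hosts' addresses stay visible."""
    esp_part = esp_header(spi, seq) + payload
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp_part)) + esp_part


def tunnel_mode(gw_src: str, gw_dst: str, spi: int, seq: int, original_packet: bytes) -> bytes:
    """[New IP header][ESP header][Original IP header][payload]: only the gateways show."""
    esp_part = esp_header(spi, seq) + original_packet
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp_part)) + esp_part


def outer_view(packet: bytes) -> dict:
    """What an observer on the path reads without the key: outer IP fields and ESP SPI/seq."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "total_len": total_len, "spi": spi, "seq": seq}


# Constructed inner traffic: the ping from the verification slide (192.168.1.5 -> 172.16.1.5).
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 89)   # type 8 = echo request, seq 89
ORIGINAL = ipv4_header("192.168.1.5", "172.16.1.5", IPPROTO_ICMP, len(ICMP_ECHO)) + ICMP_ECHO
SPI, SEQ = 0xf4909a7e, 0x73                              # values shown on the tcpdump slide


def build_both() -> tuple:
    """Return (transport, tunnel) packets carrying the same inner ping."""
    transport = transport_mode("192.168.1.5", "172.16.1.5", SPI, SEQ, ICMP_ECHO)
    tunnel = tunnel_mode("1.2.3.4", "5.6.7.8", SPI, SEQ, ORIGINAL)
    return transport, tunnel


def tunnel_overhead() -> int:
    """Extra bytes tunnel mode adds over transport mode: exactly one new IPv4 header."""
    transport, tunnel = build_both()
    return len(tunnel) - len(transport)


if __name__ == "__main__":
    transport, tunnel = build_both()
    print("transport:", outer_view(transport))   # src/dst are the LAN hosts
    print("tunnel:   ", outer_view(tunnel))      # src/dst are the gateways 1.2.3.4 / 5.6.7.8
    print("tunnel overhead:", tunnel_overhead(), "bytes")
```

Running it shows the point of the diagram: in transport mode the outer header still names 192.168.1.5 and 172.16.1.5, while in tunnel mode it names only 1.2.3.4 and 5.6.7.8, at the cost of 20 extra bytes. Note that a real ESP packet is larger still, because of padding, the trailer and the ICV, which this layout deliberately omits.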

VPN Concept (Security Association)

A Security Association (SA) is an agreement between two peers engaging in a crypto exchange. This agreement includes the type and strength of the encryption algorithm used to protect the data. The SA includes the method and strength of the data authentication and the method of creating new keys for that data protection.

ISAKMP Security Association (ISAKMP Phase 1)
The first phase is a “setup” stage where two devices agree on how to exchange further information securely. This negotiation between the two units creates a security association for ISAKMP itself: an ISAKMP SA. This security association is then used for securely exchanging more detailed information in Phase 2.

IPsec Security Associations (ISAKMP Phase 2) – Data Tunnel
In this phase the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters for the “real” SAs for the AH and ESP protocols would be negotiated.

VPN Concept (Phase 1: Main Mode)


Courtesy: http://www.eetimes.com


VPN Concept (Phase 1: Aggressive Mode)


Courtesy: http://www.eetimes.com


VPN Concept (Phase 1: Authentication)

IKE phase 1 has three methods to authenticate IPSec peers:

1. Pre-Shared Keys (PSK)
2. Public Key Infrastructure (PKI) using X.509 Digital Certificates
3. RSA encrypted nonces

VPN Concept (Phase 2: Quick Mode)


Courtesy: http://www.eetimes.com


VPN Configuration (OpenSwan)
Site-to-Site VPN

    Office 1 LAN 192.168.1.0/24                          Office 2 LAN 172.16.1.0/24
            |                                                    |
       eth1 192.168.1.1                                     eth1 172.16.1.1
       [VPN gateway 1]                                      [VPN gateway 2]
       eth0 1.2.3.4                                         eth0 5.6.7.8
            |                                                    |
       next hop 1.2.3.5 ---------- Internet ---------- next hop 5.6.7.9

VPN Configuration (OpenSwan)
Site-to-Site VPN – /etc/ipsec.conf

left           Internet IP address of the left-hand side VPN device.

leftsubnet     The network protected by the left-hand side VPN device.

leftid         Fully qualified domain name in DNS of the left-hand side VPN device, preceded by an "@" sign. If DNS is set up for the IP addresses, remove this entry, because names that don't resolve correctly cause the VPN initialization to fail.

leftrsasigkey  The entire RSA signature public key of the left-hand side VPN device. It can be obtained with the command: ipsec showhostkey --left

leftnexthop    The next hop router from the left-hand side VPN device when trying to reach the right-hand side VPN device. You may use the auto-generated variable %defaultroute, which is valid in most cases, or the actual IP address of the next hop router in cases where the next hop is not the default router.

Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan)
Site-to-Site VPN – /etc/ipsec.conf

    conn net-to-net
        authby=secret              # Key exchange method (pre-shared key)
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        right=5.6.7.8
        rightsubnet=172.16.1.0/24
        rightnexthop=5.6.7.9
        auto=start                 # or auto=add

Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan)
Site-to-Site VPN – /etc/ipsec.secrets

    1.2.3.4 5.6.7.8 : PSK "nonebutourselvescanfreeourminds"

Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan)
Site-to-Site VPN – Other settings

• net/ipv4/ip_forward = 1
• iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 172.16.1.0/24 -j MASQUERADE

The gateway must forward packets between its interfaces, and LAN traffic bound for the Internet is masqueraded behind eth0. Traffic for the remote office subnet is excluded from the NAT rule so that it enters the tunnel with its original 192.168.1.0/24 source address, which is what the leftsubnet/rightsubnet policy matches.

Courtesy: http://www.linuxhomenetworking.com
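The three configuration pieces above (the conn block in /etc/ipsec.conf, the PSK line in /etc/ipsec.secrets, and the MASQUERADE rule) have to agree with each other, and a misspelt keyword is rejected by the config parser, so a quick consistency check before running ipsec is worthwhile. The following is an added example and not code from the slides or from Openswan itself: a small checker that parses the conn block, reports unknown keywords, missing or overlapping subnets, a PSK line that is not indexed by the same pair of public addresses, and generates the NAT rule with the remote subnet excluded. It knows only the keywords used on the slides; the sample texts are constructed from the slides' values, and the 20-character minimum for the PSK is an assumed local policy.

```python
"""Added example: consistency checks for a site-to-site Openswan PSK setup."""
import ipaddress
import re

# Openswan keywords used on the slides; anything else is most likely a typo.
KNOWN_KEYS = {"authby", "auto",
              "left", "leftsubnet", "leftnexthop", "leftid", "leftrsasigkey",
              "right", "rightsubnet", "rightnexthop", "rightid", "rightrsasigkey"}

PSK_LINE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"$')


def parse_conns(text: str) -> dict:
    """Very small ipsec.conf reader: 'conn NAME' sections holding key=value lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns


def check_conn(conn: dict) -> list:
    """Return a list of problems; an empty list means the conn looks consistent."""
    problems = [f"unknown keyword '{k}' (misspelt? the config parser rejects it)"
                for k in conn if k not in KNOWN_KEYS]
    for k in ("left", "leftsubnet", "right", "rightsubnet"):
        if k not in conn:
            problems.append(f"missing {k}")
    if "left" in conn and "right" in conn and conn["left"] == conn["right"]:
        problems.append("left and right must be different gateways")
    if "leftsubnet" in conn and "rightsubnet" in conn:
        lnet = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        rnet = ipaddress.ip_network(conn["rightsubnet"], strict=False)
        if lnet.overlaps(rnet):
            problems.append("leftsubnet overlaps rightsubnet: tunnel selector is ambiguous")
    if conn.get("auto") not in ("start", "add"):
        problems.append("auto should be 'start' or 'add'")
    return problems


def check_secret(secrets_text: str, conn: dict) -> list:
    """The PSK line must be indexed by the same two public IPs as the conn."""
    for raw in secrets_text.splitlines():
        m = PSK_LINE.match(raw.split("#", 1)[0].strip())
        if m and {m.group(1), m.group(2)} == {conn["left"], conn["right"]}:
            # 20 characters is an assumed local minimum, not an Openswan rule
            return [] if len(m.group(3)) >= 20 else ["PSK is short; use a long random secret"]
    return ["no PSK line for the pair %s %s" % (conn["left"], conn["right"])]


def masquerade_rule(conn: dict, wan_if: str = "eth0") -> str:
    """NAT only Internet-bound traffic. The remote subnet is excluded so it enters
    the tunnel with its real source address and still matches leftsubnet;
    '! -d' is the current iptables spelling of the slides' '-d \\!'."""
    return (f"iptables -t nat -A POSTROUTING -o {wan_if} -s {conn['leftsubnet']} "
            f"! -d {conn['rightsubnet']} -j MASQUERADE")


# Sample inputs constructed from the slides' values.
IPSEC_CONF = """
conn net-to-net
    authby=secret
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=5.6.7.8
    rightsubnet=172.16.1.0/24
    rightnexthop=5.6.7.9
    auto=start
"""
IPSEC_CONF_TYPO = IPSEC_CONF.replace("leftnexthop=", "leftnexthope=")   # a one-letter slip
IPSEC_SECRETS = '1.2.3.4 5.6.7.8 : PSK "nonebutourselvescanfreeourminds"\n'


def review(conf_text: str, secrets_text: str, name: str = "net-to-net") -> list:
    """All problems found in the conn and its matching secret."""
    conn = parse_conns(conf_text)[name]
    return check_conn(conn) + check_secret(secrets_text, conn)


if __name__ == "__main__":
    print("good conf:", review(IPSEC_CONF, IPSEC_SECRETS) or "no problems")
    print("typo conf:", review(IPSEC_CONF_TYPO, IPSEC_SECRETS))
    print(masquerade_rule(parse_conns(IPSEC_CONF)["net-to-net"]))
```

The checker is deliberately strict about keywords because Openswan gives little help when a line such as leftnexthope= is silently wrong: the tunnel simply never comes up and the log shows Phase 1 stalling or the wrong next hop being used.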

VPN Configuration (OpenSwan)
Site-to-Site VPN – Log

    104 "net-to-net" #1: STATE_MAIN_I1: initiate
    106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
    112 "net-to-net" #2: STATE_QUICK_I1: initiate
    004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}

Courtesy: http://www.linuxhomenetworking.com

VPN Configuration (OpenSwan)
Site-to-Site VPN – Verification/Debug

    [root@vpn2 tmp]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask          Flags MSS Window irtt Iface
    10.0.0.0        0.0.0.0         255.255.255.0    U      40 0      0    eth1
    6.25.232.0      0.0.0.0         255.255.255.248  U      40 0      0    eth0
    172.16.1.0      1.2.3.4         255.255.255.0    UG     40 0      0    ipsec0

    tcpdump -n -i ipsec0 icmp
    03:05:53.971308 IP 192.168.1.5 > 172.16.1.5: icmp 64: echo request seq 89
    03:05:53.995297 IP 172.16.1.5 > 192.168.1.5: icmp 64: echo reply seq 89

    tcpdump -n -i eth1 host 5.6.7.8
    02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)
    02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x808e9a87,seq=0x74)

Courtesy: http://www.linuxhomenetworking.com
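The log slide and the tcpdump slide above are the two things an operator compares when a tunnel "is up but nothing flows": the Phase 2 line names the SPIs that were negotiated, and the capture on the public interface shows which SPIs are actually on the wire, in which direction. The following is an added example (not code from the slides or from Openswan) that automates that cross-check: it reads Pluto's state lines to confirm Phase 1 and Phase 2 completed, extracts the negotiated outbound and inbound ESP SPIs, and then verifies that ESP packets between the two gateways carry those SPIs in both directions. The log lines are the ones on the slide; the tcpdump lines are constructed to use the same SPIs (the real capture on the slide is from a different session, so its SPIs differ). The reading of the {ESP=>X <Y} notation as outbound X / inbound Y follows the Pluto log format.

```python
"""Added example: cross-check Pluto state log against ESP packets seen by tcpdump."""
import re

PHASE1_DONE = re.compile(r'"(?P<conn>[^"]+)" #\d+: STATE_MAIN_I4: ISAKMP SA established')
PHASE2_DONE = re.compile(r'"(?P<conn>[^"]+)" #\d+: STATE_QUICK_I2: .*IPsec SA established '
                         r'\{ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)\}')
ESP_PACKET = re.compile(r'IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): '
                        r'ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)')


def tunnel_status(log_lines) -> dict:
    """Per conn: whether each phase completed, plus the SPIs from the Phase 2 line.
    'ESP=>X <Y' means X is the SPI this side sends with, Y the one it expects back."""
    status = {}
    for line in log_lines:
        m = PHASE1_DONE.search(line)
        if m:
            status.setdefault(m["conn"], {})["phase1"] = True
        m = PHASE2_DONE.search(line)
        if m:
            entry = status.setdefault(m["conn"], {})
            entry.update(phase2=True, spi_out=int(m["out"], 16), spi_in=int(m["in"], 16))
    return status


def observed_spis(capture_lines, local_ip: str, peer_ip: str) -> tuple:
    """SPIs seen in ESP packets between the two gateways, split by direction."""
    outbound, inbound = set(), set()
    for line in capture_lines:
        m = ESP_PACKET.search(line)
        if not m:
            continue
        spi = int(m["spi"], 16)
        if (m["src"], m["dst"]) == (local_ip, peer_ip):
            outbound.add(spi)
        elif (m["src"], m["dst"]) == (peer_ip, local_ip):
            inbound.add(spi)
    return outbound, inbound


def verify_tunnel(log_lines, capture_lines, conn: str, local_ip: str, peer_ip: str) -> str:
    """Run the checks in the order an operator would: Phase 1, Phase 2, then traffic."""
    st = tunnel_status(log_lines).get(conn, {})
    if not st.get("phase1"):
        return "phase 1 failed: no ISAKMP SA (check the PSK, the IDs and UDP 500 reachability)"
    if not st.get("phase2"):
        return "phase 2 failed: no IPsec SA (check leftsubnet/rightsubnet agree with the peer)"
    outbound, inbound = observed_spis(capture_lines, local_ip, peer_ip)
    if st["spi_out"] not in outbound:
        return "SA up but no outbound ESP with the negotiated SPI (is the route via ipsec0?)"
    if st["spi_in"] not in inbound:
        return "outbound ESP only: peer replies missing (is IP protocol 50 allowed in?)"
    return "ok"


# Log lines as shown on the slide.
PLUTO_LOG = [
    '104 "net-to-net" #1: STATE_MAIN_I1: initiate',
    '106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    '108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3',
    '004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established',
    '112 "net-to-net" #2: STATE_QUICK_I1: initiate',
    '004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}',
]
# Constructed capture (tcpdump -n on the public interface) using the SPIs from that log.
ESP_CAPTURE = [
    '02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xe0bdd0e9,seq=0x73)',
    '02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x13ac7645,seq=0x74)',
]

if __name__ == "__main__":
    args = ("net-to-net", "1.2.3.4", "5.6.7.8")
    print(verify_tunnel(PLUTO_LOG, ESP_CAPTURE, *args))        # ok
    print(verify_tunnel(PLUTO_LOG[:4], ESP_CAPTURE, *args))    # phase 2 failed
    print(verify_tunnel(PLUTO_LOG, ESP_CAPTURE[:1], *args))    # replies missing
```

Feeding it the live output of tail on the Pluto log and of tcpdump -n -i eth0 esp gives the same three-step diagnosis as the slide, but as a single answer: which phase stopped, or which direction of ESP is not arriving.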

Questions?


Courtesy http://www.wien2k.at
