Security Protocol Series (v)----IKE and IPSec (above)

Ike/ipsec belongs to the Network Layer Security protocol, which protects the IP and upper layer protocol security. Since the end of last century, the research and application of these two protocols have been very mature. The protocol itself is evolving. In the case of IKE alone, its corresponding RFC number evolves from RFC 2407/2408/2409 to RFC 4306, then to RFC 5996, and the latest version is RFC 7296.

Why divide it into two agreements? What is the difference between these two protocols? From a cryptographic point of view, IKE is used for key exchange, and IPSEC is used to protect subsequent communications. The key that protects the communication is the result of the IKE protocol running. (In the SSL/TLS protocol, key generation and encryption protection are done in a single protocol, at which point both are distinct)

This article still uses discovering's idea: carries on an experiment, grasps once the message, uses the cryptographic study to check the computation once. Python is used as a verification tool in this article.

Construction of experimental environment

The server is implemented Strongswan (version 4.4.0) with the famous open source on Linux and the operating system is Ubuntu Server 12.10 (VMware virtual Environment).
The client uses the Windows 7 built-in IPSec VPN client.
The virtual machine runs on Windows 7, configuring a dual network adapter, using NAT and host-only operating mode, respectively. Two network cards mapped in Linux correspond to eth0 and eth1.
The IKE and IPSEC frameworks are complex, and there are a number of options for protocol-only use.
IKE, for example, is divided into two versions of Ikev1/ikev2, and there are many authentication methods. The IPSEC working mode is divided into tunnel and Transport two kinds, the specific implementation of the Protocol and AH and ESP points.
Considering the actual test environment and application scenario, the IKE protocol in this paper uses IKEV2/certificate authentication. IPSEC uses TUNNEL/ESP mode.
The network topology is as follows

Download, compile, install Strongswan 4.4.0. In a word, it is./configure && make && make install three-step.
The process is not much to say, the only need to explain: Strongswan request GMP Library support. For simplicity, all command-line operations use the root identity.

Generate CA Certificates (use OpenSSL below or use Strongswan's own PKI commands)

[Email protected]:~# OpenSSL genrsa-des3-out cakey.pem-passout Pass:123456 1024x768[email protected]:~# OpenSSL Req-sha1-days3650-new-key cakey.pem-out Cacertreq.pem-passin Pass:123456-subj"/c=cn/st=hz/o=vpn/cn=strongswan CA"[email protected]:~#mkdir-P democa/newcerts # Create CA directory [email protected]:~#Touchdemoca/Index.txt[email protected]:~#Echo  on> democa/Serial[email protected]:~# OpenSSL ca-batch-selfsign-extensions v3_ca-days3650-inchCacertreq.pem-keyfile Cakey.pem-passin Pass:123456-out Ca.cer

Temporarily modify the OpenSSL configuration file

[Email protected]:~# CP/etc/ssl/openssl.cnf./

To modify a file openssl.cnf:

= Keyid,issuer= Serverauth

This is the case (with the Red line) because Windows 7 requires the server Authentication extended attribute for the peer server certificate, see

Generate a server certificate

[Email protected]:~# OpenSSL genrsa-des3-out serverkey.pem-passout pass:1234561024x768[email Protected]:~# OpenSSL req-sha1-new-key serverkey.pem-out servercertreq.pem-passin pass:123456"
    /c=cn/st=hz/o=vpn/cn=server.vpn.cn"[email protected]:3650-in Servercertreq.pem-cert ca.cer-keyfile Cakey.pem-passin Pass:123456 -out server.cer

Install CA and server certificates to Strongswan

CP ca.cer/usr/local/etc/ipsec.d/cacerts/[email protected]:CP server.cer/usr/local/etc/ ipsec.d/certs/[email protected]:~# CP serverkey.pem/usr/local/etc/ipsec.d/private/

Configure Strongswan

[Email protected]:~#Cat/usr/local/etc/ipsec.conf# ipsec.conf-Strongswan IPsec ConfiguratiOn file# Basic Configurationconfig setup Charondebug="CFG 4, CHD 4, DMN 4, Enc 4, Ike 4, Job 4, Knl 4, Lib 4, Mgr 4, net 4"Charonstart=Yes Plutostart=no# Add connections Here.conn Linux-vs-Win7 Authby=PubKey Left=%Defaultroute Right=%Any keyexchange=IKEv2 Compress=No auto=Add PFS=No Leftauth=PubKey Rightauth=PubKey Rightid=%Any leftsubnet=1.2.3.0/ -Leftsourceip=1.2.3.123Rightsourceip=1.2.3.0/ -Leftcert=Server.cer Leftfirewall=Yes[email protected]:~#Cat/usr/local/etc/Ipsec.secrets:RSA Serverkey.pem"123456"

Generate a client certificate and package it into PKCS12 format

[Email protected]:~# OpenSSL genrsa-des3-out clientkey.pem-passout Pass:123456 1024x768[email protected]:~# OpenSSL req-sha1-new-key clientkey.pem-out clientcertreq.pem-passin Pass:123456-subj"/c=cn/st=hz/o=vpn/cn=vpn Client"[email protected]:~# OpenSSL Ca-batch-days3650-inchClientcertreq.pem-cert Ca.cer-keyfile Cakey.pem-passin Pass:123456-Out Client.cer[email protected]:~# OpenSSL Pkcs12-export-passin Pass:123456-passout Pass:123456-inchClient.cer-inkey Clientkey.pem-out CLIENT.P12

Copy the PKCS12 and CA certificates to Windows 7 and install to the computer account, click "Start Menu", "Run", "MMC", add the Certificates snap-in as shown

Import client and CA certificates

Create a new VPN connection

Configure VPN Connection properties: IKEv2 Access VPN Gateway

Configure local DNS, add the last line of the file c:\windows\system32\drivers\etc\hosts
192.168.203.129 server.vpn.cn

Configure end, start connection

[Email protected]:~# IPSec Start--nofork

Under Windows 7, double-click New VPN Connection

The following is the successful connection status (the server-side assigned IP address has been obtained

During the connection process, the Linux command line outputs a series of debug messages that will be used in subsequent calculation validation

Python Environment Preparation

Download the latest version of the Python password library pycrypto file pycrypto-2.6.1.tar.gz, extract to C:\Python27\Lib
C:\python27\lib\pycrypto-2.6.1>python setup.py Install
Description: A Visual Studio environment is required during installation to compile source files

Security Protocol Series (v)----IKE and IPSec (above)