Interesting ipsec vpn connection Configuration

Source: Internet
Author: User


I. Level 1: PIX-PIX

The customer asked to see a vpn model. Given the demonstration nature, the requirements were not high, and the customer set no requirements on negotiation parameters or network structure, so we chose the Cisco PIX, a popular vpn device, for point-to-point communication.

For hardware vpn products the configuration methods are similar, because no installation or debugging environment is involved: you configure the network, the negotiation, the algorithms, access control and so on. Since there are plenty of PIX examples online, we only list the configuration here.

Model: 192.168.0.1 -- 192.168.0.2

192.168.0.2:
crypto isakmp enable outside
access-list outside_20_cryptomap line 1 extended permit ip interface inside host 192.168.X.1
access-list inside_nat0_outbound line 1 extended permit ip interface inside host 192.168.X.1
tunnel-group 192.168.0.1 type ipsec-l2l
tunnel-group 192.168.0.1 ipsec-attributes
pre-shared-key XXXX
isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 192.168.0.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0

192.168.0.1:
crypto isakmp enable outside
access-list outside_20_cryptomap line 1 extended permit ip interface inside host 192.168.X.2
access-list inside_nat0_outbound line 1 extended permit ip interface inside host 192.168.X.2
tunnel-group 192.168.0.2 type ipsec-l2l
tunnel-group 192.168.0.2 ipsec-attributes
pre-shared-key XXXX
isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 192.168.0.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0

In this way, a simple ipsec vpn is built. Simple, isn't it?

Note: if you use the ASDM graphical interface, be aware that the ipsec vpn wizard moved to the top menu in version 6.0 and later.



II. Level 2: PIX-ISA
The customer immediately raised a new requirement: implement the same model with a mix of hardware and software.
The difficulty increases, but not by much for us, because as long as both ends are standard vpn products, interoperability is generally not a problem. Here we chose Microsoft ISA as the peer end.
III. Level 3: ISA1-ISA2-ISA3-ISA4
This customer raised new requirements. Their four subsidiaries, A, B, C and D, had already established VPN links between A-B and C-D; now they wanted to connect only B-C and achieve mutual ipsec access across the whole network. Since the ISA platform had already been deployed, it had to be implemented entirely on ISA.
This time it was a little harder. Establishing the vpn was not difficult; forwarding across it was.
Let's take a look at the model:

Site:                1              2              3              4
External interface:  192.168.1.1 -- 192.168.2.1    192.168.3.1 -- 192.168.4.1
                                    10.0.0.1   --- 10.0.0.2
Internal network:    100.0.1.0      100.0.2.0      100.0.3.0      100.0.4.0
 
We need to link each of the four VPN gateways to its neighbour for direct communication, while non-adjacent sites are reached by forwarding through the intermediate gateways.

Since the 192.168.x.1 interfaces on 2 and 3 are already used for the links to 1 and 4, they cannot be used again for the 2-3 link;
therefore a 10.0.0.x interface is added for the link between 2 and 3.

As a result, 1 and 4 each have one VPN, on the 192 CIDR block, while 2 and 3 each have two VPNs, on the 192 and 10 CIDR blocks.

Key point: the ISAs at the two ends are very simple; they only need a vpn to 2 or 3. The problem is in the middle ISAs. To achieve network-wide forwarding, subnets 1 and 4 must be included in their configuration.
Take 3 as an example. Seen from 192.168.3.X (the tunnel to 4), the intranet is not only 100.0.3.X but also 100.0.1.X and 100.0.2.X; seen from 10.0.0.2 (the tunnel to 2), the intranet must be 100.0.3.X and 100.0.4.X.
In addition, intranet routes for both sides must be configured in the network rules, and mutual access between the two VPNs must be allowed in the firewall policy.
With that, cross-vpn communication works.

Because most of the configuration is the same, the following uses 3 as an example; for the other ISAs only the addresses need to change slightly.

1. ISA management interface - Virtual Private Network - create a site-to-site VPN link.
(Because ISA has a foolproof wizard, only the configuration items are listed here.)

Vpn1 is the link on the 192 CIDR block and vpn2 the link on the 10 CIDR block.

Vpn1 settings for the 192 network segment on ISA3 (the following data is taken from the site-to-site summary in ISA's virtual private network settings):

Local tunnel endpoint: 192.168.3.1
Remote tunnel endpoint: 192.168.4.1

Allow HTTP proxy or NAT traffic to this remote site: configured (the IP address of the local site tunnel endpoint must be included).

IKE Phase I parameters:
Mode: main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bits)
Authentication method: pre-shared secret (XXXX)
Security association lifetime: 28800 seconds

IKE Phase II parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect forward secrecy: ON
Diffie-Hellman group: Group 2 (1024 bits)
Rekey by time: ON
Security association lifetime: 3600 seconds

Rekey by kilobytes: OFF

Remote network 'vpn1' IP subnets:
Subnet: 100.0.4.0/255.255.255.0
Subnet: 192.168.4.1/255.255.255.255 (peer interface)

Local network 'vpn2' IP subnets: (this is the local network mentioned above; from 4's point of view, 1 and 2 are all behind 3 and must be announced so that 4 knows that 1 and 2 are reachable via me)
Subnet: 10.0.0.1/255.255.255.255 (peer interface)
Subnet: 100.0.1.0/255.255.255.0
Subnet: 100.0.2.0/255.255.255.0

Local network 'internal' IP subnet:
Subnet: 100.0.3.0/255.255.255.0

Local IP addresses that can be routed: (note the second entry: the 254 mask actually covers both 100.0.2.X and 100.0.3.X, so the intent is to route all local intranets, that is, 1, 2 and 3)
Subnet: 100.0.1.0/255.255.255.0
Subnet: 100.0.2.0/255.255.254.0

Settings for vpn2 on the 10 network segment on ISA3:

Local tunnel endpoint: 10.0.0.2
Remote tunnel endpoint: 10.0.0.1

Allow HTTP proxy or NAT traffic to this remote site: configured (the IP address of the local site tunnel endpoint must be included).

IKE Phase I parameters:
Mode: main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bits)
Authentication method: pre-shared secret (XXXX)
Security association lifetime: 28800 seconds

IKE Phase II parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect forward secrecy: ON
Diffie-Hellman group: Group 2 (1024 bits)
Rekey by time: ON
Security association lifetime: 3600 seconds

Rekey by kilobytes: OFF

Remote network 'vpn2' IP subnets:
Subnet: 10.0.0.1/255.255.255.255
Subnet: 100.0.1.0/255.255.255.0
Subnet: 100.0.2.0/255.255.255.0

Local network 'vpn1' IP subnets:
Subnet: 100.0.4.0/255.255.255.0
Subnet: 192.168.4.1/255.255.255.255

Local network 'internal' IP subnet:
Subnet: 100.0.3.0/255.255.255.0

Local IP addresses that can be routed:
Subnet: 100.0.3.0/255.255.255.0
Subnet: 100.0.4.0/255.255.255.0

2. ISA management interface - Configuration - Network - Network rules
This part is simple; only the following route rules need adding:
1, 2 ---- 4
4 ---- 1, 2

I wrote these as two rules, but they could be combined into one.

3. ISA management interface - Firewall policy
Add the following policies:
vpn1 -> vpn2: allow
vpn2 -> vpn1: allow



4. From CMD, add two persistent routes with the route add command:
Persistent Routes:
Network Address    Netmask          Gateway Address    Metric
100.0.2.0          255.255.255.0    10.0.0.1           1
100.0.1.0          255.255.255.0    10.0.0.1           1

The reason is that during testing we found that, with this configuration, ISA installed the routes towards the 10 network segment with the gateway set to 10.0.0.2, which is 3's own network adapter, whereas they need to point to 2, that is, 10.0.0.1. It is not clear what causes this. Note that the -p parameter is used with route add so that the routes do not disappear after a restart.

In this way, data from 1 and 2 to 4 enters vpn1 and is sent to 4; data from 4 to 1 and 2 enters vpn2 and is sent to 2; traffic between 3 and 2 or 4 uses the respective vpn directly. That completes 3's task.
2 is configured in the same way.

1 and 4 are relatively simple. Take 4 as an example: after configuring the vpn with 3, add the destination networks 1 and 2. The other steps can be omitted, since by default all data is forwarded through the vpn.
In this way, vpn communication is achieved across the whole network, and all cross-site data is carried inside the vpn tunnels, with nothing in clear text.
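As an added example (my own code, not from the original article or ISA), the following Python computes the per-tunnel subnet lists for the 1-2-3-4 chain that the ISA3 summary above lists by hand, and collapses the routable local subnets into the /23 noted there. The site numbers, addresses and chain links are the article's; the data layout and function names are my own.

```python
"""Which intranets must each site announce on each tunnel of a chain topology?

Model: sites 1-2-3-4 linked in a chain. On a given tunnel, the 'local' side
is every site reachable without crossing that tunnel, the 'remote' side is
every site reachable from the peer without crossing it."""
from ipaddress import ip_network, collapse_addresses

# Constructed from the article's model: site -> its internal network
INTERNAL = {
    1: ip_network("100.0.1.0/24"),
    2: ip_network("100.0.2.0/24"),
    3: ip_network("100.0.3.0/24"),
    4: ip_network("100.0.4.0/24"),
}
# Chain links (tunnels) with the tunnel endpoint address of each side
LINKS = [
    ((1, "192.168.1.1"), (2, "192.168.2.1")),
    ((2, "10.0.0.1"), (3, "10.0.0.2")),
    ((3, "192.168.3.1"), (4, "192.168.4.1")),
]


def sites_behind(site, via_link):
    """All sites reachable from `site` without crossing `via_link`."""
    seen, stack = set(), [site]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        for link in LINKS:
            if link == via_link:
                continue
            a, b = link
            if a[0] == s:
                stack.append(b[0])
            elif b[0] == s:
                stack.append(a[0])
    return seen


def traffic_selectors(site):
    """peer -> (local subnets, remote subnets) for each tunnel of `site`.

    The peer's tunnel endpoint is added as a /32 on the remote side, as the
    ISA summary does with its '(peer interface)' entries."""
    result = {}
    for link in LINKS:
        a, b = link
        if site not in (a[0], b[0]):
            continue
        peer = b if a[0] == site else a
        local = {INTERNAL[s] for s in sites_behind(site, link)}
        remote = {INTERNAL[s] for s in sites_behind(peer[0], link)}
        remote.add(ip_network(peer[1] + "/32"))
        result[peer[0]] = (sorted(local), sorted(remote))
    return result


def summarize(nets):
    """Aggregate adjacent prefixes: 100.0.2.0/24 + 100.0.3.0/24 -> 100.0.2.0/23,
    the 255.255.254.0 entry the article notes under the routable local list."""
    return sorted(collapse_addresses(nets))


def check_isa3():
    """Compare the computed lists with the article's ISA3 summary."""
    sel = traffic_selectors(3)
    vpn2_remote = [str(n) for n in sel[2][1]]
    routable = [str(n) for n in summarize(sel[4][0])]
    return (vpn2_remote == ["10.0.0.1/32", "100.0.1.0/24", "100.0.2.0/24"]
            and routable == ["100.0.1.0/24", "100.0.2.0/23"])
```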

IV. Level 4: FC9 (S1)-FC9 (S2)-FC9 (S3)-FC9 (S4)
The customer raised new requirements. Because of a service upgrade, the servers were replaced with the latest Fedora 9, and the vpn platform was to be integrated into them.
As the model and the implementation logic remain unchanged, we felt the difficulty was not much higher this time. But was that true?

We decided to use the fc vpn.
First, install ipsec-tools when installing FC. In fc, the ipsec vpn implementation is split into several parts: the kernel performs the actual encryption, racoon performs the key negotiation, and the upper-layer vpn management is implemented by the ipsec-tools network scripts.

Take S3 as an example.

1. Enable route forwarding
To let fc route network data normally, you must first



Make the changes to ensure forwarding is on. Afterwards, run sysctl -p /etc/sysctl.conf to reload the configuration without restarting.

2. Configure the ipsec vpn
On the network configuration tool an IPsec tab appears, from which the vpn configuration wizard can be started.



When entering the network gateway, enter the gateway directly connected to the corresponding intranet, whether local or remote.
 


Complete the configuration following the wizard, and the vpn is established.

3. Adjust other configuration as needed
As mentioned above, the fc vpn implementation has two parts, ipsec-tools and racoon. Which configuration files does each of them maintain?

ipsec-tools configuration:
All ipsec-tools files are stored in /etc/sysconfig/network-scripts.
Vpn configuration: a script file named "ifcfg-<your vpn name>" is created in /etc/sysconfig/network-scripts. Taking the vpn towards S4 built on S3 as an example, the format is as follows:



The data entered in the wizard is handled the same way as in ISA earlier. We want to send the 1 and 2 network segments to S4, so we added two source intranets.

Pre-shared key: the pre-shared key just configured is stored in plaintext in /etc/sysconfig/network-scripts/keys-<your vpn name>.

So the two files managed by ipsec-tools are now clear.

Next, let's see what racoon, which supervises the encryption negotiation, has to offer.
Before modifying this part of the configuration, we strongly recommend reading the manual with man racoon.conf, because racoon is exceptionally powerful.

Phase 1 (IKE) negotiation file: /etc/racoon/192.168.4.1.conf



Multiple encryption suites can be created here with proposal {} blocks, for negotiation and selection.

Phase 2 (ipsec) negotiation file: /etc/racoon/racoon.conf
 


Multiple negotiation parameter sets can be added here as well.
An include statement must be used at the end to include the Phase 1 file name; several VPNs can be included at the same time.

Pre-shared key: /etc/racoon/psk.txt
The file format is simple and needs no explanation.

4. Push routes
As with ISA, routes must be pushed into fc as well: use route add to install the subnets of 1 and 2, pointing at the vpn gateway to the left.

5. Start the vpn
Starting the vpn is very simple: run "ifup <script name>", or use "Activate" and "Deactivate" in the network configuration tool shown earlier.

6. Cause of failure
For this model, fc9 was ultimately not adopted, because the "upper layer" of ipsec-tools enforces a protection mechanism: the first two network segments we had added by hand were deleted and only the last one was kept, that is, the configuration must match exactly what was entered in the wizard, and manually editing the script file has no effect. This happens when the vpn is activated: the ifcfg script is rewritten back to a single network segment. Even after forcing the additional CIDR blocks in, we could only achieve partial connectivity, such as S1-S2-S3 or S2-S3-S4, and never S1 to S4. This restriction is hard to understand, because a network-to-network vpn does not need the intranet CIDR block and gateway to be specified explicitly; only the addresses of the two negotiating endpoints are needed. ISA had already felt too limiting, and we did not expect ipsec-tools to be even more restrictive; it left us more than a little confused.

V. Level 5: openswan (S1)-openswan (S2)-openswan (S3)-openswan (S4)
Given the failure of the previous model, the customer proposed adopting the more secure and flexible openswan for the ipsec connections.
This openswan is built on fc9, which means we only replaced ipsec-tools on top of the previous setup, to solve the problem that the subnet could not be specified multiple times. With openswan, racoon is not used; openswan uses the pluto process to manage negotiation, and its inspection command is setkey. Since kernel 2.6, Linux has replaced the KLIPS ipsec kernel stack with netkey; if you still want KLIPS, adjust for it when compiling and installing.

Take S3 as an example.

1. Installation
Installing openswan is simple. fc9 has its own release package, so it can be installed directly with rpm; compiling and installing from the source package is more difficult and is not covered here.

2. Check the environment
Openswan provides the ipsec verify command to check whether the current environment meets the vpn configuration requirements.



Note that sysctl needs to be adjusted as before, but openswan's requirements are much stricter than the previous model's. Roughly, the list is as follows:



SELinux also needs to be disabled. NAT and OE detection are adjusted according to the user's needs; it does not matter if those checks fail.

3. Configuration
Openswan configuration only involves two files. We strongly recommend checking the manual with man ipsec.conf before configuring.
The two files are /etc/ipsec.conf and /etc/ipsec.secrets.

ipsec.conf manages ipsec negotiation and networking. Its configuration is as follows:
Part 1: global



This mainly controls broad settings such as NAT-T, OE and debug levels.

Part 2: vpn instance
 


The CIDR block configuration here is flexible. You can configure the intranet and gateway, or configure no CIDR block at all and only the two peer endpoints, because intranet communication over the vpn can rely entirely on routing.
Someone may ask where the negotiation parameters are. If none are specified, the defaults are used; if specified, they go in this section, with the following structure:
 


A few examples. The IKE parameters are a comma-separated list, each entry in the form encryption-hash-dh-group. Appending "!" makes the list strict, that is, the peer must accept one of exactly these proposals. The ESP part carries the same meaning in its own format, and lifetimes can be specified as well. There is also a switch not mentioned in the man page: ikev2=never disables ikev2 so that only ikev1 is negotiated.
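An added example (my own code, not openswan's) of the proposal-list semantics just described: parse enc-hash-dh lists, treat a trailing "!" as strict, and see what two peers would agree on. The fallback list appended to a non-strict line is an assumption for the demo, not openswan's real default list; the modp-to-group numbers are the IANA values.

```python
"""Parse openswan-style ike= proposal lists and simulate which proposal two
peers settle on, to show what the trailing "!" (strict) actually buys."""
from dataclasses import dataclass

# IANA IKE Diffie-Hellman group numbers for the modp names used in ike= lines
DH_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}

# ASSUMPTION for this demo: proposals appended when a line is NOT strict, as a
# stand-in for built-in defaults. Not taken from openswan.
FALLBACK = ["3des-sha1-modp1024", "3des-md5-modp1024"]


@dataclass(frozen=True)
class Proposal:
    enc: str
    integ: str
    dh: str

    @classmethod
    def parse(cls, text):
        parts = text.strip().split("-")
        if len(parts) != 3:
            raise ValueError(f"{text!r}: expected enc-hash-dh, e.g. 3des-sha1-modp1024")
        if parts[2] not in DH_GROUP:
            raise ValueError(f"{text!r}: unknown DH group {parts[2]!r}")
        return cls(*parts)

    def group_number(self):
        """DH group number as the ISA summaries above show it ('Group 2')."""
        return DH_GROUP[self.dh]


def explicit_proposals(line):
    """Only the proposals the administrator wrote, in order."""
    return [Proposal.parse(p) for p in line.rstrip("!").split(",")]


def parse_ike(line):
    """(ordered acceptable proposals, strict flag) for an ike= value.

    With "!" only the listed proposals count; without it the fallback list is
    appended after them, so weaker defaults stay negotiable."""
    strict = line.endswith("!")
    props = explicit_proposals(line)
    if not strict:
        for fb in FALLBACK:
            p = Proposal.parse(fb)
            if p not in props:
                props.append(p)
    return props, strict


def negotiate(initiator_line, responder_line):
    """First initiator proposal the responder accepts, or None (no SA)."""
    init, _ = parse_ike(initiator_line)
    acceptable = set(parse_ike(responder_line)[0])
    for p in init:
        if p in acceptable:
            return p
    return None


def downgraded(initiator_line, responder_line):
    """True when the SA was only reached via a fallback default on the
    initiator side, i.e. a proposal the administrator never wrote down."""
    chosen = negotiate(initiator_line, responder_line)
    return chosen is not None and chosen not in explicit_proposals(initiator_line)
```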

ipsec.secrets manages keys. Its configuration is as follows:
10.0.0.1 10.0.0.2: PSK "XXXX"

If routes need to be pushed for the same forwarding as before, that is no different and is not repeated here.

4. Start
Openswan provides a wide range of control and verification commands.
ipsec setup start | stop | restart starts, stops or restarts the ipsec processes, including the encryption stack;
ipsec auto --add <name> loads the given connection; if auto=add was configured earlier, the connection is loaded automatically but not started;
ipsec auto --up <name> brings the connection up; if auto=start was configured earlier, it is both loaded and started automatically.

ipsec look shows the current ipsec negotiation status and whether a connection is established.
setkey -D shows the state after key negotiation completes.

VI. Level 6: freeswan (S1)-freeswan (S2)-freeswan (S3)-freeswan (S4)
At this point the customer found a problem in use: openswan does not support AH. Because AH has some insecure characteristics, it has been dropped outright by some vpn products in recent years. We decided to use openswan's predecessor, freeswan; freeswan likewise removed AH support after version 2.6, so we used version 1.99.
To support the older freeswan we changed the system to Red Hat 9.
Since freeswan and openswan share the same lineage, the configuration format and environment are very similar, so below we only briefly cover the differences.

1. freeswan provides fewer ipsec verify checks, which is also related to Red Hat 9 not supporting many features.
 


The ipsec core is the old KLIPS.

2. If a "length exceeded" error is reported during ipsec setup start, comment out the following two lines in /usr/local/lib/ipsec/_confread:



3. The structure of ipsec.conf is similar. To enable AH authentication, add auth=ah.

4. IKE and ESP parameters must be specified through the spi settings.

5. If the ipsec module is not loaded at startup, load it with modprobe ipsec.

6. freeswan does not provide the setkey command.

VII. Hidden level: openvpn ssl vpn

In the end, our customer tried to increase security further by wrapping an ssl vpn around the ipsec vpn...
Back to work!

1. Download and install the openvpn software.

2. Generate keys and certificates for the server and clients. There are many tutorials online, so this is not described in detail.

3. Modify the configuration files. Here there is an intranet on both sides.

Server:
port 1765
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key

dh dh1024.pem
server 10.6.0.0 255.255.255.0         # the address range inside the vpn tunnel can be adjusted here
push "route 192.168.1.0 255.255.255.0" # push the local intranet

client-config-dir ccd                 # create a directory named ccd next to the configuration file
push "route 172.16.1.0 255.255.255.0"  # push the target intranets
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
client-to-client                      # enable forwarding between clients
route 172.16.1.0 255.255.255.0        # route to the destination intranets
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0

tls-server
tls-auth ta.key 0
comp-lzo

user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 5

This step is important: create a per-client file in the ccd directory. Many people skip this step. Its content is as follows:

iroute 172.16.1.0 255.255.255.0       # tells the server which intranets are reachable behind this client
iroute 192.168.2.0 255.255.255.0
iroute 192.168.3.0 255.255.255.0

Client:

client
dev tun
proto tcp

remote <server IP address> 1765       # must match the server's port directive

resolv-retry infinite
nobind
user nobody
group nobody

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

ns-cert-type server
tls-client
tls-auth ta.key 1
comp-lzo

verb 4

4. Dialing
When dialing, start the server first so that it obtains its tunnel address and the icon turns green, then dial from the client. After that, both sides should be able to reach each other's intranet.
Note that the client's intranet routes sometimes fail to be installed and must be added manually; the method is the same as setting routes in Windows.
That brings us to the end. Although we have tried only a small part of the vpn arsenal, most of them are free, and the ideas behind them are the same. As the vpn tide surges, we should carry forward the revolutionary tradition and dig deeper into doing more practical work with less money. I believe many more models can be implemented.
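An added check (my own code, not part of the article or OpenVPN) for the directives this step depends on: each client-side subnet needs route, push "route" and iroute together, every netmask must be well formed, and the client's remote port must match the server's port. The sample configurations are constructed, with deliberate mismatches so the lint has something to report.

```python
"""Lint an OpenVPN server config, a ccd client file and a client config for
the consistency problems that make 'intranet behind the client' routing fail."""
import shlex

# Constructed sample, reduced from the article's layout. The 5-octet netmask,
# the missing route/push for 192.168.3.0 and the port mismatch are deliberate.
SERVER_CONF = """
port 1765
proto tcp
server 10.6.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-to-client
route 172.16.1.0 255.255.255.255.0
route 192.168.2.0 255.255.255.0
client-config-dir ccd
"""
CCD_CLIENT = """
iroute 172.16.1.0 255.255.255.0
iroute 192.168.2.0 255.255.255.0
iroute 192.168.3.0 255.255.255.0
"""
CLIENT_CONF = """
client
proto tcp
remote vpn.example.invalid 1756
"""


def directives(text):
    """Yield (name, args) per line, skipping blanks and comments; the quoted
    payload of push "..." comes back as a single argument."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = shlex.split(line)
            yield name, args


def valid_mask(mask):
    """Four octets whose bits are contiguous ones followed by zeros."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return False
    bits = "".join(f"{int(o):08b}" for o in octets)
    return "01" not in bits


def lint(server, ccd, client):
    findings = []
    routes, pushed, port = {}, set(), None
    for name, args in directives(server):
        if name == "route" and len(args) >= 2:
            routes[args[0]] = args[1]
            if not valid_mask(args[1]):
                findings.append(f"route {args[0]}: malformed netmask {args[1]}")
        elif name == "push" and args and args[0].startswith("route "):
            pushed.add(args[0].split()[1])
        elif name == "port" and args:
            port = args[0]
    for name, args in directives(ccd):
        if name == "iroute" and args:
            net = args[0]
            if net not in routes:   # kernel has no route into the tun device for it
                findings.append(f"iroute {net}: no matching server 'route'")
            if net not in pushed:   # other clients never learn the subnet
                findings.append(f"iroute {net}: not pushed to clients")
    for name, args in directives(client):
        if name == "remote" and len(args) >= 2 and args[1] != port:
            findings.append(f"client remote port {args[1]} != server port {port}")
    return findings
```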
