Using IKE to build an enterprise virtual network (I)

Source: Internet
Author: User
At present, Internet communication faces two main risks: 1. information is eavesdropped on or illegally modified in transit; 2. illegal access to, and attacks on, the intranet from the Internet. VPN technology stands out here because it can effectively solve the security problems of transmitting data over the Internet.
  
IPSec is a widely accepted technology for implementing VPNs and is widely used in enterprises. IPSec protects packets at the IP layer. It provides security services such as data origin authentication, connectionless data integrity, data confidentiality, anti-replay protection and limited traffic-flow confidentiality, and can reduce the risks of Internet communication to a considerable extent.
  
IKE (Internet Key Exchange) is a crucial protocol in IPSec, because IPSec relies on it to negotiate the security parameters it needs, including peer authentication, encryption keys and the security methods to use. The main function of IKE is to establish and maintain security associations (SAs).
  
This article introduces IPSec and IKE, describes how to set up a Linux VPN running environment and configure IKE, and gives an example of using IKE to build a VPN application.
  
Introduction to IPSec and IKE
  
1. IPSec introduction
  
IPSec consists of a group of protocols, including AH, ESP, IKE, and the encryption and authentication algorithms. ESP provides confidentiality of IP packets (they cannot be read by others), data integrity and data origin authentication, and it also resists replay attacks. AH likewise provides data integrity, data origin authentication and anti-replay protection, but it cannot provide data confidentiality.
  
IPSec security services are provided by the security association (SA) established by both parties. An SA states the specific details of how a policy is implemented: source/destination address, application protocol, SPI (Security Parameter Index) and algorithm/key/length. These determine the IPSec protocol, mode, algorithm/key, lifetime, anti-replay window and counters used to protect the data.
  
Each IPSec node contains a security policy database (SPD). The SPD determines the security requirements of the entire VPN. Each entry in the SPD defines which traffic to protect, how to protect it, and with whom the protection is shared. When processing inbound and outbound IP traffic, the IPSec system must consult this policy database and handle the traffic according to the policy extracted from the SPD: discard it, bypass IPSec, or apply IPSec protection.
  
The IPSec protocols (AH and ESP) have two working modes: transport mode and tunnel mode. Transport mode protects upper-layer protocols, while tunnel mode protects the entire IP datagram. In transport mode, an IPSec header is inserted between the IP header and the upper-layer protocol header; in tunnel mode, the entire IP packet to be protected is encapsulated in another IP datagram, with the IPSec header inserted between the outer and inner IP headers.
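The policy path described above (SPD lookup deciding discard, bypass or protect; SADB lookup by destination, SPI and protocol; the anti-replay window) can be modelled in a few dozen lines. The following is an added example written for this article, not code from the article or from any IPsec implementation; every address, SPI and policy entry in it is constructed, and the first-match SPD ordering and 32-bit replay window are design choices of the example.

```python
"""Toy model of the IPsec policy path: SPD lookup, SADB lookup and the
anti-replay window. Added example, not from the article or any IPsec
implementation; every address, SPI and policy below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SpdEntry:
    """One SPD entry: traffic selectors plus the action for matching traffic."""
    src: str                 # source selector, CIDR
    dst: str                 # destination selector, CIDR
    proto: str               # "any", "tcp", "udp", ...
    action: str              # "discard", "bypass" or "protect"
    ipsec_proto: str = ""    # "esp" or "ah" when action == "protect"
    mode: str = ""           # "transport" or "tunnel"
    peer: str = ""           # remote tunnel endpoint for tunnel mode

    def matches(self, src, dst, proto):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto))


# Constructed SPD, consulted in order: the first matching entry wins.
SPD = [
    # traffic between the two private networks goes through an ESP tunnel
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", "any", "protect", "esp", "tunnel", "203.0.113.2"),
    # traffic that stays inside the local network bypasses IPsec
    SpdEntry("10.1.0.0/16", "10.1.0.0/16", "any", "bypass"),
    # everything else is discarded
    SpdEntry("0.0.0.0/0", "0.0.0.0/0", "any", "discard"),
]


def spd_lookup(src, dst, proto, spd=SPD):
    for entry in spd:
        if entry.matches(src, dst, proto):
            return entry
    return None  # no policy at all: treated as discard below


@dataclass
class SaEntry:
    """One inbound SA, keyed by (dst, spi, proto), with anti-replay state."""
    spi: int
    proto: str
    dst: str
    window_size: int = 32
    highest_seq: int = 0
    bitmap: int = 0          # bit i set => sequence number highest_seq - i was seen

    def check_replay(self, seq):
        """Sliding-window replay check; returns True and records seq if fresh."""
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.highest_seq:             # advance the window
            shift = seq - self.highest_seq
            if shift >= self.window_size:
                self.bitmap = 1                # everything older falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False                       # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                       # already seen: replay
        self.bitmap |= 1 << diff
        return True


SADB = {}


def sadb_add(sa):
    SADB[(sa.dst, sa.spi, sa.proto)] = sa


def process_outbound(src, dst, proto):
    """Outbound path: the SPD decides discard / bypass / protect (and how)."""
    entry = spd_lookup(src, dst, proto)
    if entry is None or entry.action == "discard":
        return ("discard", None)
    if entry.action == "bypass":
        return ("bypass", None)
    return ("protect", (entry.ipsec_proto, entry.mode, entry.peer))


def process_inbound(dst, spi, proto, seq):
    """Inbound path: find the SA by (dst, SPI, proto), then apply the replay window."""
    sa = SADB.get((dst, spi, proto))
    if sa is None:
        return "no-sa"
    return "accept" if sa.check_replay(seq) else "drop"


if __name__ == "__main__":
    sadb_add(SaEntry(spi=0x1000, proto="esp", dst="203.0.113.1"))
    print(process_outbound("10.1.2.3", "10.2.4.5", "tcp"))
    for seq in (1, 5, 5, 3, 1):
        print(seq, process_inbound("203.0.113.1", 0x1000, "esp", seq))
```

Two points worth noticing: a packet for which no SPD entry matches is discarded rather than passed, and an inbound packet whose sequence number is older than the window is dropped exactly like a replayed one, because the receiver can no longer tell the two apart.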
  
2. about IKE
  
Before IPSec can protect an IP packet, an SA must exist. IKE is used to create SAs dynamically: it negotiates SAs on behalf of IPSec and populates the SADB and SPD databases.
  
IKE interacts with the kernel through the PF_KEY interface to update the kernel's SPD and SADB. The SADB is a logical entity in the kernel that stores, updates and deletes the security association data of security protocols. Security protocols (such as IPSec) use logical interfaces in the kernel to request and obtain SAs.
  
IKE specifies two independent phases of negotiation. The first phase establishes an authenticated, protected channel, the IKE SA, between the communicating parties. For this phase IKE uses the identity protection exchange and the aggressive exchange derived from the base ISAKMP document, namely "main mode" and "aggressive mode". Either of them establishes a secure, authenticated communication channel (the IKE SA) and an authenticated key, providing confidentiality, message integrity and message origin authentication for the IKE communications between the two parties.
  
The IKE SA carries a set of parameters called the "protection suite", including the encryption algorithm, hash algorithm, authentication method and Diffie-Hellman group. Some optional attributes can also be negotiated as part of the protection suite. A "lifetime" (validity period) must be specified ahead of these optional attributes.
  
For the second phase, IKE defines the quick mode exchange. Once the IKE SA has been established in the first phase, it is used to protect the negotiation of the IPSec SA parameters, such as the encryption algorithm, authentication algorithm, keys and lifetime.
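The protection-suite negotiation of the first phase reduces to a simple rule: the initiator offers an ordered list of transforms, and the responder accepts the first one that is also on its own list, negotiating the lifetime down to its own ceiling. The following is an added example that models that selection; it is not code from the article or from isakmpd, and the algorithm names, group numbers and lifetimes in it are constructed for illustration.

```python
"""Toy model of IKE phase-1 protection-suite selection. Added example, not
from the article or isakmpd; transform values below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transform:
    enc: str                 # encryption algorithm, e.g. "aes-128", "3des"
    hash: str                # hash algorithm, e.g. "sha1", "md5"
    auth: str                # authentication method: "psk" or "rsa-sig" (X.509)
    dh_group: int            # Diffie-Hellman (MODP) group number
    lifetime: int = 28800    # IKE SA lifetime in seconds

    def suite(self):
        """Everything except the lifetime: the part both sides must match exactly."""
        return (self.enc, self.hash, self.auth, self.dh_group)


@dataclass
class ResponderPolicy:
    acceptable: tuple        # Transforms the responder is willing to use
    max_lifetime: int = 3600 # responder's ceiling on the negotiated lifetime


def select_transform(offered, policy):
    """Return the agreed Transform, or None if no offered suite is acceptable.

    Proposals are scanned in the initiator's order of preference; the
    lifetime is negotiated down to the responder's maximum.
    """
    allowed = {t.suite() for t in policy.acceptable}
    for proposal in offered:
        if proposal.suite() in allowed:
            return replace(proposal, lifetime=min(proposal.lifetime, policy.max_lifetime))
    return None


def rejection_reasons(proposal, policy):
    """Per-attribute explanation of why a proposal fails, useful when a peer
    cannot connect. A proposal may still fail with an empty list here when
    every attribute is individually permitted but the combination is not."""
    reasons = []
    for attr in ("enc", "hash", "auth", "dh_group"):
        permitted = {getattr(t, attr) for t in policy.acceptable}
        if getattr(proposal, attr) not in permitted:
            reasons.append(f"{attr}={getattr(proposal, attr)} not permitted")
    return reasons


# Constructed responder policy: two suites, one certificate based, one PSK based.
POLICY = ResponderPolicy(
    acceptable=(Transform("aes-128", "sha1", "rsa-sig", 14),
                Transform("3des", "sha1", "psk", 2)),
    max_lifetime=3600,
)

if __name__ == "__main__":
    offered = [Transform("des", "md5", "psk", 1, 86400),
               Transform("3des", "sha1", "psk", 2, 86400)]
    print(select_transform(offered, POLICY))
    print(rejection_reasons(offered[0], POLICY))
```

Because the responder only ever answers with a suite from its own list, a weak proposal placed first by the initiator is skipped rather than accepted, and the responder's lifetime ceiling, not the initiator's request, bounds how long the IKE SA lives.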
  
Establish a Linux VPN running environment
  
1. upgrade to kernel 2.6.0
  
Currently, most Linux distributions are based on the 2.4.x kernel, and most Linux VPN implementations use the FreeS/WAN software. The protocol stack of the 2.6.0 kernel now has IPSec processing code built in, so upgrading the kernel to 2.6.0 lets you use its native IPSec support. The Linux VPN implementation described in this article is based on Red Hat 9.0.
  
There are many articles about how to upgrade the kernel to 2.6.0, so only the basic steps are listed here.
  
(1) Download the 2.6.0 kernel from www.kernel.org and put it in the /usr/src directory.
  
(2) Unpack the kernel source into the /usr/src directory.
  
# tar -zxvf linux-2.6.0.tar.gz
# cd linux-2.6.0
# make mrproper
# make menuconfig
  
Note: to remain compatible with the file system used under kernel 2.4.x, the ext3 file system must be built into the kernel (selected as <*>, not as a module). Select the following four items under "Networking options" so that the kernel supports IPSec.
  
<*> PF_KEY sockets
<*> IP: AH transformation
<*> IP: ESP transformation
<*> IP: IPComp transformation
  
# make; make bzImage
# make modules; make modules_install
# make install

Reboot the system into kernel 2.6.0.
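After `make menuconfig`, the selections above end up in the kernel's .config file as CONFIG_ symbols, and it is easy to lose one or leave it as a module. The following added example, not from the article, checks a .config text for the four IPSec options and for ext3 being built in. The symbol names (CONFIG_NET_KEY, CONFIG_INET_AH, CONFIG_INET_ESP, CONFIG_INET_IPCOMP, CONFIG_EXT3_FS) are the 2.6 Kconfig names for the menu items listed above; the sample .config text is constructed.

```python
"""Check a kernel .config for the IPSec options selected above and for ext3
built in. Added example, not from the article; the sample .config text is
constructed."""
import re

# symbol -> menuconfig label; the note selects all of them as <*> (built in),
# so only the value "y" passes
REQUIRED = {
    "CONFIG_NET_KEY": "PF_KEY sockets",
    "CONFIG_INET_AH": "IP: AH transformation",
    "CONFIG_INET_ESP": "IP: ESP transformation",
    "CONFIG_INET_IPCOMP": "IP: IPComp transformation",
    "CONFIG_EXT3_FS": "Ext3 journalling file system support",
}

_SET = re.compile(r"^(CONFIG_\w+)=(\S+)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Return {symbol: value}; options commented out as 'is not set' map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_ipsec_config(text):
    """Return (symbol, label, actual value) for every requirement that is not met."""
    opts = parse_config(text)
    problems = []
    for symbol, label in REQUIRED.items():
        actual = opts.get(symbol, "missing")
        if actual != "y":
            problems.append((symbol, label, actual))
    return problems


# Constructed sample: AH and ext3 were built as modules, IPComp never selected.
SAMPLE_CONFIG = """\
# Automatically generated make config: don't edit
CONFIG_NET_KEY=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=y
# CONFIG_INET_IPCOMP is not set
CONFIG_EXT3_FS=m
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for symbol, label, actual in check_ipsec_config(text):
        print(f"{symbol} ({label}): expected y, found {actual}")
```

Run it as `python3 check_config.py /usr/src/linux-2.6.0/.config` before building; no output means all five options are built in.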
  
(3) Install the IPSec manual configuration tool, ipsec-tools.
  
# ./configure
# make; make install
  
The setkey program that comes with ipsec-tools can be used to configure the SPD and SAs manually.
  
When the IKE daemon racoon that comes with ipsec-tools is running, the tunnel-mode negotiation cannot be started automatically: the SA request must be initiated by the kernel, so the security policy must be entered manually beforehand. This is very inconvenient for a VPN application, which is why the isakmpd daemon described below is used here.
  
2. install IKE-related applications
  
The IKE authentication methods described in this article support pre-shared keys and X.509 certificates. To support X.509 certificate authentication, KeyNote must be installed first.
  
To install KeyNote, follow these steps:
  
(1) Get the source code keynote.tar from http://www1.cs.columbia.edu/~angelos/keynote.html.
  
(2) Unpack and compile it.
  
# tar -xvf keynote.tar
# ./configure
# make
  
Note: KeyNote's header files and its library libkeynote.a are required when compiling isakmpd.
  
Now isakmpd can be installed. isakmpd first ran on OpenBSD and was ported to Linux by Thomas Walpuski, so traces of OpenBSD can be seen in the source code.
  
To install isakmpd, follow these steps:
  
(1) Get the source code isakmpd.tgz from http://bender.thinknerd.de/~thomas/IPsec/isakmpd-linux.html.
  
(2) Unpack and compile.
  
# tar -zxvf isakmpd.tgz
  
Edit the GNUmakefile and set OS to Linux.
  
Edit isakmpd/sysdep/linux/GNUmakefile.sysdep and add the header directories of kernel 2.6.0 and KeyNote to the compiler's include path.
  
# make
  
(3) Set up the runtime directories.
  
# mkdir /etc/isakmpd

Stores the configuration and policy files.

# mkdir /etc/isakmpd/ca

Stores the CA's X.509 certificate.

# mkdir /etc/isakmpd/certs

Stores the X.509 certificates of the local host and of other hosts.

# mkdir /etc/isakmpd/private

Stores the private key of the local machine.

# cp isakmpd /usr/sbin/.
  
Now, the Linux operating environment supporting IPSec and IKE has been set up.
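The directory tree above holds the host's private key, so the permissions of /etc/isakmpd/private matter as much as its existence. The following added example, not from the article or from isakmpd, creates the same four directories under a chosen root, sets explicit modes (0700 on private/, an added hardening choice the article does not state), and audits that nothing under private/ is group- or world-accessible. Pass root="/etc" on a real host; run_demo() uses a temporary directory and a constructed placeholder key file.

```python
"""Create the isakmpd runtime directory tree and audit the private-key
directory's permissions. Added example, not from the article or isakmpd;
the 0700 mode on private/ and the placeholder key file are constructed."""
import os
import stat
import tempfile

# relative path -> mode; everything except private/ may stay world-readable
LAYOUT = {
    "isakmpd": 0o755,           # configuration and policy files
    "isakmpd/ca": 0o755,        # CA certificate
    "isakmpd/certs": 0o755,     # local and peer certificates
    "isakmpd/private": 0o700,   # the local host's private key
}


def create_layout(root):
    """Create the directories with explicit modes and return the modes actually set."""
    for rel, mode in LAYOUT.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)                  # explicit chmod: makedirs is subject to umask
    return {rel: stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)
            for rel in LAYOUT}


def audit_private(root):
    """Return findings for private/ and the files in it; an empty list means clean."""
    findings = []
    private = os.path.join(root, "isakmpd/private")
    mode = stat.S_IMODE(os.stat(private).st_mode)
    if mode & 0o077:
        findings.append(f"{private}: mode {mode:04o} grants group/other access")
    for name in os.listdir(private):
        path = os.path.join(private, name)
        fmode = stat.S_IMODE(os.stat(path).st_mode)
        if fmode & 0o077:
            findings.append(f"{path}: mode {fmode:04o} grants group/other access")
    return findings


def run_demo(root=None):
    """Build the tree (in a fresh temp dir by default), audit it, then loosen
    private/ and the key file to show the audit catching both."""
    root = root or tempfile.mkdtemp(prefix="isakmpd-demo-")
    modes = create_layout(root)
    key = os.path.join(root, "isakmpd/private/local.key")   # constructed placeholder
    fd = os.open(key, os.O_WRONLY | os.O_CREAT, 0o600)
    os.write(fd, b"placeholder, not a real key\n")
    os.close(fd)
    os.chmod(key, 0o600)
    clean = audit_private(root)
    os.chmod(os.path.join(root, "isakmpd/private"), 0o755)
    os.chmod(key, 0o644)
    loosened = audit_private(root)
    return {"modes": modes, "clean": clean, "loosened": loosened}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The explicit chmod after makedirs is deliberate: a permissive umask would otherwise leave private/ readable by every local user, and the daemon would still start without complaint.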