Professional Documents
Culture Documents
Diplomna Rabota FN21110
Diplomna Rabota FN21110
: VPN
SUnet
: , . 21110, :
: . ,,
. 15.07.2006 .
1. VPN.
1.1. (VPN)
1.2. VPN
1.3. VPN
1.4. , VPN
1.5. , VPN
1.6. VPN
1.7. VPN
2. IPSec.
2.1. , IPSec.
2.2. Encapsulating Security Payload (ESP)
2.3. Authentication Header (AH)
2.4. Internet Key Exchange (IKE)
3. Openswan VPN .
3.1. ipsec.conf.
Openswan
3.2. K ipsec.secrets.
4. SUNet
ADSL . .
4.1. Openswan
4.2. Openswan vpn.uni-sofia.bg
4.3. L2TP PPP vpn.uni-sofia.bg
4.4. Openswan
4.5. Windows XP Openswan
l2tp/ipsec
1.1.
VPN ,
,
( ). VPN
4
.
,
.
VPN
( ),
. VPN
(wide area network - WAN) .
,
,
.
,
.
: , ,
, , .
, .
- , ,
.
VPN
.
1.2. VPN.
.
VPN ,
.
1.2.
,
VPN .
.
dial-up
.
.
VPN
.
,
Frame Relay, WAN
, .
VPN
:
VPN .
, VPN
VPN .
VPN (Demand-Dial VPN Networking).
dial-up VPN -
, ,
.
6
,
LAN .
,
, LAN .
1.3. VPN.
VPN ,
, (data integrity)
.
.
LAN ,
.
, VPN
:
.
VPN VPN
.
VPN.
. VPN
,
,
dns ,
.
. , ,
VPN .
.
. , VPN
, ,
,
,
.
1.4. , VPN.
, .
:
1. . ,
.
( ) ,
.
(plain) (cipher).
, cipher plain
.
:
3DES (Triple DES)
DES (Data Encryption Standard). Triple DES
DES
56- .
BlowFish, TwoFish, Goldfish. BlowFish 64- ,
, 32 448 .
. Goldfish Twofish Blowfish.
AES (Advanced Encryption Standard) - AES - ,
Rijndael, 2000 .
128 , 192 1024 .
2. .
, .
-
,
. -
,
, -
. - :
8
,
. RSA , DSA VPN
, Diffie-Hellman
. - DSA Diffie-Hellman
.
.
:
: 112-
.
: 1024-
2048- .
1.5. , VPN.
1.5.1. .
(,
) ,
(message digests).
,
.
.
9
,
- ,
.
:
MD5 (Message Digest) MD2 MD4,
128- .
SHA1 (Secure Hash Algorithm) ,
512 160-
.
MAC (Message Authentication Codes) ,
,
.
HMAC (Hash Message Authentication Codes) ,
.
, -
MD5 SHA.
1.5.2. ,
VPN .
(Pre shared secret).
.
.
,
. ,
(certification authority -CA),
. ,
, , ,
CA. CA ,
. ,
,
10
.
.
1.6. VPN.
.
,
, ,
.
.
,
, , ,
PFS (Perfect Forward Secrecy). PFS ,
.
Denial of service ( ). DoS ,
, .
:
. - .
,
.
.
PPTP Denial-of-Service (DoS) Windows NT,
OpenBSD , AH/ESP
( IPSec), DoS,
Windows 2000 IKE IPSec.
.
VPN ,
Windows, VPN
. VPN
.
11
7
6
5
4
3
2
1
OSI
TCP/IP
TCP,UDP
IP , ICMP
1.3.
IP
Header
GRE
Header
PPP
Header
PPP Payload
1.4.
PPTP :
MSCHAP-v2 EAP-TLS,
. Microsoft MSCHAP-v2 PPP
e MSCHAP-v1 Challenge
Handshake Authentication Protocol (CHAP). MSCHAP
.
PPTP Microsoft Point-to-Point Encryption
(MPPE). MPPE PPP RSA RC4 ,
40, 56 128-.
PPTP.
PPTP ,
Microsoft Windows Windows 95.
, MacOS PDA
. VPN
EAP-TLS, .
NAT (Network Address Translation).
VPN , , ,
,
,
, replay .
13
IP
Header
UDP
Header
L2TP
Header
PPP
Header
PPP Payload
1.4.
L2TP
- IPSec, ,
. L2TP/IPSec
RFC3193.
L2TP PPTP, : L2TP
;
, ;
, IP,
ATM Frame Relay .
L2TP/IPSec ,
. Windows Server
2003, Windows XP, Windows 2000 L2TP , Microsoft
L2TP/IPsec VPN Client.
1.7.3. IPSec VPN.
IPSec (Internet Protocol security)
IP, , Internet Protocol
.
14
IPSec , IP,
:
;
;
.
, IPSec:
(Authentication Header) - IP .
ESP
(Encapsulating
Security
Payload)
IP .
IKE (Internet Key Exchange) - ,
.
IPSec e , (
), (
),
.
IPSec ,
,
VPN
2.
1.7.4. VPN , - .
, 3 OSI .
, SSL, SSH TLS, 4-7
OSI.
OpenVPN,
.
OpenVPN VPN, Secure Socket
Layer/Transport Socket Layer (SSL/ TSL) , . : ,
(site-to-site),
, ,
(failover)
15
. , (firewall),
VPN-.
Universal/ Tap Device Driver.
Tun ,
, Tap Ethernet .
OpenVPN.
SSL
.
.
OpenVPN RSA/DHE.
OpenVPN OSI 2 3
,
.
, ,
VPN.
OpenVPN :
1. - (pre-shared
key), .
.
2. , -, X.509
.
3. OpenVPN
(Pluggable Authentification
Module, PAM).
, .
OpenVPN :
(SSL/ TLS), RSA
X509 PKI;
;
;
IP NAT;
;
16
,
, , ,
.
SA ,
, , AH ESP (: DES , 3DES, AES
MD5 SHA-1 ).
, , AH ESP, ,
SA. oo IPSec ,
SA ( ). IKE
SA. IPSec VPN SA:
ISAKMP (Internet Security Association Key Management Protocol),
IKE. IKE SA
, -
.
IPSec SAs. IPSec SA
.
IPSec SAs .
IPSec SA :
1. Security parameter index (SPI) 32- ,
SA.
2. IP .
3. , SA AH
ESP.
SA Security Association Database (SAD).
.
IPSec RFC 4301.
. , IPSec ,
.
IPSec
. Authentication Header (RFC 4302) IP
, Encapsulating Security Payload (RFC 4303) - ,
IP , .. - .
18
.
/ .
, AH ESP,
.
- . IPSec IP .
IP , IPsec
.
.
VPN .
,
.
. IPSec
, . IP
,
.
TCP/IP ,
.
, IPSec IP
. IPSec
.
: .
, ,
.
,
.
,
VPN.
. VPN VPN ,
,
.
19
,
. VPN
. , VPN
, .
SA SA
.
.
- VPN IPSec
.
. VPN
.
, ,
.
, ,
,
.
,
IP . ,
IP .
:
.
IP ,
, .
IP , ,
VPN.
IPSec
.
.
VPN .
20
IP
IP
Header
TCP
Header
Data
Transport Mode
IP
Header
ESP
Header
TCP
Header
Data
ESP
Trailer
ESP
Authent
Tunnel
Mode
ESP
Header
IP Header
TCP
Header
Data
ESP
Trailer
ESP
Authent
NEW IP
Header
2.1. ESP .
ESP
. ESP
SA. ESP
,
(: DES, 3DES, AES).
,
.
, , .
,
ESP, .
. ESP
, AH
.
21
ESP .
ESP IP
VPN. IP 50,
ESP 50
(IANA).
2.2. ESP
SA.
2.2. ESP
Pad Length ,
padding, .
Padding , . Pad Length
, pad.
Next Header 8- , ,
Payload data. ,
.
Authentication Data , Integrity
Check Value (ICV), ESP Authentication Data.
. Authentication Data
, SA
.
ESP
. :
.
.
,
ESP. ,
.
1. Payload.
,
IP .
2. padding. Pad Length Next
Header.
3. , , pad, pad length next
header. (IV),
.
4. ESP . .
, .
5. ,
ESP (SPI Sequence number) Payload,
23
,
. ESP ,
RFC. ESP
, .
2.3. Authentication Header (AH).
, () - Authentication
Header (AH), RFC 4302. ,
. .
.
, .
ESP, .
IP
, IPSec .
, IP
. IP
, .
IP
Transport Mode
Tunnel
Mode
NEW IP
Header
IP
Header
AH
Header
IP
Header
AH
Header
TCP
Header
Data
AH Authentification
Data
AH Authentification
Data
IP Header
TCP
Data
Header
TCP
Header
Data
2.3.
25
2.4. ,
:
Next Header
Payload Len
Reserved
Security Parameter Index (SPI)
Sequence Number Field
Authentication Data
2.4. AH Header.
IP 8- 51,
51 IANA.
ESP Next Header ,
. 8- ,
Authentification Header.
Payload Length 8- ,
32- 2.
Reserved 16- ,
. .
SPI 32- ,
ESP.
Authentication Data ,
.
. -
32 , padding.
, .
ESP :
.
:
1. SA
.
2. ,
IP SPI.
3. .
26
4. ,
.
,
, , ESP.
:
IP , .
, .
, .
,
.
.
.
IP :
-
version
IP header length
total length
identification
protocol (51 )
source address
destination address.
:
-
type of service
all flags
fragment offset
time to live (TTL)
header checksum.
27
.
ESP, ,
IPSec .
, :
1. SPI IP
SA SA. ,
.
2. ,
.
3. SA, ,
.
4. IP
.
2.4. Internet Key Exchange (IKE).
IKE Oakley SKEME
, Internet Security Association and Key Management Protocol
(ISAKMP). ISAKMP ,
. Oakley SKEME ,
,
. IKE
(rekeying), .
IKE SA, IKE SA
IPSec SA. IKE SA ,
,
IKE, .. IKE SA
, IPSec SA .
Oakley , ISAKMP .
IKE , ,
.
1 ISAKMP ,
. . . ISAKMP Security Association. ,
28
29
,
, .
Initiator Cookie
Responder Cookie
Next Pay
MJ Ver.
MN Ver.
Flags
Message ID
Length
2.5. ISAKMP .
Next payload
Reserved
Payload Length
Next Pay
Reserved
Payload Length
DOI
Situation
Next Pay
Reserved
Proposal#
Protocol ID
Payload Length
SPI Size
# of Trsfms
SPI
Proposal payload:
Proposal number (Proposal #)
.
.
Protocol ID ,
, ESP H.
SPI size , IPSec.
31
Next Pay
Reserved
Payload Length
Transforml#
Transform ID
Reserved
SA Attributes
Identification Payload.
Payload
.
Next Pay
Reserved
Payload Length
ID Type
Protocol ID
Port
Identification Data
2.10.
ID_Type , IP
v4 , FQDN, IP v4 , IPv6 , IPv6 .
Certificate Payload.
Payload ,
.
Next Pay
Cert encode
Reserved
Payload Length
Cerificate
Data
certificate encoding
, :
32
AF Attribute Type
Attr.Length/Attr.Value
33
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1, , IKE
.
1 2 IKE, .
:
DES-CBC
IDEA-CBC
Blowfish-CBC
RC5-R16-B64-CBC
1
2
3
4
34
3DES-CBC
CAST-CBC
AES-CBC
Camelia-CBC
5
6
7
8
2, , ,
IKE .
:
MD5
SHA
Tiger
SHA2-256
SHA2-384
SHA2-512
1
2
3
4
5
6
3, ,
, IKE. ,
:
Pre-shared key
DSS signatures
RSA signatures
Encryption with RSA
Revised encryption with RSA
1
2
3
4
5
4 10 DiffieHellman.
11, life , , 12,
11.
13, - , . IPSec ISAKMP
- HMAC
.
Key length
, .
, .
Diffie-Hellman.
2.
2 IKE, Quick Mode ,
IPSec SA
IKE. 2 SA payload-,
35
1
2
3
4
5
6
7
8
9
Life Type
1. SA.
Group description 2
Diffie-Hellman .
Encapsulation mode
.
Tunnel
Transport
1
2
Authentification Algorithm :
HMAC-MD5
HMAC-SHA
DES-MAC
KPDK
1
2
3
4
6, 7 8,
IPSec 0.
36
37
ISAKMP Header,
KE & Nonce
ISAKMP Header,
ID_i & HASH
ISAKMP
Header, KE &
Nonce
4
5
2
3
ISAKMP Header,
ID_r & HASH
ISAKMP Header,
ID_i, Signature, &
optional Certificate
2
3
ISAKMP
Header, KE &
NonceISAKMP Header, KE,
Nonce, & optional
Certificate Request
ISAKMP Header,
ID_i, Signature, &
optional Certificate
, IP
.
.
,
ISAKMP SA . SA
proposal transform payload-,
. .
. ISAKMP SA
, proposal transform payload ,
. .
38
,
- ,
,
IKE.
Diffie-Hellman,
.
.
Diffie-Hellman nonce. Nonce
, ,
- .
Diffie-Hellman
. :
1. SKEYID, , .
PFS (perfect forward secrecy- ) ,
, 1 2.
2. SKEYID_d SA
2 (.. IPSec).
3. SKEYID_a , .
4. SKEYID_e , IKE .
,
, , SKEYID. ,
SKEYID, .
- (prf)
, . Prf
, ,
, .
:
Digest = prf (key/seed, data1 | data2 | data3)
, SKEYID :
SKEYID = prf (pre-shared key, Nonce_i | Nonce_r)
39
:
/ ()
1
2 ()
3
, :
SKEYID = prf (Nonce_i | Nonce_r, DH_key), Nonce_i Nonce_r
, DH_key , Diffie-Hellman
Diffie-Hellman.
,
, .
SKEYID_d = prf (SKEYID, DH_key | Cookie_i | Cookie_r | 0)
SKEYID_a = prf (SKEYID, SKEYID_d | DH_key | Cookie_i | Cookie_r | 1)
SKEYID_e = prf (SKEYID, SKEYID_a | DH_key | Cookie_i | Cookie_r | 2)
, SKEYID,
,
.
, . ,
, ,
IP . Identification
Payload , IP
, fully qualified domain name (FQDN). ID payload-
, , IP
.
Main Mode 1 ,
, IP .
Main Mode
. , IP ,
, IP
, . , IP
40
.
, .
Aggressive Mode, ID payload-
.
.
ISAKMP , ID payload HASH payload
. SKEYID_e.
HASH ,
, - ID payload.
:
HASH = prf (SKEYID, Ya | Yb | Cookie_i | Cookie_r | SA offer | ID_i)
HASH
a .
2.4.3.2. Aggressive Mode.
Aggressive Mode , Main Mode ,
- Main Mode.
Aggressive Mode - ,
. ,
payload- ,
. ,
Diffie-Hellman , SA payload.
Aggressive Mode ,
Main Mode ID payload-. Aggressive Mode
ID payload- .
Aggressive Mode ,
. , - ,
- - .
Aggressive Mode
IKE SA , ID payload.
, ID payload .
41
,
, IP (..
). , IP ,
,
. Aggressive Mod
, Main Mode.
ID payload- .
ID payload-
ID_USER_FQDN, ,
ID_KEY_ID. ID_KEY_ID, IP Security Domain of
Interpretation (RFC 2407), ,
,
.
, VPN.
,
, .
ISAKMP Header,
SA Proposal &
Transformsets,
KE, Nonce, and ID
payload
2
3
ISAKMP Header
and HASH_i
ISAKMP Header,
SA Proposal & Transformsets, KE,
Nonce, ID payload, and HASH_r
and Set
ISAKMP Header,
SA Proposal &
Transformsets,
KE, Nonce, and ID
payload
ISAKMP Header,
optional Certificate,
and Signature
ISAKMP Header,
SA Proposal &
Transformsets,KE,
Nonce, ID payload,Signature, and
Optional Certificate
43
1,
IPSec.
Quick Mode SA
IPSec. IPSec
3DES SHA ,
DES .
, SA.
Quick Mode SA IPSec .
SA,
SA. ,
SA , nonces,
.
, Quick Mode
, ID ISAKMP
Quick Mode. ID
ISAKMP Quick
Mode,
. , ID Quick Mode IP
1. , Quick Mode
, . IKE
ID payload-,
ID payload-, . ID payload-
, FQDM
1. ID- ,
SPD SAD IPSec.
,
.
ID payload
, SA payload- . SA
,
. a SPD
S ,
44
. SPD
, , ID payload-
SAD.
SAD SPD , ID
SA
, , ID payload-.
ID payload- ,
PFS.
, Diffie-Hellman
.
. Quick Mode
.2.17. ,
SKEYID_e SKEYID_a.
ISAKMP Header,
HASH(1), SA Proposal
and Transformsets,
Nonce_i, Optional KE,
CID_i, and CID_r
ISAKMP Header,
HASH(2), SA Proposal
and Transformsets,
Nonce_r, Optional KE,
CID_i, and CID_r
2.17.
, HASH payload-.
,
(HASH) .
(HASH)
PFS KE. ,
SA, SA payload. SA
payload IPSec SA, ,
SA payload- Quick Mode.
45
HASH payload- (
( )). HASH(1)prf ( SKEYID_a, M-ID | SA offer | Nonce_I | (KE) | (CID_I) |
(CID_r)).
HASH(1) , .
HASH(1) .
HASH(2)prf ( SKEYID_a, M-ID | Nonce_I | SA offer | Nonce_r | (KE) | (CID_I) |
(CID_r)).
HASH(1), HASH(2) ,
nonce .
HASH(3)prf ( SKEYID_a, 0 | M-ID | Nonce_I | Nonce_r).
HASH nonces ID . ,
IPSec
. ,
, Quick Mode,
(replay atack),
(denial-of-service attack).
M-ID ID ISAKMP ,
Quick ode SA. 1, KE
Diffie-Hellman,
IPSec. CID_I CID_r ID payload-
. SKEYID_a HASH
.
IPSec.
SKEYID_d 1,
2, IKE. IPSec SA
. Quick Mode SA,
SA . SPI,
, SA.
, IPSec,
Quick Mode.
PFS, KE,
Diffie-Hellman
46
, IPSec,
:
KEY = prf (SKEYID_d, protocol | SPI | Nonce_i | Nonce_r)
PFS.
KEY = prf (SKEYID_d, DH_key(QM) | protocol | SPI | Nonce_i | Nonce_r)
PFS.
PFS ,
Diffie-Hellman Quick Mode.
ISKAMP
transformsets.
. SPI protocol,
SA, .
SPI SA. SA
,
SA.
Quick Mode .
1.
Quick Mode.
,
IKE IPSec . IPSec
Quick Mode, IKE SA
. IKE SA
Quick Mode SA.
2.4.4.2. New Group Mode.
New Group Mode e , IKE,
Diffie-Hellman , 1.
, , SA payload.
DiffieHellman, .
47
ISAKMP Header,
HASH(NG1),
and SA Proposal
2.18.
48
. - ,
LAN .
IPse .
, - .
,
, .
IPse
- .
man-in-the-middle.
IPse , . IPse
,
ID ,
. IPse
, ,
.
,
, IPse.
IPse (traffic analysis).
. IPse ,
gateway .
49
3. Openswan VPN .
VPN
,
. - SUNet C 62.44.96.0/19.
3.1. - SUNet
,
, ,
NAT ,
() - celk.uni-sofia.bg 62.44.96.183
192.168.0.0/24.
:
VPN
Windows 2000/XP.
VPN ,
. :
IP
- NAT (Network Address Translation - ,
RFC 1631). ,
ADSL .
ADSL ADSL ,
ADSL ISDN
, 10BaseT RJ45 Ethernet.
50
NAT
(WAN) (LAN) .
:
IP IANA/ RIPE,
/ . ADSL
IP DHCP
(LAN) . IP ,
RFC 1918
- .
192.168.1.x. 253
. 3. NAT ADSL
IPSec VPN ,
NAT-T, a RFC-3942 RFC-3948 2005 .
NAT
IPSec, ESP AH UDP 4500
IPSec NAT .
3.2 ADSL
VPN vpn.uni-sofia.bg.
, .
SUNet VPN --.
- ADSL,
51
VPN -
, 23
Aleph 62.44.11.2, SUNet.
, 23
Border . VPN ,
,
. - ADSL
,
.
VPN IPSec
. IPSec Windows 2000, Windows XP Windows 2003
Server, Openswan Strongwan -
IPSec Frees/WAN.
VPN
vpn.uni-sofia.bg, Fedora Core 5
,
-SUNet 192.168.24.0/24 .
IPSec .
Openswan. Openswan
IPSec .
,
IPSec. , IP
52
, NAT ,
ADSL. X.509
2.6.,
Frees/WAN Strongwan, 2.4.
, GNU General Public License.
Openswan IPSec :
KLIPS (kernel IPSec) - AH, ESP ,
.
Pluto (IKE daemon) - IKE,
.
.
3.1. ipsec.conf.
Openswan.
, Openswan VPN,
/etc/ipsec.secrets, , /etc/ipsec.conf,
.
ipsec.conf -
config setup, , conn.
CONN.
CONN ,
, IPSec.
.
172.16.0.0/24
10.0.0.0,
Openswan. ,
.
penswan. IP gateway-a.
/etc/ipsec.conf.
conn left-to-right
left=192.0.2.2
leftsubnet=172.16.0.0/24
IP
53
gateway
IP
gateway
leftnexthop=1.1.1.1
right=2.2.2.2
rightsubnet=10.0.0.0/24
rightnexthop=2.2.2.1
auto=add #
automatic
keying
: IP
gateway-to-gateway .
, ,
,
.
IPSec
.
.
.
, ,
, left right .
, ;
, ,
,
.
CONN.
-
.
,
.
type - . tunnel,
. ,
. transport
.
54
left - IP
. %defaultroute
interfaces=%defaultroute config , left
, , leftnexthop. left,
right %defaultroute, .
%any IP
.
leftsubnet -
network/netmask.
leftnexthop - gateway IP
.
leftupdown -
.
Leftfirewall -
( ,
( ).
yes ( ) no.
CONN .
.
.
keyexchange - .
ike.
auto -
IPSec. add ( ipsec
auto --add), route (ipsec auto --route), start (ipsec auto --up) ignore (
) ( ).
, plutoload plutostart
. ,
( , ,
55
auto=start, ,
).
auth - ESP
AH. esp ah.
authby - gateway .
secret rsasid rsa
.
leftid
. left, IP
FQDN, @.
leftrsasigkey - RSA RFC
2537.
leftrsasigkey2 - , .
pfs - Perfect Forward Secrecy
( pfs
, -). yes no.
keylife - (
)
. , , m, h d,
, .
rekey -
.
rekeymargin -
. keylife.
rekeyfuzz - , rekeymargin
.
, . ,
100%, .
keyingtries - ,
. 3,
0 .
56
ikelifetime -
. 1 ,
8 .
compress - .
.
yes no, no e .
disablearrivalcheck - KLIPS , ,
. yes no.
CONN .
.
.
- AH ESP, .
spi - spi . 0xhex,
hex , KLIPS 0x100, 0x100 0xfff.
Spibase - spi spi .
0xhex0, hex , KLIPS
- 0x100,
0x100 0xff0.
esp - ESP .
, ipsec_spi(8), 3des-md5-96.
ESP.
espenckey - ESP .
leftespenckey rightespenckey.
espauthkey - ESP .
leftespauthkey rightespauthkey.
espreplay_window - ESP replay-window
0 64. , ESP .
leftespspi - SPI, ESP ,
, spi spi base.
57
ah - AH , ,
hmac-md5-96.
ahkey - AH , .
leftahkey rightahkey.
ahreplay_window - AH replay-window 0 (
, ) 64.
leftahspi - SPI, AH-
, spi spi base.
CONFIG.
config setup, ,
penswan.
config setup
interfaces="ipsec0=eth1 ipsec1=ppp0"
klipsdebug=none
plutodebug=all
manualstart=
plutoload="snta sntb sntc sntd"
plutostart=
- , ,
:
interfaces - , ,
IPSec.
forwardcontrol - ip forwarding (
) IPSec.
syslog - log
IPSec.
klipsdebug - KLIPS .
none , all .
plutodebug - Pluto .
none , all .
manualstart -
IPSec. , ,
, .
pluto - Pluto . yes no.
58
plutoload - ( )
Pluto. , , ,
. %search,
auto=add, auto=route auto=start.
plutostart - IPSec.
, , ,
. %search,
auto=add, auto=route auto=start.
plutowait - Pluto
Plutostart .
plutobackgroundload - , .
.
prepluto - shell, Pluto.
postpluto - shell, Pluto.
packetdefault - ,
KLIPS, eroute.
pass, , drop (
), , reject - drop,
icmp .
hidetos - TOS
0 . yes (
) no.
uniqueids - ID
, , ID IP .
yes no, .
overridemtu - MTU
IPSec .
3.2. ipsec.secrets.
.
IP ,
:
59
RSA . ipsec.secrets
RSA.
# an RSA private key.
@my.com: rsa {
Modulus: 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt...
PublicExponent: 0sAw==
PrivateExponent: 0shlGbVR1m8Z+7rhzSyenCaBN...
Prime1: 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l...
Prime2: 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0...
Exponent1: 0soaXj85ihM5M2inVf/NfHmtLutVz4r...
Exponent2: 0sjdAL9VFizF+BKU4ohguJFzOd55OG6...
Coefficient: 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ...
}
:
, .
%prompt .
Pluto.
# X.509 certificate
: RSA host.example.com.key "password"
4. SUNet
ADSL .
.
4.1. Openswan .
OpensWAN X.509:
Openswan - , penswan
(http://www.openswan.org/), -
NAT-T, RPM
. RPM fedora, mandrake, suse
.
Fedora
http://www.openswan.org/download/binaries/fedora/3/i386/openswan-2.4.2-1.i386.rpm,
rpm -ivh openswan-2.4.2-1.i386.rpm.
60
4.1.
VPN 192.168.24.0/24 ,
vpn.uni-sofia.bg 192.168.2.0/24 85.187.139.5,
.
home-to-su-icmp-nat Openswan penswan NAT VPN .
4.2.
61
4.2.
VPN 192.168.24.0/24,
vpn.uni-sofia.bg, 192.168.2.0/24 ADSL
192.168.1.1.
win-to-su-icmp e Openswan
Windows 2000/XP - VPN .
4.3.
Windows ,
,
Windows VPN .
4.3.
62
ipsec.conf conn e :
conn home-to-su-icmp
authby=rsasig
pfs=no
auto=add
rekey=no
left=62.44.96.35
leftnexthop=62.44.96.3
leftsubnet=192.168.24.0/24
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/clientCert.pem
leftprotoport=icmp
#
# The remote user.
#
right=85.187.139.5
rightnexthop=85.187.139.5
rightcert=/etc/ipsec.d/certs/hostCert.pem
rightrsasigkey=%cert
rightprotoport=icmp
rightsubnet=192.168.2.0/24
conn home-to-su-icmp-nat
authby=rsasig
pfs=no
auto=add
rekey=no
left=62.44.96.35
leftnexthop=62.44.96.3
leftsubnet=192.168.24.0/24
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/clientCert.pem
leftprotoport=icmp
#
# The remote user.
#
right=%any
rightcert=/etc/ipsec.d/certs/hostCert.pem
rightrsasigkey=%cert
rightprotoport=icmp
rightsubnet=192.168.2.0/24
conn win-to-su-icmp
authby=rsasig
rekey=no
left=62.44.96.35
leftnexthop=62.44.96.3
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/clientCert.pem
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/0
#
# The remote user.
right=%any
rightca=%same
rightrsasigkey=%cert
rightprotoport=17/1701
rightsubnet=vhost:%priv,%no
pfs=no
auto=add
63
CA
OpenSSL.
winhostCert.pem
hostCert.pem clientCert.pem
/etc/ipsec.d/certs/,
hostCert.pem
clientCert.pem
VPN .
VPN
, winhostCert.pem -
Windows. winhostCert.pem Windows,
OpenSSL winhostCert.p12 , CA,
.
ipsec.conf ipsec.secrets
Openswan service ipsec restart.
ipsec verify ipsec
.
:
>ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path
[OK]
Linux Openswan U2.4.4/K2.6.12-1.1381_FC3 (netkey)
Checking for IPsec support in kernel
[OK]
Checking for RSA private key (/etc/ipsec.secrets)
[FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running
[OK]
Two or more interfaces found, checking IP forwarding
[OK]
Checking NAT and MASQUERADEing
[OK]
Checking for 'ip' command
[OK]
Checking for 'iptables' command
[OK]
Checking for 'setkey' command for NETKEY IPsec stack support
[OK]
Opportunistic Encryption Support
[DISABLED]
IPSec,a
UDP 500 (IKE), 50 (ESP), 51(AH) UDP 4500
NAT-T.
4.3. L2TP PPP vpn.uni-sofia.bg.
1) Windows l2tp
64
http://www.openswan.org/download/binaries/fedora/3/i386/l2tpd-0.69-13.i386.rpm
IP . Local IP VPN .
3) . -
/etc/ppp/options.l2tpd.lns.
ipcp-accept-local
ipcp-accept-remote
ms-dns 172.22.127.1
ms-wins 172.22.127.1
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
nologfd
65
, IP ,
IP .
l2tpd
'/etc/init.d/l2tpd start'.
4.4 Openswan .
- NAT.
penswan ,
.
home-to-su-icmp ,
:
conn home-to-su-icmp
authby=rsasig
pfs=no
auto=add
rekey=no
left=62.44.96.35
leftnexthop=62.44.96.3
leftsubnet=192.168.24.0/24
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/clientCert.pem
leftprotoport=icmp
right=85.139.187.5
rightnexthop=85.139.187.1
rightsubnet=192.168.2.0/24
rightcert=/etc/ipsec.d/certs/hostCert.pem
rightrsasigkey=%cert
rightprotoport=icmp
, NAT, :
conn home-to-su-icmp-nat
authby=rsasig
pfs=no
auto=add
rekey=no
left=62.44.96.35
leftnexthop=62.44.96.3
leftsubnet=192.168.24.0/24
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/clientCert.pem
leftprotoport=icmp
right=192.168.1.2
rightnexthop=192.168.1.1
#ADSL
rightsubnet=192.168.2.0/24
rightcert=/etc/ipsec.d/certs/hostCert.pem
rightrsasigkey=%cert
rightprotoport=icmp
66
(right
) , VPN IP .
home-to-su-icmp.
ipsec auto --up home-to-su-icmp.
-:
ipsec auto --up home-to-su-icmp
104 "home-to-su-icmp" #1: STATE_MAIN_I1: initiate
003 "home-to-su-icmp" #1: received Vendor ID payload [Openswan (this version)
2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "home-to-su-icmp" #1: received Vendor ID payload [Dead Peer Detection]
003 "home-to-su-icmp" #1: received Vendor ID payload [RFC 3947] method set
to=109
106 "home-to-su-icmp" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home-to-su-icmp" #1: NAT-Traversal: Result using 3: no NAT detected
108 "home-to-su-icmp" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "home-to-su-icmp" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "home-to-su-icmp" #2: STATE_QUICK_I1: initiate
004 "home-to-su-icmp" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x6f78f193 <0xd110f47f xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000949d <0x0000dde7
NATD=62.44.96.35:500 DPD=none}
, leftprotoport=
rightprotoport= . ICMP
ping
192.168.2.0/24 192.168.24.0/24.
.
ipsec auto status
000 "home-to-su-icmp": 192.168.24.0/24===62.44.96.35[C=GB, ST=Berkshire, O=My
Company Ltd, CN=pc9, E=ceco1@yahoo.com]:1/0---62.44.96.3...%any[C=GB,
ST=Berkshire, O=My Company Ltd, CN=pc2, E=ceco@yahoo.com]:1/0===192.168.2.0/24;
unrouted; eroute owner: #0
000 "home-to-su-icmp":
srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "home-to-su-icmp":
CAs: 'C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd,
CN=pc2, E=tsvetomir_h@yahoo.com'...'C=GB, ST=Berkshire, L=Newbury, O=My Company
Ltd, CN=pc2, E=tsvetomir_h@yahoo.com'
000 "home-to-su-icmp":
ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "home-to-su-icmp":
policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,24;
interface: eth0;
000 "home-to-su-icmp":
newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "home-to-su-icmp"[1]: 192.168.24.0/24===62.44.96.35[C=GB, ST=Berkshire, O=My
Company Ltd, CN=pc9, E=ceco1@yahoo.com]:1/0---62.44.96.3...85.187.139.5[C=GB,
ST=Berkshire, O=My Company Ltd, CN=pc2, E=ceco@yahoo.com]:1/0===192.168.2.0/24;
erouted; eroute owner: #2
67
000 "home-to-su-icmp"[1]:
srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "home-to-su-icmp"[1]:
CAs: 'C=GB, ST=Berkshire, L=Newbury, O=My Company
Ltd, CN=pc2, E=tsvetomir_h@yahoo.com'...'C=GB, ST=Berkshire, L=Newbury, O=My
Company Ltd, CN=pc2, E=tsvetomir_h@yahoo.com'
000 "home-to-su-icmp"[1]:
ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "home-to-su-icmp"[1]:
policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio:
24,24; interface: eth0;
000 "home-to-su-icmp"[1]:
newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "home-to-su-icmp"[1]:
IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 #2: "home-to-su-icmp"[1] 85.187.139.5:500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_EXPIRE in 28485s; newest IPSEC; eroute owner
000 #2: "home-to-su-icmp"[1] 85.187.139.5 esp.a5509e0d@85.187.139.5
esp.38f9e656@62.44.96.35 comp.17fb@85.187.139.5 comp.acf6@62.44.96.35
tun.0@85.187.139.5 tun.0@62.44.96.35
000 #1: "home-to-su-icmp"[1] 85.187.139.5:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_EXPIRE in 3278s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0)
.
Openswan. debug
a all klipsdebug plutodebug.
,
.
ipsec eroute
VPN . VPN
, .
4.5. Windows XP Openswan
l2tp/ipsec.
Windows sp2, ,
NAT-Traversal, NAT
. ,
.
Windows (Windows 2000/XP).
PKCS#12.
,
CA (root) .
: .
,
68
70
, TCP/IP
, Use default gateway on remote network .
,
. route
. 192.168.24.0
- Route add 192.168.24.0 mask 255.255.255.0 172.22.127.11.
default gateway , ,
-
172.22.127.11.
-
VPN.
SUNet VPN.
IPSec, -
VPN.
Openswan, IPsec, a
NAT-T, NAT.
VPN SU Sunet
Windows.
VPN SU
, ,
, .
VPN ,
- IPSec VPN.
,
VPN ,
,
.
71
:
1. : James S Tiller :VPN - A Technical Guide to IPSec Virtual Private Networks
2. : J.Davies and E. Lewis: Deploying VPN with Microsoft Windows Server 2003
3. Openswan http://www.openswan.org/docs/
4. Openvpn http://openvpn.net/
72