Andreas Steffen, 30.05.2008, LinuxTag2008.ppt 1
LinuxTag 2008 Berlin
strongSwan VPNs
scalable and modularized!
Prof. Dr. Andreas Steffen
andreas.steffen@strongswan.org
Virtual Private Networks
[Figure: VPN topology. The headquarters network 10.1.0.0/16 (host 10.1.0.5) sits behind VPN Gateway 11.22.33.44, the subsidiary network 10.2.0.0/16 (host 10.2.0.3) behind VPN Gateway 55.66.77.88; the two gateways are joined by a VPN Tunnel across the Internet. A "Road Warrior" VPN Client with public address 55.66.x.x reaches headquarters through a second VPN Tunnel and appears inside as 10.3.0.2.]
strongSwan User-Mode-Linux VPN Testbed
LinuxTag 2008 Berlin
strongSwan
Software Architecture
The FreeS/WAN Genealogy
[Figure: lineage of the FreeS/WAN code base, as a timeline]
1999  FreeS/WAN 1.x
2000  X.509 1.x Patch
      Super FreeS/WAN
2003  FreeS/WAN 2.x, X.509 2.x Patch
2004  Openswan 1.x and Openswan 2.x; strongSwan 2.x
2005  ITA IKEv2 Project
2006  strongSwan 4.x (IKEv1 & IKEv2)
2007  Openswan 3.x (IKEv1 only)
The strongSwan IKE Daemons
• IKEv1 (pluto)
  - 6 messages for the IKE SA: Phase 1 Main Mode
  - 3 messages for each IPsec SA: Phase 2 Quick Mode
• IKEv2 (charon)
  - 4 messages for the IKE SA and the first IPsec SA: IKE_SA_INIT / IKE_AUTH
  - 2 messages for each additional IPsec SA: CREATE_CHILD_SA
[Figure: ipsec starter reads ipsec.conf and launches both daemons. pluto (IKEv1) is controlled by ipsec whack over the whack socket, charon (IKEv2) by ipsec stroke over the stroke socket. IKE traffic arrives on a UDP/500 socket; the diagram also shows a raw socket with a Linux Socket Filter (LSF). Both daemons program the native IPsec stack of the Linux 2.6 kernel through a Netlink XFRM socket.]
IKEv2 Daemon – Software Architecture
[Figure: components of charon. A socket feeds the receiver, outgoing packets leave through the sender. The processor executes jobs on 16 concurrent worker threads; the scheduler queues timed events. The IKE SA Manager owns the IKE SAs, each of which owns its CHILD SAs. The kernel interface drives the IPsec stack. A bus distributes events to listeners such as the file logger and the sys logger. Credentials and configuration backends are pluggable.]
LinuxTag 2008 Berlin
Configuration and Control
The FreeS/WAN way
IKEv2 Mixed PSK/RSA Authentication
# ipsec.conf for roadwarrior carol
conn home
    keyexchange=ikev2
    authby=psk
    left=%defaultroute
    leftsourceip=%config
    leftid=carol@strongswan.org
    leftfirewall=yes
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsubnet=10.1.0.0/16
    auto=start

# ipsec.conf for gateway moon
conn rw
    keyexchange=ikev2
    authby=rsasig
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftfirewall=yes
    right=%any
    rightsourceip=10.3.0.0/16
    auto=add

# ipsec.secrets for roadwarrior carol
carol@strongswan.org : \
    PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"

# ipsec.secrets for gateway moon
: RSA moonKey.pem
carol@strongswan.org : \
    PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"
dave@strongswan.org : \
    PSK "jVzONCF02ncsgiSlmIXeqhGN"

The road warrior authenticates with a pre-shared key bound to its identity (authby=psk), the gateway with an RSA signature over its X.509 certificate (authby=rsasig). Both sides must therefore hold the same PSK under the identity carol@strongswan.org, and the client needs a CA certificate able to validate moonCert.pem (in /etc/ipsec.d/cacerts). The gateway keeps one random PSK per road-warrior identity, so a leaked client secret is rotated for that identity alone. leftsourceip=%config makes the client request a virtual IP, which the gateway assigns from the rightsourceip pool 10.3.0.0/16; leftfirewall=yes lets the updown script insert firewall rules for the tunnel. Later strongSwan releases express this per-side asymmetry explicitly with the leftauth/rightauth options.
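The checks a practitioner runs before deploying the carol/moon pair above, as an added example that is not strongSwan code and not from the slides: a minimal reader for ipsec.conf conn sections and ipsec.secrets entries, followed by a consistency check that the gateway accepts the identity the client presents, that the PSK matches on both sides under that identity, that the RSA side actually has a key, that the virtual-IP request is backed by a pool, and that the client's rightsubnet lies within the gateway's leftsubnet. The four files are the slide's, embedded as constructed strings; the check logic and its messages are this example's own.

```python
"""Consistency check for the mixed PSK/RSA road-warrior setup above.
Added example, not strongSwan code; the inputs are the slide's four files,
embedded as constructed strings, and the checks are this example's own."""
import ipaddress
import re

CAROL_CONF = """\
conn home
    keyexchange=ikev2
    authby=psk
    left=%defaultroute
    leftsourceip=%config
    leftid=carol@strongswan.org
    leftfirewall=yes
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsubnet=10.1.0.0/16
    auto=start
"""
MOON_CONF = """\
conn rw
    keyexchange=ikev2
    authby=rsasig
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftfirewall=yes
    right=%any
    rightsourceip=10.3.0.0/16
    auto=add
"""
CAROL_SECRETS = 'carol@strongswan.org : \\\n    PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"\n'
MOON_SECRETS = """\
: RSA moonKey.pem
carol@strongswan.org : PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"
dave@strongswan.org : PSK "jVzONCF02ncsgiSlmIXeqhGN"
"""
SECRET_RE = re.compile(r'^(?P<ids>[^:]*):\s*(?P<kind>PSK|RSA)\s+"?(?P<val>[^"]+)"?$')


def parse_conf(text):
    """{conn name: {option: value}}; indented lines belong to the last 'conn'."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # section header, e.g. 'conn home'
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:
            key, _, val = line.strip().partition("=")
            current[key] = val
    return conns


def parse_secrets(text):
    """[(selector ids, 'PSK'|'RSA', value)]; backslash continuations are joined."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            m = SECRET_RE.match(line)
            if not m:
                raise ValueError("unparsable ipsec.secrets line: " + line)
            entries.append((tuple(m.group("ids").split()), m.group("kind"), m.group("val")))
    return entries


def psk_for(entries, identity):
    """PSKs whose selector names the identity or is empty (matches anyone)."""
    return [v for ids, kind, v in entries if kind == "PSK" and (not ids or identity in ids)]


def check_roadwarrior(client_conf, client_secrets, gw_conf, gw_secrets):
    """Return a list of findings; an empty list means the two sides agree."""
    findings, gateway = [], parse_conf(gw_conf)
    c_sec, g_sec = parse_secrets(client_secrets), parse_secrets(gw_secrets)
    for name, c in parse_conf(client_conf).items():
        my_id, peer_id = c.get("leftid"), c.get("rightid")
        # the gateway needs a conn that accepts any peer under the id the client expects
        g = next((g for g in gateway.values()
                  if g.get("right") == "%any" and g.get("leftid") == peer_id), None)
        if g is None:
            findings.append(f"{name}: gateway has no conn with right=%any and leftid={peer_id}")
            continue
        if c.get("authby") == "psk":       # same secret, under the same identity, on both sides
            mine, theirs = psk_for(c_sec, my_id), psk_for(g_sec, my_id)
            if not mine or not theirs:
                findings.append(f"{name}: PSK for {my_id} missing on one side")
            elif mine[0] != theirs[0]:
                findings.append(f"{name}: PSK for {my_id} differs between the sides")
        if g.get("authby") == "rsasig" and not any(k == "RSA" for _, k, _ in g_sec):
            findings.append(f"{name}: gateway uses authby=rsasig but ipsec.secrets has no RSA key")
        if c.get("leftsourceip") == "%config" and "rightsourceip" not in g:
            findings.append(f"{name}: client asks for a virtual IP but the gateway has no pool")
        want, offer = c.get("rightsubnet"), g.get("leftsubnet")
        if not (want and offer and
                ipaddress.ip_network(want).subnet_of(ipaddress.ip_network(offer))):
            findings.append(f"{name}: rightsubnet {want} is not within gateway leftsubnet {offer}")
    return findings
```

Run check_roadwarrior() on the two sides' files before an ipsec restart; the configuration above passes cleanly, while a PSK typo on either side or a dropped rightsourceip line produces one finding each. The parser handles only the subset of ipsec.conf and ipsec.secrets syntax the slide uses (conn sections, PSK and RSA entries, backslash continuations).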
Default stroke plugin for charon
[Figure: the charon plugin loader loads the stroke plugin, which hooks into the bus, the credentials set, the configuration backends and the controller.]
stroke: Control Interface I
carol> ipsec start
05[AUD] initiating IKE_SA 'home' to 192.168.0.1
05[ENC] generating IKE_SA_INIT request 0 [SA KE No N N]
05[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
06[ENC] parsed IKE_SA_INIT response 0 [SA KE No N N]
06[ENC] generating IKE_AUTH request 1 [IDi CERTREQ IDr AUTH CP SA TSi TSr]
06[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
07[ENC] parsed IKE_AUTH response 1 [IDr CERT AUTH CP SA TSi TSr N]
07[ENC] IKE_SA 'home' established between 192.168.0.100...192.168.0.1
07[IKE] installing new virtual IP 10.3.0.1
07[AUD] CHILD_SA 'home' established successfully
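The log above is the concrete evidence for the IKEv2 message count claimed on the daemon slide (4 messages for the IKE SA plus the first IPsec SA). As an added example, not strongSwan code and not from the slides, the following parser reads charon's log lines (the ones shown above, embedded as constructed input), reconstructs the exchanges with their payload lists, counts packets on the wire, and reads off who sent a certificate, whether a virtual IP was requested and which one was assigned. The function and dictionary-key names are this example's own.

```python
"""Reconstruct the IKEv2 exchanges from charon's log output.
Added example, not strongSwan code: it reads the log lines shown above
(embedded as constructed input) and reports how many messages each exchange
took, which payloads travelled and what the gateway assigned."""
import re

CHARON_LOG = """\
05[AUD] initiating IKE_SA 'home' to 192.168.0.1
05[ENC] generating IKE_SA_INIT request 0 [SA KE No N N]
05[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
06[ENC] parsed IKE_SA_INIT response 0 [SA KE No N N]
06[ENC] generating IKE_AUTH request 1 [IDi CERTREQ IDr AUTH CP SA TSi TSr]
06[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
07[ENC] parsed IKE_AUTH response 1 [IDr CERT AUTH CP SA TSi TSr N]
07[ENC] IKE_SA 'home' established between 192.168.0.100...192.168.0.1
07[IKE] installing new virtual IP 10.3.0.1
07[AUD] CHILD_SA 'home' established successfully
"""

LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
MSG_RE = re.compile(r"^(?:generating|parsed) (?P<exch>[A-Z_]+) (?P<kind>request|response) "
                    r"(?P<mid>\d+) \[(?P<payloads>[^\]]*)\]$")
PKT_RE = re.compile(r"^(?P<dir>sending|received) packet: from (?P<src>\S+) to (?P<dst>\S+)$")
VIP_RE = re.compile(r"^installing new virtual IP (?P<ip>\S+)$")


def parse_log(text):
    """Summarise one charon run: exchanges with their payload lists and
    message IDs, packets on the wire, virtual IP and which SAs came up."""
    out = {"exchanges": {}, "packets": [], "virtual_ip": None,
           "ike_sa": None, "child_sa": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        p, e, v = PKT_RE.match(msg), MSG_RE.match(msg), VIP_RE.match(msg)
        if p:
            out["packets"].append((p.group("dir"), p.group("src"), p.group("dst")))
        elif e:
            ex = out["exchanges"].setdefault(e.group("exch"), {"mid": int(e.group("mid"))})
            ex[e.group("kind")] = e.group("payloads").split()
        elif v:
            out["virtual_ip"] = v.group("ip")
        elif msg.startswith("IKE_SA ") and " established" in msg:
            out["ike_sa"] = msg.split("'")[1]
        elif msg.startswith("CHILD_SA ") and " established" in msg:
            out["child_sa"] = msg.split("'")[1]
    return out


def messages_for_first_sa(summary):
    """Messages spent on the IKE_SA plus its first CHILD_SA: the IKE_SA_INIT
    and IKE_AUTH request/response pairs. A further CHILD_SA would show up as
    one CREATE_CHILD_SA pair, i.e. two more messages."""
    return sum(("request" in ex) + ("response" in ex)
               for name, ex in summary["exchanges"].items()
               if name in ("IKE_SA_INIT", "IKE_AUTH"))


def auth_hints(summary):
    """Who proved identity with a certificate: CERT in the IKE_AUTH response
    means the responder did; the initiator only sent CERTREQ, as expected
    for a PSK-authenticated road warrior. CP in the request is the
    configuration payload asking for a virtual IP."""
    auth = summary["exchanges"].get("IKE_AUTH", {})
    req, resp = auth.get("request", []), auth.get("response", [])
    return {"initiator_cert": "CERT" in req, "responder_cert": "CERT" in resp,
            "initiator_certreq": "CERTREQ" in req, "requested_virtual_ip": "CP" in req}
```

On the log above, messages_for_first_sa() returns 4 (two packets sent, two received), auth_hints() shows that only the responder presented a certificate while the initiator asked for one with CERTREQ, and the virtual IP 10.3.0.1 is the address the CHILD_SA's traffic selector will carry. The thread number prefix (05, 06, 07) is kept in LINE_RE because on a loaded gateway the lines of one IKE_SA are interleaved with others.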
stroke: Control Interface II
carol> ipsec status
Performance:
  uptime: 5 seconds, since Apr 28 18:30:36 2008
  worker threads: 11 idle of 16, job queue load: 1, scheduled events: 5
Listening IP addresses:
  192.168.0.100
  fec0::10
Connections:
  home:  192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
  home:    dynamic/32 === 10.1.0.0/16
Security Associations:
  home[1]: ESTABLISHED, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
  home[1]: IKE SPIs: 15993ec81138c1b1_i* ce054ec02da36c8e_r, reauth in 51 minutes
  home{1}:  INSTALLED, TUNNEL, ESP SPIs: c51cf634_i cf2c3efd_o
  home{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
  home{1}:   10.3.0.1/32 === 10.1.0.0/16
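The status output is where an operator verifies what was actually negotiated, not what was configured. As an added example that is not strongSwan code and not from the slides, the parser below reads the Security Associations section of the output above (embedded as constructed input), extracts IKE and ESP SPIs, initiator role, tunnel mode, cipher suite, rekey timers and traffic selectors, and then checks every CHILD_SA against an assumed minimum policy (no DES/3DES/NULL encryption, no MD5 integrity, at least 128-bit keys, tunnel mode). The policy sets and thresholds are this example's assumptions.

```python
"""Parse 'ipsec status' output and check the installed SAs against a
crypto policy. Added example, not strongSwan code; the status text is the
slide's (constructed input) and the policy thresholds are assumptions."""
import re

STATUS = """\
Performance:
  uptime: 5 seconds, since Apr 28 18:30:36 2008
  worker threads: 11 idle of 16, job queue load: 1, scheduled events: 5
Listening IP addresses:
  192.168.0.100
  fec0::10
Connections:
  home:  192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
  home:    dynamic/32 === 10.1.0.0/16
Security Associations:
  home[1]: ESTABLISHED, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
  home[1]: IKE SPIs: 15993ec81138c1b1_i* ce054ec02da36c8e_r, reauth in 51 minutes
  home{1}:  INSTALLED, TUNNEL, ESP SPIs: c51cf634_i cf2c3efd_o
  home{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
  home{1}:   10.3.0.1/32 === 10.1.0.0/16
"""

IKE_RE = re.compile(r"^(?P<name>\w+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$")
CHILD_RE = re.compile(r"^(?P<name>\w+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
IKE_SPI_RE = re.compile(r"IKE SPIs: (?P<i>[0-9a-f]+)_i(?P<star>\*?) (?P<r>[0-9a-f]+)_r\*?, "
                        r"reauth in (?P<reauth>\d+ \w+)")
ESP_RE = re.compile(r"^INSTALLED, (?P<mode>TUNNEL|TRANSPORT), ESP SPIs: "
                    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
ALG_RE = re.compile(r"^(?P<enc>[A-Z0-9_]+(?:-\d+)?)/(?P<integ>[A-Z0-9_]+), "
                    r"rekeying in (?P<rekey>\d+ \w+)")
TS_RE = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")


def parse_status(text):
    """Return (ike_sas, child_sas), each keyed by (conn name, unique id)."""
    ike_sas, child_sas, in_sas = {}, {}, False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                   # section heading at column 0
            in_sas = raw.strip() == "Security Associations:"
            continue
        if not in_sas:
            continue
        line = raw.strip()
        m = IKE_RE.match(line)
        if m:
            sa = ike_sas.setdefault((m.group("name"), int(m.group("id"))), {})
            rest = m.group("rest")
            if rest.startswith("ESTABLISHED"):
                sa["state"] = "ESTABLISHED"
            s = IKE_SPI_RE.search(rest)
            if s:                                  # '*' marks the SPI we chose: initiator
                sa.update(spi_i=s.group("i"), spi_r=s.group("r"),
                          initiator=bool(s.group("star")), reauth=s.group("reauth"))
            continue
        m = CHILD_RE.match(line)
        if m:
            sa = child_sas.setdefault((m.group("name"), int(m.group("id"))), {})
            for rx in (ESP_RE, ALG_RE, TS_RE):
                hit = rx.match(m.group("rest"))
                if hit:
                    sa.update(hit.groupdict())
    return ike_sas, child_sas


# Assumed policy: what this gateway's operator is willing to see installed.
WEAK_ENC = {"DES_CBC", "3DES_CBC", "NULL"}
WEAK_INTEG = {"HMAC_MD5_96"}


def check_policy(child_sas, min_enc_bits=128):
    """Findings for CHILD_SAs whose negotiated algorithms fall below policy."""
    findings = []
    for (name, cid), sa in child_sas.items():
        enc = sa.get("enc", "?")
        alg, sep, bits = enc.rpartition("-")
        if not sep:                                # no key-size suffix, e.g. 3DES_CBC
            alg, bits = enc, ""
        if alg in WEAK_ENC or (bits.isdigit() and int(bits) < min_enc_bits):
            findings.append(f"{name}{{{cid}}}: weak encryption {enc}")
        if sa.get("integ") in WEAK_INTEG:
            findings.append(f"{name}{{{cid}}}: weak integrity {sa['integ']}")
        if sa.get("mode") != "TUNNEL":
            findings.append(f"{name}{{{cid}}}: not a tunnel-mode SA")
    return findings
```

On the output above check_policy() returns no findings: AES_CBC-128 with HMAC_SHA1_96 in tunnel mode, inbound ESP SPI c51cf634, and the asterisk on the initiator SPI confirms carol initiated. Piping `ipsec status` through this check from cron turns a stale, weaker proposal list on either side into an alert rather than a silent downgrade.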
LinuxTag 2008 Berlin
Configuration and Control
The modular way
Plugins for charon
[Figure: the charon plugin loader attaches plugins to the bus, the credentials set, the configuration backends and the controller: stroke, smp, med_db, eap_aka, eap_sim, eap_md5, sql, …]
• eap_x: any EAP protocol.
• smp: XML-based control and management protocol. Uses a bi-directional UNIX socket. Implementation: strongSwan Manager.
• sql: generic SQL interface for configurations, credentials & logging. Implementations: SQLite & MySQL.
strongSwan Manager
[Screenshot: the Manager web interface, with actions to take down an IKE SA and to take down an IPsec SA.]
FastCGI written in C with ClearSilver templates
strongSwan Entity Relationship Diagram
[Figure: tables of the sql plugin schema: identities, private_keys, certificates, shared_secrets, peer_configs, ike_configs, child_configs, traffic_selectors, pools, leases, logs.]
SQLite and MySQL implementations
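The pools and leases tables in the diagram are what backs a gateway-side rightsourceip pool such as 10.3.0.0/16. As an added example that is not the strongSwan sql plugin's schema and not from the slides, the SQLite model below uses the diagram's table names (identities, pools, leases) with assumed columns and shows the bookkeeping a pool needs: hand a returning identity its previous address back, otherwise prefer a never-used address, and only then recycle the address released longest ago; report exhaustion rather than double-allocating. The class and method names are this example's own.

```python
"""Virtual-IP pool and lease bookkeeping in SQLite.
Added example, not the strongSwan sql plugin's schema: a minimal
identities/pools/leases model (table names from the ER diagram above,
columns an assumption) showing how a gateway hands out addresses from a
pool such as rightsourceip=10.3.0.0/16, gives a returning identity its
previous address back and frees addresses when an SA goes down."""
import ipaddress
import sqlite3

SCHEMA = """
CREATE TABLE identities (id INTEGER PRIMARY KEY, data TEXT UNIQUE NOT NULL);
CREATE TABLE pools (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                    start INTEGER NOT NULL, end INTEGER NOT NULL);
CREATE TABLE leases (pool INTEGER NOT NULL REFERENCES pools(id),
                     address TEXT NOT NULL,
                     identity INTEGER NOT NULL REFERENCES identities(id),
                     acquired INTEGER NOT NULL, released INTEGER,
                     UNIQUE (pool, address));
"""


class PoolExhausted(Exception):
    pass


class LeaseDB:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def add_pool(self, name, cidr):
        """Register the usable host range of a CIDR block as a pool."""
        net = ipaddress.ip_network(cidr)
        self.db.execute("INSERT INTO pools (name, start, end) VALUES (?, ?, ?)",
                        (name, int(net.network_address) + 1, int(net.broadcast_address) - 1))

    def _identity(self, data):
        self.db.execute("INSERT OR IGNORE INTO identities (data) VALUES (?)", (data,))
        return self.db.execute("SELECT id FROM identities WHERE data = ?", (data,)).fetchone()[0]

    def acquire(self, pool_name, identity, now):
        """Lease an address: the identity's own released address first, then a
        never-used one, then the address released longest ago."""
        pool, start, end = self.db.execute(
            "SELECT id, start, end FROM pools WHERE name = ?", (pool_name,)).fetchone()
        ident = self._identity(identity)
        row = self.db.execute("SELECT address FROM leases WHERE pool = ? AND identity = ? "
                              "AND released IS NOT NULL", (pool, ident)).fetchone()
        if row is None:
            # every row is a distinct address handed out in order, so the count
            # tells us the next never-used address in the range
            used = self.db.execute("SELECT COUNT(*) FROM leases WHERE pool = ?",
                                   (pool,)).fetchone()[0]
            if start + used <= end:
                addr = str(ipaddress.ip_address(start + used))
                self.db.execute("INSERT INTO leases (pool, address, identity, acquired) "
                                "VALUES (?, ?, ?, ?)", (pool, addr, ident, now))
                return addr
            row = self.db.execute("SELECT address FROM leases WHERE pool = ? AND released "
                                  "IS NOT NULL ORDER BY released LIMIT 1", (pool,)).fetchone()
        if row is None:
            raise PoolExhausted(pool_name)
        self.db.execute("UPDATE leases SET identity = ?, acquired = ?, released = NULL "
                        "WHERE pool = ? AND address = ?", (ident, now, pool, row[0]))
        return row[0]

    def release(self, pool_name, address, now):
        """Mark an address free again; True if it was actually leased."""
        cur = self.db.execute(
            "UPDATE leases SET released = ? WHERE address = ? AND released IS NULL "
            "AND pool = (SELECT id FROM pools WHERE name = ?)", (now, address, pool_name))
        return cur.rowcount == 1

    def online(self, pool_name):
        """Addresses currently leased, oldest lease first."""
        rows = self.db.execute(
            "SELECT address FROM leases WHERE released IS NULL "
            "AND pool = (SELECT id FROM pools WHERE name = ?) ORDER BY acquired", (pool_name,))
        return [a for (a,) in rows]
```

With a pool built from 10.3.0.0/16, carol gets 10.3.0.1 and dave 10.3.0.2, matching the virtual IP seen in the charon log; after carol disconnects, a new identity still receives a fresh 10.3.0.3 and carol gets 10.3.0.1 back on return. The UNIQUE (pool, address) constraint is what makes a concurrent double allocation fail loudly instead of producing two clients with the same inner address.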
LinuxTag 2008 Berlin
Modular Crypto Plugins
Plugins for libstrongswan
[Figure: the libstrongswan plugin loader registers implementations with factories: crypto (aes, sha2, random, …), credentials (x509, …), database (sqlite, mysql), fetcher (curl, ldap), …]
VIA EPIA-NX PadLock Crypto-Processor
LinuxTag 2008 Berlin
IKEv2 Mediation Extension
Mediated Connection
Peer-to-Peer NAT-Traversal for IPsec
[Figure: Peer Alice (10.1.0.10) and Peer Bob (10.2.0.10) each sit behind a NAT router (seen from outside as 1.2.3.4:1025 and 5.6.7.8:3001) and use the identities aZ9ch2@m.org and 7vnU3b@m.org. Each runs a Mediation Client with an IKEv2 Mediation Connection to the Mediation Server. Once the server has mediated, the peers run a direct ESP tunnel using NAT-Traversal between 10.1.0.10:4500 and 10.2.0.10:4500.]
The Mediation Server provides:
• Client registration
• Endpoint discovery (e.g. 1.2.3.4:1025)
• Endpoint relaying
• Hole punching (ICE, etc.)
draft-brunner-ikev2-mediation released
Login at the strongSwan Mediation Manager
Register a Peer with the Mediation Manager
List of Registered Peers
LinuxTag 2008 Berlin
Thank you for your attention!
Questions?