
Page 1: strongSwan VPNs: scalable and modularized!

Andreas Steffen, 30.05.2008, LinuxTag2008.ppt 1

LinuxTag 2008 Berlin

strongSwan VPNs
scalable and modularized!

Prof. Dr. Andreas Steffen
andreas.steffen@strongswan.org

Page 2: Virtual Private Networks

Diagram: Headquarters (subnet 10.1.0.0/16, host 10.1.0.5) behind VPN Gateway 11.22.33.44 and Subsidiary (subnet 10.2.0.0/16, host 10.2.0.3) behind VPN Gateway 55.66.77.88 are linked by a VPN tunnel across the Internet; a "Road Warrior" VPN client with public address 55.66.x.x and virtual address 10.3.0.2 reaches the headquarters gateway through a second VPN tunnel.

Page 3: strongSwan User-Mode-Linux VPN Testbed

Screenshot of the User-Mode-Linux testbed (no text recoverable from the transcript).

Page 4: strongSwan Software Architecture

LinuxTag 2008 Berlin

Page 5: The FreeS/WAN Genealogy

Timeline as drawn on the slide:

1999  FreeS/WAN 1.x
2000  X.509 1.x Patch
2003  FreeS/WAN 2.x, X.509 2.x Patch, Super FreeS/WAN
2004  Openswan 1.x
2004  strongSwan 2.x, Openswan 2.x
2005  ITA IKEv2 Project
2006  strongSwan 4.x (IKEv1 & IKEv2)
2007  Openswan 3.x (IKEv1 only)

Page 6: The strongSwan IKE Daemons

• IKEv1 (pluto)
  - 6 messages for the IKE SA (Phase 1, Main Mode)
  - 3 messages for each IPsec SA (Phase 2, Quick Mode)

• IKEv2 (charon)
  - 4 messages for the IKE SA and the first IPsec SA (IKE_SA_INIT / IKE_AUTH)
  - 2 messages for each additional IPsec SA (CREATE_CHILD_SA)

Diagram: ipsec starter reads ipsec.conf and launches both daemons. pluto is controlled over the whack socket (ipsec whack), charon over the stroke socket (ipsec stroke). Each daemon owns a UDP/500 socket and a raw socket with a Linux Socket Filter (LSF) for IKE traffic, and installs its SAs into the native IPsec stack of the Linux 2.6 kernel through a Netlink XFRM socket.

Page 7: IKEv2 Daemon – Software Architecture

Diagram of charon: the socket feeds the receiver, which hands incoming messages to the processor; the processor runs 16 concurrent worker threads, and a scheduler queues jobs for later execution. The IKE SA manager owns the IKE SAs, each of which holds its CHILD SAs; the kernel interface installs them into the IPsec stack, and the sender returns outgoing messages to the socket. A bus distributes events to listeners such as the file logger and the sys logger; the credentials set and the configuration backends are attached to the daemon.

Page 8: Configuration and Control

LinuxTag 2008 Berlin

The FreeS/WAN way

Page 9: IKEv2 Mixed PSK/RSA Authentication

With IKEv2 each side authenticates independently: carol (authby=psk) proves her identity with the pre-shared key stored under her identity, while moon (authby=rsasig) proves its identity with an RSA signature using moonKey.pem, bound to moonCert.pem. Each roadwarrior gets its own PSK in moon's ipsec.secrets.

# ipsec.conf for roadwarrior carol

conn home
     keyexchange=ikev2
     authby=psk
     left=%defaultroute
     leftsourceip=%config
     leftid=carol@strongswan.org
     leftfirewall=yes
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsubnet=10.1.0.0/16
     auto=start

# ipsec.conf for gateway moon

conn rw
     keyexchange=ikev2
     authby=rsasig
     left=%defaultroute
     leftsubnet=10.1.0.0/16
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     leftfirewall=yes
     right=%any
     rightsourceip=10.3.0.0/16
     auto=add

# ipsec.secrets for roadwarrior carol

carol@strongswan.org : PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"

# ipsec.secrets for gateway moon

: RSA moonKey.pem
carol@strongswan.org : PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"
[email protected] : PSK "jVzONCF02ncsgiSlmIXeqhGN"
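A small lint for the two configurations above, written as an added example for this page: it is not strongSwan code, does not use strongSwan's own parser, and handles only the conn/key=value and ipsec.secrets syntax shown on the slide (the sample configs below are re-typed from the slide). The check it encodes is the reason for the mixed authentication: a PSK is symmetric, so whoever holds a group-wide PSK can impersonate the gateway towards every other client; the gateway therefore signs with its RSA key while each roadwarrior keeps an individual PSK. The lint flags a wildcard PSK on a gateway that accepts any peer, estimates each PSK's strength (an upper bound assuming random choice from the character classes used) against a threshold of 128 bits that is the example's own policy, and warns when the virtual-IP pool overlaps the protected subnet. The second roadwarrior identity, redacted on the slide, is given as a hypothetical dave@strongswan.org, and the weak gateway configuration is constructed for contrast.

```python
# Added example, not strongSwan code: lint of an ipsec.conf / ipsec.secrets pair.
# Handles only the syntax on the slide: 'conn <name>' plus indented key=value lines,
# and secrets lines '<ids> : PSK "..."' or ': RSA <keyfile>'.
import ipaddress
import math
import re

MIN_PSK_BITS = 128   # the example's own policy threshold, not a strongSwan setting

# Constructed sample input, re-typed from the slide (roadwarrior carol, gateway moon).
CAROL_CONF = """\
conn home
     keyexchange=ikev2
     authby=psk
     left=%defaultroute
     leftsourceip=%config
     leftid=carol@strongswan.org
     right=192.168.0.1
     rightid=@moon.strongswan.org
     rightsubnet=10.1.0.0/16
     auto=start
"""
CAROL_SECRETS = 'carol@strongswan.org : PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"\n'
MOON_CONF = """\
conn rw
     keyexchange=ikev2
     authby=rsasig
     left=%defaultroute
     leftsubnet=10.1.0.0/16
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     right=%any
     rightsourceip=10.3.0.0/16
     auto=add
"""
MOON_SECRETS = """\
: RSA moonKey.pem
carol@strongswan.org : PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"
dave@strongswan.org : PSK "jVzONCF02ncsgiSlmIXeqhGN"
"""   # dave@strongswan.org stands in for the second identity redacted on the slide
# Constructed counter-example: gateway on a group PSK, weak secret, pool inside leftsubnet.
WEAK_CONF = ("conn rw\n keyexchange=ikev2\n authby=psk\n leftid=@moon.strongswan.org\n"
             " leftsubnet=10.1.0.0/16\n right=%any\n rightsourceip=10.1.0.0/24\n")
WEAK_SECRETS = ': PSK "secret123"\n'


def parse_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:       # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Return ({identity or '%any': psk}, [rsa key files]) from an ipsec.secrets."""
    psks, rsa_keys = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        ids, _, rest = line.partition(":")
        rest = rest.strip()
        if rest.startswith("RSA"):
            rsa_keys.append(rest.split(None, 1)[1])
        elif rest.startswith("PSK"):
            secret = re.search(r'PSK\s+"([^"]*)"', rest).group(1)
            for ident in ids.split() or ["%any"]:       # no id before ':' means wildcard
                psks[ident] = secret
    return psks, rsa_keys


def psk_strength_bits(psk):
    """Upper bound: length * log2(alphabet), assuming random choice from the classes used."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))
    alphabet = sum(size for pat, size in classes if re.search(pat, psk))
    return len(psk) * math.log2(alphabet) if alphabet else 0.0


def lint(conf_text, secrets_text):
    """Return findings for one host's ipsec.conf + ipsec.secrets; [] means clean."""
    findings = []
    psks, rsa_keys = parse_secrets(secrets_text)
    for name, c in parse_conf(conf_text).items():
        if c.get("authby") == "psk":
            local_id = c.get("leftid", "%any")
            psk = psks.get(local_id, psks.get("%any"))
            if psk is None:
                findings.append(f"{name}: no PSK for local identity {local_id}")
            elif psk_strength_bits(psk) < MIN_PSK_BITS:
                findings.append(f"{name}: PSK for {local_id} is ~{psk_strength_bits(psk):.0f} bits")
            if c.get("right") == "%any" and "%any" in psks:
                findings.append(f"{name}: wildcard PSK: any holder can impersonate this gateway")
        elif c.get("authby") == "rsasig" and ("leftcert" not in c or not rsa_keys):
            findings.append(f"{name}: rsasig needs leftcert and an RSA key in ipsec.secrets")
        if "/" in c.get("rightsourceip", "") and "leftsubnet" in c:
            pool = ipaddress.ip_network(c["rightsourceip"], strict=False)
            for net in c["leftsubnet"].split(","):
                if pool.overlaps(ipaddress.ip_network(net.strip(), strict=False)):
                    findings.append(f"{name}: virtual IP pool {pool} overlaps leftsubnet {net}")
    return findings
```

Running lint(CAROL_CONF, CAROL_SECRETS) and lint(MOON_CONF, MOON_SECRETS) yields no findings; the constructed weak gateway produces three (group PSK, a secret of roughly 47 bits, pool inside the protected subnet).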

Page 10: Default stroke plugin for charon

Diagram: charon's plugin loader loads the stroke plugin, which plugs into the credentials set, the configuration backends, the bus and the controller.

Page 11: stroke: Control Interface I

carol> ipsec start

05[AUD] initiating IKE_SA 'home' to 192.168.0.1
05[ENC] generating IKE_SA_INIT request 0 [SA KE No N N]
05[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
06[ENC] parsed IKE_SA_INIT response 0 [SA KE No N N]
06[ENC] generating IKE_AUTH request 1 [IDi CERTREQ IDr AUTH CP SA TSi TSr]
06[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
07[ENC] parsed IKE_AUTH response 1 [IDr CERT AUTH CP SA TSi TSr N]
07[ENC] IKE_SA 'home' established between 192.168.0.100...192.168.0.1
07[IKE] installing new virtual IP 10.3.0.1
07[AUD] CHILD_SA 'home' established successfully

Page 12: stroke: Control Interface II

carol> ipsec status

Performance:
  uptime: 5 seconds, since Apr 28 18:30:36 2008
  worker threads: 11 idle of 16, job queue load: 1, scheduled events: 5
Listening IP addresses:
  192.168.0.100
  fec0::10
Connections:
        home:  192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
        home:   dynamic/32 === 10.1.0.0/16
Security Associations:
        home[1]: ESTABLISHED, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
        home[1]: IKE SPIs: 15993ec81138c1b1_i* ce054ec02da36c8e_r, reauth in 51 minutes
        home{1}:  INSTALLED, TUNNEL, ESP SPIs: c51cf634_i cf2c3efd_o
        home{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
        home{1}:   10.3.0.1/32 === 10.1.0.0/16
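The ipsec start log on the previous slide and the ipsec status output above are what a practitioner checks after bringing a connection up. Here is an added example (not strongSwan code) that parses both, with the two outputs re-typed from the slides one entry per line. It reconstructs the exchange sequence and confirms the four-packet setup stated on the IKE daemons slide (IKE_SA_INIT request/response, IKE_AUTH request/response), that the IKE_AUTH request carried a CP payload asking for a virtual IP and the response a CERT payload (the gateway authenticated with its certificate), and then audits the installed CHILD_SA against an allow-list of ESP transforms and the expected traffic selectors; the allow-list is the example's own policy, not a strongSwan default.

```python
import re

# Constructed sample input, re-typed from the two stroke slides with one entry per line.
START_LOG = """\
05[AUD] initiating IKE_SA 'home' to 192.168.0.1
05[ENC] generating IKE_SA_INIT request 0 [SA KE No N N]
05[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
06[ENC] parsed IKE_SA_INIT response 0 [SA KE No N N]
06[ENC] generating IKE_AUTH request 1 [IDi CERTREQ IDr AUTH CP SA TSi TSr]
06[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
07[ENC] parsed IKE_AUTH response 1 [IDr CERT AUTH CP SA TSi TSr N]
07[ENC] IKE_SA 'home' established between 192.168.0.100...192.168.0.1
07[IKE] installing new virtual IP 10.3.0.1
07[AUD] CHILD_SA 'home' established successfully
"""
STATUS = """\
Security Associations:
        home[1]: ESTABLISHED, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
        home[1]: IKE SPIs: 15993ec81138c1b1_i* ce054ec02da36c8e_r, reauth in 51 minutes
        home{1}:  INSTALLED, TUNNEL, ESP SPIs: c51cf634_i cf2c3efd_o
        home{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
        home{1}:   10.3.0.1/32 === 10.1.0.0/16
"""
# ESP transforms this example accepts (its own policy, not a strongSwan default).
ALLOWED_ESP = {("AES_CBC-128", "HMAC_SHA1_96"), ("AES_CBC-256", "HMAC_SHA1_96")}

EXCH_RE = re.compile(r"(generating|parsed) (\w+) (request|response) (\d+) \[([^\]]*)\]")


def summarize_setup(log):
    """Reconstruct the IKEv2 exchanges and the resulting SAs from charon's log."""
    s = {"packets": 0, "exchanges": [], "ike_sa": None, "child_sa": None, "virtual_ip": None}
    for line in log.splitlines():
        msg = line.split("] ", 1)[1]                     # strip the "NN[SUBSYS] " prefix
        if msg.startswith(("sending packet", "received packet")):
            s["packets"] += 1
        elif (m := EXCH_RE.search(msg)):                 # (type, direction, msgid, payloads)
            s["exchanges"].append((m[2], m[3], int(m[4]), m[5].split()))
        elif (m := re.match(r"IKE_SA '(\w+)' established", msg)):
            s["ike_sa"] = m[1]
        elif (m := re.match(r"CHILD_SA '(\w+)' established", msg)):
            s["child_sa"] = m[1]
        elif (m := re.match(r"installing new virtual IP (\S+)", msg)):
            s["virtual_ip"] = m[1]
    return s


def parse_status(text):
    """Return {'home[1]': {...}, 'home{1}': {...}} from the Security Associations block."""
    sas = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+[\[{]\d+[\]}]):\s+(.*)", line)
        if not m:
            continue
        key, rest = m.groups()
        sa = sas.setdefault(key, {})
        fields = [f.strip() for f in rest.split(",")]
        if rest.startswith("ESTABLISHED"):                # IKE_SA line
            sa["state"], sa["peers"] = fields[0], fields[1]
        elif rest.startswith("INSTALLED"):                # CHILD_SA line
            sa["state"], sa["mode"] = fields[0], fields[1]
            sa["esp_spis"] = fields[2].split(":")[1].split()
        elif rest.startswith("IKE SPIs"):
            sa["ike_spis"] = re.findall(r"([0-9a-f]{16})_[ir]", rest)
            sa["initiator"] = "_i*" in rest               # '*' marks the local side
        elif (m := re.match(r"(\S+)/(\S+), rekeying in (\d+) minutes", rest)):
            sa["enc"], sa["integ"], sa["rekey_min"] = m[1], m[2], int(m[3])
        elif " === " in rest:
            sa["local_ts"], sa["remote_ts"] = rest.split(" === ")
    return sas


def audit(sas, expected_remote_ts):
    """Policy checks on the installed CHILD_SAs; returns a list of findings."""
    findings = []
    for key, sa in sas.items():
        if not key.endswith("}"):                         # only CHILD_SAs ('name{id}')
            continue
        if sa.get("mode") != "TUNNEL":
            findings.append(f"{key}: not in tunnel mode")
        if (sa.get("enc"), sa.get("integ")) not in ALLOWED_ESP:
            findings.append(f"{key}: ESP {sa.get('enc')}/{sa.get('integ')} not allowed")
        if sa.get("remote_ts") != expected_remote_ts:
            findings.append(f"{key}: remote selector {sa.get('remote_ts')} != {expected_remote_ts}")
        if not sa.get("local_ts", "").endswith("/32"):
            findings.append(f"{key}: local selector is not a single virtual IP")
    return findings


if __name__ == "__main__":
    setup = summarize_setup(START_LOG)
    print(setup["packets"], "packets:", [e[0] + " " + e[1] for e in setup["exchanges"]])
    print(audit(parse_status(STATUS), "10.1.0.0/16") or "CHILD_SA policy OK")
```

The same parser run on a status output where the CHILD_SA is in transport mode, or whose remote selector is not the expected 10.1.0.0/16, returns one finding each, which is the form in which such a check would feed a monitoring job.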

Page 13: Configuration and Control

LinuxTag 2008 Berlin

The modular way

Page 14: Plugins for charon

Diagram: charon's plugin loader attaches plugins to the credentials set, the configuration backends, the bus and the controller. Plugins shown: stroke, smp, sql, med_db, eap, eap_aka, eap_sim, eap_md5.

• eap_x: any EAP protocol.

• smp: XML-based control and management protocol. Uses a bi-directional UNIX socket. Implementation: strongSwan Manager.

• sql: generic SQL interface for configurations, credentials & logging. Implementations: SQLite & MySQL.

Page 15: strongSwan Manager

Screenshot of the strongSwan Manager web interface, with controls to take down an IKE SA or an IPsec SA.

FastCGI written in C with ClearSilver templates

Page 16: strongSwan Entity Relationship Diagram

Diagram of the sql plugin's tables: configuration (peer_configs, ike_configs, child_configs, traffic_selectors, pools, leases), credentials (identities, private_keys, certificates, shared_secrets) and logs.

SQLite and MySQL implementations
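To show how the entities above fit together, here is an added example (not the strongSwan sql plugin's schema, which has more tables and columns) that builds a simplified SQLite version of the diagram with Python's sqlite3 module and loads the gateway 'moon' configuration from the ipsec.conf slide into it. Three queries then do the work a configuration and credential backend has to do at connection time: select the peer config for an incoming IDi (an exact remote identity beats a %any entry), fetch the PSK bound to that identity, and hand out a virtual IP from the pool. The lease policy is the example's own: a lease is bound to the identity, so a returning peer gets its previous address and an identity the database does not know gets none. The second roadwarrior, dave@strongswan.org, is assumed; the slide redacts that identity.

```python
import ipaddress
import sqlite3

# Simplified schema modelled on the diagram (the example's own, not the sql plugin's).
# Integer columns named after another table hold that table's row id.
SCHEMA = """
CREATE TABLE identities (id INTEGER PRIMARY KEY, type TEXT, data TEXT UNIQUE);
CREATE TABLE shared_secrets (id INTEGER PRIMARY KEY, type TEXT, data TEXT);
CREATE TABLE shared_secret_identity (shared_secret INTEGER, identity INTEGER);
CREATE TABLE ike_configs (id INTEGER PRIMARY KEY, local TEXT, remote TEXT);
CREATE TABLE traffic_selectors (id INTEGER PRIMARY KEY, subnet TEXT);
CREATE TABLE child_configs (id INTEGER PRIMARY KEY, name TEXT, mode TEXT, local_ts INTEGER, remote_ts INTEGER);
CREATE TABLE pools (id INTEGER PRIMARY KEY, name TEXT UNIQUE, first_addr TEXT, last_addr TEXT);
CREATE TABLE leases (id INTEGER PRIMARY KEY, pool INTEGER, identity INTEGER, address TEXT, UNIQUE (pool, address));
CREATE TABLE peer_configs (id INTEGER PRIMARY KEY, name TEXT, ike_cfg INTEGER, local_id INTEGER,
                           remote_id INTEGER, auth TEXT, child_cfg INTEGER, pool INTEGER);
"""


def ident(cur, data):
    """Return the row id of an identity, inserting it on first use."""
    kind = "any" if data == "%any" else "rfc822" if "@" in data[1:] else "fqdn"
    cur.execute("INSERT OR IGNORE INTO identities (type, data) VALUES (?, ?)", (kind, data))
    return cur.execute("SELECT id FROM identities WHERE data = ?", (data,)).fetchone()[0]


def load_gateway(conn):
    """Load the gateway 'moon' configuration from the ipsec.conf slide into the schema."""
    cur = conn.cursor()
    cur.executescript(SCHEMA)
    moon, anyone = ident(cur, "@moon.strongswan.org"), ident(cur, "%any")
    cur.execute("INSERT INTO ike_configs (local, remote) VALUES ('%any', '%any')")
    ike = cur.lastrowid
    cur.execute("INSERT INTO traffic_selectors (subnet) VALUES ('10.1.0.0/16')")  # leftsubnet
    lts = cur.lastrowid
    cur.execute("INSERT INTO traffic_selectors (subnet) VALUES ('dynamic')")      # virtual IP
    rts = cur.lastrowid
    cur.execute("INSERT INTO child_configs (name, mode, local_ts, remote_ts) "
                "VALUES ('rw', 'TUNNEL', ?, ?)", (lts, rts))
    child = cur.lastrowid
    cur.execute("INSERT INTO pools (name, first_addr, last_addr) "
                "VALUES ('rw', '10.3.0.1', '10.3.255.254')")                       # rightsourceip=10.3.0.0/16
    pool = cur.lastrowid
    cur.execute("INSERT INTO peer_configs (name, ike_cfg, local_id, remote_id, auth, child_cfg, pool) "
                "VALUES ('rw', ?, ?, ?, 'rsasig', ?, ?)", (ike, moon, anyone, child, pool))
    # Per-roadwarrior PSKs: carol's is from the slide; dave@strongswan.org is an assumed second peer.
    for peer, psk in (("carol@strongswan.org", "FpZAZqEN6Ti9sqt4ZP5EWcqx"),
                      ("dave@strongswan.org", "jVzONCF02ncsgiSlmIXeqhGN")):
        cur.execute("INSERT INTO shared_secrets (type, data) VALUES ('psk', ?)", (psk,))
        cur.execute("INSERT INTO shared_secret_identity VALUES (?, ?)", (cur.lastrowid, ident(cur, peer)))
    conn.commit()


def open_gateway_db():
    """In-memory database loaded with the gateway configuration."""
    conn = sqlite3.connect(":memory:")
    load_gateway(conn)
    return conn


def select_peer_config(conn, peer_id):
    """Config lookup by the peer's IDi: an exact remote_id match beats a '%any' entry."""
    return conn.execute("""
        SELECT p.name, p.auth, lt.subnet, pl.name FROM peer_configs p
        JOIN identities r ON r.id = p.remote_id
        JOIN child_configs c ON c.id = p.child_cfg
        JOIN traffic_selectors lt ON lt.id = c.local_ts
        LEFT JOIN pools pl ON pl.id = p.pool
        WHERE r.data IN (?, '%any') ORDER BY (r.data = ?) DESC LIMIT 1""",
        (peer_id, peer_id)).fetchone()


def lookup_psk(conn, peer_id):
    """Credential lookup at IKE_AUTH: the PSK bound to exactly this identity, else None."""
    row = conn.execute("""
        SELECT s.data FROM shared_secrets s
        JOIN shared_secret_identity si ON si.shared_secret = s.id
        JOIN identities i ON i.id = si.identity
        WHERE s.type = 'psk' AND i.data = ?""", (peer_id,)).fetchone()
    return row[0] if row else None


def lease_address(conn, pool_name, peer_id):
    """Virtual IP from the pool, bound to the identity (example policy): a returning peer
    gets its old lease back, an identity the database does not know gets nothing."""
    cur = conn.cursor()
    pool_id, first, last = cur.execute(
        "SELECT id, first_addr, last_addr FROM pools WHERE name = ?", (pool_name,)).fetchone()
    row = cur.execute("SELECT id FROM identities WHERE data = ?", (peer_id,)).fetchone()
    if row is None:
        return None
    old = cur.execute("SELECT address FROM leases WHERE pool = ? AND identity = ?",
                      (pool_id, row[0])).fetchone()
    if old:
        return old[0]
    taken = {a for (a,) in cur.execute("SELECT address FROM leases WHERE pool = ?", (pool_id,))}
    addr, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    while str(addr) in taken:                    # first free address in pool order
        addr += 1
        if addr > last:
            return None
    cur.execute("INSERT INTO leases (pool, identity, address) VALUES (?, ?, ?)",
                (pool_id, row[0], str(addr)))
    conn.commit()
    return str(addr)
```

With this data, select_peer_config for carol's IDi yields the 'rw' configuration with rsasig authentication for the gateway side and the 10.1.0.0/16 selector, lookup_psk returns her PSK and nothing for an unknown identity, and the first two leases from the pool are 10.3.0.1 and 10.3.0.2, matching the virtual IP the status slide shows for carol.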

Page 17: Modular Crypto Plugins

LinuxTag 2008 Berlin

Page 18: Plugins for libstrongswan

Diagram: libstrongswan's plugin loader registers plugins with four factories: credentials (x509), crypto (aes, sha2, random), database (sqlite, mysql) and fetcher (curl, ldap).

Page 19: VIA EPIA-NX PadLock Crypto-Processor

Photo of the VIA EPIA-NX board (no further text recoverable from the transcript).

Page 20: IKEv2 Mediation Extension

LinuxTag 2008 Berlin

Page 21: Mediated Connection – Peer-to-Peer NAT-Traversal for IPsec

Diagram: Peer Alice (10.1.0.10:4500) and Peer Bob (10.2.0.10:4500) each sit behind a NAT router (public endpoints 1.2.3.4:1025 and 5.6.7.8:3001). Each runs a mediation client that keeps an IKEv2 mediation connection to the Mediation Server, which is used for:

• Client registration
• Endpoint discovery (the server sees the NAT-mapped endpoint, e.g. 1.2.3.4:1025)
• Endpoint relaying
• Hole punching (ICE, etc.)

The peers then run IKEv2 directly and set up a direct ESP tunnel using NAT-Traversal.
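The mediation steps on the slide as an added example: a Python model, not strongSwan's mediation code, of two peers behind NATs using the slide's addresses, a mediation server that records each peer's endpoint as seen on the packet that registered it rather than trusting what the peer claims, endpoint lookup restricted to registered peers, and the hole-punching order that makes the direct connection possible. Assumptions: the NAT model is endpoint-independent mapping with address-and-port filtering, the server address 9.9.9.9:500 and the peer identities alice@strongswan.org and bob@strongswan.org are made up, Alice is placed behind 1.2.3.4 and Bob behind 5.6.7.8 (the transcript does not fix which router is whose), and no IKE or ESP traffic is modelled.

```python
# Added example, not strongSwan code: a model of registration, endpoint discovery and
# hole punching through a mediation server. Assumed server address (not on the slide):
SERVER = ("9.9.9.9", 500)


class Nat:
    """One public address; endpoint-independent mapping, address-and-port-dependent filtering."""

    def __init__(self, public_ip, first_port):
        self.public_ip, self.next_port = public_ip, first_port
        self.mapping = {}      # inner (ip, port) -> public port
        self.allowed = set()   # (public port, remote endpoint) pairs that saw outbound traffic

    def outbound(self, inner, remote):
        """Translate an outgoing packet and return the public endpoint it leaves with."""
        if inner not in self.mapping:
            self.mapping[inner] = self.next_port
            self.next_port += 1
        port = self.mapping[inner]
        self.allowed.add((port, remote))      # the "hole": packets back from remote may enter
        return (self.public_ip, port)

    def inbound(self, public_port, remote):
        """Return the inner endpoint an incoming packet is forwarded to, or None if filtered."""
        if (public_port, remote) not in self.allowed:
            return None
        return next(inner for inner, port in self.mapping.items() if port == public_port)


class MediationServer:
    def __init__(self):
        self.registry = {}     # peer identity -> public endpoint observed at registration

    def register(self, peer_id, seen_from):
        # The endpoint is taken from the packet's source, never from what the client claims:
        # that is how the server learns the NAT-mapped 1.2.3.4:1025 of the slide.
        self.registry[peer_id] = seen_from

    def lookup(self, requester, target):
        """Endpoint discovery; only a registered peer may learn another peer's endpoint."""
        if requester not in self.registry:
            return None
        return self.registry.get(target)


class Peer:
    def __init__(self, ident, inner, nat):
        self.ident, self.inner, self.nat = ident, inner, nat

    def send(self, remote):
        """Send a packet towards remote; returns the public endpoint it carries as source."""
        return self.nat.outbound(self.inner, remote)


def deliver(src_public, dst_public, dst_peer):
    """The Internet side: dst_peer's NAT decides whether the packet from src_public gets in."""
    if dst_public[0] != dst_peer.nat.public_ip:
        return None
    return dst_peer.nat.inbound(dst_public[1], src_public)


def run_mediation():
    """Registration, endpoint discovery and hole punching between Alice and Bob."""
    alice = Peer("alice@strongswan.org", ("10.1.0.10", 4500), Nat("1.2.3.4", 1025))
    bob = Peer("bob@strongswan.org", ("10.2.0.10", 4500), Nat("5.6.7.8", 3001))
    server = MediationServer()
    for peer in (alice, bob):                          # 1. client registration
        server.register(peer.ident, peer.send(SERVER))
    bob_ep = server.lookup(alice.ident, bob.ident)     # 2. endpoint discovery / relaying
    alice_ep = server.lookup(bob.ident, alice.ident)
    # 3. hole punching: Alice's first packet is dropped by Bob's NAT but opens her own;
    #    Bob's packet gets through and opens his NAT, so Alice's second packet arrives.
    return {
        "registry": dict(server.registry),
        "alice_first": deliver(alice.send(bob_ep), bob_ep, bob),
        "bob_reply": deliver(bob.send(alice_ep), alice_ep, alice),
        "alice_second": deliver(alice.send(bob_ep), bob_ep, bob),
        "stranger": server.lookup("mallory@strongswan.org", bob.ident),
    }
```

The returned dictionary records that the server learned 1.2.3.4:1025 and 5.6.7.8:3001 from the registrations, that Alice's first packet was filtered, that both later packets reached the inner hosts, and that an unregistered identity cannot harvest endpoints from the registry.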

Page 22: draft-brunner-ikev2-mediation released

Page 23: Login at the strongSwan Mediation Manager

Screenshot of the login page (no further text recoverable from the transcript).

Page 24: Register a Peer with the Mediation Manager

Screenshot of the peer registration form (no further text recoverable from the transcript).

Page 25: List of Registered Peers

Screenshot of the registered peers list (no further text recoverable from the transcript).

Page 26: Thank you for your attention!

LinuxTag 2008 Berlin

Questions?