1 / 26

LinuxTag 2008 Berlin

LinuxTag 2008 Berlin. strongSwan VPNs scalable and modularized! Prof. Dr. Andreas Steffen andreas.steffen@strongswan.org. „Road Warrior“. VPN Client. 10.3.0.2. 10.1.0.5. 10.2.0.3. 55.66.x.x. Internet. VPN Tunnel. Head Quarters. Subsidiary. VPN Tunnel. 10.1.0.0/16. 10.2.0.0/16.

schwenk
Download Presentation

LinuxTag 2008 Berlin

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. LinuxTag 2008 Berlin strongSwan VPNs scalable and modularized! Prof. Dr. Andreas Steffen andreas.steffen@strongswan.org

  2. „Road Warrior“ VPN Client 10.3.0.2 10.1.0.5 10.2.0.3 55.66.x.x Internet VPN Tunnel HeadQuarters Subsidiary VPN Tunnel 10.1.0.0/16 10.2.0.0/16 VPN Gateway11.22.33.44 VPN Gateway55.66.77.88 Virtual Private Networks

  3. strongSwan User-Mode-Linux VPN Testbed

  4. LinuxTag 2008 Berlin strongSwan Software Architecture

  5. FreeS/WAN 1.x 1999 2000 X.509 1.x Patch  2004 FreeS/WAN 2.x Super FreeS/WAN 2003 X.509 2.x Patch Openswan 1.x 2004 Openswan 2.x strongSwan 2.x 2005 ITA IKEv2 Project 2006 strongSwan 4.x Openswan 3.x 2007 IKEv1 & IKEv2 IKEv1 only The FreeS/WAN Genealogy

  6. ipsec.conf IKEv1 IKEv2 ipsecwhack ipsecstarter ipsecstroke whack socket stroke socket pluto charon NetlinkXFRM socket Linux 2.6 kernel LSF UDP/500socket nativeIPsec rawsocket The strongSwan IKE Daemons • IKEv1- 6 messages for IKE SAPhase 1 Main Mode- 3 messages for IPsec SAPhase 2 Quick Mode • IKEv2- 4 messages for IKE SA and first IPsec SAIKE_SA_INIT/IKE_AUTH- 2 messages for each additional IPsec SACREATE_CHILD_SA

  7. credentials backends receiver scheduler IKE SA Manager IKE SA CHILD SA CHILD SA socket IKE SA CHILD SA processor sender bus kernel interface file logger sys logger IPsec stack charon IKEv2 Daemon – Software Architecture 16 concurrent worker threads

  8. LinuxTag 2008 Berlin Configuration and Control The FreeS/WAN way

  9. #ipsec.secrets for roadwarrior carol carol@strongswan.org : \ PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx" #ipsec.secrets for gateway moon : RSA moonKey.pem carol@strongswan.org : \ PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx" dave@strongswan.org : \ PSK "jVzONCF02ncsgiSlmIXeqhGN" #ipsec.conf for roadwarrior carol conn home keyexchange=ikev2 authby=psk left=%defaultroute leftsourceip=%config leftid=carol@strongswan.org leftfirewall=yes right=192.168.0.1 rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 auto=start #ipsec.conf for gateway moon conn rw keyexchange=ikev2 authby=rsasig left=%defaultroute leftsubnet=10.1.0.0/16 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes right=%any rightsourceip=10.3.0.0/16 auto=add IKEv2 Mixed PSK/RSA Authentication

  10. charon controller P l u g i n L o a d e r stroke credentials backends bus Default stroke plugin for charon

  11. stroke: Control Interface I carol> ipsec start 05[AUD] initiating IKE_SA 'home' to 192.168.0.1 05[ENC] generating IKE_SA_INIT request 0 [SA KE No N N] 05[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] 06[ENC] parsed IKE_SA_INIT response 0 [SA KE No N N] 06[ENC] generating IKE_AUTH request 1 [IDi CERTREQ IDr AUTH CP SA TSi TSr] 06[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] 07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] 07[ENC] parsed IKE_AUTH response 1 [IDr CERT AUTH CP SA TSi TSr N] 07[ENC] IKE_SA 'home' established between 192.168.0.100...192.168.0.1 07[IKE] installing new virtual IP 10.3.0.1 07[AUD] CHILD_SA 'home' established successfully

  12. stroke: Control Interface II carol> ipsec status Performance: uptime: 5 seconds, since Apr 28 18:30:36 2008 worker threads: 11 idle of 16, job queue load: 1, scheduled events: 5 Listening IP addresses: 192.168.0.100 fec0::10 Connections: home: 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org] home: dynamic/32 === 10.1.0.0/16 Security Associations: home[1]: ESTABLISHED, 192.168.0.100[carol@strongswan.org]... 192.168.0.1[moon.strongswan.org] home[1]: IKE SPIs: 15993ec81138c1b1_i* ce054ec02da36c8e_r, reauth in 51 minutes home{1}: INSTALLED, TUNNEL, ESP SPIs: c51cf634_i cf2c3efd_o home{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o home{1}: 10.3.0.1/32 === 10.1.0.0/16

  13. LinuxTag 2008 Berlin Configuration and Control The modular way

  14. smpXML-based control andmanagement protocol.Uses a bi-directionalUNIX socket. stroke sql smp Implementation: strongSwan Manager med_db • sqlGeneric SQL interfacefor configurations,credentials & logging. eap_aka eap eap_sim Implementations: SQLite & MySQL eap_md5 Plugins for charon charon controller P l u g i n L o a d e r credentials backends bus … • eap_xAny EAP protocol. …

  15. take down IKE SA take down IPsec SA strongSwan Manager FastCGI written in C with ClearSilver templates

  16. pools traffic_selectors logs private_keys leases child_configs shared_secrets identities identities peer_configs certificates ike_configs strongSwan Entity Relationship Diagram SQLite and MySQL implementations

  17. LinuxTag 2008 Berlin Modular Crypto Plugins

  18. aes sha2 random x509 sqlite mysql curl ldap Plugins for libstrongswan libstrongswan crypto P l u g i n L o a d e r Factories … credentials … database … fetcher

  19. VIA EPIA-NX PadLock Crypto-Processor

  20. LinuxTag 2008 Berlin IKEv2 Mediation Extension

  21. IKEv2 IKEv2 Mediation Server Mediation Connection Mediation Connection Mediation Client Mediation Client IKEv2 Mediated Connection 10.1.0.10 Direct ESP Tunnelusing NAT-Traversal 10.2.0.10 Peer-to-Peer NAT-Traversal for IPsec aZ9ch2@m.org • Client registration • Endpoint discovery1.2.3.4:1025 7vnU3b@m.org • Endpoint relaying • Hole punching(ICE, etc.) NAT Router 1.2.3.4:1025 NAT Router 5.6.7.8:3001 10.1.0.10:4500 10.2.0.10:4500 Peer Alice Peer Bob

  22. draft-brunner-ikev2-mediation released

  23. Login at the strongSwan Mediation Manager

  24. Register a Peer with the Mediation Manager

  25. List of Registered Peers

  26. LinuxTag 2008 Berlin Thank you for your attention! Questions?

More Related