Learn about the architecture of strongSwan VPN software, from FreeS/WAN to Openswan to strongSwan 4.x, focusing on user-mode Linux VPN testbeds using IKEv1 and IKEv2 protocols. Discover the modular approach, implementing AES, SHA-2, X.509, and crypto plugins for customization. Explore management protocols, IKE mediation extension, and control interfaces like stroke and charon in this comprehensive guide. If you are interested in VPN configurations, control mechanisms, and cryptographic protocols, this session at LinuxTag 2008 in Berlin is a must-attend.
LinuxTag 2008 Berlin
strongSwan VPNs: scalable and modularized!
Prof. Dr. Andreas Steffen, andreas.steffen@strongswan.org

Virtual Private Networks (diagram): a "Road Warrior" VPN client (virtual address 10.3.0.2, dynamic public address 55.66.x.x) and a subsidiary site (10.2.0.0/16, host 10.2.0.3, VPN gateway 55.66.77.88) each reach the headquarters network (10.1.0.0/16, host 10.1.0.5, VPN gateway 11.22.33.44) through a VPN tunnel across the Internet.
strongSwan Software Architecture

The FreeS/WAN Genealogy (timeline diagram, 1999 to 2007): FreeS/WAN 1.x and the X.509 1.x patch; FreeS/WAN 2.x, Super FreeS/WAN and the X.509 2.x patch; Openswan 1.x, Openswan 2.x and strongSwan 2.x; the ITA IKEv2 project; strongSwan 4.x and Openswan 3.x. The legend marks each branch as IKEv1 only or IKEv1 & IKEv2; strongSwan 4.x carries both protocols.

The strongSwan IKE Daemons (diagram): ipsec.conf is read by ipsec starter, which launches and controls the IKEv1 daemon pluto (via ipsec whack over the whack socket) and the IKEv2 daemon charon (via ipsec stroke over the stroke socket). pluto listens on a UDP/500 socket, charon on a raw socket with an LSF (Linux Socket Filter) filter; both program the native IPsec stack of the Linux 2.6 kernel through a Netlink XFRM socket.
• IKEv1: 6 messages for the IKE SA (Phase 1, Main Mode); 3 messages for each IPsec SA (Phase 2, Quick Mode)
• IKEv2: 4 messages for the IKE SA and the first IPsec SA (IKE_SA_INIT / IKE_AUTH); 2 messages for each additional IPsec SA (CREATE_CHILD_SA)

charon IKEv2 Daemon: Software Architecture (diagram): the socket feeds a receiver; a processor with 16 concurrent worker threads executes the jobs queued by the receiver and the scheduler; the IKE SA Manager owns the IKE SAs, each with its CHILD SAs; a sender writes packets back to the socket; credentials and backends supply keys and configurations; the kernel interface installs CHILD SAs in the IPsec stack; a bus distributes events to listeners such as the file logger and the sys logger.
Configuration and Control: The FreeS/WAN way

IKEv2 Mixed PSK/RSA Authentication

    # ipsec.secrets for roadwarrior carol
    carol@strongswan.org : PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"

    # ipsec.secrets for gateway moon
    : RSA moonKey.pem
    carol@strongswan.org : PSK "FpZAZqEN6Ti9sqt4ZP5EWcqx"
    dave@strongswan.org : PSK "jVzONCF02ncsgiSlmIXeqhGN"

    # ipsec.conf for roadwarrior carol
    conn home
        keyexchange=ikev2
        authby=psk
        left=%defaultroute
        leftsourceip=%config
        leftid=carol@strongswan.org
        leftfirewall=yes
        right=192.168.0.1
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
        auto=start

    # ipsec.conf for gateway moon
    conn rw
        keyexchange=ikev2
        authby=rsasig
        left=%defaultroute
        leftsubnet=10.1.0.0/16
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftfirewall=yes
        right=%any
        rightsourceip=10.3.0.0/16
        auto=add
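The road-warrior and gateway sides of such a setup only work if their conn sections mirror each other (identities, subnets, virtual-IP pool, and for IKEv2 the authentication method may differ per side). Added example, not strongSwan's own code: a small parser for the two conn sections above (firewall and auto keys left out) plus a consistency check between them.

```python
# Added example, not strongSwan's own code: parse the two 'conn' sections
# from the slide and check that road-warrior and gateway sides fit together.
CONF = """\
conn home
    keyexchange=ikev2
    authby=psk
    leftsourceip=%config
    leftid=carol@strongswan.org
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsubnet=10.1.0.0/16
conn rw
    keyexchange=ikev2
    authby=rsasig
    leftsubnet=10.1.0.0/16
    leftid=@moon.strongswan.org
    right=%any
    rightsourceip=10.3.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def check_pair(client, gateway):
    """List mismatches between a client conn and the gateway conn that must
    match it; an empty list means the two sides agree."""
    problems = []
    if client.get("keyexchange") != gateway.get("keyexchange"):
        problems.append("keyexchange differs")
    if client.get("rightid") != gateway.get("leftid"):
        problems.append("rightid/leftid mismatch")
    if client.get("rightsubnet") != gateway.get("leftsubnet"):
        problems.append("rightsubnet/leftsubnet mismatch")
    if client.get("leftsourceip") == "%config" and "rightsourceip" not in gateway:
        problems.append("client wants a virtual IP but gateway has no pool")
    # IKEv2 authenticates each direction on its own, so psk on the client and
    # rsasig on the gateway is fine; IKEv1 needs the same authby on both sides.
    if client.get("keyexchange") != "ikev2" and client.get("authby") != gateway.get("authby"):
        problems.append("IKEv1 requires the same authby on both sides")
    return problems

def check_slide_configs():
    conns = parse_conns(CONF)
    return check_pair(conns["home"], conns["rw"])
```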
Default stroke plugin for charon (diagram): the plugin loader loads the stroke plugin into charon, where it drives the controller, feeds the credentials and configuration backends and listens on the bus.

stroke: Control Interface I

    carol> ipsec start
    05[AUD] initiating IKE_SA 'home' to 192.168.0.1
    05[ENC] generating IKE_SA_INIT request 0 [SA KE No N N]
    05[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
    06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
    06[ENC] parsed IKE_SA_INIT response 0 [SA KE No N N]
    06[ENC] generating IKE_AUTH request 1 [IDi CERTREQ IDr AUTH CP SA TSi TSr]
    06[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
    07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500]
    07[ENC] parsed IKE_AUTH response 1 [IDr CERT AUTH CP SA TSi TSr N]
    07[ENC] IKE_SA 'home' established between 192.168.0.100...192.168.0.1
    07[IKE] installing new virtual IP 10.3.0.1
    07[AUD] CHILD_SA 'home' established successfully

stroke: Control Interface II

    carol> ipsec status
    Performance:
      uptime: 5 seconds, since Apr 28 18:30:36 2008
      worker threads: 11 idle of 16, job queue load: 1, scheduled events: 5
    Listening IP addresses:
      192.168.0.100
      fec0::10
    Connections:
      home:  192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
      home:   dynamic/32 === 10.1.0.0/16
    Security Associations:
      home[1]: ESTABLISHED, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
      home[1]: IKE SPIs: 15993ec81138c1b1_i* ce054ec02da36c8e_r, reauth in 51 minutes
      home{1}: INSTALLED, TUNNEL, ESP SPIs: c51cf634_i cf2c3efd_o
      home{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
      home{1}: 10.3.0.1/32 === 10.1.0.0/16
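The status output above is what an operator or a monitoring job has to read to know which SA is up, which traffic it covers and which ESP proposal was negotiated. Added example, not part of the slides: a parser for the Security Associations block (the sample is the slide's own output, embedded as a constructed string) and an audit that flags proposals a defender would not accept today, such as the 96-bit SHA-1 integrity shown here.

```python
import re

# Constructed sample: the Security Associations part of the 'ipsec status'
# output shown on the slide.
STATUS = """\
Security Associations:
  home[1]: ESTABLISHED, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
  home[1]: IKE SPIs: 15993ec81138c1b1_i* ce054ec02da36c8e_r, reauth in 51 minutes
  home{1}: INSTALLED, TUNNEL, ESP SPIs: c51cf634_i cf2c3efd_o
  home{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
  home{1}: 10.3.0.1/32 === 10.1.0.0/16
"""

IKE_RE = re.compile(r"^\s*(\S+)\[(\d+)\]: (\w+), (\S+)\.\.\.(\S+)$")
ESP_RE = re.compile(r"^\s*(\S+)\{(\d+)\}: ([A-Z0-9_]+-\d+)/([A-Z0-9_]+), rekeying in (\d+) minutes")
TS_RE = re.compile(r"^\s*(\S+)\{(\d+)\}: (\S+) === (\S+)$")
LEGACY_INTEGRITY = {"HMAC_MD5_96", "HMAC_SHA1_96"}   # 96-bit MD5/SHA-1 truncations

def parse_status(text):
    """Return {conn: {'ike': {...}, 'esp': {...}, 'ts': (local, remote)}}."""
    sas = {}
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            sas.setdefault(m[1], {})["ike"] = {"state": m[3], "local": m[4], "remote": m[5]}
        elif m := ESP_RE.match(line):
            sas.setdefault(m[1], {})["esp"] = {"enc": m[3], "integ": m[4], "rekey_min": int(m[5])}
        elif m := TS_RE.match(line):
            sas.setdefault(m[1], {})["ts"] = (m[3], m[4])
    return sas

def audit(sas):
    """Flag CHILD_SAs whose ESP proposal a defender would not accept today."""
    findings = []
    for name, sa in sas.items():
        esp = sa.get("esp")
        if esp is None:
            continue
        enc, bits = esp["enc"].rsplit("-", 1)
        if not enc.startswith("AES") or int(bits) < 128:
            findings.append(f"{name}: weak encryption {esp['enc']}")
        if esp["integ"] in LEGACY_INTEGRITY:
            findings.append(f"{name}: legacy integrity {esp['integ']}")
    return findings
```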
Configuration and Control: The modular way

Plugins for charon (diagram): besides stroke, the plugin loader can attach sql, smp, med_db, eap, eap_aka, eap_sim, eap_md5 and further plugins to the controller, credentials, backends and bus of charon.
• smp: XML-based control and management protocol. Uses a bi-directional UNIX socket. Implementation: strongSwan Manager
• sql: Generic SQL interface for configurations, credentials & logging. Implementations: SQLite & MySQL
• eap_x: Any EAP protocol (eap_aka, eap_sim, eap_md5, ...)

strongSwan Manager (screenshot): a web front end that can take down an IKE SA or an IPsec SA; FastCGI written in C with ClearSilver templates.

strongSwan Entity Relationship Diagram (SQLite and MySQL implementations): tables identities, peer_configs, ike_configs, child_configs, traffic_selectors, certificates, private_keys, shared_secrets, pools, leases and logs.
Modular Crypto Plugins

Plugins for libstrongswan (diagram): the plugin loader registers aes, sha2 and random with the crypto factory, x509 with the credentials factory, sqlite and mysql with the database factory, and curl and ldap with the fetcher factory.

IKEv2 Mediation Extension

Peer-to-Peer NAT-Traversal for IPsec (diagram): Peer Alice (10.1.0.10:4500, identity aZ9ch2@m.org, behind NAT router 1.2.3.4:1025) and Peer Bob (10.2.0.10:4500, identity 7vnU3b@m.org, behind NAT router 5.6.7.8:3001) each keep an IKEv2 Mediation Connection to the Mediation Server. The server provides:
• Client registration
• Endpoint discovery (e.g. 1.2.3.4:1025)
• Endpoint relaying
• Hole punching (ICE, etc.)
The resulting IKEv2 Mediated Connection between the mediation clients carries a direct ESP tunnel using NAT-Traversal.

Thank you for your attention! Questions?
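To make the four server functions concrete, here is an added toy model (not strongSwan's mediation code): two peers behind address-restricted NATs register with a mediation server, discover each other's public endpoint, and punch a hole by both sending to it. The identities and endpoints are the slide's; the server address 9.9.9.9:4500 and the NAT behaviour are constructed assumptions.

```python
# Added example, not strongSwan code: a toy model of the mediation steps on
# the slide. NATs, mediation server and peers are simulated in one process;
# identities and endpoints are the slide's, the server address is made up.
SERVER = "9.9.9.9:4500"

class Nat:
    """Address-restricted NAT: one public mapping per inside socket; inbound
    is accepted only from remotes that inside socket has already sent to."""
    def __init__(self, public_ip, first_port):
        self.public_ip, self.next_port = public_ip, first_port
        self.mapping, self.allowed = {}, set()
    def send(self, private, remote):
        """Translate an outbound packet and return its public source endpoint."""
        if private not in self.mapping:
            self.mapping[private] = f"{self.public_ip}:{self.next_port}"
            self.next_port += 1
        self.allowed.add((self.mapping[private], remote))
        return self.mapping[private]
    def receive(self, public, remote):
        """Return the inside endpoint a packet is delivered to, or None if dropped."""
        if (public, remote) not in self.allowed:
            return None
        return next(p for p, m in self.mapping.items() if m == public)

class MediationServer:
    def __init__(self):
        self.registry = {}                       # identity -> public endpoint
    def register(self, identity, seen_from):     # client registration
        self.registry[identity] = seen_from
    def discover(self, identity):                # endpoint discovery
        return self.registry.get(identity)

class Peer:
    def __init__(self, identity, private, nat, server):
        self.identity, self.private, self.nat, self.server = identity, private, nat, server
        server.register(identity, nat.send(private, SERVER))  # mediation connection
    def packet_to(self, other):
        """Send one packet to other's relayed endpoint; True if it is delivered."""
        target = self.server.discover(other.identity)
        src = self.nat.send(self.private, target)   # also opens our NAT toward target
        return other.nat.receive(target, src) == other.private

def demo():
    """Alice's discovered endpoint and the fate of three packets: Alice->Bob
    (dropped by Bob's NAT), Bob->Alice (hole punched), Alice->Bob (delivered)."""
    server = MediationServer()
    alice = Peer("aZ9ch2@m.org", "10.1.0.10:4500", Nat("1.2.3.4", 1025), server)
    bob = Peer("7vnU3b@m.org", "10.2.0.10:4500", Nat("5.6.7.8", 3001), server)
    punch = (alice.packet_to(bob), bob.packet_to(alice), alice.packet_to(bob))
    return server.discover("aZ9ch2@m.org"), punch
```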