Simple Configuration Sample of IPsec/Racoon
Shoichi Sakane,
KAME Project
$Id: index.html,v 1.2 2001/09/12 13:39:15 sakane Exp $
Abstract
This document describes how to configure to establish IPsec-SA automatically
on KAME stack.
To understand configuration for several environment requires the reader
to be familiar with IPsec architecture.
Because many items must be specified in order to establish IPsec-SA
automatically.
This document gives priority to run racoon,
by giving simple example of the environment,
and by putting configuration items to a minimum.
The reader may required to know about IPsec architecture,
but may not familiar with it.
Note that this document refers to racoon included in
kame-20001113-*-snap or later.
The kits before 20001113 are not suitable to them.
Introduction
If you want IPsec to communicate with somebody, It is required to establish
the Security Association(IPsec-SA) between you and the peer before that.
There are two way to establish it.
One is by using manual configuration.
Another way is automated configuration.
In our implementation, we have a daemon named "racoon" for latter case.
Several parameters(Key) must be exchanged between you and peer
in order to establish the IPsec-SA.
Racoon exchange them by using IKE.
IKE establish own SA by myself while exchanging Key, don't use IPsec-SA.
There are two phase in IKE.
One is the phase to establish SA for own communication (IKE-SA).
Another is the phase to establish IPsec-SA.
I say Phase 1 and Phase 2 respectively.
The initiator to begin IKE proposes multiple parameters to the responder,
and the responder choices one of them or rejects them in each phases.
Also racoon has some parameter for the management of exchanging.
So that there are many items to configure racoon.
It is not easy for public users to understand all of them.
This document explains how to configure racoon briefly.
The complex configuration is not described.
Also to use certificate is out of scope in this document.
Basic mechanism
Kernel maintains two database to use IPsec.
One is the Security Policy Database(SPD).
Kernel refers to SPD in order to decide whether to apply IPsec
to a packet or not.
Also SPD entries specify which/how IPsec-SA is applied.
Another one is the Security Association Database(SAD).
SAD entries contain Key of each IPsec-SA.
The following figure specifies a flow
until kernel applies IPsec-SA to a packet.
setkey racoon <-------(IKE)-------> somebody
| ^ | (5)
| | |(6)
|(1) +-----+ +---+
| (4)| |
v | v
+-----+ (2) | (3) +-----+
| SPD |<----- kernel ------>| SAD |
+-----+ | +-----+
|(7)
v
(1)The administrator sets a policy to SPD by using setkey.
(2)Kernel refers to SPD in order to make a decision of applying IPsec to a packet.
(3)If IPsec is required, then kernel get the Key for IPsec-SA from SAD.
(4)If it is failed, then kernel send a request to get the Key to racoon.
(5)racoon exchange the Key by using IKE with the other to be established IPsec-SA.
(6)racoon put the Key into SAD.
(7)Kernel can send a packet applied IPsec.
So that the administrator must configure SPD entries by using setkey command,
and must configure racoon.
Also it must be required to run racoon or else on the other side.
Starting racoon
It is required root privilege to start racoon.
Because racoon use a port 500 of UDP,
also open /var/log/racoon.log as log file.
Racoon has a few options. This section explains only typical options.
- -f configfile
- Specify alternate configuration file.
- /usr/local/v6/etc/racoon.conf as default.
- -l logfile
- Specify alternate log file.
- /var/log/racoon.log as default.
- -d dlevel
- Set debugging level of hexadecimal.
- As below, racoon outputs many information onto standard output and log file.
# racoon -d 0xffffffff
Simple Configuration Sample of Racoon
The following description is the one of most simple configuration.
This section explains this sample step by step.
# cat case1.conf
path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
remote anonymous
{
exchange_mode aggressive ;
my_identifier user_fqdn "sakane@kame.net" ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
lifetime byte 50 MB ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
remote directive
- remote directive specifies about Phase 1.
anonymous means to match any peer.
You can limit the exchange to each peer, but the document does not describes it.
- exchange_mode directive specifies
the exchange mode on Phase 1 aggressive means to exchange
by aggressive mode.
You can use main as main mode and base as base mode.
If a peer start to exchange by the mode which is not specified here,
racoon will reject it.
Although racoon can accept three mode, this document does not describe this way.
- identifier directive in remote specifies
what own identifier is used.
The identifier will send to the peer, and the peer will use as one of the information of authentication.
In the case of above sample, identifier
in remote is user_fqdn,
so "sakane@kame.net" defined in identifier user_fqdn is applied.
- lifetime time and lifetime byte
specify the lifetime of IKE-SA. These are by time and by bytes respectively.
You can use sec, min and hour as the unit of lifetime by time.
And you can use B, KB, MB and TB as the unit of lifetime by bytes.
- proposal directive specifies a proposal on Phase 1.
Although you can specify multiple proposals, this is the out of scope in this document.
- encryption_algorithm directive specifies
encryption algorithm on Phase 1.
racoon can use DES, 3DES, RC5, IDEA, CAST, BLOWFISH as encryption algorithm.
You must specify des, 3des, rc5, idea, cast, blowfish respectively.
You can specify one of them in a proposal for Phase 1.
- hash_algorithm directive specifies hash algorithm.
racoon can use MD5 and SHA1 as hash algorithm.
You must specify md5 and sha1 respectively.
You can specify one of them in a proposal for Phase 1.
- authentication_method directive specifies
the authentication method on Phase 1. In the case of above sample,
it means to use Pre-shared Key as authentication method.
Racoon can use RSA Signature authentication method,
but this is the out of scope in this document.
- dh_group directive specifies a group for
Diffie-Hellman Key Exchange. Racoon can use 1, 2 and 5 as this group.
You must specify 1, 2 and 5 respectively.
sainfo directive
- sainfo directive specifies some parameters about Phase 2.
anonymous means to match any peer.
You can limit the exchange to each peer, but the document does not describes it.
- pfs_group directive specifies a group
for Diffie-Hellman Key Exchange on Phase 2.
Racoon can use 1, 2 and 5 as this group.
You must specify 1, 2 and 5 respectively.
- lifetime time and lifetime byte specify
the lifetime of IPsec-SA. These are by time and by bytes respectively.
You can use sec, min and hour as the unit of lifetime by time.
And you can use B, KB, MB and TB as the unit of lifetime by bytes.
- encryption_algorithm directive specifies
the proposal of encryption algorithm for ESP.
racoon can use DES, 3DES, CAST, BLOWFISH, TWOFISH, RIJNDAEL
and NULL as encryption algorithm for ESP.
3des, cast128, blowfish, des, twofish, rijndael ;
You must specify des, 3des, cast, blowfish,
twofish, rijndael and null_enc respectively.
- authentication_algorithm directive specifies the proposal of authentication algorithm for both ESP and AH.
racoon can use HMAC-SHA1, HMAC-MD5 and Keyed-MD5 as authentication algorithm.
You must specify hmac_sha1, hmac_md5 and kpdk respectively.
- compression_algorithm directive specifies
the proposal of compression algorithm for IPCOMP.
racoon can use DEFLATE at the moment.
You must specify deflate.
NOTE:
Racoon does not have the list of security protocols to be negotiated.
The list of security protocols are passed by the kernel.
Beforehand you have to define all of the potential algorithms into the
sainfo even if you do not need any compression algorithms.
The above sample can accept to exchange both Phase 1 and Phase 2, only if you specify appropriate Pre-shared Key before exchange.
Racoon can restrict to exchange with the peer each phases.
But this document does not describe the way.
Sample Configuration of SPD
Case 1
Security protocol is ESP.
Encapsulation mode is Transport.
Host-A Host-B
fec0::1 ---------------------- fec0::2
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0::1 fec0::2 any -P out ipsec
esp/transport//require ;
spdadd fec0::2 fec0::1 any -P in ipsec
esp/transport//require ;
EOF
Note that IP address and direction.
First IP address means source of IP header.
Next IP address means destination of IP header.
out means a packet goes out.
in means a packet comes in.
At Host-B:
# setkey -c <<EOF
spdadd fec0::2 fec0::1 any -P out ipsec
esp/transport//require ;
spdadd fec0::1 fec0::2 any -P in ipsec
esp/transport//require ;
EOF
Case 2
ESP Transport mode applied first
and AH Transport mode next.
It means that kernel makes a packet to be [IP|AH|ESP|ULP].
Host-A Host-B
fec0::1 ---------------------- fec0::2
Configuration at Host-A:
# setkey -c <<EOF
spdadd fec0::1 fec0::2 any -P out ipsec
esp/transport//require
ah/transport//require ;
spdadd fec0::2 fec0::1 any -P in ipsec
esp/transport//require
ah/transport//require ;
EOF
Note that the ordering of security protocol.
In outgoing case defined out,
it specifies the sequence of security protocol which kernel apply to the packet.
In incoming case defined in,
it specifies the sequence of security protocol to be applied to the packet.
The above case means that ESP transport mode is first,
and the next is AH transport mode.
At Host-B:
# setkey -c <<EOF
spdadd fec0::2 fec0::1 any -P out ipsec
esp/transport//require
ah/transport//require ;
spdadd fec0::1 fec0::2 any -P in ipsec
esp/transport//require
ah/transport//require ;
EOF
Note IP addresses as case 1.
Case 3
ESP Tunnel for VPN.
======= ESP =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ------ 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:
# setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
esp/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
esp/tunnel/172.16.0.2-172.16.0.1/require ;
Tunnel end points must be defined.
and at Gateway-B:
# setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
esp/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
esp/tunnel/172.16.0.1-172.16.0.2/require ;
Conclusion
This document explains basic mechanism to establish IPsec-SA automatically,
and describes how to configure to establish IPsec-SA automatically
in each typical IPsec environment with simple configuration sample of racoon.
It is necessary to know many parameters if you want complex configuration
of racoon. You may refer racoon.conf(5) for that reason, and
the other document will explain about detail configuration.