Kernel_Killer
July 29th, 2004, 17:57
Now we will cover VPN setup using the ISAKMP Daemon. For this project, I recommend using OpenBSD as your base VPN concentrator, and using FreeBSD or OpenBSD for clients. The reason I say OpenBSD for the concentrator is that the FreeBSD port of ISAKMPD isn’t as fully implemented as the OpenBSD native version. The most you can use the FreeBSD port for is client connects and a single host-to-host tunnel. OpenBSD allows a multi-homed setup, allowing multiple clients to connect and work together in unison.

If you are planning on using FreeBSD, there are a few things that need to be done. First you need to go to /usr/ports/security/keynote and install. Then you have a few things to be compiled to the kernel. You need to add these to the kernel configuration.


options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security


Once you have placed that in your kernel, compile the new kernel, and reboot to apply the new settings.

Now we move to the configurations. First we want to make the directory /etc/isakmpd (OpenBSD) or /usr/local/etc/isakmpd (FreeBSD). In the new directory, you want to add these directories: ca/, certs/, crls/, keynote/, and private/. On the concentrator we will make a new file in /etc/isakmpd called isakmpd.conf. It will set up all the client connections, and how the concentrator will take care of incoming connections. First off, we do our Phase 1 section.


[Phase 1]
Default= ISAKMP-peer-default


This sets the default to the peer “default”. Next we go on to Phase 2 connections.


[Phase 2]
Passive-connections= IPsec-vpn-client1, IPsec-vpn-client2


This is showing two passive connections that will be handled. When they are passive, ISAKMPD will not connect based on their IP. This is perfect for clients with dynamic IP addresses.

Now we move to the peer sections.


[ISAKMP-peer-default]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode


[client1@vpn]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passphrase

[client2@vpn]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passphrase2



Here we have the peer sections. ISAKMP-peer-default is this system, and the clients are the ones we plan to have connected to the concentrator. We show that this is part of our Phase 1 connection, and that we will be using UDP with the default port of 500. During the setup of the connection, this client will use the Default-aggressive-mode, and use the pass phrase “passphrase”.

Now we move to the Phase 2 section.


[IPsec-vpn-client1]
Phase= 2
ISAKMP-peer= client1@vpn
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-client1

[IPsec-vpn-client2]
Phase= 2
ISAKMP-peer= client2@vpn
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-client2



Here we have the two clients that will connect, but with a bit more configuration. If you notice, the IPsec-vpn-client1 is the same as the Passive Connection IPsec-vpn-client1. When the connection is being checked, it sees the passive connection, and comes here for more configuration parameters. Also notice the ISAKMP-peer. If you go back up to our Phase 1 section, you will see we have a client1@vpn section, where this also looks for more settings. Next are the Local and Remote IDs. This will be our next section.


[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0


[Net-client1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.255.0

[Net-client2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.3.0
Netmask= 255.255.255.0


As you can see, these sections are also bound to from other sections. This tells ISAKMPD what network the tunnel will be connected to from that client. After that we want to add our General configuration section.


[General]
Listen-on= 66.66.99.231
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /etc/isakmpd/isakmpd.policy


Here we have the IP address that ISAKMPD will listen on, how many retransmits will be made during the connection process, how long it will wait for a key exchange during the connection process in seconds, and the check-interval checks all the connections every 300 seconds to make sure they are still live. The policy file path is what you should set it to for OpenBSD. I’ll talk more about FreeBSD later. Last part we will deal with in our configuration is the transforms.


[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


Here is where the connection methods come into play. If you notice, Phase 1 connections are using the Default Aggressive Mode. Even though aggressive mode is less secure than the alternative, Main Mode, it is quick, and allows slower concentrators to authenticate connections quicker. Here the section has ISAKMPD use 3DES and SHA for this phase. In Phase 2 we use the Default Quick Mode, which pushes it into the 3DES SHA Suite. The QM-ESP-3DES-SHA-SUITE means that we are using the ESP protocol with 3DES as the cipher for encryption, and SHA as the hash. Now this is the most basic setup for encryption. You can go as far as explicitly setting every algorithm to a certain purpose and using suites that encrypt the tunnel multiple times. You can find more in the OpenBSD isakmpd.conf(5) man page.

The Client Side

Now we will make an isakmpd.conf file for the clients. In OpenBSD we will create this file in /etc/isakmpd/, and /usr/local/etc/isakmpd/ for FreeBSD. These are the default directories that the ISAKMPD program will look in for these files, so it will make it easy on yourself to add them accordingly. Once again, we will start with the Phase 1 connections.


[Phase 1]
66.66.99.231= ISAKMP-peer-vpn


This of course matches the connection name of our concentrator “vpn”. This is the connection the client will make. Now we go to Phase 2 connections.


[Phase 2]
Connections= IPsec-client1-vpn,IPsec-client1-client2


This is saying that this client, client1, will try to connect to both “vpn” and “client2”. Now to the Phase 1 peers section.


[ISAKMP-peer-vpn]
Phase= 1
ID= client1@vpn
Transport= udp
Address= 66.66.99.231
Configuration= Default-aggressive-mode
Authentication= passphrase


Here it takes the Phase 1 connection, and connects to the IP 66.66.99.231, uses the Aggressive Mode to connect (which is what is set on the concentrator end) and authenticates with the pass phrase “passphrase” to identify itself. We also need to add a section for the "client1@vpn" section.

[client1@vpn]
ID-type= USER_FQDN
Name= client1@vpn



Next we go to the Phase 2 section.


[IPsec-client1-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-vpn

[IPsec-client1-client2]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-client2


Here the client tells the concentrator what clients it plans to connect to, and what network it will connect to (Local) and what network it is (Remote). As you can see the peer is set to the concentrator, so that it gets its connections from there. Just like the concentrator’s configuration file, we’ll add a Client ID section.


[Net-client1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.255.0

[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0

[Net-client2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.3.0
Netmask= 255.255.255.0


Once again we are specifying the networks. If these do not match on both ends for each client, a tunnel could be made incorrectly. And now we do the General and Transforms.


[General]
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /usr/local/etc/isakmpd/isakmpd.policy

[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


In the General section, you see it’s the same as the concentrator except that the policy path is different and there isn’t a Listen-on line. Notice the path of the isakmpd.policy file. You can see we set it to the default path that would be used under FreeBSD. If it is OpenBSD, then you would set it as /etc/isakmpd/isakmpd.policy.


Firewall Setup

Now that we have this much, we will go through a test run, but before we do we need to set the firewall to allow these transmissions. Under OpenBSD’s pf, we will add these lines.


pass in quick on $external inet proto udp from any to any port = 500
pass in quick on $external inet proto esp from any to any
pass out on $external inet proto udp from any to any port = 500
pass out on $external inet proto esp from any to any


“$external” is your external interface that the connections will come through, usually the interface acting as the WAN connection. Now under FreeBSD’s IPFW, we will add these rules.


ipfw add allow udp from any to any 500
ipfw add allow udp from any 500 to any
ipfw add allow esp from any to any


Now that we have that set, we need to add routes to and from the internal networks. Keep in mind that the connection will go over an internal address. For instance, on the concentrator, we will add these routes assuming the internal NIC IP is 10.0.1.1.


route add 10.0.2.0/24 10.0.1.1
route add 10.0.3.0/24 10.0.1.1


On the clients we will set something similar.


Client1

route add 10.0.1.0/24 10.0.2.1
route add 10.0.3.0/24 10.0.2.1

Client2

route add 10.0.1.0/24 10.0.3.1
route add 10.0.2.0/24 10.0.3.1



Test Run

Now to put the configuration files to a test. First start ‘isakmpd’ on the OpenBSD concentrator. Wait for it to completely load all the settings and transforms. You can watch it with ‘top’ and wait for it to hit a 0.0 load.
Once it has, run ‘isakmpd’ on the client. On both systems, they should start without any problems using the ‘isakmpd’ command without any flags. On the OpenBSD system, run ‘ipsecadm show’ to see all the Security Associations made between the clients and concentrator. You can do this on the clients as well to make sure that the tunnel was established. On FreeBSD you want to run ‘setkey -DP’ instead to check the SAs.


The isakmpd.policy File

If you want to lock your VPN down a bit, this is the file you want to use. I’m only going to cover a small amount of the file to get you used to the basics of the file. You can learn more from the keynote and isakmpd.policy man pages.

Like the isakmpd.conf, you need to add this file to the isakmpd/ directory. Make sure that your isakmpd.conf does point to the correct location.


KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:passphrase" || "passphrase:passphrase2"
Conditions: app_domain == "IPsec policy" -> "true";


This is as basic as it gets for a secure policy. You can see the pass phrases for both client1 and client2 under the Licensees section. Then under the conditions, the app domain must be IPsec policy. You can add other conditions like the type of algorithm and fully-qualified domain names. The pass phrase can also be changed to an MD5 hex pass phrase using the md5 program. The licensees can also use certificates for authentication. Use this next one on the clients.


Comment: the most basic policy.
Authorizer: "POLICY"


This one offers an open policy, and can be used on the concentrator for testing purposes.


Troubleshooting

In this section I’ll cover some common problems and solutions, as well as some things to check first.

First things first: when you are having a problem with anything, check your isakmpd.conf files. If areas don’t match up correctly, problems can occur. These files are case-sensitive, and hate spaces. If you have a space after a pass phrase in the authentication section, it becomes part of the pass phrase. Go through all the isakmpd.conf files with vi, and use Shift-4 to go to the end of the line and delete any spaces at the end of each line.

Next, make sure all your transforms match. If one end is trying to encrypt differently from the other, it will not provide the tunnel. Also, check your routes. Make sure you have a route to the vpn network, and client networks. If you think there is a problem with the policy file, use the one above for the clients as the policy file for the concentrator.

Debugging

If you are still having trouble with your VPN setup, or wish to see what goes on, you can use the ISAKMPD debugging tool. Use the command “isakmpd -d” for slightly verbose output, or “isakmpd -d -DA=99” for fully verbose output. The full output shows it initializing, reading the conf, and what it’s doing during client connections. This can be very helpful when trying to find a specific problem with your setup.
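As an added example (not part of this how-to, and not a tool that ships with isakmpd), here is a small Python checker for the two pitfalls listed under Troubleshooting: it parses an isakmpd.conf, reports values that end in whitespace (which would silently become part of a pass phrase) and section names that are referenced by ISAKMP-peer, Configuration, Local-ID, Remote-ID or the Phase 2 connection lists but never defined. The sample config is a constructed, cut-down copy of the concentrator file above with both faults planted.

```python
"""Consistency checks for isakmpd.conf, an added example of the
troubleshooting advice above; isakmpd itself has no such tool."""

def parse_isakmpd_conf(text):
    """Turn the [Section] / Tag= value layout into {section: {tag: value}};
    values keep their trailing whitespace on purpose so it can be reported."""
    sections, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = sections.setdefault(s[1:-1], {})
        elif current is not None and "=" in s:
            tag, value = line.split("=", 1)
            current[tag.strip()] = value.lstrip(" \t")
    return sections

def trailing_space_problems(sections):
    """(section, tag) pairs whose value ends in whitespace."""
    return [(s, t) for s, tags in sections.items()
            for t, v in tags.items() if v != v.rstrip()]

def dangling_references(sections):
    """Names a section points at that are not defined as sections themselves."""
    missing = []
    for sec, tags in sections.items():
        for tag in ("ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID"):
            ref = tags.get(tag, "").strip()
            if ref and ref not in sections:
                missing.append((sec, tag, ref))
    for tag in ("Passive-connections", "Connections"):
        for name in sections.get("Phase 2", {}).get(tag, "").split(","):
            if name.strip() and name.strip() not in sections:
                missing.append(("Phase 2", tag, name.strip()))
    return missing

def check(text):
    """Run both checks over one isakmpd.conf text."""
    conf = parse_isakmpd_conf(text)
    return trailing_space_problems(conf), dangling_references(conf)

# Constructed sample, cut down from the concentrator file above, with two
# planted faults: a space after the pass phrase and an undefined Net-client1.
SAMPLE = "\n".join([
    "[Phase 2]", "Passive-connections= IPsec-vpn-client1",
    "[client1@vpn]", "Phase= 1", "Authentication= passphrase ",
    "[IPsec-vpn-client1]", "Phase= 2", "ISAKMP-peer= client1@vpn",
    "Configuration= Default-quick-mode", "Local-ID= Net-vpn",
    "Remote-ID= Net-client1",
    "[Net-vpn]", "ID-type= IPV4_ADDR_SUBNET", "Network= 10.0.1.0",
    "[Default-quick-mode]", "EXCHANGE_TYPE= QUICK_MODE",
])
```

Running `check(SAMPLE)` flags the Authentication line in [client1@vpn] and the Remote-ID of [IPsec-vpn-client1]; pointing it at both the concentrator and client files catches the mixed-up Phase 2 sections this thread later mentions.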

elmore
July 29th, 2004, 20:12
Hey congrats KK! I've talked and talked about writing this how-to but just never got around to doing it. Great job!! I'll look over this in more detail and make a couple of comments on it as I have the time! I don't think there are too many ISAKMPD how-to's out there atm. :eggface:

Kernel_Killer
July 29th, 2004, 22:24
Thanx Elmore!

Yeah, there isn't hardly a how-to at all out there. If there is, it's not for multi-homed setups, or it only provides one side of the conf causing a trial-and-error process. I plan to go a bit further into the policy file and implementation through the confs, as well as using the ISAKMPD as a client and concentrator, which I'm working on right now (The ability that is).

Kernel_Killer
September 23rd, 2004, 00:39
Ok everybody. If you tried this and failed at getting it setup, then it is completely my fault. After talking to mazpe about his issues from my tutorial, it seems that I got my concentrator and client Phase 2 sections mixed up when pasting into code field. I've revised this how-to, so the first post should now work without error. Sorry, and happy VPN building!

Plagued
November 1st, 2004, 18:09
This is a nice how-to. Looks very similar to what I am trying to do. Do you guys know of a way to connect to the VPN with a windows machines?

Kernel_Killer
November 1st, 2004, 20:12
From the information I have gathered over the time, the only thing I've seen is the security policy that comes with 2K, and XP Pro (and all others > XP Pro). I've been meaning to try it out, but never had the time.

I did find this (http://www.linuxsecurity.com/resource_files/cryptography/ipsec-howto/HOWTO.html) though. It's a VPN setup between OpenBSD ISAKMPD, and Windows PGPNet. It's written by Hans-Jörg Höxer, so it should be theoretically correct.