As we mentioned in the previous section (Managing the Security Association Database using setkey) managing Security Associations (SAs) manually using setkey soon becomes cumbersome when more than a few machines on a network are to be secured. It also limits the range of possible security options as setkey can only use static keys for the encryption and authentication algorithms.
One of the more elegant solutions to these problems, and others, is to make use of the Internet Key Exchange (IKE) protocol (described in RFC-2409◳). The IKE protocol makes use of the framework for authentication and key exchange described by the Internet Security Association and Key Management Protocol (ISAKMP), as well as the OAKLEY Key Determination Protocol (see RFC-2408◳ and RFC-2412◳ for more details) and the SKEME key exchange techniques, to provide a complete solution offering authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI (described in RFC-2407◳).
In this section we shall describe how the racoon daemon may be used to provide Internet Key Exchange (IKE) services including negotiating security associations for itself (ISAKMP SA, or phase 1 SA) and for kernel IPsec (IPsec SA, or phase 2 SA).
Before we describe how to configure the racoon daemon we shall briefly describe the basic operation of the Internet Key Exchange (IKE) protocol.
The most important thing to know is that the key exchange takes place in two distinct phases.
There are three key exchange modes which may be used to accomplish a Phase 1 Key Exchange each with particular strengths and weaknesses.
Once the Phase 1 Key Exchange has been completed the two IKE peers have negotiated an authenticated and encrypted communications channel, but only between each other and only for the purposes of further key exchange and parameter negotiation. This channel may now be used to negotiate parameters and keying material which may be used with IPsec Security Associations. This phase of operation is usually referred to as Phase 2 and has a single mode of operation.
We mentioned in the previous section that before an IKE peer may be used to negotiate parameters, algorithms and keying material for IPsec they must first establish an authenticated and encrypted channel of communication with another appropriate peer. This is usually referred to as Phase 1 Key Exchange.
The racoon configuration file (usually located at /etc/racoon/racoon.conf) uses the following syntax for specifying a remote Phase 1 peer.
remote name [inherit parent_name] { statements }
As you can see, the first parameter to the remote directive allows a name to be specified for the remote peer. Alternatively, the special name anonymous may be used which will match any peer. Optionally, a named configuration may inherit all the values from a previously declared configuration by specifying the name of the parent configuration after the keyword inherit.
The table below describes some of the more basic configuration statements which may be used inside the remote declaration.
Basic statements for the remote declaration | |
---|---|
remote_address address; | The remote_address directive allows the network address of the remote peer to be configured. If the network address is unknown (when a client is assigned a dynamic address for example) then this directive should be omitted. If this directive is omitted and the remote address for the peer cannot be determined from the Security Policy then no outgoing connection attempts will be made and a connection will only be possible when initiated by the remote peer. |
remote_address 62.149.40.78; | |
my_identifier [qualifier] id_type ...; | This directive allows the identifier sent to the remote peer and the type to be used in the Phase 1 Key Exchange to be specified. Valid types are address (optionally followed by an IP address), fqdn (such as vpn.hacking.co.uk), user_fqdn (such as user@vpn.hacking.co.uk), keyid (followed by the name of a key file), and asn1dn (optionally followed by a string containing the ASN.1 distinguished name). |
my_identifier fqdn "vpn.hacking.co.uk"; | |
exchange_mode (main | aggressive | base); | The exchange_mode directive controls both the phase 1 exchange mode when racoon is the initiator and also lists the acceptable exchange modes when racoon is the responder. Valid modes are main, aggressive and base. |
exchange_mode main, base, aggressive; | |
passive (on | off); | By default the racoon daemon will operate as both a responder and an initiator. If the passive directive is set to on the racoon daemon will only operate as a responder. |
passive off; | |
nat_traversal (on | off | force); | This directive controls use of the NAT-Traversal (NAT-T) IPsec extension which allows one or both of the peers to be located behind a NAT device. A value of on enables the use of NAT-T when a NAT gateway device is detected between the peers, a value of off disables the use of NAT-T and a value of force enables NAT-T regardless of the presence of a NAT gateway device. |
nat_traversal on; | |
dpd_delay delay; | This directive controls the use of Dead Peer Detection (DPD) which is a method of detecting peers whose connection has been lost. Any non-zero value will be interpreted as the maximum time in seconds between two proof of liveliness requests. A value of zero will disable Dead Peer Detection. |
dpd_delay 30; |
Once the basic parameters for the Phase 1 Key Exchange have been specified one or more proposal sections are required. Each proposal section details the encryption, authentication and compression algorithms which may be used. The proposal syntax is briefly described below.
proposal { sub-statements }
The table below describes some of the more basic configuration statements which may be used inside the proposal declaration.
Basic sub-statements for the proposal declaration | |
---|---|
encryption_algorithm algorithm; | This directive specifies the encryption algorithm used for phase 1 negotiation and must therefore be supplied for every proposal. Valid values include des, 3des, blowfish, cast128, aes and camellia. |
encryption_algorithm aes; | |
hash_algorithm algorithm; | This directive specifies the encryption algorithm used for phase 1 negotiation and must therefore be supplied for every proposal. Valid values include md5, sha1, sha256, sha384 and sha512. |
hash_algorithm sha1; | |
authentication_method type; | The authentication_method declaration allows the type of authentication to be specified. Valid values are pre_shared_key (for PSK authentication), rsasig (for RSA signature authentication) or gssapi_krb (for Kerberos authentication). Other supported authentication methods are hybrid_rsa_server and hybrid_rsa_client, which implement hybrid authentication schemes described in A Hybrid Authentication Mode for IKE◳ as well as xauth_rsa_server, xauth_rsa_client, xauth_psk_server or xauth_psk_client, which implement extended authentication schemes described in Extended Authentication within ISAKMP/Oakley (XAUTH)◳. |
authentication_method pre_shared_key; | |
dh_group group; | This declaration specifies the group used for the Diffie-Hellman exponentiations for the phase 1 negotiation. Valid values for group are modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144 and modp8192. Larger values increase security at the expense of greater processing overhead during phase 1 negotiation. |
dh_group modp2048; | |
lifetime time number time_unit; | This directive specifies the proposed lifetime of the Security Association (SA) being negotiated. |
lifetime time 24 hour; |
Once the Phase 1 Key Exchange has been completed IPsec Security Associations (SAs) may be established. The parameters for the Phase 2 Key Exchange are configured using the sainfo directive.
sainfo (local_id | anonymous) (remote_id | clientaddr | anonymous) [from id_type [string]] [group string] { statements }
As you can see, the syntax of the sainfo directive is fairly complex. In its most simple form the single keyword anonymous will cause the subsequent declaration to be valid for any source and destination address.
Basic statements for the sainfo declaration | |
---|---|
encryption_algorithm algorithms; | This directive allows the list of acceptable encryption algorithms to be specified. The first entry in this list which is acceptable to both the initiator and the responder will be selected. Acceptable values are any of des, 3des, des_iv64, des_iv32, rc5, rc4, idea, 3idea, cast128, blowfish, twofish, rijndael, aes, camellia or null_enc. |
encryption_algorithm aes, 3des; | |
authentication_algorithm algorithms; | This directive allows the list of acceptable authentication algorithms to be specified. The first entry in this list which is acceptable to both the initiator and the responder will be selected. Acceptable values are any of des, 3des, des_iv64, des_iv32, hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, hmac_sha512 or non_auth. |
authentication_algorithm hmac_sha512, hmac_sha384, hmac_sha256, hmac_sha1; | |
compression_algorithm algorithms; | This directive allows the list of acceptable compression algorithms to be specified. As the only compression algorithm currently defined for use with IPcomp is the deflate algorithm this is the only practical option. |
compression_algorithm deflate; | |
pfs_group group; | When Perfect Forward Security (PFS) is required this directive should be used to select the Diffie-Hellman exponentiations for the phase 2 negotiation. Valid values for group are modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144 and modp8192. Larger values increase security at the expense of greater processing overhead during phase 2 negotiation. When Perfect Forward Security (PFS) is not required this directive may be omitted. |
pfs_group modp1024; | |
lifetime time number time_unit; | This directive specifies the proposed lifetime of the Security Association (SA) being negotiated. |
lifetime time 12 hour; |
In addition to the options discussed above there are three more configuration directives which deserve a mention at this stage.
log level;
The first of these controls the level of messages which will be sent to the system log. During configuration and testing a level of info or debug may be required to produce output which may be useful when debugging connection issues. During production use a value of notice or warning is more appropriate to avoid excessively large log files.
path pre_shared_key file;
The next significant configuration directive must be used to configure a path to the Pre Shared Key file which will be used when PSK authentication is selected.
complex_bundle (on | off);
Finally the complex_bundle directive controls how the racoon daemon will interpret proposals when using an SA bundle. When this directive is set to off an ESP tunnel within an outer AH transport will be proposed as AH tunnel and ESP tunnel instead of the more accurate AH transport and ESP tunnel which would be proposed with this directive set to on. For interoperability with older IKE implementations this directive may need to be set to off, which is the default.
Below is a basic example configuration for the racoon daemon.
The first three configuration directives set the log level, the path to the PSK file and the presentation of an SA bundle. As you can see, we have set the log level to info so that more detailed output will be produced as well as specifying that an SA bundle should be expressed accurately.
The next configuration block declares an anonymous remote block which will match any incoming connections. Inside that block we offer a single proposal.
Finally we declare an anonymoussainfo block which will be used to negotiate IPsec Security Associations (IPsec SAs).
log info;
path pre_shared_key "/etc/racoon/psk.txt";
complex_bundle on;
remote anonymous
{
exchange_mode main;
my_identifier fqdn "vpn.hacking.co.uk";
passive off;
nat_traversal on;
dpd_delay 30;
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp2048;
lifetime time 24 hour;
}
}
sainfo anonymous
{
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha512, hmac_sha384, hmac_sha256, hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
lifetime time 12 hour;
}
The above configuration also requires a Pre Shared Key file, an example of which is provided below.
vpn.hacking.co.uk 0x5e0d1ba56cb3249e8a9d1ca243f01da16afc8d24c12f7c45
The PSK file will need to be secured so that it is only readable by the root user before racoon will consider it trustworthy. This can be easily accomplished as shown below.
With the relevant configuration files in place the racoon daemon may be started and added to the default run-level.
In the following section, we shall introduce some techniques for testing and diagnosing common configuration problems with the racoon daemon and IPsec.