racoon road warrior configuration

DEPARTMENT OF ELECTRONICS, MICROELECTRONICS, COMPUTER AND INTELLIGENT SYSTEMS
FACULTY OF ELECTRICAL ENGINEERING AND COMPUTING
UNIVERSITY OF ZAGREB

Racoon roadwarrior configuration

Matija Zeman

Zagreb, 2006.




Table of Contents

1. Roadwarrior scenario ........................................ 1
2. VPN gateway configuration ................................... 3
3. Roadwarrior client configuration ............................ 6
4. Connecting .................................................. 9
5. Windows XP client – ShrewSoft VPN Client ................... 11
6. Creating certificates ...................................... 15
7. Literature ................................................. 16


1. Roadwarrior scenario

A roadwarrior is a client that uses an unknown, dynamically assigned IP address to connect to a VPN gateway (in this case also the firewall). This situation is shown in picture 1.1 and is one of the most interesting and today most needed scenarios in a business environment. Some of the reasons why that is so:

● The client can be any computer (with any IP address assigned) that has Internet access and can initiate a connection to the VPN gateway.

● When connecting to the VPN network, the client is assigned an internal IP address on the network it is connecting to, which gives the impression that it is directly connected to the VPN network instead of tunneling through the Internet.

● Because an internal IP address is assigned, network administration is easier.

● Traffic is protected on the route from the client to the VPN gateway.

● While connected, the client has no direct access to the Internet, because its traffic is routed through the VPN network and the firewall (VPN gateway).

In combination with racoon, the roadwarrior scenario presents a few problems:

● The client's IP address is unknown and cannot be defined in the racoon.conf configuration file or in the PSK key file. Therefore, another way of authenticating the client is needed.

● It is not possible to define in advance the SPs according to which racoon on the gateway will behave, because the client's address is unknown. Racoon has to create any needed SPs or SAs when the connection is initiated.


Picture 1.1. Roadwarrior scenario


Picture 1.1 shows the roadwarrior scenario simulated by the local network 192.168.112.0/24, which contains the computer 192.168.112.131 and is connected to the Internet through the VPN gateway (also a firewall) with public IP address 192.168.111.129 (its address towards the local network is 192.168.112.202). The Internet is simulated by the 192.168.111.0/24 network, which contains two computers besides the VPN gateway: the roadwarrior client (IP address 192.168.111.203) and another computer connected to the Internet that takes no part in this roadwarrior scenario (192.168.111.3). To realize the roadwarrior scenario, the computers this connection depends on need to be configured.


2. VPN gateway configuration

The VPN gateway needs a configuration file for racoon, stored in /etc/racoon/racoon.conf. The configuration options are commented in the listing below.

# path to the certificate
path certificate "/etc/racoon";

# option of controlling racoon by racoonctl tool is disabled
listen {
    adminsock disabled;
}

# remote section - anonymous address of roadwarrior client
remote anonymous {
    # work mode in IKE first phase
    exchange_mode aggressive,main;
    # certificate type, certificate and secret key file name
    certificate_type x509 "cert.pem" "key.pem";
    # claiming the options requested by other peer
    proposal_check claim;
    # automatic generation of SPs from the initial connection request
    generate_policy on;
    # verifying certificates set to off
    verify_cert off;
    # nat-t set to off
    nat_traversal off;
    # DPD activation and 20 sec. delay allowed between 2 proof of liveness requests
    dpd_delay 20;
    # IKE fragmentation enabled
    ike_frag on;
    # agreement proposal in IKE first phase
    proposal {
        # cryptography and hash algorithm
        encryption_algorithm aes;
        hash_algorithm md5;
        # authentication method
        authentication_method hybrid_rsa_server;
        # Diffie-Hellman exponential group
        dh_group 2;
    }
}

# local network information
mode_cfg {
    # starting address of the IP address pool
    network4 192.168.112.5;
    # maximum number of clients
    pool_size 20;
    # network mask
    netmask4 255.255.255.0;
    # authentication source - user database on the system
    auth_source system;
    # configuration source - from data given in this section
    conf_source local;
    # DNS and WINS servers IP addresses
    dns4 192.168.112.202;
    wins4 192.168.112.202;
    # banner file - welcome message
    banner "/etc/racoon/motd";
}

# SA information for IKE second phase
sainfo anonymous {
    # Diffie-Hellman exponential group
    pfs_group 2;
    # second phase information lifetime
    lifetime time 1 hour;
    # cryptography, authentication and compression algorithm
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}


Very important parts of this configuration file are the mode_cfg section and the generate_policy directive inside the remote section. The generate_policy directive instructs racoon to automatically generate the needed SPs from the data given in the initial connection request. The mode_cfg section defines the IP address pool used for roadwarrior clients, the authentication method and the welcome message. The remote and sainfo sections are defined for an anonymous IP address so that they accept connections from any IP address, while the client is authenticated by the hybrid RSA authentication method against the system's user database, which is why the remote section of the gateway configuration uses the hybrid_rsa_server authentication method. The gateway, on the other hand, is authenticated to the client through its certificate.

Besides the racoon configuration file, traffic needs to be limited by firewall rules. The simplest security policy is defined in the following shell script, saved as fw.sh. The rules are commented inside the script listing.

#!/bin/sh
# flushing NAT tables
iptables -F -t nat
# flushing INPUT chain inside filter table
iptables -F INPUT
# flushing FORWARD chain inside filter table
iptables -F FORWARD
# flushing OUTPUT chain inside filter table
iptables -F OUTPUT
# setting default policy for INPUT chain
iptables -P INPUT DROP
# setting default policy for FORWARD chain
iptables -P FORWARD DROP
# setting default policy for OUTPUT chain
iptables -P OUTPUT ACCEPT
# accepting ESP (protocol 50) coming to interface eth0
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
# accepting AH (protocol 51) coming to interface eth0
iptables -A INPUT -i eth0 -p 51 -j ACCEPT
# accepting UDP protocol on source port 500 - ISAKMP
iptables -A INPUT -i eth0 -p udp --source-port 500 -j ACCEPT
# accepting UDP protocol on source port 4500 - NAT-T
iptables -A INPUT -i eth0 -p udp --source-port 4500 -j ACCEPT
# masquerading packets coming from local network or roadwarrior clients and going to
# Internet
iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.112.0/24 -j MASQUERADE
# forwarding packets from roadwarrior client back to Internet if destination is not
# inside the local network
iptables -A FORWARD -i eth0 -d ! 192.168.112.0/24 -o eth0 -j ACCEPT
# forwarding packets from local network towards Internet
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# forwarding packets from roadwarriors towards Internet
iptables -A FORWARD -i eth0 -s 192.168.112.0/27 -o eth0 -j ACCEPT
# forwarding packets from Internet to local network if connections are already
# established
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forwarding packets from Internet to roadwarriors if connections are already
# established
iptables -A FORWARD -i eth0 -o eth0 -d 192.168.112.0/27 -m state --state ESTABLISHED,RELATED -j ACCEPT
# accepting packets from Internet if connections are already established
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# marking packets that came by ESP protocol
iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
# accepting packets of all protocols if they are marked
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
# forwarding packets of all protocols if they are marked
iptables -A FORWARD -i eth0 -m mark --mark 1 -j ACCEPT

For the rules above to serve their purpose, the computers in the local network need a route to the roadwarrior address pool, set by the following command.

# ip route add 192.168.112.0/27 via 192.168.112.202 dev eth1


The VPN gateway also needs to know where the roadwarriors are, so the following route should be added on the gateway.

# ip route add 192.168.112.0/27 dev eth0 src 192.168.111.129

Besides the files mentioned, the VPN gateway must have a server certificate and a server key in the files /etc/racoon/cert.pem and /etc/racoon/key.pem respectively, as stated in the racoon configuration file. Creating the certificates is described in chapter 6.

Optionally, the console welcome message for users who connect to the VPN gateway can be defined in the /etc/racoon/motd file, as stated in the racoon configuration file.


3. Roadwarrior client configuration

Roadwarrior clients also need the racoon configuration file /etc/racoon/racoon.conf, whose directives are commented in the listing below.

# path to the certificate
path certificate "/etc/racoon";

# option of controlling racoon by racoonctl tool is enabled
listen {
    adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

# remote section - known address of VPN gateway
remote 192.168.111.129 {
    # work mode in IKE first phase
    exchange_mode aggressive;
    # certificate type and file name
    ca_type x509 "root-ca.pem";
    # obeying the options requested by other peer
    proposal_check obey;
    # nat-t set to off
    nat_traversal off;
    # IKE fragmentation enabled
    ike_frag on;
    # accepting information about the network being connected to
    mode_cfg on;
    # verifying certificates set to off
    verify_cert off;
    # IKE first phase starting script
    script "/etc/racoon/phase1-up.sh" phase1_up;
    # IKE first phase ending script
    script "/etc/racoon/phase1-down.sh" phase1_down;
    # agreement proposal in IKE first phase
    proposal {
        # cryptography and hash algorithm
        encryption_algorithm aes;
        hash_algorithm md5;
        # authentication method
        authentication_method hybrid_rsa_client;
        # Diffie-Hellman exponential group
        dh_group 2;
    }
}

# SA information for IKE second phase
sainfo anonymous {
    # Diffie-Hellman exponential group
    pfs_group 2;
    # second phase information lifetime
    lifetime time 1 hour;
    # cryptography, authentication and compression algorithm
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Important directives in the remote section of the client are the mode_cfg directive, which instructs racoon to accept network information from the VPN gateway, including the assigned internal IP address, and the hybrid_rsa_client authentication method. In this example the remote section points to the VPN gateway IP address, while the sainfo section points to an anonymous IP address. Because racoonctl will be used to connect to the VPN gateway, it does not matter whether either of these sections points to the VPN gateway or to an anonymous IP address. Also, as shown in the racoon configuration file, racoon invokes two shell scripts, which contain the commands that set up the environment (routes, internal IP address, SPs) needed for the roadwarrior connection to work properly. The phase1-up.sh shell script is run while the connection to the VPN gateway is being set up. The necessary commands are listed below.


#!/bin/sh
# listing known IP addresses and setting PATH environment variable
echo "internal address: ${INTERNAL_ADDR4}"   # internal address in local network
echo "local address: ${LOCAL_ADDR}"          # current global IP address
echo "remote address: ${REMOTE_ADDR}"        # VPN gateway IP address
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# defining variable to hold the name of virtual network interface
if=dummy0
# adding internal IP address to virtual network interface
ip address add dev ${if} ${INTERNAL_ADDR4}
# deleting default route
ip route del default
# adding route to VPN gateway
ip route add ${REMOTE_ADDR} via 192.168.111.129
# adding default route with new source address
ip route add default via 192.168.111.129 src ${INTERNAL_ADDR4}
# deleting existing route towards local network
ip route delete 192.168.112.0/24 via 192.168.111.129 dev eth0
# deleting existing route towards Internet
ip route delete 192.168.111.0/24 dev eth0
# setting SPs from the internal address towards all other IP addresses through the tunnel
# from roadwarrior client to VPN gateway, and vice versa, and also deleting the
# forwarding SP
echo "spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;" | setkey -c
echo "spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P fwd ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;" | setkey -c

This shell script defines a virtual network interface and assigns it the internal IP address given by the VPN gateway, deletes the existing routes and sets the new routes towards the local network, the VPN gateway and the default route. Besides that, it adds the needed SPs on the client side.

The phase1-down.sh shell script is run while disconnecting from the VPN gateway; its commands are listed below.

#!/bin/sh
# listing known IP addresses and setting PATH environment variable
echo "----------------"
echo "internal address: ${INTERNAL_ADDR4}"
echo "local address: ${LOCAL_ADDR}"
echo "remote address: ${REMOTE_ADDR}"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# defining variable to hold the name of virtual network interface
if=dummy0
# deleting internal IP address from virtual network interface
ip address delete ${INTERNAL_ADDR4} dev ${if}
# deleting route towards VPN gateway
ip route delete ${REMOTE_ADDR} via 192.168.111.129
# adding default route through network interface eth0
ip route add default dev eth0
# adding routes towards local network and Internet
ip route add 192.168.112.0/24 via 192.168.111.129 dev eth0
ip route add 192.168.111.0/24 dev eth0 src ${LOCAL_ADDR}
# flushing SPD and SAD
setkey -F
setkey -FP

This shell script returns the client to the state it was in before the connection by removing the assigned internal IP address and the routes that are no longer needed, and by restoring the previously deleted routes. The script also flushes the SPD and SAD databases, but it is important to mention that in more complex cases (for example, a client connected to two VPN gateways at the same time) these database entries should be deleted in a way that does not remove all entries, but only the ones that define the connection being closed.
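The selective cleanup just described, as an added example (not a script from the report, and not part of ipsec-tools): instead of the "setkey -F; setkey -FP" flush used in phase1-down.sh above, it removes only the two policies phase1-up.sh installed and only the ESP security associations between this client and this gateway, so a second tunnel to another gateway is left untouched. It assumes racoon hands the script the same INTERNAL_ADDR4, LOCAL_ADDR and REMOTE_ADDR variables that phase1-up.sh relies on; the setkey keywords used (spddelete, deleteall) are the ones documented in the setkey manual listed in chapter 7.

```shell
#!/bin/sh
# Added example: phase1-down variant that deletes only what belongs to the
# connection being closed. Expects INTERNAL_ADDR4, LOCAL_ADDR and REMOTE_ADDR
# from racoon, exactly as the report's phase1-up.sh does (an assumption of this
# example; it is not code from the report).

# setkey commands that undo exactly the two spdadd entries phase1-up.sh installed.
# spddelete needs only the selectors and the direction, not the policy itself.
# $1 = assigned internal address (INTERNAL_ADDR4)
spd_cleanup() {
    internal=$1
    printf 'spddelete %s/32[any] 0.0.0.0/0[any] any -P out;\n' "$internal"
    printf 'spddelete 0.0.0.0/0[any] %s[any] any -P in;\n' "$internal"
}

# setkey commands that drop only the ESP SAs between this client and this gateway,
# in both directions. SAs to any other gateway stay in the SAD.
# $1 = client's public address (LOCAL_ADDR), $2 = gateway address (REMOTE_ADDR)
sad_cleanup() {
    local_addr=$1
    remote=$2
    printf 'deleteall %s %s esp;\n' "$local_addr" "$remote"
    printf 'deleteall %s %s esp;\n' "$remote" "$local_addr"
}

# Apply both to the kernel. Runs only when racoon actually exported the variables
# and setkey is installed, so the two functions can be exercised on their own.
if [ -n "${INTERNAL_ADDR4:-}" ] && [ -n "${LOCAL_ADDR:-}" ] && [ -n "${REMOTE_ADDR:-}" ] \
   && command -v setkey >/dev/null 2>&1; then
    { spd_cleanup "$INTERNAL_ADDR4"; sad_cleanup "$LOCAL_ADDR" "$REMOTE_ADDR"; } | setkey -c
fi
```

The rest of phase1-down.sh (removing the address from dummy0 and restoring the routes) stays as it is; only the two setkey flushes at the end are replaced by the piped output of these functions. With the report's addresses, the script emits spddelete lines for 192.168.112.5 and deleteall lines for the pair 192.168.111.203 / 192.168.111.129.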

Besides the files already mentioned, the roadwarrior client must have the root certificate stored as /etc/racoon/root-ca.pem, as defined in the racoon configuration file. As already pointed out, the creation of the needed certificates is described in chapter 6.


4. Making a connection

To make a connection, the VPN gateway should be set up first. The firewall rules are set by running the shell script that was stored as fw.sh. After that, racoon is started with the following command.

# ./fw.sh
# racoon -F -f /etc/racoon/racoon.conf

VPN gateway is now ready and is waiting for the clients to initiate connection.

Racoon is then started on the roadwarrior client with the following command.

# racoon -f /etc/racoon/racoon.conf

After racoon is active, it can be controlled using racoonctl tool. The connection is initiated by running the following command.

# racoonctl vc -u username 192.168.111.129

Username is the name of one of the existing users on the VPN gateway. Racoonctl asks for that user's password, and if the supplied information is correct, the client is presented with the assigned internal IP address and a welcome message.

# racoonctl vc -u mac 192.168.111.129
Password:
Bound to address 192.168.112.5
Welcome
#

Ping can now be run on the client side, trying to ping computer 192.168.112.131 that is inside the local network.

# ping 192.168.112.131
connect: Resource temporarily unavailable
# ping 192.168.112.131
PING 192.168.112.131 (192.168.112.131) 56(84) bytes of data.
64 bytes from 192.168.112.131: icmp_seq=1 ttl=63 time=164 ms
64 bytes from 192.168.112.131: icmp_seq=2 ttl=63 time=8.75 ms
64 bytes from 192.168.112.131: icmp_seq=3 ttl=63 time=5.86 ms
64 bytes from 192.168.112.131: icmp_seq=4 ttl=63 time=37.7 ms
64 bytes from 192.168.112.131: icmp_seq=5 ttl=63 time=16.5 ms
64 bytes from 192.168.112.131: icmp_seq=6 ttl=63 time=6.10 ms

--- 192.168.112.131 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5011ms
rtt min/avg/max/mdev = 5.860/39.901/164.394/56.744 ms
#

The “connect: Resource temporarily unavailable” message is normal. It comes from the first ping attempt towards the VPN gateway, which the kernel refuses to send until the security association has been negotiated; that attempt is what gives the VPN gateway the information about the needed SPs. Once this information is available, the VPN gateway sets up the needed SPs. If the ping is repeated, as in the example above, the computer is reachable and the connection is set up.

To check that the connection is set up properly, traffic can be recorded with any available tool (Ethereal, tcpdump) while pinging. Traffic can be recorded on the route from the roadwarrior client towards the VPN gateway, as well as on the local network. On the outside network, ESP packets will be seen between the public IP addresses of the roadwarrior client and the VPN gateway. Encapsulated inside these ESP packets are the ICMP Echo Request and ICMP Echo Reply packets between the assigned internal IP address of the roadwarrior client and the computer being pinged, which can be seen by recording packets on the local network. Also, if the roadwarrior client pings some other computer on the Internet (192.168.111.3), the traffic recording will show that the client sends ESP packets towards the VPN gateway, and the VPN gateway then sends an ICMP Echo Request packet towards the pinged computer. When the VPN gateway receives the ICMP Echo Reply as the answer to its packet, it encapsulates it into ESP and sends it back to the roadwarrior client. This shows that all traffic from the roadwarrior client towards the Internet passes through the VPN gateway, which is also used as the firewall protecting the local network, and that the roadwarrior client is treated as part of the local network for as long as the secure connection is running.
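The outside-network check described above, turned into a script as an added example (not part of the report): every line of a "tcpdump -n" capture taken on the Internet side of the client must be ISAKMP or ESP between exactly the two public addresses; anything else is traffic that left the client in clear, bypassing the tunnel (for instance because one of the routes set by phase1-up.sh is missing). The sample capture is constructed for this example in tcpdump's line format; it is not a recording from the report, and the addresses are the report's 192.168.111.203 (client) and 192.168.111.129 (gateway).

```shell
#!/bin/sh
# Added example: flag packets on the outside network that are not protected
# IKE/ESP traffic between the roadwarrior client and the VPN gateway.

# Constructed sample of "tcpdump -n" output on the Internet side (not a real
# capture). The last line is an ICMP packet with the internal address in clear,
# i.e. traffic that escaped the tunnel, and must be reported.
SAMPLE_CAPTURE='12:00:01.000000 IP 192.168.111.203.500 > 192.168.111.129.500: isakmp: phase 1 I agg
12:00:01.050000 IP 192.168.111.129.500 > 192.168.111.203.500: isakmp: phase 1 R agg
12:00:01.100000 IP 192.168.111.203 > 192.168.111.129: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
12:00:01.200000 IP 192.168.111.129 > 192.168.111.203: ESP(spi=0x1d2c3b4a,seq=0x1), length 116
12:00:02.000000 IP 192.168.112.5 > 192.168.112.131: ICMP echo request, id 1, seq 1, length 64'

# Reads capture lines on stdin, prints every offending line prefixed with "LEAK: "
# and, as its last line, the number of offending packets.
# $1 = public address of the roadwarrior client, $2 = public address of the gateway
check_outside_capture() {
    awk -v c="$1" -v g="$2" '
        $2 != "IP" { next }          # only IPv4 summary lines
        {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # tcpdump -n appends the port as a fifth dotted field; drop it
            if (split(src, a, ".") == 5) src = a[1] "." a[2] "." a[3] "." a[4]
            if (split(dst, b, ".") == 5) dst = b[1] "." b[2] "." b[3] "." b[4]
            peers = (src == c && dst == g) || (src == g && dst == c)
            # IKE (isakmp), plain ESP, or NAT-T encapsulated ESP (UDP-encap:)
            protected = ($6 == "isakmp:" || $6 ~ /^ESP\(/ || $6 == "UDP-encap:")
            if (!(peers && protected)) { leaks++; print "LEAK: " $0 }
        }
        END { print leaks + 0 }'
}

if [ $# -ge 2 ]; then
    # live use: tcpdump -ni eth0 -l | ./check_outside.sh CLIENT_ADDR GATEWAY_ADDR
    check_outside_capture "$1" "$2"
else
    printf '%s\n' "$SAMPLE_CAPTURE" | check_outside_capture 192.168.111.203 192.168.111.129
fi
```

Run without arguments it reports the one constructed ICMP line and prints 1; a capture in which only the isakmp and ESP lines appear yields 0. A non-zero count after a ping through the tunnel means the client is sending something outside the ESP tunnel and the routes and SPs on the client should be re-checked.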

To disconnect from the VPN gateway, the following command is used on the roadwarrior client.

# racoonctl vd 192.168.111.129
VPN connexion terminated
#


5. Windows XP client – ShrewSoft VPN Client

ShrewSoft VPN Client is free software. It was made to ensure interoperability between IPsec-tools (racoon) and Microsoft Windows. The focus of this chapter is not exploring all its possibilities, but setting it up as a client in the roadwarrior scenario. After it is installed and run, the window shown in picture 5.1 opens. A new connection can be added here.

The first tab of the configuration window holds the network preferences. The IP address of the VPN gateway should be entered, as well as the other options shown in picture 5.2.

The second tab of the configuration window holds the options for manually setting the internal IP address of the client. This should be set to be obtained automatically, as shown in picture 5.3.


Picture 5.1. Main window of the ShrewSoft VPN Client tool

Picture 5.2. Network options of the ShrewSoft VPN Client tool


The first authentication tab configures the client's identity as shown in picture 5.4, and the authentication method is set to Hybrid RSA + XAuth.

The second authentication tab configures the gateway's identity in the same way as the client's identity above. The third authentication tab configures the path of the root certificate used, as shown in picture 5.5.


Picture 5.3. Client options of the ShrewSoft VPN Client tool

Picture 5.4. First authentication tab of the ShrewSoft VPN Client tool


The fourth tab configures the IKE first phase options. These should be set as shown in picture 5.6, to correspond to the options set on the racoon roadwarrior client.

The fifth tab defines the IKE second phase options. These should be set as shown in picture 5.7, again to correspond to the options set on the racoon roadwarrior client.


Picture 5.5. Third authentication tab of the ShrewSoft VPN Client tool

Picture 5.6. IKE first phase options of the ShrewSoft VPN Client tool


Finally, the last tab defines the needed SPs. The simplest approach is to add the local network 192.168.112.0 with net mask 255.255.255.0, as shown in picture 5.8.

After configuration, the connection is established by clicking the “Connect” button after entering the necessary user name and password. That the connection is established can be seen by the traffic recording explained in the previous chapter. It should be mentioned that this does not apply to all the traffic, because the needed routes are not set up in the Windows environment. For that purpose, the Windows console tools (ipconfig and route) are available.


Picture 5.7. IKE second phase options of the ShrewSoft VPN Client tool

Picture 5.8. SP policy configuration of the ShrewSoft VPN Client tool


6. Creating certificates

To create the needed OpenSSL certificates, a few commands have to be executed. These commands are shown in this chapter, but to ensure correct certificate creation the reader should refer to literature 4 and 11.

To create a root certificate, the following command needs to be executed.

# openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config ./openssl.conf

This creates two files, the key file cakey.pem and the root certificate file cacert.pem. After that, the certificate request is created by executing the following command.

# openssl req -new -nodes -out req.pem -config ./openssl.conf

This command also creates two files, the key file key.pem and the certificate request file req.pem. The last step is to sign the certificate request by executing the following command.

# openssl ca -out cert.pem -config ./openssl.conf -infiles req.pem

The result is the necessary certificate file cert.pem.

The roadwarrior client needs to have the root certificate created in the first step, while the VPN gateway needs to have the key file created in the second step, and the signed certificate created in the last step.
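The three steps of this chapter carried out end to end, as an added example (these are not the report's own commands or its openssl.conf, which the report does not show): the script writes a minimal openssl.conf inline, runs the root-certificate, request and signing commands unattended, and then performs the two checks a practitioner wants before copying the files to the hosts: that cert.pem chains to cacert.pem, and that key.pem is the private key belonging to cert.pem. The working directory, the subject names, the key size and the -nodes, -subj and -batch flags are assumptions made for this example. The chain check is the one racoon itself performs when verify_cert is on; with verify_cert off, as in the client configuration of chapter 3, the gateway's certificate is accepted without it.

```shell
#!/bin/sh
# Added example, not from the report: run the chapter 6 commands non-interactively
# in a directory of your choice and verify the result. Assumed layout: the
# directory holds openssl.conf, privateKey/, newcerts/, index.txt and serial.

# Prepare the layout "openssl ca" expects and a minimal openssl.conf.
# $1 = working directory (created if missing).
setup_ca_dir() {
    mkdir -p "$1/privateKey" "$1/newcerts"
    dir=$(cd "$1" && pwd)
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/openssl.conf" <<EOF
[ ca ]
default_ca = racoon_ca

[ racoon_ca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/privateKey/cakey.pem
default_md      = sha256
default_days    = 365
policy          = racoon_policy
x509_extensions = v3_usr

[ racoon_policy ]
commonName = supplied

[ req ]
default_bits       = 2048
default_keyfile    = key.pem
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ v3_usr ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
}

# The three commands from chapter 6. -nodes leaves the CA key unencrypted so the
# example runs unattended; a real CA key should be passphrase-protected and kept
# off the gateway. default_keyfile in [req] makes the second command write key.pem.
make_certs() {
    (
        cd "$1" || exit 1
        openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem \
            -out cacert.pem -days 3650 -config ./openssl.conf \
            -nodes -subj "/CN=Example Root CA" &&
        openssl req -new -nodes -out req.pem -config ./openssl.conf \
            -subj "/CN=vpn-gateway" &&
        openssl ca -batch -out cert.pem -config ./openssl.conf -infiles req.pem
    )
}

# cert.pem must chain to cacert.pem, and key.pem must match the public key in cert.pem.
verify_certs() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cert.pem" >/dev/null || return 1
    [ "$(openssl x509 -in "$1/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/key.pem" -pubout)" ]
}

if [ $# -eq 1 ]; then
    setup_ca_dir "$1" && make_certs "$1" && verify_certs "$1" \
        && echo "cacert.pem, key.pem and cert.pem in $1 verified"
fi
```

After a successful run, cacert.pem goes to the roadwarrior client as /etc/racoon/root-ca.pem, and key.pem and cert.pem go to the VPN gateway as /etc/racoon/key.pem and /etc/racoon/cert.pem, matching the file names in the two racoon configuration files.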


7. Literature

1. NETFILTER/iptables, available at http://www.netfilter.org/projects/iptables/index.html (11/12/2005)

2. Packet Filtering HOWTO, available at http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html (11/12/2005)

3. NAT HOWTO, available at http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html (11/12/2005)

4. Ralf Spenneberg, IPsec HOWTO, available at http://www.ipsec-howto.org (15/5/2006)

5. Shrew Soft Inc., ShrewSoft VPN Client, available at http://www.shrew.net/ (10/6/2006)

6. IPsec-tools, available at http://ipsec-tools.sourceforge.net/ (15/5/2006)

7. Setkey manual, available at http://netbsd.gw.com/cgi-bin/man-cgi?setkey++NetBSD-current (15/5/2006)

8. Racoon manual, available at http://netbsd.gw.com/cgi-bin/man-cgi?racoon++NetBSD-current (15/5/2006)

9. Racoon.conf manual, available at http://netbsd.gw.com/cgi-bin/man-cgi?racoon.conf+5+NetBSD-current (15/5/2006)

10. Racoonctl manual, available at http://netbsd.gw.com/cgi-bin/man-cgi?racoonctl++NetBSD-current (15/5/2006)

11. Ana Kukec, OpenSSL certifikati, available at http://anchie.esa.fer.hr/My_Documents/Dokumenti/OpenSSL-certifikati.pdf (2/6/2006)
