IPv6 Enkripsi: Automatic key exchange (IKE)

From OnnoWiki
Jump to navigation Jump to search

IPsec membutuhkan pertukaran kunci rahasia. Hal ini dilakukan secara automatis oleh daemon IKE. IKE juga menangani authentikasi peer, baik melalui kunci rahasia yang di ketahui bersama (biasa di sebut “pre-shared secret”) atau melalui kunci RSA (yang dapat digunakan dari sertifikat X.509).

Saat ini, ada dua implementasi IKE daemon yang tersedia di Linux, yang sangat berbeda dalam cara konfigurasi maupun penggunaan.

Tampaknya, “pluto” lebih sederhana daripada implementasi *S/WAN.

IKE daemon “racoon”

IKE daemon “racoon” di ambil dari KAME project dan di porting ke Linux. Distribusi Linux Modern berisi paket deamon ini di “ipsec-tools”. Ada dua executable untuk bisa mensetup IPsec dengan baik. Ada baiknya membaca-baca Linux Advanced Routing & Traffic Control HOWTO / IPSEC.

Manipulasi database IPsec SA/SP menggunakan tool “setkey”

“setkey” sangat penting untuk mendefinisikan security policy (SP) untuk kernel. 

File: /etc/racoon/setkey.sh

Contoh untuk sambungan terenkripsi end-to-end di mode transport 

#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/transport//require;
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec esp/transport//require;

Contoh untuk sambungan terenkripsi end-to-end di mode tunnel 

#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/tunnel/2001:db8:1:1::1-2001:db8:2:2::2/require;
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec esp/tunnel/2001:db8:2:2::2-2001:db8:1:1::1/require;


Untuk peer yang lain, kita harus mengubah "in" dengan "out".

Konfigurasi IKE daemon “racoon”

“racoon” membutuhkan file konfigurasi agar dapat di jalankan dengan benar. Ini termasuk setting untuk security policy, yang harusnya bisa di set menggunakan “setkey”.

File: /etc/racoon/racoon.conf 

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
        isakmp 2001:db8:1:1::1;
}

remote 2001:db8:2:2::2
{
        exchange_mode main;
        lifetime time 24 hour;
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        } 
}

# gateway-to-gateway
sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
{
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any
{
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

Juga set up pre-shared secret:

File: /etc/racoon/psk.txt 

# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'

2001:db8:2:2::2 verysecret

Jalankan IPsec dengan IKE daemon “racoon”

Paling tidak daemin perlu di jalankan. Untuk pertama kali, gunakan debug di mode foreground. Contoh berikut memperlihatkan negosisasi IKE phase 1 (ISAKMP-SA) dan 2 (IPsec-SA): 

# racoon -F -v -f /etc/racoon/racoon.conf

Foreground mode. 
2005-01-01 20:30:15: INFO: @(#)ipsec-tools 0.3.3
¬ (http://ipsec-tools.sourceforge.net)
2005-01-01 20:30:15: INFO: @(#)This product linked
¬ OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2005-01-01 20:30:15: INFO: 2001:db8:1:1::1[500] used as isakmp port (fd=7)
2005-01-01 20:31:06: INFO: IPsec-SA request for 2001:db8:2:2::2
¬ queued due to no phase1 found.
2005-01-01 20:31:06: INFO: initiate new phase 1 negotiation:
¬ 2001:db8:1:1::1[500]<=>2001:db8:2:2::2[500]
2005-01-01 20:31:06: INFO: begin Identity Protection mode.
2005-01-01 20:31:09: INFO: ISAKMP-SA established
¬ 2001:db8:1:1::1[500]-2001:db8:2:2::2[500] spi:da3d3693289c9698:ac039a402b2db401
2005-01-01 20:31:09: INFO: initiate new phase 2 negotiation:
¬ 2001:6f8:900:94::2[0]<=>2001:db8:2:2::2[0]
2005-01-01 20:31:10: INFO: IPsec-SA established:
¬ ESP/Tunnel 2001:db8:2:2::2->2001:db8:1:1::1 spi=253935531(0xf22bfab) 
2005-01-01 20:31:10: INFO: IPsec-SA established:
¬ ESP/Tunnel 2001:db8:1:1::1->2001:db8:2:2::2 spi=175002564(0xa6e53c4)

Masing-masing tujuan mempunyai sendiri IPsec-SA (seperti di definisikan di standard IPsec). Dengan “tcpdump” pada interface yang di maksud, kita akan melihat haisl dari IPv6 ping: 

20:35:55.305707 2001:db8:1:1::1 > 2001:db8:2:2::2: ESP(spi=0x0a6e53c4,seq=0x3)
20:35:55.537522 2001:db8:2:2::2 > 2001:db8:1:1::1: ESP(spi=0x0f22bfab,seq=0x3)

Seperti di kita inginkan, SPI hasil negosiasi digunakan disini.

Dan menggunakan “setkey”, parameter aktif yang digunakan diperlihatkan disini: 

# setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000)
        E: 3des-cbc  bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd
        A: hmac-md5  60c2c505 517dd8b7 c9609128 a5efc2db
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  1 20:31:10 2005   current: Jan  1 20:40:47 2005
        diff: 577(s)    hard: 3600(s)   soft: 2880(s)
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
        current: 540(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=1 pid=22358 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000)
        E: 3des-cbc  c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce
        A: hmac-md5  3f957db9 9adddc8c 44e5739d 3f53ca0e
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  1 20:31:10 2005   current: Jan  1 20:40:47 2005
        diff: 577(s)    hard: 3600(s)   soft: 2880(s)
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
        current: 312(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=22358 refcnt=0

IKE daemon “pluto”

IKE daemon “pluto” ternasuk dalam distribusi *S/WAN project. *S/WAN project dimulai diawali dengan FreeS/WAN. Sangat di sayangkan, FreeS/WAN project berhenti dari pengembangan stopped di tahun 2004. Because of the slow pace of development in the past, two spin-offs started: strongSwan and Openswan. Today, readily installable packages are available for at least Openswan (included in Fedora Core 3).

A major difference to “racoon”, only one configuration file is required. Also, an initscript exists for automatic setup after booting.

Configuration of the IKE daemon “pluto”

The configuration is very similar to the IPv4 one, only one important option is necessary.

File: /etc/ipsec.conf 

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn ipv6-p1-p2 
        connaddrfamily=ipv6       # Important for IPv6!
        left=2001:db8:1:1::1
        right=2001:db8:2:2::2
         authby=secret
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        type=transport
        #type=tunnel
        compress=no
        #compress=yes
        auto=add
        #auto=start

Don't forget to define the pre-shared secret here also.

File: /etc/ipsec.secrets 

2001:db8:1:1::1 2001:db8:2:2::2 : PSK      "verysecret"

Running IPsec with IKE daemon “pluto”

If installation of Openswan was successfully, an initscript should exist for starting IPsec, simply run (on each peer): 

# /etc/rc.d/init.d/ipsec start

Afterwards, start this connection on one peer. If you saw the line “IPsec SA established”, all worked fine. 

# ipsec auto --up ipv6-peer1-peer2
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established
112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa98b7710 <0xa51e1f22}

Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, “setkey” can be used here too to show current active parameters: 

# setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
        E: aes-cbc  082ee274 2744bae5 7451da37 1162b483
        A: hmac-sha1  b7803753 757417da 477b1c1a 64070455 ab79082c
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:32 2005   current: Jan  1 21:22:20 2005
        diff: 348(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=23825 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
        E: aes-cbc  6f59cc30 8d856056 65e07b76 552cac18
        A: hmac-sha1  c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:31 2005   current: Jan  1 21:22:20 2005
        diff: 349(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=23825 refcnt=0
Retrieved from "https://onnocenter.or.id/wiki/index.php?title=IPv6_Enkripsi:_Automatic_key_exchange_(IKE)&oldid=37790"