
IPsec

Open the topology Examples/IPsec/IPsec.imn and you should see this:

IPsec example - topology picture.

You can use any of the following examples on this topology.

strongswan

This example uses strongswan with certificate authentication to establish an IPsec connection.
The tool strongswan is not installed in IMUNES by default.

Execute the experiment.

An automated script start_strongswan.sh is available if you don't wish to execute the following commands yourself.

Open the shell on your computer and change to the Examples/IPsec/ folder. To copy the configuration files to router1 (moon)
and router2 (sun) respectively, use the following commands:

# hcp -r moon/* router1:/usr/local/etc/
# hcp -r sun/* router2:/usr/local/etc/

For more information about using the hcp command, visit WikiImunesExamples.

Double click on router1 and router2 and enter the command:

# ipsec start

for both of them.

Next, return to the router1 (or router2) shell and execute:

# ipsec up net-net

The IPsec connection should be established. To test it, right click on either router (router1 or router2) and start capturing packets with Wireshark.
Then, double click on the pc1 node and ping the pc2 node:

# ping 10.0.3.20

The only packets Wireshark should be showing are ESP packets.

racoon2

This example uses racoon2 with IKE to establish an IPsec connection.
The tool racoon2 is not installed in IMUNES by default.

Execute the experiment.

An automated script start_racoon2.sh is available if you don't wish to execute the following commands yourself.

Open the shell on your computer and change to the Examples/IPsec/ folder. To copy the configuration files to router1
and router2 respectively and to set the files' permissions, use the following commands:

# hcp -r n1_racoon2_conf_files/* router1:/usr/local/etc/racoon2/
# hcp -r n2_racoon2_conf_files/* router2:/usr/local/etc/racoon2/
# himage router1 chmod -R 600 /usr/local/etc/racoon2/psk
# himage router2 chmod -R 600 /usr/local/etc/racoon2/psk
# himage router1 mkdir -p -m 700 /var/run/racoon2
# himage router2 mkdir -p -m 700 /var/run/racoon2

For more information about using the hcp and himage commands, visit WikiImunesExamples.

Double click on router1 and router2 and enter the command:

# spmd

for both of them.

Next, execute:

# iked

for both of the routers.

The IPsec connection should be established. To test it, right click on either router (router1 or router2) and start capturing packets with Wireshark.
Then, double click on the pc1 node and ping the pc2 node:

# ping 10.0.3.20

The only packets Wireshark should be showing are ESP packets.

setkey

This example uses setkey with manually keyed SAs (no IKE) to establish an IPsec connection.
The tool setkey is installed in IMUNES by default.

Execute the experiment.

An automated script start_setkey.sh is available if you don't wish to execute the following commands yourself.

Double click the router1 and execute:

# setkey -c <<EOF
add 10.0.1.1 10.0.2.2 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.2.2 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.0.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.2.2/require ;
EOF

Double click the router2 and execute:

# setkey -c <<EOF
add 10.0.1.1 10.0.2.2 esp 0x06f0a592 -E 3des-cbc 0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3 -A hmac-sha1 0x22cd641883f3b5424349817b7a8258e4f674b588 ;
add 10.0.2.2 10.0.1.1 esp 0x0c41304e -E 3des-cbc 0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813 -A hmac-sha1 0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5 ;
spdadd 10.0.3.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.2.2-10.0.1.1/require ;
EOF
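The two setkey scripts above are identical except for the spdadd line: both routers must hold the same pair of SAs (one per direction), and each router's outbound policy names its own LAN as the source. The following script is an added example, not part of the IMUNES examples or the page; it generates such a pair of scripts with random keys of the correct length, refuses keys setkey would reject, and checks that both sides' SAs really match, which is the usual cause of a tunnel that "comes up" but silently drops every packet. The page's own keys are kept only to show that the generated lines match the page's format; the site_to_site, sas_match and fresh_sa names are this example's own.

```python
import re
import secrets

# Key sizes in bytes for the ESP algorithms that appear on this page
# (3des-cbc in the setkey example, rijndael-cbc in the setkey -D dump).
ESP_ENC_KEY_LEN = {"3des-cbc": (24,), "rijndael-cbc": (16, 24, 32)}
ESP_AUTH_KEY_LEN = {"hmac-sha1": (20,)}


def check_key(hexkey, allowed_lens, what):
    """Reject keys setkey would refuse, or that would leave the SA unusable on one side."""
    if not re.fullmatch(r"0x(?:[0-9a-fA-F]{2})+", hexkey):
        raise ValueError(f"{what}: expected 0x-prefixed hex of whole bytes, got {hexkey!r}")
    nbytes = (len(hexkey) - 2) // 2
    if nbytes not in allowed_lens:
        raise ValueError(f"{what}: {nbytes} bytes, allowed {allowed_lens}")
    return nbytes


def sa_line(src, dst, spi, ealg, ekey, aalg, akey):
    """One 'add' line in the form the page uses."""
    check_key(ekey, ESP_ENC_KEY_LEN[ealg], f"{ealg} key")
    check_key(akey, ESP_AUTH_KEY_LEN[aalg], f"{aalg} key")
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in 32 bits; values 0-255 are reserved (RFC 4303)")
    return f"add {src} {dst} esp {spi:#010x} -E {ealg} {ekey} -A {aalg} {akey} ;"


def spd_line(local_net, remote_net, local_gw, remote_gw):
    """Outbound policy: traffic from local_net to remote_net must be tunnelled ('require')."""
    return (f"spdadd {local_net} {remote_net} any -P out ipsec "
            f"esp/tunnel/{local_gw}-{remote_gw}/require ;")


def fresh_sa(ealg="3des-cbc", aalg="hmac-sha1"):
    """A new SA with a random SPI and random keys of the right length, from a CSPRNG."""
    return {
        "spi": secrets.randbelow(0xFFFFFFFF - 256) + 256,
        "ekey": "0x" + secrets.token_hex(ESP_ENC_KEY_LEN[ealg][0]),
        "akey": "0x" + secrets.token_hex(ESP_AUTH_KEY_LEN[aalg][0]),
    }


def site_to_site(r1_gw, r2_gw, r1_net, r2_net, sa_12, sa_21,
                 ealg="3des-cbc", aalg="hmac-sha1"):
    """Return (router1_script, router2_script) for `setkey -c`.

    Both routers load the same two SAs; only the SPD entry differs, because
    each side protects the traffic leaving its own LAN."""
    add_12 = sa_line(r1_gw, r2_gw, sa_12["spi"], ealg, sa_12["ekey"], aalg, sa_12["akey"])
    add_21 = sa_line(r2_gw, r1_gw, sa_21["spi"], ealg, sa_21["ekey"], aalg, sa_21["akey"])
    r1 = "\n".join([add_12, add_21, spd_line(r1_net, r2_net, r1_gw, r2_gw)]) + "\n"
    r2 = "\n".join([add_12, add_21, spd_line(r2_net, r1_net, r2_gw, r1_gw)]) + "\n"
    return r1, r2


def sas_match(script_a, script_b):
    """True when both scripts carry identical 'add' lines. A differing SPI or key on
    one side does not fail loudly: the receiver just discards every packet."""
    adds = lambda s: sorted(l for l in s.splitlines() if l.startswith("add "))
    return adds(script_a) == adds(script_b)


# The SAs from the page's setkey example. They are public, so they are only
# useful for checking the output format, never for a real tunnel.
PAGE_SA_12 = {"spi": 0x06f0a592,
              "ekey": "0xa2d1986d4d382befdb2ecd48601936470ec5e1673e23eda3",
              "akey": "0x22cd641883f3b5424349817b7a8258e4f674b588"}
PAGE_SA_21 = {"spi": 0x0c41304e,
              "ekey": "0x3e6487e1adc44705aedbca9ebb8a9691dbcfd3c37088c813",
              "akey": "0x7f03e71601d7fbd86ad71fb1089ac056c1e31ca5"}

if __name__ == "__main__":
    r1, r2 = site_to_site("10.0.1.1", "10.0.2.2", "10.0.0.0/24", "10.0.3.0/24",
                          fresh_sa(), fresh_sa())
    print("# router1:\n" + r1 + "# router2:\n" + r2)
```

Feed each script to `setkey -c` on the matching router exactly as the page does. The 3des-cbc default mirrors the page; passing ealg="rijndael-cbc" gives AES-CBC keys, which is what the setkey -D dump later on this page shows.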

The IPsec connection should be established. To test it, right click on either router (router1 or router2) and start capturing packets with Wireshark.
Then, double click on the pc1 node and ping the pc2 node:

# ping 10.0.3.20

The only packets Wireshark should be showing are ESP packets.
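All three examples end with the same check: a capture taken on a router while pc1 pings pc2 should contain nothing but ESP. The script below is an added example, not part of the page or of IMUNES; it does that check offline on a pcap file written by `tcpdump -w` (the classic format, not pcapng), listing every IPv4 packet and flagging anything that is neither ESP (IP protocol 50) nor IKE (UDP/500 or UDP/4500, which strongswan and racoon2 legitimately exchange). The sample capture is constructed inside the script: one ESP packet between the gateways, reusing the SPI from the page's setkey example, and one ICMP echo that crossed the link in clear, the failure mode you would see if an SPD entry were missing. The pc1 address 10.0.0.20 is an assumption; the page only gives pc2's 10.0.3.20.

```python
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ESP = 1, 17, 50
IKE_PORTS = {500, 4500}


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left zero, it is never verified here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ether_frame(ip_packet):
    """Ethernet II frame with zeroed MAC addresses around an IPv4 packet."""
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def write_pcap(frames):
    """Classic little-endian pcap, the format `tcpdump -w` produces."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in enumerate(frames):
        out.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return out.getvalue()


def read_pcap(data):
    """Yield the captured frames; handles both byte orders of the classic format."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def ip_flows(data):
    """(src, dst, proto, udp_dst_port_or_None) for every IPv4 packet in the capture."""
    flows = []
    for frame in read_pcap(data):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue  # ARP and the like: not traffic IPsec would protect
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        port = None
        if proto == IPPROTO_UDP and len(ip) >= ihl + 4:
            port = struct.unpack_from("!H", ip, ihl + 2)[0]
        flows.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), proto, port))
    return flows


def cleartext_packets(data):
    """Everything that is neither ESP nor IKE. With a 'require' policy in place
    on both routers this list must be empty."""
    return [f for f in ip_flows(data)
            if f[2] != IPPROTO_ESP and not (f[2] == IPPROTO_UDP and f[3] in IKE_PORTS)]


# Constructed capture (not a real trace): one ESP packet with the page's SPI and
# 32 bytes of dummy ciphertext, plus one ICMP echo that leaked in clear.
SAMPLE_PCAP = write_pcap([
    ether_frame(ipv4_packet("10.0.1.1", "10.0.2.2", IPPROTO_ESP,
                            struct.pack("!II", 0x06F0A592, 1) + bytes(range(32)))),
    ether_frame(ipv4_packet("10.0.0.20", "10.0.3.20", IPPROTO_ICMP,
                            struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")),
])

if __name__ == "__main__":
    for flow in ip_flows(SAMPLE_PCAP):
        print(flow)
    print("cleartext:", cleartext_packets(SAMPLE_PCAP))
```

To use it on a real run, capture on the router with `tcpdump -ni eth0 -w ipsec.pcap` as in the decryption section below, copy the file out with hcp, and pass its bytes to cleartext_packets: anything it returns is traffic that bypassed the tunnel.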

Decrypting IPsec packets

Capture the IPsec traffic flowing between two IPsec endpoints (n0 is one of the endpoints):

root@n0# tcpdump -ni eth0 -w ipsec.pcap

List your SA data that will be used for decryption:

root@n0# setkey -D
192.168.71.1 192.168.71.2 
        esp mode=tunnel spi=3417721099(0xcbb6490b) reqid=1(0x00000001)
        E: rijndael-cbc  23028dc5 c4212de8 051e9d56 24375718
        A: hmac-sha1  6f298b6f 053a5c14 929d88ec c53714f3 d2daa030
        seq=0x00000034 replay=32 flags=0x00000000 state=mature 
        created: Nov 25 07:52:22 2014   current: Nov 25 08:02:58 2014
        diff: 636(s)    hard: 1200(s)   soft: 922(s)
        last: Nov 25 07:53:13 2014      hard: 0(s)      soft: 0(s)
        current: 6240(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 52   hard: 0 soft: 0
        sadb_seq=1 pid=383 refcnt=2
192.168.71.2 192.168.71.1 
        esp mode=any spi=3339251311(0xc708ee6f) reqid=1(0x00000001)
        E: rijndael-cbc  16bd4344 008c3dc0 9f7be384 86d3bdf7
        A: hmac-sha1  a5894f9f 685a0f5d f9fee2db 99f1cc5f c1db85a7
        seq=0x00000034 replay=32 flags=0x00000000 state=mature 
        created: Nov 25 07:52:22 2014   current: Nov 25 08:02:58 2014
        diff: 636(s)    hard: 1200(s)   soft: 878(s)
        last: Nov 25 07:53:13 2014      hard: 0(s)      soft: 0(s)
        current: 3952(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 52   hard: 0 soft: 0
        sadb_seq=0 pid=383 refcnt=1

Stop the capture and transfer the packet file to the host FreeBSD machine:

root@IMUNES# hcp n0:ipsec.pcap .

Open the capture with Wireshark. Go to Edit -> Preferences. Choose Protocols -> ESP. Click Edit to configure your ESP SAs. Add a new ESP SA by clicking New and using the following data:

Src IP: 192.168.71.1
Dest IP: 192.168.71.2
SPI: 0xcbb6490b
Encryption: rijndael-cbc -> AES-CBC
Encryption key: 0x23028dc5c4212de8051e9d5624375718
Authentication: hmac-sha1 -> HMAC-SHA-1-96
Authentication key: 0x6f298b6f053a5c14929d88ecc53714f3d2daa030

Click OK and repeat for the other SA.
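Typing the SA parameters into the dialog by hand is error-prone: the keys are printed in 32-bit chunks that must be joined, and the algorithm names differ between setkey and Wireshark. The script below is an added example (not from the page or from IMUNES) that parses `setkey -D` output into exactly the seven fields the dialog asks for, in the order listed above; the sample input is a copy of the page's own dump. The rijndael-cbc and hmac-sha1 labels are the ones the page gives; the TripleDES-CBC label for 3des-cbc is an assumption to verify against your Wireshark version. AH-only or incomplete entries are skipped because Wireshark cannot decrypt them.

```python
import re

# setkey algorithm names -> labels in Wireshark's ESP SA dialog.
WIRESHARK_ENC = {"rijndael-cbc": "AES-CBC",
                 "3des-cbc": "TripleDES-CBC"}   # 3des label assumed, check your version
WIRESHARK_AUTH = {"hmac-sha1": "HMAC-SHA-1-96"}

SA_HEADER = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
SPI_LINE = re.compile(r"\besp\b.*\bspi=\d+\((0x[0-9a-f]+)\)")
KEY_LINE = re.compile(r"^\s*([EA]):\s+(\S+)\s+((?:[0-9a-f]+\s*)+)$")


def parse_setkey_dump(text):
    """Turn `setkey -D` output into one dict per ESP SA, each key joined into one hex string."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:                                   # "src dst" line starts a new SA
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SPI_LINE.search(line)
        if m:                                   # only ESP entries carry a usable SPI here
            cur["spi"] = m.group(1)
            continue
        m = KEY_LINE.match(line)
        if m:
            kind, alg, chunks = m.groups()
            key = "0x" + "".join(chunks.split())   # join the 32-bit chunks
            if kind == "E":
                cur["enc"], cur["enc_key"] = WIRESHARK_ENC.get(alg, alg), key
            else:
                cur["auth"], cur["auth_key"] = WIRESHARK_AUTH.get(alg, alg), key
    return [sa for sa in sas if {"spi", "enc_key", "auth_key"} <= sa.keys()]


def dialog_fields(sa):
    """The fields in the order the ESP SA dialog on this page asks for them."""
    return [("Src IP", sa["src"]), ("Dest IP", sa["dst"]), ("SPI", sa["spi"]),
            ("Encryption", sa["enc"]), ("Encryption key", sa["enc_key"]),
            ("Authentication", sa["auth"]), ("Authentication key", sa["auth_key"])]


# Copy of the page's own `setkey -D` output, used as sample input.
SETKEY_DUMP = """\
192.168.71.1 192.168.71.2 
        esp mode=tunnel spi=3417721099(0xcbb6490b) reqid=1(0x00000001)
        E: rijndael-cbc  23028dc5 c4212de8 051e9d56 24375718
        A: hmac-sha1  6f298b6f 053a5c14 929d88ec c53714f3 d2daa030
        seq=0x00000034 replay=32 flags=0x00000000 state=mature 
        created: Nov 25 07:52:22 2014   current: Nov 25 08:02:58 2014
        sadb_seq=1 pid=383 refcnt=2
192.168.71.2 192.168.71.1 
        esp mode=any spi=3339251311(0xc708ee6f) reqid=1(0x00000001)
        E: rijndael-cbc  16bd4344 008c3dc0 9f7be384 86d3bdf7
        A: hmac-sha1  a5894f9f 685a0f5d f9fee2db 99f1cc5f c1db85a7
        seq=0x00000034 replay=32 flags=0x00000000 state=mature 
        sadb_seq=0 pid=383 refcnt=1
"""

if __name__ == "__main__":
    for sa in parse_setkey_dump(SETKEY_DUMP):
        for label, value in dialog_fields(sa):
            print(f"{label}: {value}")
        print()
```

Keep in mind what this output is: the dump and the capture together are all that is needed to read the tunnel, so treat both files as you would the SA keys themselves and delete them once the analysis is done.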

Last modified on Nov 25, 2014 9:23:38 AM