Transport Mode between two GNU/Linux hosts

Intro

• Mode : Transport
• Alice : Debian 8.1
• ip : 192.168.0.84
• Bob : Debian 8.1
• ip : 192.168.0.85

Network diagram

Installation

Alice and Bob

root@host:~# apt-get install ipsec-tools

Without IKE (manual keyed) and with AH + ESP

128, 192 and 224 bits Key generation

$ dd if=/dev/random count=16 bs=1| xxd -ps
a9b3d99cd41ed7bc51e1a007c1ccc97f
16+0 records in
16+0 records out

$ dd if=/dev/random count=24 bs=1| xxd -ps
5e9acb64f38d4a9b76e6a6c28220c48f048955fa24104df6
24+0 records in
24+0 records out

$ dd if=/dev/random count=28 bs=1 | xxd -ps
d565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299
28+0 records in
28+0 records out
					

Alice

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f 

## Flush the SAD and SPD 
# 
flush; 
spdflush; 

## AH security association (SA) 
#alice et bob 
add 192.168.0.84 192.168.0.85 ah 10000 -A hmac-md5 "1234567890123456"; 
add 192.168.0.85 192.168.0.84 ah 20000 -A hmac-md5 "1234567890123456"; 

#ESP 
#alice et bob 
add 192.168.0.84 192.168.0.85 esp 10001 -E aes-ctr 0xd565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299; 
#on peut choisir des clés différentes (entre Alice et Bob et Bob et Alice) :
add 192.168.0.85 192.168.0.84 esp 20001 -E aes-ctr "0xg565864f1e7d25f21b80af06afb2144eb9f9bcd8bb9d930e37600244"; 

## security policy 
#alice et bob 
spdadd 192.168.0.84 192.168.0.85 any -P out ipsec 
	esp/transport//require
	ah/transport//require;
spdadd 192.168.0.85 192.168.0.84 any -P in ipsec 
	esp/transport//require
	ah/transport//require;
							

Explanations :

• flush : flush the SAD (Security Association Database)
• spdflush : flush the SPD (Security Policy Database)
• We add a SA inside the SAD (Security Association Database) : add 192.168.0.84 (source) 192.168.0.85 (destination) ah (protocol ipsec) 10000 (SPI) -A (Algorithm) hmac-md5 (algorithm) "1234567890123456" (ascii key);
• add 192.168.0.84 (source) 192.168.0.85 (destination) esp 10001 -E (Encryption) aes-ctr (encryption type) 0x9d6c4a8275ab12fbfdcaf01f0ba9dcfb5f424c878e97f888 (hexadecimal key);
• We add a SP inside the SPD (Security Policy Database) : spdadd 192.168.0.84 (source) 192.168.0.85 (destination) any (protocols and ports to crypt) -P (rule to use) out (direction : in or out) ipsec (action : ipsec/discard/none)
• esp (protocol : ah, esp or ipcomp) /transport (mode) //require (level : use/require) ah/transport//require;

Some AH et ESP algorithms :

• hmac-md5 and hmac-sha
• des-cbc and 3des-cbc
• blowfish-cbc, aes-cbc
• hmac-sha2-256
• hmac-sha2-512

Bob

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f 

## Flush the SAD and SPD 
# 
flush; 
spdflush; 

## AH security association (SA) 
add 192.168.0.84 192.168.0.85 ah 10000 -A hmac-md5 "1234567890123456"; 
add 192.168.0.85 192.168.0.84 ah 20000 -A hmac-md5 "1234567890123456"; 

#ESP 
add 192.168.0.84 192.168.0.85 esp 10001 -E aes-ctr 0xd565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299; 
add 192.168.0.85 192.168.0.84 esp 20001 -E aes-ctr 0xg565864f1e7d25f21b80af06afb2144eb9f9bcd8bb9d930e37600244; 

spdadd 192.168.0.85 192.168.0.84 any -P out ipsec 
	esp/transport//require 
	ah/transport//require;
spdadd 192.168.0.84 192.168.0.85 any -P in ipsec 
	esp/transport//require
	ah/transport//require;

Check with tcpdump tool (from the bridge)

tcpdump -i br0

We can see ESP and AH frames.

root@host:~# tcpdump -i br0
11:59:39.230708 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68d): ESP(spi=0x00004e21,seq=0x68d), length 88 
11:59:39.328125 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x746): ESP(spi=0x00002711,seq=0x746), length 88 
11:59:39.328307 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68e): ESP(spi=0x00004e21,seq=0x68e), length 88 
11:59:40.230594 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x747): ESP(spi=0x00002711,seq=0x747), length 88 
11:59:40.230949 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68f): ESP(spi=0x00004e21,seq=0x68f), length 88 
11:59:40.327423 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x748): ESP(spi=0x00002711,seq=0x748), length 88 
11:59:40.327760 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x690): ESP(spi=0x00004e21,seq=0x690), length 88 
11:59:41.231482 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x749): ESP(spi=0x00002711,seq=0x749), length 88 
11:59:41.231717 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x691): ESP(spi=0x00004e21,seq=0x691), length 88 
11:59:41.326445 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x74a): ESP(spi=0x00002711,seq=0x74a), length 88 
11:59:41.326686 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x692): ESP(spi=0x00004e21,seq=0x692), length 88 
11:59:42.230489 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x74b): ESP(spi=0x00002711,seq=0x74b), length 88

Useful commands

• Load /etc/ipsec-tools.conf rules :

setkey -f /etc/ipsec-tools.conf

• Run racoon with /etc/racoon/racoon.conf configuration file and see real time logs :

racoon -F -f /etc/racoon/racoon.conf

• Flush the SAD entries :

setkey -F

• Check SA entries :

setkey -D

• Dump SAD and SPD entries :

setkey -DP

Summary

• Intro
• Transport mode between two GNU/Linux hosts
• Transport mode between Racoon and Windows hosts with PSK authentication
• Transport mode between Racoon and Windows hosts with x509 authentication
• Tunnel mode between Racoon and Windows hosts with x509 authentication
• Tunnel mode between two Racoon hosts with x509 authentication
• Transport mode between two Racoon hosts with x509 authentication
• Errors and References