Mode Transport avec Racoon et Windows et authentification x509

Préambule

• Mode : Transport, avec authentification x509
• Alice : Debian 6.0.5
• ip : 192.168.0.84
• Régis : Windows 7
• ip : 192.168.0.85

Synoptique

Création de l’autorité de certification

On créer un répertoire qui contiendra les certificats dans /var/certs :

root@host:~# cd /var/;  mkdir certs; cd certs/; mkdir v01; cd v01/ 
				

NB : C'est le fichier /usr/lib/ssl/openssl.cnf qui permet de pré-remplir les infos du certificat (Country Name, State Or Privince etc...).
On créer son autorité de certification grâce au script /usr/lib/ssl/misc/CA.pl :

root@host:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create) 

aking CA certificate ... 
Generating a 1024 bit RSA private key 
.............................................++++++ 
............++++++ 
writing new private key to './demoCA/private/cakey.pem' 
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:FR 
State or Province Name (full name) [Some-State]:MP 
Locality Name (eg, city) []:MARS 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SOCIETE 
Organizational Unit Name (eg, section) []: 
Common Name (eg, YOUR name) []:RootCA 
Email Address []:admin@societe.fr 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []:  
Using configuration from /usr/lib/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
	Serial Number: 
		d9:34:84:c4:17:20:26:8b 
	Validity 
		Not Before: Oct  1 13:41:51 2012 GMT 
	Not After : Oct  1 13:41:51 2015 GMT 
	Subject: 
		countryName               = FR
		stateOrProvinceName       = MP
		organizationName          = SheBang
		commonName                = RootCA
		emailAddress              = admin@societe.fr 
	X509v3 extensions: 
		X509v3 Subject Key Identifier:
		B4:B6:FD:F4:33:62:76:B7:7B:3C:8A:18:9D:00:A4:0A:E0:5A:3C:DB 
		X509v3 Authority Key Identifier:
		keyid:C4:B6:FD:F4:33:63:76:B7:7A:30:8A:18:9D:00:B4:0A:E0:5B:3C:DB 
			DirName:/C=FR/ST=MP/O=SheBang/CN=RootCA/emailAddress=admin@societe.fr 
			serial:D9:34:84:C4:17:20:26:8B 

	X509v3 Basic Constraints: 
		CA:TRUE 
Certificate is to be certified until Oct  1 13:41:51 2015 GMT (1095 days) 

Write out database with 1 new entries 
Data Base Updated

Alice

Installation des paquets nécessaires

root@host:~# apt-get install racoon ipsec-tools

• NB  : Il faut choisir l'option modification directe lors de l'installation de raccon.

Certificats pour la passerelle Debian :

root@host:~# openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout privkey.pem -outform PEM -out newreq.pem

Generating a 1024 bit RSA private key 
.++++++ 
..............++++++ 
writing new private key to 'privkey.pem' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:FR 
State or Province Name (full name) [Some-State]:MP 
Locality Name (eg, city) []:MA_VILLE 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SheBang 
Organizational Unit Name (eg, section) []: 
Common Name (eg, YOUR name) []:VPN-Gateway-Debian 
Email Address []:admin@societe.fr 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []:  
					

On signe le certificat via l'autorité de certification:

root@host:~# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
	Serial Number: 
		d9:34:84:c4:17:20:26:8c 
	Validity 
		Not Before: Oct  1 13:44:34 2012 GMT 
		Not After : Oct  1 13:44:34 2013 GMT 
	Subject: 
		countryName               = FR 
		stateOrProvinceName       = MP 
		localityName              = MARS 
		organizationName          = SheBang 
		commonName                = VPN-Gateway-Debian 
		emailAddress              = admin@societe.fr 
	X509v3 extensions: 
		X509v3 Basic Constraints: 
			CA:FALSE 
		Netscape Comment: 
			OpenSSL Generated Certificate 
		X509v3 Subject Key Identifier:
			65:DF:0F:06:02:6F:34:8D:AB:63:E0:5B:1E:26:31:5E:B8:50:19:13
		X509v3 Authority Key Identifier:
			keyid:B4:B6:FD:F4:33:62:76:B7:7A:30:8A:18:9D:00:A4:0A:E0:5B:3C:DB

Certificate is to be certified until Oct  1 13:44:34 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
Signed certificate is in newcert.pem 
				

• On déplace notre certificat nouvellement créé et signé dans un dossier debian et dans le dossier /etc/racoon/certs :

root@host:~# mkdir debian; mv newcert.pem newreq.pem privkey.pem -t debian/; cp debian/* /etc/racoon/certs

Reconnaitre l'autorité de certification

• Pour que l'hôte debian puisse reconnaître les certificats générés par le CA il faudra exécuter la commande suivante dans /etc/racoon/certs

root@host:~# ln -s /var/certs/v01/demoCA/cacert.pem `openssl x509 -noout -hash -in /var/certs/v01/demoCA/cacert.pem`.0

Contenu de /etc/racoon/certs

user@alice # ls /etc/racoon/certs/
3fda260d.0  cacert.pem  newcert.pem  privkey.pem

/etc/racoon/racoon.conf

#path pre_shared_key "/etc/racoon/psk.txt"; 
path certificate "/etc/racoon/certs"; 

remote 192.168.0.85 { 
	exchange_mode main; 
	my_identifier asn1dn; 
	peers_identifier asn1dn; 
	verify_identifier on; 
	certificate_type x509 "newcert.pem" "privkey.pem"; 
	proposal { 
		encryption_algorithm 3des; 
		hash_algorithm sha1; 
		authentication_method rsasig ; 
		dh_group 2; 
	} 
} 
 
sainfo address 192.168.0.84 any address 192.168.0.85 any { 
	#pfs_group modp768; 
	#pfs_group 2; 
	lifetime time 1 hour; 
	encryption_algorithm 3des; 
	authentication_algorithm hmac_sha1; 
	compression_algorithm deflate; 
} 
					

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f 

# 
## Flush the SAD and SPD 
flush; 
spdflush; 

# 
spdadd 192.168.0.84 192.168.0.85 any -P out ipsec 
    esp/transport//require; 
#                      
spdadd 192.168.0.85 192.168.0.84 any -P in ipsec 
   esp/transport//require; 
# 
					

Régis

Création du certificat pour l'hôte Windows 7

user@alice # openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout privkey.pem -outform PEM -out newreq.pem 

Generating a 1024 bit RSA private key 
.................................++++++ 
......++++++ 
writing new private key to 'privkey.pem' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:FR 
State or Province Name (full name) [Some-State]:MP 
Locality Name (eg, city) []:MARS 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SOCIETE 
Organizational Unit Name (eg, section) []: 
Common Name (eg, YOUR name) []:Host-Windows 
Email Address []:admin@societe.fr 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
					

Signature du certificat par l'autorité de certification

user@alice # /usr/lib/ssl/misc/CA.pl -sign 
Using configuration from /usr/lib/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
	Serial Number: 
		d9:34:84:c4:17:20:26:8d 
	Validity 
		Not Before: Oct  1 13:48:48 2012 GMT 
		Not After : Oct  1 13:48:48 2013 GMT 
	Subject: 
		countryName               = FR 
		stateOrProvinceName       = MP 
		localityName              = MARS 
		organizationName          = SOCIETE 
		commonName                = Host-Windows 
		emailAddress              = admin@societe.fr 
	X509v3 extensions:  
		X509v3 Basic Constraints: 
			CA:FALSE 
		Netscape Comment: 
			OpenSSL Generated Certificate 
		X509v3 Subject Key Identifier:
			3F:8B:22:32:82:01:3A:5A:F6:F4:67:70:BF:06:19:B4:FF:9A:6C:38 
		X509v3 Authority Key Identifier:
			keyid:B4:B6:FD:F4:33:62:76:B7:7A:30:8A:18:9D:00:A4:0A:E0:5B:3C:DB 

Certificate is to be certified until Oct  1 13:48:48 2013 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
Signed certificate is in newcert.pem 
					

Exporter le certificat au format PKCS12

• La façon la plus simple de transférer le certificat vers un hôte Windows est de l'exporter au format PKCS#12. On peut le faire via la commande openssl suivante :

user@alice # openssl pkcs12 -export -inkey privkey.pem -in newcert.pem -certfile demoCA/cacert.pem -out export.p12 -name "Windows Cert" 
Enter Export Password: 
Verifying - Enter Export Password:
					

Contenu du dossier contenant les certificats

user@alice # ls -R 
debian  demoCA  export.p12  newcert.pem  newreq.pem  privkey.pem 

./debian: 
newcert.pem  newreq.pem  privkey.pem 

./demoCA: 
cacert.pem  careq.pem  certs  crl  crlnumber  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  newcerts  private  serial  serial.old 

./demoCA/certs: 

./demoCA/crl: 

./demoCA/newcerts: 
D93484C41720268B.pem  D93484C41720268C.pem  D93484C41720268D.pem 

./demoCA/private: 
cakey.pem

Quelques commandes utiles

user@alice # setkey -FP

user@alice # racoon -F -f /etc/racoon/racoon.conf

user@alice # setkey -f /etc/ipsec-tools.conf

Installation du certificat sur l'hôte Windows

Ouverture de la Microsoft Management Console :

• Démarrer > MMC

• File > Add/Remove Snap-in...

• On ajoute les composants "IP Security Monitor", "Certificates (Computer Account, Local Computer)" et "IP Security Policies (Local Computer)" :

Et on rajoute les même informations que précisé ici

On installe le certificat

• Dans la console MMC : Console Root > Certificates (Local Computer) > Clic droit sur Personal > All Tasks > Import

• La fenêtre suivante apparaît, on clique sur suivant :

• On clique sur "Browse" :

• On se déplace dans le dossier ou se trouve le fichier p12 (ne pas oublier de mettre "All Files *.*" en bas à droite) et on clique sur "Open" :

• On entre le mot de passe si paramétré durant l'étape 5.3.b et on clique sur suivant :

• On choisit "Automatically select..." :

• En cliquant sur "Finish" on valide l'importation du certficat :

On retourne ensuite dans la console MMC :

• Console Root > IP Security Policies on Local Computer
  Clic droit sur notre stratégie , Properties :
  

• La fenêtre IPsec Properties apparaît et on clique sur "Edit" pour éditer notre filtre :

• Dans l'onglet Authentification Methods, on clique sur "Edit" :

• On choisit "Use a certificate..." :

• Et on choisit le certificat nouvellement installé :

Sommaire

• Mode Transport entre deux stations GNU/Linux
• Mode Transport avec Racoon et Windows et authentification PSK
• Mode Transport avec Racoon et Windows et authentification x509
• Mode Tunnel avec Racoon et Windows avec authentification x509
• Mode Tunnel entre deux stations GNU/Linux avec Racoon et authentification x509
• Mode Transport entre deux stations GNU/Linux avec Racoon et authentification x509
• Erreurs rencontrées et Références