
Transport Mode between two GNU/Linux hosts

Intro

  • Mode : Transport
  • Alice : Debian 8.1
    • ip : 192.168.0.84
  • Bob : Debian 8.1
    • ip : 192.168.0.85

Network diagram

Installation

Alice and Bob

root@host:~# apt-get install ipsec-tools

Without IKE (manual keying) and with AH + ESP. With manual keying the keys written into the configuration are static: nothing rekeys them, there is no key exchange and no forward secrecy, and the sequence counters are never reset by a fresh SA. This is suitable for a lab and for understanding the SAD/SPD model; for anything long-lived, use IKE (racoon) to negotiate and rotate the SAs.

128-, 192- and 224-bit key generation (16, 24 and 28 bytes). Note that for aes-ctr the value given to setkey is the AES key followed by a 4-byte nonce, so the 28-byte (224-bit) value used below is an AES-192 key plus nonce; 20 and 36 bytes would select AES-128 and AES-256. /dev/urandom is equally suitable here and does not block. The generated values are the secret material that goes straight into the SAD: generate a fresh one for every SA and do not reuse an AES-CTR key in both directions.

$ dd if=/dev/random count=16 bs=1| xxd -ps
a9b3d99cd41ed7bc51e1a007c1ccc97f
16+0 records in
16+0 records out

$ dd if=/dev/random count=24 bs=1| xxd -ps
5e9acb64f38d4a9b76e6a6c28220c48f048955fa24104df6
24+0 records in
24+0 records out

$ dd if=/dev/random count=28 bs=1 | xxd -ps
d565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299
28+0 records in
28+0 records out
					

Alice

/etc/ipsec-tools.conf

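#!/usr/sbin/setkey -f
#
# Alice (192.168.0.84) <-> Bob (192.168.0.85): manual keying, transport mode,
# AH + ESP.  This file contains raw key material, so keep it readable by root
# only (chmod 600) and keep it out of version control.  Every key below is a
# throwaway example: generate your own with
#   dd if=/dev/urandom bs=1 count=<bytes> | xxd -ps
# and use a separate value for each SA.  Never reuse an AES-CTR key for both
# directions: if two SAs share a key, their keystreams can coincide and the
# plaintext is exposed.

## Flush the SAD and SPD so no stale SA or policy survives a reload.
flush;
spdflush;

## AH security associations (one per direction, distinct SPIs).
# An unquoted 0x... key is hexadecimal; a "quoted" key is taken as ASCII
# bytes and is therefore guessable -- always use generated hex keys.
# -r 32 enables a 32-packet anti-replay window; per setkey(8) a window of
# zero (the default) disables replay checking entirely.
# hmac-md5 is kept only to match the walkthrough; for anything beyond a lab
# prefer hmac-sha2-256 with a freshly generated 256-bit key.
# The walkthrough generated a single 128-bit key, so both directions share
# it here -- generate a second one for the 85->84 SA in a real deployment.
add 192.168.0.84 192.168.0.85 ah 10000 -r 32 -A hmac-md5 0xa9b3d99cd41ed7bc51e1a007c1ccc97f;
add 192.168.0.85 192.168.0.84 ah 20000 -r 32 -A hmac-md5 0xa9b3d99cd41ed7bc51e1a007c1ccc97f;

## ESP security associations (one per direction, distinct SPIs and keys).
# aes-ctr takes key + 4-byte nonce: 28 bytes here = AES-192.  The 85->84
# value is an example only; generate it independently rather than editing
# a copy of the 84->85 key.  Both hosts must have identical SA lines.
add 192.168.0.84 192.168.0.85 esp 10001 -r 32 -E aes-ctr 0xd565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299;
add 192.168.0.85 192.168.0.84 esp 20001 -r 32 -E aes-ctr 0xa565864f1e7d25f21b80af06afb2144eb9f9bcd8bb9d930e37600244;

## Security policies: every packet between the two hosts, in both
## directions, must be protected by ESP and AH.  "require" drops traffic
## that cannot be protected instead of sending it in clear ("use" would
## fall back to cleartext when no SA matches).
spdadd 192.168.0.84 192.168.0.85 any -P out ipsec
	esp/transport//require
	ah/transport//require;
spdadd 192.168.0.85 192.168.0.84 any -P in ipsec
	esp/transport//require
	ah/transport//require;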
							

Explanations :

  • flush : flush the SAD (Security Association Database)
  • spdflush : flush the SPD (Security Policy Database)
  • We add a SA inside the SAD (Security Association Database) : add 192.168.0.84 (source) 192.168.0.85 (destination) ah (IPsec protocol) 10000 (SPI) -A (authentication algorithm) hmac-md5 (algorithm) "1234567890123456" (key). A key in double quotes is taken as ASCII bytes; a key written as 0x... is hexadecimal. The ASCII form is shown here only to illustrate the syntax — a human-readable string like this is guessable and must never be used as a real key; use the generated hex values instead.
  • add 192.168.0.84 (source) 192.168.0.85 (destination) esp 10001 -E (encryption) aes-ctr (encryption algorithm) 0xd565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299 (hexadecimal key: for aes-ctr this is the AES key plus a 4-byte nonce, so it must be 20, 28 or 36 bytes long);
  • We add a SP inside the SPD (Security Policy Database) : spdadd 192.168.0.84 (source) 192.168.0.85 (destination) any (protocols and ports to protect) -P (policy) out (direction : in or out) ipsec (action : ipsec/discard/none)
  • esp (protocol : ah, esp or ipcomp) /transport (mode) //require (level : use/require) ah/transport//require; — "require" drops packets that cannot be protected, whereas "use" falls back to cleartext when no matching SA exists, so "require" is the level to use whenever confidentiality matters.

Some AH and ESP algorithms (see setkey(8) for the full list and the key length each one expects) :

  • hmac-md5 and hmac-sha
  • des-cbc and 3des-cbc
  • blowfish-cbc, aes-cbc
  • hmac-sha2-256
  • hmac-sha2-512

des-cbc, blowfish-cbc, hmac-md5 and hmac-sha (SHA-1) are legacy choices; for new configurations prefer aes-cbc or aes-ctr for ESP together with hmac-sha2-256 or hmac-sha2-512 for authentication.

Bob

/etc/ipsec-tools.conf

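#!/usr/sbin/setkey -f
#
# Bob (192.168.0.85) <-> Alice (192.168.0.84): manual keying, transport mode,
# AH + ESP.  The SA lines must be byte-for-byte identical to Alice's; only
# the policy directions differ.  This file contains raw key material: keep
# it readable by root only (chmod 600) and out of version control.  All keys
# below are throwaway examples -- generate your own with
#   dd if=/dev/urandom bs=1 count=<bytes> | xxd -ps
# and never reuse an AES-CTR key for both directions.

## Flush the SAD and SPD so no stale SA or policy survives a reload.
flush;
spdflush;

## AH security associations (one per direction, distinct SPIs).
# Unquoted 0x... = hexadecimal key; a "quoted" key would be ASCII bytes and
# guessable.  -r 32 enables a 32-packet anti-replay window (per setkey(8),
# a window of zero -- the default -- disables replay checking).
# hmac-md5 is kept to match the walkthrough; prefer hmac-sha2-256 with a
# freshly generated 256-bit key outside a lab.  Both directions share the
# single 128-bit key the walkthrough generated -- use a second one in
# a real deployment.
add 192.168.0.84 192.168.0.85 ah 10000 -r 32 -A hmac-md5 0xa9b3d99cd41ed7bc51e1a007c1ccc97f;
add 192.168.0.85 192.168.0.84 ah 20000 -r 32 -A hmac-md5 0xa9b3d99cd41ed7bc51e1a007c1ccc97f;

## ESP security associations (one per direction, distinct SPIs and keys).
# aes-ctr takes key + 4-byte nonce: 28 bytes here = AES-192.  The 85->84
# value is an example only; generate it independently.
add 192.168.0.84 192.168.0.85 esp 10001 -r 32 -E aes-ctr 0xd565864f1e6c25f21b80af06afb2144eb9f9bcd8bb9d930e37600299;
add 192.168.0.85 192.168.0.84 esp 20001 -r 32 -E aes-ctr 0xa565864f1e7d25f21b80af06afb2144eb9f9bcd8bb9d930e37600244;

## Security policies: Bob's outbound traffic to Alice and inbound traffic
## from Alice must both carry ESP and AH.  "require" drops anything that
## cannot be protected rather than sending it in clear.
spdadd 192.168.0.85 192.168.0.84 any -P out ipsec
	esp/transport//require
	ah/transport//require;
spdadd 192.168.0.84 192.168.0.85 any -P in ipsec
	esp/transport//require
	ah/transport//require;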

Check with the tcpdump tool (from the bridge, which sees the traffic as a third party would)

tcpdump -i br0

Only AH and ESP packets appear between the two hosts — no cleartext TCP or ICMP — which is exactly what the "require" level guarantees. The SPIs match the configuration (0x2710 = 10000, 0x2711 = 10001 for Alice's outbound SAs, 0x4e20 = 20000, 0x4e21 = 20001 for Bob's) and the sequence numbers increase on every packet, which is what the anti-replay window checks against. Add -X to confirm that the ESP payload is opaque. Keep in mind that until the configuration has been loaded with setkey -f, the same traffic crosses the bridge in clear, so load the policies before starting the service you want to protect.

root@host:~# tcpdump -i br0
11:59:39.230708 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68d): ESP(spi=0x00004e21,seq=0x68d), length 88 
11:59:39.328125 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x746): ESP(spi=0x00002711,seq=0x746), length 88 
11:59:39.328307 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68e): ESP(spi=0x00004e21,seq=0x68e), length 88 
11:59:40.230594 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x747): ESP(spi=0x00002711,seq=0x747), length 88 
11:59:40.230949 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x68f): ESP(spi=0x00004e21,seq=0x68f), length 88 
11:59:40.327423 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x748): ESP(spi=0x00002711,seq=0x748), length 88 
11:59:40.327760 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x690): ESP(spi=0x00004e21,seq=0x690), length 88 
11:59:41.231482 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x749): ESP(spi=0x00002711,seq=0x749), length 88 
11:59:41.231717 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x691): ESP(spi=0x00004e21,seq=0x691), length 88 
11:59:41.326445 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x74a): ESP(spi=0x00002711,seq=0x74a), length 88 
11:59:41.326686 IP 192.168.0.85 > 192.168.0.84: AH(spi=0x00004e20,seq=0x692): ESP(spi=0x00004e21,seq=0x692), length 88 
11:59:42.230489 IP 192.168.0.84 > 192.168.0.85: AH(spi=0x00002710,seq=0x74b): ESP(spi=0x00002711,seq=0x74b), length 88

Useful commands

  • Load /etc/ipsec-tools.conf rules :
setkey -f /etc/ipsec-tools.conf
  • Run racoon with /etc/racoon/racoon.conf configuration file and see real time logs :
racoon -F -f /etc/racoon/racoon.conf
  • Flush the SAD entries :
setkey -F
  • Check SA entries (the dump includes the raw keys of every SA, so it requires root and must not be pasted into tickets, logs or chat) :
setkey -D
  • Dump SAD and SPD entries :
setkey -DP

Summary

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address