Transport mode between Racoon and Windows hosts with PSK authentication

Intro

• Mode : Transport, with PSK authentication
• Alice : Debian 8
• ip : 192.168.0.84
• Régis : Windows 7
• ip : 192.168.0.85

Network diagram

Alice

Install racoon and ipsec-tools :

root@host:~# apt-get install racoon ipsec-tools

NB : choose direct modification during raccon installation process.

racoon configuration file is /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt"; 
#path certificate "/etc/racoon/certs"; 

remote 192.168.0.85 { 
	exchange_mode main; 
	proposal { 
		encryption_algorithm 3des; 
		hash_algorithm sha1; 
		authentication_method pre_shared_key; 
		#dh_group modp1024; 
		dh_group 2; 
	} 
#        generate_policy off; 
} 

sainfo address 192.168.0.84 any address 192.168.0.85 any { 
	#pfs_group modp768; 
	#pfs_group 2; 
	lifetime time 1 hour; 
	encryption_algorithm 3des; 
	authentication_algorithm hmac_sha1; 
	compression_algorithm deflate; 
} 
				

Inside /etc/racoon/psk.txt we set the pre-shared key :

# IPv4/v6 addresses 
192.168.0.85	TEST

We set SA/SP inside /etc/ipsec-tools.conf :

#!/usr/sbin/setkey -f 

## Flush the SAD and SPD 
# 
flush; 
spdflush; 

spdadd 192.168.0.84 192.168.0.85 any -P out ipsec 
esp/transport//require; 
#                      
spdadd 192.168.0.85 192.168.0.84 any -P in ipsec 
esp/transport//require; 
#

Useful commands

• Load /etc/ipsec-tools.conf rules :

setkey -f /etc/ipsec-tools.conf

• Run racoon with /etc/racoon/racoon.conf configuration file and see real time logs :

racoon -F -f /etc/racoon/racoon.conf

• Flush the SAD entries :

setkey -F

• Check SA entries :

setkey -D

• Dump SAD and SPD entries :

setkey -DP

• Manage IPSec policies :

ip -s xfrm policy

ip -s xfrm state

Regis

Windows 7

Open Microsoft Management Console :

Add Snap-in :

• File > Add/Remove Snap-in :

• IP Security Policy Management > Add IP Security Monitor then IP Security Policies Management

• Local Computer :

• Right click on IP Security Policies on Local Computer and Create IP Security Policy... :

• This windows appears :

• Click on "Next" then set a policy name :

• Unset "Activate the default response rule" :

• Then click on "Finish" to edit policy :

• The IPsec Properties window appears. Unset Use Add Wizard then click on "Add" in order to create a new filter :

• click on "Add" :

• Set a Name, Unset Use Add Wizard then click on "Add" :

• Set Addresses :

• Set Protocol :

• Filter Action > Phase > Edit

• Security Methods > Negociate security > Add

• Custom > Settings

• Set the Security Method

• Authentication Methods > Edit

• Set Use this string... with a preshared key

• Tunnel Setting > This rule does not specified by these IPsec tunnel

• Connection Type > Local area network (LAN)

• Don't forget to enable the policy by selecting Assign

• Wireshark check from the bridge machine

Summary

• Intro
• Transport mode between two GNU/Linux hosts
• Transport mode between Racoon and Windows hosts with PSK authentication
• Transport mode between Racoon and Windows hosts with x509 authentication
• Tunnel mode between Racoon and Windows hosts with x509 authentication
• Tunnel mode between two Racoon hosts with x509 authentication
• Transport mode between two Racoon hosts with x509 authentication
• Errors and References