
Swiss Cyber Storm II – Hack & Learn

VPN with Windows 7 and Linux strongSwan using IKEv2

Prof. Dr. Andreas Steffen


Andreas Steffen, 19.04.2009, CyberStormII.pptx 2

The "Road Warrior" Remote Access Case

Road Warriors sign on to their home network via IKEv2 with varying IP addresses assigned dynamically by the local ISP.

[Figure: Road Warrior (dynamic IP x.x.x.x, virtual IP 10.10.3.6) --- Internet --- IPsec tunnel --- VPN Gateway 77.56.157.76 --- Home Network 10.10.0.0/23]

Authentication is preferably based on RSA public keys and X.509 certificates issued by the home network.

Virtual IP and internal name server information are assigned by the home network. Remote hosts thus become part of an extruded net.

IKEv2 – Internet Key Exchange v2 (2005)

IKE_SA_INIT exchange pair (UDP/500, sent in the clear):
  1  Initiator -> Responder:  IKE Header, SAi1, KEi, Ni
  2  Responder -> Initiator:  IKE Header, SAr1, KEr, Nr

IKE_AUTH exchange pair (payloads encrypted and integrity-protected with the keys derived from IKE_SA_INIT):
  3  Initiator -> Responder:  IKE Header, { IDi, [CERTi], AUTHi, [IDr], SAi2, TSi, TSr }
  4  Responder -> Initiator:  IKE Header, { IDr, [CERTr], AUTHr, SAr2, TSi, TSr }

SAi1/SAr1 negotiate the IKE_SA proposal, KEi/KEr carry the Diffie-Hellman values and Ni/Nr the nonces; SAi2/SAr2 together with the traffic selectors TSi/TSr set up the first CHILD_SA in the same round trip. AUTHi/AUTHr are the signatures (or MACs) that bind each side's identity to the exchange; a peer that does not verify the other side's AUTH payload is open to man-in-the-middle attacks.

Client Authentication with Machine Certificates

Windows 7 Machine Certificates

Machine certificates (*.p12) must be imported via the Microsoft Management Console (mmc, Certificates snap-in for the Computer account) into the Local Computer certificate store of Windows 7, not into the current user's store!

The PKCS#12 file carries the client certificate together with its private key; the CA certificate that issued the client and gateway certificates must end up in the Local Computer Trusted Root Certification Authorities store, otherwise the client rejects the gateway during IKE_AUTH. The gateway certificate in turn needs a subjectAltName matching the address entered in the client and the serverAuth extended key usage.

Windows 7 VPN Client Configuration I–III

[Screenshots of the new VPN connection wizard; callouts: "VPN gateway" (address entered) and "Arbitrary name" (connection name)]

Windows 7 VPN Client Configuration IV

[Screenshot; callout: "Username/Password information not used if"]


Windows 7 VPN Client Configuration VI

Alternatively, EAP-MS-CHAPv2 username/password based authentication could be used with a Linux strongSwan gateway.

Unfortunately, the Windows 7 Beta is prone to man-in-the-middle attacks, since the gateway's signature is not verified by the Windows 7 client!
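As an added example (not from the slides and not strongSwan's own documentation): the gateway side of that EAP-MS-CHAPv2 variant in ipsec.conf syntax. It assumes strongSwan 4.4 or later (the leftauth/rightauth and eap_identity keywords), reuses the koala certificate and key names from the machine-certificate configuration, and uses a placeholder user name and password.

```ini
# /etc/ipsec.conf  (added example; keyword syntax of strongSwan >= 4.4 assumed)
conn win7-eap
    keyexchange=ikev2
    # the gateway still authenticates with its RSA key and X.509 certificate
    leftauth=pubkey
    leftcert=koalaCert.pem
    leftid=@koala.strongswan.org
    left=%any
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    # the client authenticates with username/password carried inside EAP-MS-CHAPv2
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    rightsourceip=10.10.3.0/24
    auto=add

# /etc/ipsec.secrets
: RSA koalaKey.pem
# placeholder credentials; the name must match the Windows user name sent as EAP identity
alice : EAP "s3cret-placeholder"
```

On the Windows side the connection's security settings select "Use Extensible Authentication Protocol (EAP)" with "Microsoft: Secured password (EAP-MSCHAP v2)". The gateway still sends its certificate and signs its AUTH payload; the weakness the slide describes is that the Windows 7 Beta client does not check that signature, which no gateway setting can repair, so with the Beta this configuration stays exposed to a rogue gateway and machine certificates remain the safer choice.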


Windows 7 VPN Client Configuration VII

The Windows 7 Agile VPN Client supports the IKEv2 Mobility and Multihoming Protocol MOBIKE (RFC 4555).

A change of the IP address or network interface on the client side is communicated via IKEv2 to the VPN gateway so that an existing IPsec tunnel is migrated automatically!


Linux strongSwan Gateway Configuration

# /etc/ipsec.conf
conn win7
    keyexchange=ikev2
    authby=rsasig
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=koalaCert.pem
    leftid=@koala.strongswan.org
    leftfirewall=yes
    right=%any
    rightsourceip=10.10.3.0/24
    auto=add

# /etc/ipsec.secrets
: RSA koalaKey.pem

# /etc/strongswan.conf
charon {
    dns1 = 62.2.17.60
    dns2 = 62.2.24.162
    nbns1 = 10.10.1.1
    nbns2 = 10.10.0.1
}

The strongSwan gateway could narrow the traffic selector to the local network (10.10.0.0/23), but Windows 7 does not allow split-tunneling, so leftsubnet=0.0.0.0/0 is required and all client traffic is routed through the tunnel!


Linux strongSwan Logfile

[NET] received packet: from 193.247.250.37[506] to 77.56.157.76[500]
[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
[IKE] 193.247.250.37 is initiating an IKE_SA
[IKE] remote host is behind NAT
[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
[NET] sending packet: from 77.56.157.76[500] to 193.247.250.37[506]
[NET] received packet: from 193.247.250.37[3226] to 77.56.157.76[4500]
[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP SA TSi TSr ]
[IKE] authentication of 'C=CH, O=Linux strongSwan, CN=bonsai.strongswan.org' with RSA signature successful
[IKE] IKE_SA win7[1] established between 77.56.157.76[koala.strongswan.org]...193.247.250.37[C=CH, O=Linux strongSwan, CN=bonsai.strongswan.org]
[IKE] assigning virtual IP 10.10.3.6 to peer
[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] CHILD_SA win7{1} established with SPIs c97fa201_i e7d5941a_o and TS 0.0.0.0/0 === 10.10.3.6/32
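The following is an added example, not code from the slides or from strongSwan: it builds the first IKE_SA_INIT message of the exchange described on the IKEv2 slide on the wire (RFC 4306 header and payload chain), then parses it the way a gateway does and recomputes the NAT_DETECTION hashes over the addresses actually seen, which is the check behind the "remote host is behind NAT" line in the logfile above. The SA and KE bodies are opaque placeholders (the parser only walks the chain), and the addresses, ports and SPI are constructed sample data.

```python
"""Added example (not from the slides): an IKEv2 IKE_SA_INIT request on the wire, parsed the way a
gateway such as strongSwan's charon does it, including the NAT_DETECTION check behind the
"remote host is behind NAT" log line. Addresses, ports, SPIs and payload bodies are constructed."""
import hashlib
import os
import socket
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, next payload, version, exchange, flags, msg ID, length
GEN_HDR = struct.Struct("!BBH")         # next payload, critical bit (0x80) + reserved, payload length
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "No", 41: "N", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP"}
PTYPE = {name: code for code, name in PAYLOAD.items()}
NATD_S_IP, NATD_D_IP = 16388, 16389
NOTIFY = {NATD_S_IP: "NATD_S_IP", NATD_D_IP: "NATD_D_IP", 16396: "MOBIKE_SUP", 16397: "ADD_4_ADDR"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

def nat_d_hash(spi_i, spi_r, ip, port):
    """NAT-D payload data: SHA-1(SPIi | SPIr | IPv4 address | port), RFC 4306 section 2.23."""
    return hashlib.sha1(spi_i + spi_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()

def notify(ntype, data):
    """Notify payload body with protocol ID 0 and no SPI: proto, SPI size, notify type, data."""
    return struct.pack("!BBH", 0, 0, ntype) + data

def encode_payloads(chain):
    """Link [(name, body), ...] into a payload chain; each generic header names the next type (0 = end)."""
    out = b""
    for i, (name, body) in enumerate(chain):
        nxt = PTYPE[chain[i + 1][0]] if i + 1 < len(chain) else 0
        out += GEN_HDR.pack(nxt, 0, GEN_HDR.size + len(body)) + body
    return out

def build_ike_sa_init_request(spi_i, src_ip, src_port, dst_ip, dst_port, sa_body, ke_body, nonce):
    """Message 1 of the exchange: HDR, SAi1, KEi, Ni plus the two NAT-D notifies; SPIr is still zero."""
    spi_r = bytes(8)
    chain = [("SA", sa_body), ("KE", ke_body), ("No", nonce),
             ("N", notify(NATD_S_IP, nat_d_hash(spi_i, spi_r, src_ip, src_port))),
             ("N", notify(NATD_D_IP, nat_d_hash(spi_i, spi_r, dst_ip, dst_port)))]
    body = encode_payloads(chain)
    hdr = IKE_HDR.pack(spi_i, spi_r, PTYPE["SA"], 0x20, 34, FLAG_INITIATOR, 0, IKE_HDR.size + len(body))
    return hdr + body

def parse_message(data):
    """Validate the header, walk the chain; ValueError on malformed input or an unknown critical payload."""
    if len(data) < IKE_HDR.size:
        raise ValueError("short header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    if version >> 4 != 2 or length != len(data):
        raise ValueError("not IKEv2 or length mismatch")
    payloads, off = [], IKE_HDR.size
    while nxt != 0:
        ptype = nxt
        if off + GEN_HDR.size > len(data):
            raise ValueError("truncated payload header")
        nxt, crit, plen = GEN_HDR.unpack_from(data, off)
        if plen < GEN_HDR.size or off + plen > len(data):
            raise ValueError("bad payload length")
        if ptype not in PAYLOAD and crit & 0x80:  # RFC 4306 3.2: unknown critical payload -> reject message
            raise ValueError("unsupported critical payload %d" % ptype)
        if ptype in PAYLOAD:
            payloads.append((PAYLOAD[ptype], data[off + GEN_HDR.size:off + plen]))
        off += plen  # unknown non-critical payloads are skipped
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": EXCHANGE.get(exch, str(exch)),
            "response": bool(flags & FLAG_RESPONSE), "msg_id": msg_id, "payloads": payloads}

def notify_type(body):
    return struct.unpack_from("!H", body, 2)[0]

def summarize(msg):
    """Render the chain in charon's log style: 'parsed IKE_SA_INIT request 0 [ SA KE No ... ]'."""
    names = ["N(%s)" % NOTIFY.get(notify_type(b), notify_type(b)) if n == "N" else n for n, b in msg["payloads"]]
    kind = "response" if msg["response"] else "request"
    return "parsed %s %s %d [ %s ]" % (msg["exchange"], kind, msg["msg_id"], " ".join(names))

def detect_nat(msg, seen_src_ip, seen_src_port, seen_dst_ip, seen_dst_port):
    """Recompute the NAT-D hashes over the addresses actually seen on the wire. A NATD_S_IP mismatch
    means the peer is behind NAT (it hashed its private address); a NATD_D_IP mismatch means we are."""
    src_match = dst_match = None
    for name, body in msg["payloads"]:
        if name != "N" or notify_type(body) not in (NATD_S_IP, NATD_D_IP):
            continue
        data = body[4 + body[1]:]  # skip proto, SPI size, type and the SPI itself
        if notify_type(body) == NATD_S_IP:
            src_match = bool(src_match) or data == nat_d_hash(msg["spi_i"], msg["spi_r"], seen_src_ip, seen_src_port)
        else:
            dst_match = bool(dst_match) or data == nat_d_hash(msg["spi_i"], msg["spi_r"], seen_dst_ip, seen_dst_port)
    if src_match is None or dst_match is None:
        return None  # peer sent no NAT-D payloads: NAT traversal is not negotiated
    return {"peer_behind_nat": not src_match, "local_behind_nat": not dst_match}

def demo():
    """Road warrior at private 192.168.1.23:500; its NAT rewrites the packet to 193.247.250.37:506."""
    spi_i = bytes.fromhex("c97fa201e7d5941a")            # constructed initiator SPI
    ke = struct.pack("!HH", 14, 0) + bytes(32)            # DH group 14 header + placeholder key data
    req = build_ike_sa_init_request(spi_i, "192.168.1.23", 500, "77.56.157.76", 500,
                                    sa_body=bytes(8), ke_body=ke, nonce=os.urandom(32))
    msg = parse_message(req)
    return summarize(msg), detect_nat(msg, "193.247.250.37", 506, "77.56.157.76", 500)
```

demo() returns the same summary line charon logs for the first packet above and reports the peer as behind NAT, because the client hashed its private address into NATD_S_IP while the gateway sees the NAT's public address and port. Once NAT is detected the responder expects the rest of the exchange on UDP/4500 with UDP encapsulation, which is why the IKE_AUTH request in the log arrives at 77.56.157.76[4500] from a different source port.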


Summary

The Windows 7 Agile VPN Client [and Windows Server 2008 R2] fully support version 2 of the Internet Key Exchange protocol (IKEv2, RFC 4306) as well as the IKEv2 Mobility and Multihoming protocol (MOBIKE, RFC 4555).

The Windows 7 Agile VPN Client is easy to set up and fully interoperates e.g. with an Open Source Linux strongSwan VPN gateway available from www.strongswan.org.

The current Windows 7 Beta release does not implement EAP-MS-CHAPv2 authentication properly: the secret derived from the user password is exposed to man-in-the-middle attacks because the Windows 7 client ignores the server certificate and the corresponding digital signature!

For the time being, use strong authentication based on machine certificates instead!

More information: http://wiki.strongswan.org/wiki/Windows7
