strongSwan 4.2 - ConfigurationContents
1. OverviewstrongSwan is an OpenSource IPsec solution for the Linux operating system. It currently supports the following major functions:
2. QuickstartIn the following examples we assume for reasons of clarity that left designates the local host and that right is the remote host. Certificates for users, hosts and gateways are issued by a ficticious strongSwan CA. How to generate private keys and certificates using OpenSSL will be explained in section 3. The CA certificate strongswanCert.pem must be present on all VPN end points in order to be able to authenticate the peers. 2.1 Site-to-site caseIn this scenario two security gateways moon and sun will connect the two subnets moon-net and sun-net with each other through a VPN tunnel set up between the two gateways:
Configuration on gateway moon: /etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
Configuration on gateway sun: /etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
2.2 Host-to-host caseThis is a setup between two single hosts which don't have a subnet behind them. Although IPsec transport mode would be sufficient for host-to-host connections we will use the default IPsec tunnel mode.
Configuration on host moon: /etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
Configuration on host sun: /etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
2.3 Four tunnel caseIn a site-to-site setup a system administrator logged into the local gateway often would like to access the peer gateway or a server in the subnet behind the peer gateway over a secure IPsec tunnel.Since IP packets leaving a gateway via the outer network interface carry the IP address of this NIC, four IPsec Security Associations (SAs) must be set up to achieve full connectivity. The example below shows how this can be done without much additional typing work , using the "also" macro which includes connection definitions defined farther down in the ipsec.conf file.
Configuration on gateway moon:
/etc/ipsec.conf:
Configuration on gateway sun: /etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
2.4 Four Tunnel case the elegant way with source routingAs you certainly agree, the full four tunnel case described in the previous section becomes quite complex. If we could force the source address of the IP packets leaving the gateway through the outer interface to take on the IP address of the inner interface then we could use the single subnet-to-subnet tunnel from section 2.1. Such a setup becomes possible if we use the source routing capabilites of the ip route command that is already used by strongSwan 's updown scripts.
If we assume that the inner IP address of gateway moon is 10.1.0.1 and the inner IP address of gateway sun is 10.2.0.1, then the insertion of the parameter
in the connection definition of moon and
on sun, respectively, will install source routing on both gateways. As a result the command
executed on moon will leave the gateway with a source address of 10.1.0.1 and will therefore take the net-net IPsec tunnel. Configuration on gateway moon: /etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
Configuration on gateway sun: /etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
2.5 Roadwarrior caseThis is a very common case where a strongSwan gateway serves an arbitrary number of remote VPN clients usually having dynamic IP addresses.
Configuration on gateway moon:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
Configuration on roadwarrior carol:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
2.6 Roadwarrior case with virtual IP
Roadwarriors usually have dynamic IP addresses assigned by the ISP they are
currently attached to. In order to simplify the routing from
moon-net back to
the remote access client it would be desirable if the roadwarrior had
This virtual IP address can be assigned to a strongSwan roadwarrior by adding the parameter
to the roadwarrior's ipsec.conf. Of course the virtual IP of each roadwarrior must be distinct. In our example it is chosen from the address pool
which can be added to the gateway's ipsec.conf so that a single connection definition can handle multiple roadwarriors. Configuration on gateway moon:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
Configuration on roadwarrior carol:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.conf:
3. Generating certificates and CRLs with OpenSSLThis section is not a full-blown tutorial on how to use OpenSSL. It just lists a few points that are relevant if you want to generate your own certificates and CRLs for use with strongSwan. 3.1 Generating a CA certificateThe OpenSSL statement
creates a 2048 bit RSA private key strongswanKey.pem and a self-signed CA certificate strongswanCert.pem with a validity of 4 years (1460 days).
lists the properties of a X.509 certificate cert.pem. It allows you to verify whether the configuration defaults in openssl.cnf have been inserted correctly. If you prefer the CA certificates to be in binary DER format then the following command achieves this transformation:
The directory /etc/ipsec.d/cacerts/ contains all required CA certificates either in binary DER or in base64 PEM format. Irrespective of the file suffix, Pluto "automagically" determines the correct format. 3.2 Generating a host or user certificateThe OpenSSL statement
generates a 1024 bit RSA private key hostKey.pem and a certificate request hostReq.pem which has to be signed by the CA. If you want to add a subjectAltName field to the host certificate you must edit the OpenSSL configuration file openssl.cnf and add the following line in the [ usr_cert ] section:
if you want to identify the host by its Fully Qualified Domain Name (FQDN ), or
if you want the ID to be of type IPV4_ADDR . Of course you could include both ID types with
but the use of an IP address for the identification of a host should be discouraged anyway. For user certificates the appropriate ID type is USER_FQDN which can be specified as
or if the user's e-mail address is part of the subject's distinguished name
If you want to use the dynamic CRL fetching feature described in section 4.7 then you may include one or several crlDistributionPoints in your end certificates. This is also done in the [ usr_cert ] section of the openssl.cnf configuration file
If you have only a single http distribution point then the short form
also works. Due to a known bug in OpenSSL the latter notation fails with ldap URIs. Now the certificate request can be signed by the CA with the command
If you omit the -days option then the default_days value (365 days) specified in openssl.cnf is used. The -notext option avoids that a human readable listing of the certificate is prepended to the base64 encoded certificate body. Usually a Windows-based VPN client needs its private key, its host or user certificate, and the CA certificate. The most convenient way to load this information is to put everything into a PKCS#12 file:
3.3 Generating a CRLAn empty CRL that is signed by the CA can be generated with the command
If you omit the -crldays option then the default_crl_days value (30 days) specified in openssl.cnf is used. If you prefer the CRL to be in binary DER format, then this conversion can be achieved with
The directory /etc/ipsec.d/crls/ contains all CRLs either in binary DER or in base64 PEM format. Irrespective of the file suffix, pluto "automagically" determines the correct format. 3.4 Revoking a certificateA specific host certificate stored in the file host.pem is revoked with the command
Next the CRL file must be updated
The content of the CRL file can be listed with the command
in the case of a base64 CRL, or alternatively for a CRL in DER format
4. Configuring the connections - ipsec.conf4.1 Configuring my sideUsually the local side is the same for all connections. Therefore it makes sense to put the definitions characterizing the strongSwan security gateway into the conn %default section of the configuration file /etc/ipsec.conf. If we assume throughout this document that the strongSwan security gateway is left and the peer is right (of course you could define the directions also the other way round) then we can write conn %default The X.509 certificate by which the strongSwan security gateway will authenticate itself by sending it in binary form to its peers as part of the Internet Key Exchange (IKE) is specified by the line
The certificate can either be stored in base64 PEM-format or in the binary DER-format. Irrespective of the file suffix, Pluto "automagically" determines the correct format. Therefore
or
would also be valid alternatives. When using relative pathnames as in the examples above, the certificate files must be stored in in the directory /etc/ipsec.d/certs. In order to distinguish strongSwan's own certificates from locally stored trusted peer certificates (see section 5.5 for details), they could also be stored in a subdirectory within the default directory /etc/ipsec.d/certs, as e.g. in
Absolute pathnames are also possible, as in
As an ID for the VPN gateway we recommend the use of a Fully Qualified Domain Name (FQDN) of the form conn rw Important: When an FQDN identifier is used it must be explicitly included as a so called subjectAltName of type dnsName (DNS:) in the certificate indicated by leftcert. For details on how to generate certificates with subjectAltNames, please refer to section 3.2. If you don't want to mess with subjectAltNames, you can use the certificate's Distinguished Name (DN) instead, which is an identifier of type DER_ASN1_DN and which can be written e.g. in the LDAP-type format conn rw Since the subject's DN is part of the certificate, the leftid does not have to be declared explicitly. Thus the entry conn rw 4.2 Multiple certificatesstrongSwan supports multiple local host certificates and corresponding RSA private keys:conn rw1 conn rw2 4.3 Configuring the peer side using CA certificatesNow we can proceed to define our connections. In many applications we might have dozens of mostly Windows-based road warriors connecting to a central strongSwan security gateway. The following most simple statement: conn rw defines the general roadwarrior case. The line right=%any literally means that any IPSec peer is accepted, regardless of its current IP source address and its ID, as long as the peer presents a valid X.509 certificate signed by a CA the strongSwan security gateway puts explicit trust in. Additionally the signature during IKE main mode gives proof that the peer is in possession of the private RSA key matching the public key contained in the transmitted certificate. The ID by which a peer is identifying itself during IKE main mode can by any of the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one of the first three ID types is used, then the accompanying X.509 certificate of the peer must contain a matching subjectAltName field of the type ipAddress (IP:), dnsName (DNS:) or rfc822Name (email:), respectively. With the fourth type DER_ASN1_DN, the identifier must completely match the subject field of the peer's certificate. One of the two possible representations of a Distinguished Name (DN) is the LDAP-type format rightid="C=CH,O=Linux strongSwan, CN=sun.strongswan.org" Additional whitespace can be added everywhere as desired since it will be automatically eliminated by the X.509 parser. An exception is the single whitespace between individual words , like e.g. in Linux strongSwan, which is preserved by the parser. The Relative Distinguished Names (RDNs) can alternatively be separated by a slash ( '/') instead of a comma (',')
This is the representation extracted from the certificate by the OpenSSL command line option
The following X.501 RDNs are supported by strongSwan
With the roadwarrior connection definition listed above, an IPsec SA for the strongSwan security gateway moon.strongswan.org itself can be established. If any roadwarrior should be able to reach e.g. the two subnets 10.0.1.0/24 and 10.0.3.0/24 behind the security gateway then the following connection definitions will make this possible conn rw1 If not all peers in possession of a X.509 certificate signed by a specific certificate authority shall be given access to the Linux security gateway, then either a subset of them can be barred by listing the serial numbers of their certificates in a certificate revocation list (CRL) as specified in section 5.2 or as an alternative, access can be controlled by explicitly putting a roadwarrior entry for each eligible peer into ipsec.conf: conn sun When the IP address of a peer is known to be stable, it can be specified as well. This entry is mandatory when the strongSwan host wants to act as the initiator of an IPSec connection. conn sun In the last example the ID types FQDN, USER_FQDN, DER_ASN1_DN and IPV4_ADDR, respectively, were used. Of course all connection definitions presented so far have included the lines in the conn %defaults section, comprising among others a left and leftcert entry,. 4.4 Handling Virtual IPs and wildcard subnetsOften roadwarriors are behind NAT-boxes with IPsec passthrough, which causes the inner IP source address of an IPsec tunnel to be different from the outer IP source address usually assigned dynamically by the ISP. Whereas the varying outer IP address can be handled by the right=%any construct, the inner IP address or subnet must always be declared in a connection definition. Therefore for the three roadwarriors rw1 to rw3 connecting to a strongSwan security gateway the following entries are required in /etc/ipsec.conf: conn rw1 With the new wildcard parameter rightsubnetwithin these three entries can be reduced to the single connection definition conn rw Any host will be accepted (of course after successful authentication based on the peer's X.509 certificate only) if it declares a client subnet lying totally within the brackets defined by the wildcard subnet definition (in our example 10.0.1.0/24). For each roadwarrior a connection instance tailored to the subnet of the particular client will be created, based on the generic rightsubnetwithin template. This strongSwan feature can also be helpful with VPN clients getting a dynamically assigned inner IP from a DHCP server located on the NAT router box. 4.5 Protocol and port selectors strongSwan offers the possibility to restrict the protocol and
optionally the ports in an IPsec SA using the rightprotoport and
leftprotoport parameters. conn icmp Protocols and ports can be designated either by their numerical values or by their acronyms defined in /etc/services.
lists the following connection definitions: "icmp": 192.168.0.1[@moon.strongswan.org]:1/0...%any:1/0 Based on the protocol and port selectors, appropriate eroutes will be set up, so that only the specified payload types will pass through the IPsec tunnel. 4.6 IPsec policies based on wildcardsIn large VPN-based remote access networks there is often a requirement that access to the various parts of an internal network must be granted selectively, e.g. depending on the group membership of the remote access user. strongSwan makes this possible by applying wildcard filtering on the VPN user's distinguished name (ID_DER_ASN1_DN)Let's make a practical example: An organization has a sales department (OU=Sales) and a research group (OU=Research). In the company intranet there are separate subnets for Sales (10.0.0.0/24) and Research (10.0.1.0/24) but both groups share a common web server (10.0.2.100). The VPN clients use Virtual IP addresses that are either assigned statically or via DHCP-over-IPsec. The sales and research departments use IP addresses from separate DHCP address pools (10.1.0.0/24) and (10.1.1.0/24), respectively. An X.509 certificate is issued to each employee, containing in its subject distinguished name the country (C=CH), the company (O=ACME), the group membership (OU=Sales or OU=Research) and the common name (e.g. CN=Bart Simpson).The IPsec policy defined above can now be enforced with the following three IPsec security associations:
conn sales Of course group specific tunneling could be implemented on the basis of the Virtual IP range specified by the rightsubnetwithin parameter alone, but the wildcard matching mechanism guarantees that only authorized user can access the corresponding subnets. The '*' character is used as a wildcard in relative distinguished names (RDNs). In order to match a wildcard template, the ID_DER_ASN1_DN of a peer must contain the same number of RDNs (selected from the list in section 4.3) appearing in the exact order defined by the template."C=CH, O=ACME, OU=Research, OU=Special Effects, CN=Bart Simpson" matches the templates but not the template "C=CH, O=ACME, OU=*, CN=*" which doesn't have the same number of RDNs. 4.7 IPsec policies based on CA certificatesAs an alternative to the wildcard based IPsec policies described in section 4.6,access to specific client host and subnets can also be controlled on the basis of the CA that issued the peer certificate.
In the example above, the connection "sales" can be used by peers presenting certificates issued by the Sales CA, only. In the same way, the use of the connection "research" is restricted to owners of certificates issued by the Research CA. The connection "web" is open to both "Sales" and "Research" peers because the required ACME Root CA is the issuer of the Research and Sales intermediate CAs. If no rightca parameter is present then any valid certificate issued by one of the trusted CAs in /etc/ipsec.d/cacerts can be used by the peer. The leftca parameter usually doesn't have to be set explicitly because by default it is set to the issuer field of the certificate loaded vialeftcert. The statement
sets the CA requested from the peer to the CA used by the left side itself as e.g. in
4.8 Sending certificate requestsThe presence of a rightca parameter also causes the CA to be sent as part of the certificate request message when strongSwan is the initiator. A special case occurs when strongSwan responds to a roadwarrior. If several roadwarrior connections based on different CAs are defined then all eligible CAs will be listed in Pluto's certificate request message.4.9 IPsec policies based on group attributesX.509 attribute certificates (RFC 3281) are the most powerful mechanism for implementing IPsec security policies. The rightgroups parameter in a connection definition restricts the access to members of the listed groups only. An IPsec peer must have a valid attribute certificate issued by a trusted Authorization Authority and listing one of the required group attributes in order to get admitted.conn sales In the examples above membership of the group Sales is required for connection sales and membership of Research for connection research whereas connection web is accessible for both groups. Currently the attribute certificates of the peers must be loaded statically via the /etc/ipsec.d/acerts/ directory. In future releases of strongSwan it will be possible to fetch them from an LDAP directory server. 5. Configuring certificates and CRLs5.1 Installing the CA certificatesX.509 certificates received by strongSwan during the IKE protocol are automatically authenticated by going up the trust chain until a self-signed root CA certificate is reached. Usually host certificates are directly signed by a root CA, but strongSwan also supports multi-level hierarchies with intermediate CAs in between. All CA certificates belonging to a trust chain must be copied in either binary DER or base64 PEM format into the directory
Multiple CAs are supported, but presently they just create a large pool of valid user or host certificates and cannot be assigned to specific connection definitions in /etc/ipsec.conf. 5.2 Installing optional certificate revocation lists (CRLs)By copying a CA certificate into /etc/ipsec.d/cacerts/, automatically all user or host certificates issued by this CA are declared valid. Unfortunately private keys might get compromised inadvertently or intentionally, personal certificates of users leaving a company have to be blocked immediately, etc. To this purpose certificate revocation lists (CRLs) have been created. CRLs contain the serial numbers of all user or host certificates that have been revoked due to various reasons. After successful verification of the X.509 trust chain, Pluto searches its list of CRLs either obtained by loading them from the /etc/ipsec.d/crls/ directory or fetching them dynamically from a http or ldap server for the presence of a CRL issued by the CA that has signed the certificate. If the serial number of the certificate is found in the CRL then the public key contained in the certificate is declared invalid and the IPSec SA will not be established. If no CRL is found or if the deadline defined in the nextUpdate field of the CRL has been reached, a warning is issued but the public key will nevertheless be accepted. CRLs must be stored in either binary DER or base64 PEM format in the crls directory. Section 3.3 will explain in detail how CRLs can be created using OpenSSL. 5.3 Dynamic update of certificates and CRLsPluto reads certificates and CRLs from their respective files during system startup and keeps them in memory in the form of chained lists. X.509 certificates have a finite life span defined by their validity field. Therefore it must be possible to replace CA or OCSP certificates kept in system memory without disturbing established ISAKMP SAs. Certificate revocation lists should also be updated in the regular intervals indicated by the nextUpdate field in the CRL body. The following interactive commands allow the dynamic replacement of the various files:
CRLs can also be automatically fetched from an http or ldap server using the CRL distribution points contained in X.509 certificates. The command
shows any pending fetch requests: Oct 31 00:29:53 2002, trials: 2 In the example above, a http and a ldap URL were extracted from a received end certificate. An independent thread then tries to fetch a CRL from the designated distribution points. The same thread also periodically checks if any loaded CRLs are about to expire. The check interval can be defined in the config setup section of the ipsec.conf file:
In our example the thread wakes up every 600 seconds or 10 minutes in order to check the validity of the CRLs or to retry any pending fetch requests: List of X.509 CRLs: The first trial to update a CRL is started 2*crlcheckinterval before the nextUpdate time, i.e. when less than 20 minutes are left in our practical example. When crlcheckinterval is set to 0 (this is also the default value when the parameter is not set in ipsec.conf) then the CRL checking and updating thread is not started and dynamic CRL fetching is disabled. 5.4 Local caching of CRLsThe ipsec.conf option config setup activates the local caching of CRLs that were dynamically fetched from an HTTP or LDAP server. Cached copies are stored in /etc/ipsec.d/crls under a unique filename formed from the issuer's SubjectKeyIdentifier and the suffix .crl. With the cached copy the CRL is immediately available after pluto's startup. When the local copy is about to expire it is automatically replaced with an updated CRL fetched from one of the defined CRL distribution points. 5.5 Online Certificate Status Protocol (OCSP)The Online Certificate Status Protocol is defined by RFC 2560. It can be used to query an OCSP server about the current status of an X.509 certificate and is often used as a more dynamic alternative to a static Certificate Revocation List (CRL). Both the OCSP request sent by the client and the OCSP response returned by the server are transported via a standard tcp/http connection. Therefore cURL support must be enabled in pluto/Makefile:
In the most simple OCSP setup, a default URI under which the OCSP server for a given CA can be accessed is defined in ipsec.conf: config setup The HTTP port can be freely chosen. In our example we have assumed tcp port 8880. The crlcheckinterval must be set to a value different from zero. Otherwise the OCSP fetching thread will not be started. The well-known openssl-0.9.7 package from http://www.openssl.org implements an OCSP server that can be used in conjunction with an OpenSSL-based Public Key Infrastructure. The OCSP client integrated into Pluto does not contain any OpenSSL code though, but is based on the existing ASN.1 functionality of the X.509 patch. The OpenSSL-based OCSP server is started with the following command:
The command consists of the parameters
How does Pluto get hold of the OCSP signer certificate? There are two possibilities: Either you put the OCSP certificate into the default directory
or alternatively Pluto can receive it as part of the OCSP response from the remote OCSP server. In the latter case, how can Pluto make sure that the server has indeed been authorized by the CA to deal out certificate status information? In order to ascertain the OCSP signer authority, an extended key usage attribute can be included in the OCSP server certificate. Just insert the parameter
in the [ usr_cert ] section of your openssl.cnf configuration file before the CA signs the OCSP server certificate. For a given CA the corresponding ca section in ipsec.conf (see section 7) allows to define the URI of a single OCSP server. As an alternative an OCSP URI can be embedded into the VPN host and user certificates by putting the line authorityInfoAccess=OCSP;URI:http://ocsp.strongswan.org:8880 into the [ usr_cert ] section of your openssl.cnf configuration file. If an OCSP authorityInfoAccess extension is present in a certificate then this record overrides the default URI defined by the ca section. 5.6 CRL PolicyBy default Pluto is quite tolerant concerning the handling of CRLs. It is not mandatory for a CRL to be present in /etc/ipsec.d/crls/ and if the expiration date defined by the nextUpdate field of a CRL has been reached just a warning is issued, but a peer certificate will always be accepted if it has not been revoked. If you want to enforce a stricter CRL policy then this can be done by setting the strictcrlpolicy option in the config setup section of the ipsec.conf file:
config setup A certificate received from a peer will not be accepted if no corresponding CRL is present in /etc/ipsec.conf. And if an ISAKMP SA re-negotiation takes place after the nextUpdate deadline has been reached, the peer certificate will be declared invalid and the cached RSA public key will be deleted causing the connection in question to fail. Therefore if you are going to use the strictcrlpolicy=yes option, make sure that the CRLs will always be updated in time. Otherwise a total stand still will ensue. As mentioned earlier the default setting is strictcrlpolicy=no 5.7 Configuring the peer side using locally stored certificatesIf you don't want to use trust chains based on CA certificates as proposed in section 4.3, you can alternatively import trusted peer certificates directly into Pluto. Thus you do not have to rely on the certificate to be transmitted by the peer as part of the IKE protocol. With the conn %default section defined in section 4.1 and the use of the rightcert keyword for the peer side, the connection definitions in section 4.3 can alternatively be written as
conn sun the other side. In these cases it is recommended to add
to the connection definition[s] in order to avoid the sending of the host's own certificate. The default value is
If a peer certificate contains a subjectAltName extension, then this can be used to specify an alternative rightid or leftid type, respectively, as the example "conn sun" shows. If no rightid or leftid entry is present then the subject distinguished name contained in the certificate is taken as the ID. Using the same rules concerning pathnames that apply to strongSwan's own certificates, the following two definitions are also valid for trusted peer certificates: or
6. Installing the private key - ipsec.secrets6.1 Loading private key files in PKCS#1 formatBesides the standard FreeS/WAN RSA private key format, Pluto has been enabled to load RSA private keys in the PKCS#1 file format. The key files can be optionally secured with a passphrase. RSA private key files are declared in /etc/ipsec.secrets using the syntax
The key file can be either in base64 PEM-format or binary DER-format. The actual coding is detected "automagically" by Pluto. The example
uses a relative pathname. In that case Pluto will look for the private key file in the directory
As an alternative an absolute pathname can be given as in
In both cases make sure that the key files are root readable only. Often a private key must be transported from the Certification Authority where it was generated to the target security gateway where it is going to be used. In order to protect the key it can be encrypted with 3DES using a symmetric transport key derived from a cryptographically strong passphrase.
Because of the weak security, key files protected by single DES will not be accepted by Pluto!!! Once on the security gateway the private key can either be permanently unlocked so that it can be used by Pluto without having to know a passphrase
or as an option the key file can remain secured. In this case the passphrase unlocking the private key must be added after the pathname in /etc/ipsec.secrets
Some CAs distribute private keys embedded in a PKCS#12 file. Since Pluto is not able yet to read this format directly, the private key part must first be extracted using the command
if the key file moonKey.pem is to be secured again by a passphrase, or
if the private key is to be stored unlocked. 6.2 Entering passphrases interactivelyOn a VPN gateway you would want to put the passphrase protecting the private
key file right into /etc/ipsec.secrets as described in the previous paragraph,
so that the gateway can be booted in unattended mode. The risk of keeping
unencrypted secrets on a server can be minimized by putting the box into a
locked room. As long as no one can get root access on the machine the private
keys are safe.
Since strongSwan is usually started during the boot process, no interactive console windows is available which can be used by Pluto to prompt for the passphrase. This must be initiated by the user by typing
which actually is an alias for the existing command
and which causes the prompt
to appear. If the passphrase was correct and the private key file could be successfully decrypted then
results. Otherwise the prompt
will give you another try. Entering a carriage return will abort the passphrase prompting. 6.3 Multiple private keysstrongSwan supports multiple private keys. Because the connections defined in ipsec.conf can find the correct private key on the basis of the public key contained in the certificate which assigned via the leftcert parameter, private key definitions without specific IDs can be used
7. Configuring CA properties - ipsec.confBesides the definition of IPsec connections the ipsec.conf file can also be used to configure a few properties of the certification authorities needed to establish the X.509 trust chains. The following example shows the parameters that are currently available: ca strongswan In a similar way as conn sections are used for connection definitions, an arbitrary number of optional ca sections define the basic properties of CAs. Each ca section is named with a unique label ca strongswan The only mandatory parameter is
which points to the CA certificate which usually resides in the default directory /etc/ipsec.d/cacerts/ but could also be retrieved via an absolute path name. If the CA certificate is stored on a smartcard then the notation or alternatively can be used. The selection of smartcard slots is described in more detail in section 8.1. From the certificate the CA's distinguished name and the serial number is extracted. If an optional subjectKeyAuthentifier is present then it can be used to uniquely identify consecutive generations of CA certificates carrying the same distinguished name. The OCSP URI
allows to define an individual OCSP server per CA. Also up to two additional CRL distribution points (CDPs) can be defined
which are added to any CDPs already present in the received certificates themselves. The last parameter
can be used to fill in the actual server name in LDAP CDPs where the host is missing as e.g. in the crluri2 above. In future releases this ldaphost parameter might be used to retrieve user, host and attribute certificates. With the auto=add statement the ca definition is automatically loaded into Pluto during system startup. Setting auto=ignore will ignore the ca section. Additional ca definitions can be loaded from ipsec.conf during runtime with the command
and
deletes the labeled ca entry. And finally the command
first deletes the old definition in Pluto's memory and then loads the updated version from ipsec.conf. Any parameters which appear in several ca definitions can be put in a common ca %default section ca %default 8. Smartcard Support8.1 Configuring a smartcard-based connectionDefining a smartcard-based connection in ipsec.conf is easy:
In most cases there is a single smartcard reader or cryptotoken and only one RSA private key safely stored on the crypto device. Thus usually the entry
which stands for the full notation
is sufficient where the first certificate/private key object enumerated by PKCS#11 module is used. If several certificate/private key objects are present then the nth object can be selected using
The command
gives an overview over all certifcate objects made available by the PKCS#11 module. CA certificates are automatically available as trust anchors without the need to copy them into the /etc/ipsec.d/cacerts/ directory first. As an alternative the certificate ID and/or the slot number defined by the PKCS#11 standard can be specified using the notation
Thus
will look in all available slots for ID 0x50 starting with the first slot (usually slot 0) whereas
will directly check slot 4 (which is usually the first slot on the second reader/token when using the OpenSC library) for a key with ID 0x50. 8.2 Entering the PIN codeSince the smartcard signing operation needed to sign the hash with the
RSA private key during IKE Main Mode is protected by a PIN code,
the secret PIN must be made available to Pluto.
or with the general notation
or alternatively
On a personal notebook computer that could get stolen, you wouldn't want to store your PIN in ipsec.secrets. Thus the alternative form
will prompt you for the PIN when you start up the first IPsec connection using the command
The ipsec up command calls the whack function which in turn communicates with Pluto over a socket. Since the whack function call is executed from a command window, Pluto can prompt you for the PIN over this socket connection. Unfortunately roadwarrior connections which just wait passively for peers cannot be initiated via the command window:
But if there is a corresponding entry
in ipsec.secrets, then the standard command
or the alias
can be used to enter the PIN code for this connection interactively. The command
can be executed at any time to check the current status of the PIN code[s]. 8.3 PIN-pad equipped smartcard readersSmartcard readers with an integrated PIN pad offer an increased security level because the PIN entry cannot be sniffed on the host computer e.g. by a surrepticiously installed key logger. In order to tell pluto not to prompt for the PIN on the host itself, the entry
can be used in ipsec.secrets. Because the key pad does not cache the PIN in the smartcard reader, it must be entered for every PKCS #11 session login. By default pluto does a session logout after every RSA signature. In order to avoid the repeated entry of the PIN code during the periodic IKE main mode rekeyings, the following parameter can be set in the config setup section of ipsec.conf:
The default setting is pkcs11keepstate=no. 8.4 Configuring a smartcard with pkcsc15-initstrongSwan's smartcard solution is based on the PKCS#15 "Cryptographic Token Information Format Standard" fully supported by OpenSC library functions. Using the command
a fresh PKCS#15 file structure is created on a smartcard or cryptotoken. With the next command
a secret PIN code with auth-id 1 is stored in an unretrievable location on
the smart card. The PIN will protect the RSA signing operation. If the PIN
is entered incorrectly more than three times then the smartcard will be locked
and the PUK code can be used to unlock the card again.
By default the PKCS#15 smartcard record will be assigned the ID 45.
Using the --id option, multiple key records can be stored on a smartcard.
The pkcs15-tool can now be used to verify the contents of the smartcard.
If everything is ok then you are ready to use the generated PKCS#15 structure with strongSwan. 8.5 PKCS#11 proxy functionsWith the setting pkcs11keepstate=yes some PKCS#11 implementations (e.g. OpenSC) will lock the access to the smartcard as soon as pluto has opened a session and will thus prevent other application from sharing the smartcard resource. In order to solve this locking problem, strongSwan offers a PKCS#11 proxy service making use of the whack socket communication channel. The settingconfig setup will enable the proxy mode that is disabled by default.
The default settings for inbase and outbase is hexadecimal. Thus the simplest call has the form
and the returned result might be a decrypted 128 bit AES key
The leading three characters represent the return code of the whack channel with 000 signifying that no error has occured. Here is another example showing the use of the inbase and outbase attributes ipsec scdecrypt m/ewDnTs0k...woE= --inbase base64 --outbase text where the result has the form
By default the first RSA private key found by the PKCS#11 enumeration is used. If a different key should be selected then the notation introduced in sections 8.1 and 8.2 can be used:
with --keyid %smartcard#1 being the default. If supported by the smartcard and PKCS#11 library RSA encryption can be used with the notation
with the example ipsec scencrypt "This is a secret" --inbase ascii --outbase 64 returning the expected output
9. Configuring the clients9.1 strongSwanA strongSwan to strongSwan connection is symmetrical. Any of the four defined ID types can be used, even different types on either end of the connection, although this wouldn't make much sense.
9.2 PGPnetUse the file peerCert.p12 to import PGPnet's X.509 certificate, the CA certificate, plus the encrypted private key in binary PKCS#12 format into the PGPkey tool. You will be prompted for the passphrase securing the private key. Use the file myCert.pem to import the X.509 certificate of the strongSwan security gateway into the PGPkey tool. The PGPkeyTool does not accept X.509 certificates in binary DER format, so it must be imported in base64 format:
Make sure that there is no human-readable listing of the X.509 certificate in front of the line
otherwise PGPnet will refuse to load the *.PEM file. Any surplus lines can either be deleted by loading the certificate into a text editor or you can apply the command
to achieve the same effect. With authentication based on X.509 certificates, PGPnet always sends the ID type DER_ASN1_DN, therefore rightid in the connection definition of the strongSwan security gateway must be an ASN.1 distinguished name. In the receiving direction PGPnet accepts all four ID types from strongSwan.
9.3 SafeNet/Soft-PK/Soft-RemoteSafeNet/Soft-PK and SafeNet/Soft-Remote can be configured to send their identity either as DER_ASN1_DN, IPV4_ADDR, FQDN, or USER_FQDN. In the receiving direction SafeNet/Soft-PK or SafeNet/Soft-Remote accept all four ID types coming from strongSwan.
9.4 SSH SentinelSSH Sentinel sends its identity as DER_ASN1_DN if the subjectAltName field of its certificate is empty. If a subjectAltName field is present, then the corresponding type IPV4_ADDR, FQDN, or USER_FQDN is automatically chosen. With several subjectAltName entries, the precedence of the different ID types is not quite clear. In the receiving direction SSH Sentinel accepts all four ID types from strongSwan.
9.5 Windows 2000/XPWindows 2000 and Windows XP always send the ID type DER_ASN1_DN, therefore rightid in the connection definition of the strongSwan security gateway must be an ASN.1 distinguished name. In the receiving direction Windows 2000 or Windows XP accept all four ID types from strongSwan.
10. Monitoring functionsstrongSwan offers the following monitoring functions:
lists all IKE and ESP cryptographic algorithms that are currently registered with strongSwan. The listing has the following form: List of registered IKE Encryption Algorithms: #3 OAKLEY_BLOWFISH_CBC, blocksize: 64,
keylen: 128-128-256 List of registered IKE Hash Algorithms: #1 OAKLEY_MD5, hashsize: 128 List of registered IKE DH Groups: #2 OAKLEY_GROUP_MODP1024, groupsize: 1024 List of registered ESP Encryption Algorithms: #3 ESP_3DES, blocksize: 64, keylen: 168-168 List of registered ESP Authentication Algorithms: #1 AUTH_ALGORITHM_HMAC_MD5, keylen: 128-128 The command
lists all public keys currently installed in the chained list of public keys. These keys were statically loaded from ipsec.conf or aquired either from received certificates or retrieved from secure DNS servers using opportunistic mode. The public key listing has the following form:
Feb 11 14:40:18 2005, 2048 RSA Key AwEAAa+uL, until Sep 09 13:17:25 2009 ok It consists of
A public key can be associated with several IDs, e.g. using class=subjectAltNames in certificates and an ID can possess several public keys, e.g. retrieved from a secure DNS server. The commandipsec listcerts [--utc] lists all local certificates, both strongSwan's own and those of trusted peer loaded via leftcert and rightcert, respectively. The output has the formFeb 11 13:36:47 2005, count: 4 and shows
The command
lists all CA certificates that have been loaded from /etc/ipsec.d/cacerts. The output has the form
Feb 11 13:36:52 2005, count: 1 and shows
lists all Authorization Authority certificates that have been loaded from the directory /etc/ipsec.d/aacerts/. The output has the form Dec 20 13:29:55 2004, count: 1 and shows
The command
lists all OCSP signer certificates that have either been loaded from /etc/ipsec.d/ocspcerts/ or have been received include in the OCSP server response. The output has the form
Feb 09 22:56:17 2005, count: 1 and shows
lists all X.509 attribute certificates that have been loaded from the directory /etc/ipsec.d/acerts/. The output has the form Dec 20 13:29:56 2004 and shows
|