VPN with Windows 7 and Linux strongswan using IKEv2




Swiss Cyber Storm II Hack & Learn
VPN with Windows 7 and Linux strongswan using IKEv2
Prof. Dr. Andreas Steffen, andreas.steffen@hsr.ch
Andreas Steffen, 19.04.2009, CyberStormII.pptx

The Road Warrior Remote Access Case

[Diagram: Road Warrior with dynamic ISP address x.x.x.x --- Internet --- IPsec tunnel --- VPN Gateway 77.56.157.76 --- Home Network 10.10.0.0/23; inside the tunnel the road warrior uses the virtual IP 10.10.3.6]

Road warriors sign on to their home network via IKEv2 with varying IP addresses assigned dynamically by the local ISP. Authentication is preferably based on RSA public keys and X.509 certificates issued by the home network. The virtual IP and internal name server information are assigned by the home network. Remote hosts thus become part of an extruded net.

IKEv2: Internet Key Exchange v2 (2005)

Message flow between Initiator and Responder (UDP/500):

IKE_SA_INIT exchange pair
  1. Initiator -> Responder: IKE Header, SAi1, KEi, Ni
  2. Responder -> Initiator: IKE Header, SAr1, KEr, Nr

IKE_AUTH exchange pair (everything after the IKE Header is encrypted with the keys derived in IKE_SA_INIT)
  3. Initiator -> Responder: IKE Header, IDi, CERTi, IDr, AUTHi, SAi2, TSi, TSr
  4. Responder -> Initiator: IKE Header, IDr, CERTr, AUTHr, SAr2, TSi, TSr

Client Authentication with Machine Certificates

Windows 7 Machine Certificates

Machine certificates (*.p12) must be imported via the Microsoft Management Console (mmc) into the Local Computer certificate store of Windows 7 (the store the IKEv2 client searches for the machine certificate). Do not double-click on machine certificates: the import wizard started that way places the certificate in the Current User store, where the VPN client will not find it!

Windows 7 VPN Client Configuration I

[Screenshot]

Windows 7 VPN Client Configuration II

[Screenshot]

Windows 7 VPN Client Configuration III

[Screenshot; annotated fields: Internet address = VPN gateway, Destination name = arbitrary name]

Windows 7 VPN Client Configuration IV

[Screenshot] Username/password information is not used if authentication is based on machine certificates.

Windows 7 VPN Client Configuration V

[Screenshot]

Windows 7 VPN Client Configuration VI

Alternatively, EAP-MS-CHAPv2 username/password based authentication could be used with a Linux strongswan gateway. Unfortunately, the Windows 7 Beta client is prone to Man-in-the-Middle attacks, since it does not verify the gateway signature!

Windows 7 VPN Client Configuration VIa

[Screenshot]

Windows 7 VPN Client Configuration VII

The Windows 7 Agile VPN Client supports the IKEv2 Mobility and Multihoming Protocol MOBIKE (RFC 4555). A change of the IP address or network interface on the client side is communicated via IKEv2 to the VPN gateway, so that an existing IPsec tunnel is migrated automatically!

Linux strongswan Gateway Configuration

/etc/ipsec.secrets:

    : RSA koalakey.pem

/etc/ipsec.conf:

    conn win7
        keyexchange=ikev2
        authby=rsasig
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=koalacert.pem
        leftid=@koala.strongswan.org
        leftfirewall=yes
        right=%any
        rightsourceip=10.10.3.0/24
        auto=add

/etc/strongswan.conf:

    charon {
        dns1 = 62.2.17.60
        dns2 = 62.2.24.162
        nbns1 = 10.10.1.1
        nbns2 = 10.10.0.1
    }

The strongswan gateway could narrow the traffic selector to the local network (leftsubnet=10.10.0.0/23 instead of 0.0.0.0/0), but Windows 7 does not allow split-tunneling!
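The narrowing the slide refers to is the responder's right under RFC 4306 section 2.9 to answer with traffic selectors that are a subset of what the initiator proposed. The following added example (illustration code, not strongswan's own implementation) models that step on the gateway side: the client proposes 0.0.0.0/0 for both directions, the gateway intersects the proposal with its leftsubnet and with the virtual IP it handed out via rightsourceip, and the result is rendered in the "local === remote" form that strongswan prints for a CHILD_SA. The port and protocol handling is the general RFC rule, not something shown on the slides.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network, summarize_address_range
from typing import Optional


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE entry: address range, port range, IP protocol (0 = any)."""
    start: IPv4Address
    end: IPv4Address
    start_port: int = 0
    end_port: int = 65535
    proto: int = 0

    @classmethod
    def from_cidr(cls, cidr: str, **kw) -> "TrafficSelector":
        net = ip_network(cidr, strict=False)
        return cls(net[0], net[-1], **kw)

    def __str__(self) -> str:
        nets = list(summarize_address_range(self.start, self.end))
        addr = str(nets[0]) if len(nets) == 1 else f"{self.start}-{self.end}"
        ports = "" if (self.start_port, self.end_port) == (0, 65535) else f"[{self.start_port}-{self.end_port}]"
        proto = "" if self.proto == 0 else f"/{self.proto}"
        return addr + ports + proto


def narrow(proposed: TrafficSelector, policy: TrafficSelector) -> Optional[TrafficSelector]:
    """Intersect the initiator's selector with the responder's own policy (RFC 4306 sec. 2.9).
    Returns None when the two do not overlap, i.e. the responder must reject with TS_UNACCEPTABLE."""
    if proposed.proto and policy.proto and proposed.proto != policy.proto:
        return None
    start, end = max(proposed.start, policy.start), min(proposed.end, policy.end)
    if start > end:
        return None
    sp, ep = max(proposed.start_port, policy.start_port), min(proposed.end_port, policy.end_port)
    if sp > ep:
        return None
    return TrafficSelector(start, end, sp, ep, proposed.proto or policy.proto)


def responder_child_ts(leftsubnet: str, virtual_ip: str,
                       tsi: TrafficSelector, tsr: TrafficSelector) -> Optional[str]:
    """Gateway-side view of the slide's 'win7' connection.

    tsi/tsr are what the road warrior asked for (TSi = its side, TSr = the gateway side).
    leftsubnet is the gateway's policy for its own side; the virtual IP assigned from
    rightsourceip is the only source address the gateway accepts from this client.
    Returns strongswan's 'local === remote' rendering, or None if nothing overlaps.
    """
    local = narrow(tsr, TrafficSelector.from_cidr(leftsubnet))
    remote = narrow(tsi, TrafficSelector.from_cidr(f"{virtual_ip}/32"))
    if local is None or remote is None:
        return None
    return f"{local} === {remote}"


if __name__ == "__main__":
    anything = TrafficSelector.from_cidr("0.0.0.0/0")
    # What the slide's configuration yields (matches the CHILD_SA line in the gateway log).
    print(responder_child_ts("0.0.0.0/0", "10.10.3.6", anything, anything))
    # What narrowing to the home network would yield instead.
    print(responder_child_ts("10.10.0.0/23", "10.10.3.6", anything, anything))
```

With the page's configuration the first call reproduces "0.0.0.0/0 === 10.10.3.6/32"; with leftsubnet set to the home network the gateway side narrows to 10.10.0.0/23, which is exactly the split-tunnel result the slide says the Windows 7 client will not accept.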

Windows 7 VPN Client Connect

[Screenshot]

Windows 7 Status Information

[Screenshot]

Linux strongswan Logfile

[NET] received packet: from 193.247.250.37[506] to 77.56.157.76[500]
[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
[IKE] 193.247.250.37 is initiating an IKE_SA
[IKE] remote host is behind NAT
[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
[NET] sending packet: from 77.56.157.76[500] to 193.247.250.37[506]
[NET] received packet: from 193.247.250.37[3226] to 77.56.157.76[4500]
[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP SA TSi TSr ]
[IKE] authentication of 'C=CH, O=Linux strongswan, CN=bonsai.strongswan.org' with RSA signature successful
[IKE] IKE_SA win7[1] established between 77.56.157.76[koala.strongswan.org]...193.247.250.37[C=CH, O=Linux strongswan, CN=bonsai.strongswan.org]
[IKE] assigning virtual IP 10.10.3.6 to peer
[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] CHILD_SA win7{1} established with SPIs c97fa201_i e7d5941a_o and TS 0.0.0.0/0 === 10.10.3.6/32
[NET] sending packet: from 77.56.157.76[4500] to 193.247.250.37[3226]

Note the port change: the NAT detection payloads exchanged in IKE_SA_INIT reveal that the client is behind a NAT, so the IKE_AUTH exchange and the ESP traffic switch to UDP/4500 (UDP encapsulation, RFC 4306 section 2.23).
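To show what sits behind the IKE_SA_INIT/IKE_AUTH message list on the IKEv2 slide and behind the "parsed ... [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]" and "remote host is behind NAT" lines in this log, here is an added example that walks an IKEv2 message's fixed header and payload chain and performs the responder's NAT detection check. It is illustration code written for this page, not strongswan's parser; the payload, exchange and notify type numbers are the registered IKEv2/MOBIKE values from RFC 4306 and RFC 4555. The sample packet is constructed here: the public addresses and ports are taken from the log above, while the client's private address 192.168.1.10 and the SPI and SA/KE/nonce bytes are assumed dummies.

```python
import hashlib
import socket
import struct
from typing import Dict, List, Tuple

IKE_SA_INIT, IKE_AUTH = 34, 35
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOADS = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
            40: "No", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
NOTIFIES = {16388: "NATD_S_IP", 16389: "NATD_D_IP", 16396: "MOBIKE_SUP", 16397: "ADD_4_ADDR"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
HDR = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange type, flags, message ID, length


def natd_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP data: SHA-1(SPIi | SPIr | IP | port), RFC 4306 section 2.23."""
    return hashlib.sha1(spi_i + spi_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def notify_body(ntype: int, data: bytes = b"") -> bytes:
    """Notify payload without SPI: protocol ID 0, SPI size 0, notify message type, data."""
    return struct.pack("!BBH", 0, 0, ntype) + data


def build(spi_i: bytes, spi_r: bytes, exch: int, flags: int, msg_id: int,
          payloads: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a message; each generic payload header carries the type of the *next* payload."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, spi_i, spi_r, first, 0x20, exch, flags, msg_id, 28 + len(body)) + body


def parse(data: bytes) -> Dict:
    """Walk the payload chain, validating every length before trusting it (malformed
    lengths are the classic way to crash an IKE daemon).  Stops at SK (46): its contents
    are encrypted and would need the IKE_SA keys."""
    if len(data) < 28:
        raise ValueError("short IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(HDR, data[:28])
    if ver >> 4 != 2 or length != len(data):
        raise ValueError("bad version or length")
    payloads, off = [], 28
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt2, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("payload length out of range")
        payloads.append((nxt, data[off + 4:off + plen]))
        if nxt == 46:
            break
        off, nxt = off + plen, nxt2
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": EXCHANGES.get(exch, str(exch)),
            "response": bool(flags & FLAG_RESPONSE), "msg_id": msg_id, "payloads": payloads}


def log_line(msg: Dict) -> str:
    """Render in the style of strongswan's '[ENC] parsed ... [ SA KE No N(NATD_S_IP) ... ]'."""
    labels = []
    for ptype, body in msg["payloads"]:
        if ptype == 41 and len(body) >= 4:
            labels.append("N(%s)" % NOTIFIES.get(struct.unpack("!H", body[2:4])[0], "?"))
        else:
            labels.append(PAYLOADS.get(ptype, "P%d" % ptype))
    kind = "response" if msg["response"] else "request"
    return "parsed %s %s %d [ %s ]" % (msg["exchange"], kind, msg["msg_id"], " ".join(labels))


def peer_behind_nat(msg: Dict, seen_ip: str, seen_port: int) -> bool:
    """Responder side: recompute NATD_S_IP from the address/port the packet really arrived
    from.  A mismatch means the initiator's own view of its address differs, i.e. it is
    behind a NAT (strongswan then logs 'remote host is behind NAT' and moves to UDP/4500)."""
    for ptype, body in msg["payloads"]:
        if ptype == 41 and len(body) >= 4 and struct.unpack("!H", body[2:4])[0] == 16388:
            return body[4:] != natd_hash(msg["spi_i"], msg["spi_r"], seen_ip, seen_port)
    return False  # no NAT detection payload present: nothing to compare


def sample_init_request() -> bytes:
    """Constructed IKE_SA_INIT request: road warrior at assumed private 192.168.1.10:500
    behind a NAT, gateway 77.56.157.76:500 as on the slides.  SPI and SA/KE/nonce bytes are dummies."""
    spi_i, spi_r = bytes.fromhex("0123456789abcdef"), bytes(8)
    return build(spi_i, spi_r, IKE_SA_INIT, FLAG_INITIATOR, 0, [
        (33, b"\x00" * 8), (34, b"\x00" * 8), (40, b"\x11" * 16),
        (41, notify_body(16388, natd_hash(spi_i, spi_r, "192.168.1.10", 500))),
        (41, notify_body(16389, natd_hash(spi_i, spi_r, "77.56.157.76", 500))),
    ])


if __name__ == "__main__":
    msg = parse(sample_init_request())
    print(log_line(msg))                                    # same payload list as the log above
    print("behind NAT:", peer_behind_nat(msg, "193.247.250.37", 506))
```

The responder sees the packet arrive from 193.247.250.37 port 506 (the NAT's public side), hashes that, and finds it differs from the NATD_S_IP the initiator computed over its private address; that single comparison is the whole of the "remote host is behind NAT" decision, and it is why the next exchange in the log runs on port 4500.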

Summary

The Windows 7 Agile VPN Client [and Windows Server 2008 R2] fully support version 2 of the Internet Key Exchange protocol (IKEv2, RFC 4306) as well as the IKEv2 Mobility and Multihoming protocol (MOBIKE, RFC 4555).

The Windows 7 Agile VPN Client is easy to set up and fully interoperates, e.g., with the Open Source Linux strongswan VPN gateway available from www.strongswan.org.

The current Windows 7 Beta release does not implement EAP-MS-CHAPv2 authentication properly: the secret derived from the user password is vulnerable to Man-in-the-Middle attacks because the Windows 7 client ignores the server certificate and the corresponding digital signature! For the time being, use strong authentication based on machine certificates instead!

More information: http://wiki.strongswan.org/wiki/windows7

Questions?