* [gentoo-user] Traffic Intensive IPSec Tunnel
From: Nick Khamis @ 2013-05-11 19:13 UTC
To: gentoo-user
Hello Everyone,
Our service provider requires all connections between us be done
through IPSec IKE. From the little bit of research, I found that this
is achieved using a system with IPSec kernel modules enabled, along
with cryptography modules. On the application level, I saw ipsec tool,
OpenSWAN, and OpenVPN.
What I was wondering is which should be used for traffic intensive
connections in a deployment environment. Without starting any OpenVPN
vs OpenSwan debate, we would really like to keep the application level
to a minimum. Meaning if we could achieve the tunnel using the
required kernel modules, ipsec-tools and iptables, we see that as
keeping it simple and effective.
Your insight and suggested how-to pages are greatly appreciated.
Thanks in Advance,
Nick.
* Re: [gentoo-user] Traffic Intensive IPSec Tunnel
From: Michael Mol @ 2013-05-12 2:14 UTC
To: gentoo-user
On 05/11/2013 03:13 PM, Nick Khamis wrote:
> Hello Everyone,
>
> Our service provider requires all connections between us be done
> through IPSec IKE. From the little bit of research, I found that this
> is achieved using a system with IPSec kernel modules enabled, along
> with cryptography modules. On the application level, I saw ipsec tool,
> OpenSWAN, and OpenVPN.
>
> What I was wondering is which should be used for traffic intensive
> connections in a deployment environment. Without starting any OpenVPN
> vs OpenSwan debate, we would really like to keep the application level
> to a minimum. Meaning if we could achieve the tunnel using the
> required kernel modules, ipsec-tools and iptables, we see that as
> keeping it simple and effective.
>
> Your insight, suggested how-to pages are greatly appreciated.
To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates
either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your
service provider requires IPSec and IKE, best forget about OpenVPN.
http://www.ipsec-howto.org/x304.html
Look under "Automatic keyed connections using racoon"
* Re: [gentoo-user] Traffic Intensive IPSec Tunnel
From: Nick Khamis @ 2013-05-12 2:37 UTC
To: gentoo-user
Thanks yet again Michael! Enjoy your weekend.
N.
On 5/11/13, Michael Mol <mikemol@gmail.com> wrote:
> On 05/11/2013 03:13 PM, Nick Khamis wrote:
>> Hello Everyone,
>>
>> Our service provider requires all connections between us be done
>> through IPSec IKE. From the little bit of research, I found that this
>> is achieved using a system with IPSec kernel modules enabled, along
>> with cryptography modules. On the application level, I saw ipsec tool,
>> OpenSWAN, and OpenVPN.
>>
>> What I was wondering is which should be used for traffic intensive
>> connections in a deployment environment. Without starting any OpenVPN
>> vs OpenSwan debate, we would really like to keep the application level
>> to a minimum. Meaning if we could achieve the tunnel using the
>> required kernel modules, ipsec-tools and iptables, we see that as
>> keeping it simple and effective.
>>
>> Your insight, suggested how-to pages are greatly appreciated.
>
> To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates
> either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your
> service provider requires IPSec and IKE, best forget about OpenVPN.
>
> http://www.ipsec-howto.org/x304.html
>
> Look under "Automatic keyed connections using racoon"
* Re: [gentoo-user] Traffic Intensive IPSec Tunnel
From: Mick @ 2013-05-12 7:42 UTC
To: gentoo-user
On Sunday 12 May 2013 03:37:48 Nick Khamis wrote:
> Thanks yet again Michael! Enjoy your weekend.
>
> N.
>
> On 5/11/13, Michael Mol <mikemol@gmail.com> wrote:
> > On 05/11/2013 03:13 PM, Nick Khamis wrote:
> >> Hello Everyone,
> >>
> >> Our service provider requires all connections between us be done
> >> through IPSec IKE. From the little bit of research, I found that this
> >> is achieved using a system with IPSec kernel modules enabled, along
> >> with cryptography modules. On the application level, I saw ipsec tool,
> >> OpenSWAN, and OpenVPN.
> >>
> >> What I was wondering is which should be used for traffic intensive
> >> connections in a deployment environment. Without starting any OpenVPN
> >> vs OpenSwan debate, we would really like to keep the application level
> >> to a minimum. Meaning if we could achieve the tunnel using the
> >> required kernel modules, ipsec-tools and iptables, we see that as
> >> keeping it simple and effective.
> >>
> >> Your insight, suggested how-to pages are greatly appreciated.
> >
> > To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates
> > either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your
> > service provider requires IPSec and IKE, best forget about OpenVPN.
> >
> > http://www.ipsec-howto.org/x304.html
> >
> > Look under "Automatic keyed connections using racoon"
If your ISP is using IKEv1, Racoon *should* do what you want, but you may need
to set up the routes manually. The up/down scripts in /etc/racoon/scripts do
not work in my case and I have to set them up with ifconfig and ip.
Apparently they work if you use xauth, according to this thread:
http://forums.gentoo.org/viewtopic-p-6977674.html
Instead, I opted for using StrongSwan, which is *much* better documented,
supports additional ciphers, RADIUS, etc. and allocation of IKEv1 pools using
a database back end. More importantly it also works with IKEv2 and MOBIKE.
With racoon you will have to try racoon2 if you need IKEv2, which was in
development back in 2010.
You can read a comparison between the *Swans here, but things have moved on
since; e.g. StrongSwan supports IKEv1 in Aggressive Mode, OpenSwan supports
part of IKEv2, etc:
https://lists.strongswan.org/pipermail/users/2010-September/005293.html
Ask if you need particular details in setting up your implementation.
--
Regards,
Mick
* Re: [gentoo-user] Traffic Intensive IPSec Tunnel
From: Adam Carter @ 2013-05-13 2:13 UTC
To: gentoo-user@lists.gentoo.org
>
> You can read a comparison between the *Swans here, but things have moved on
> since; e.g. StrongSwan supports IKEv1 in Aggressive Mode,
>
Aggressive mode with pre-shared keys is vulnerable to offline dictionary
attack, so you might as well use main mode. If for some reason you have to
use aggressive mode, use a long randomly generated PSK.
* Re: [gentoo-user] Traffic Intensive IPSec Tunnel
From: Mick @ 2013-05-13 5:16 UTC
To: gentoo-user
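The advice above ends at "use a long randomly generated PSK". As an added example that is not part of the thread, the script below generates such a PSK with openssl and audits an ipsec.secrets-style file (the `<ids> : PSK "<secret>"` syntax used by strongSwan, which Mick recommends earlier in the thread) for secrets that fall below a minimum length. The minimum of 32 characters is a policy choice made here, and the addresses and secrets in the sample file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a random IKEv1 PSK and
# audit an ipsec.secrets-style file for secrets shorter than a chosen minimum.
# MIN_PSK_LEN is this example's policy, not a strongSwan setting.

MIN_PSK_LEN=${MIN_PSK_LEN:-32}

# Print a PSK carrying the requested number of random bytes, base64-encoded
# so it can be quoted directly in ipsec.secrets (32 bytes -> 44 characters).
gen_psk() {
    openssl rand -base64 "${1:-32}"
}

# Report every `: PSK "..."` line in "$1" whose quoted secret is shorter than
# MIN_PSK_LEN characters. Only lengths are printed, never the secrets.
# Returns 0 when every PSK passes, 1 when any is too short.
audit_psk() {
    rc=0
    n=0
    while IFS= read -r secret; do
        [ -n "$secret" ] || continue
        n=$((n + 1))
        if [ "${#secret}" -lt "$MIN_PSK_LEN" ]; then
            printf 'PSK #%d: %d chars, below minimum of %d\n' \
                "$n" "${#secret}" "$MIN_PSK_LEN"
            rc=1
        fi
    done <<EOF
$(sed -n 's/^[^#]*: *PSK *"\([^"]*\)".*/\1/p' "$1")
EOF
    return $rc
}

# Constructed sample: a guessable PSK beside a freshly generated one.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<EOF
# ipsec.secrets (constructed for this example)
192.0.2.1 198.51.100.7 : PSK "gentoo2013"
192.0.2.1 203.0.113.9 : PSK "$(gen_psk 32)"
EOF

if audit_psk "$SAMPLE"; then
    echo "all PSKs meet the minimum length"
else
    echo "weak PSKs found; regenerate with: gen_psk 32"
fi
```

Run against the real /etc/ipsec.secrets the audit prints only the position and length of each offending entry, so its output can go into a ticket without leaking the key.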
On Monday 13 May 2013 03:13:27 Adam Carter wrote:
> > You can read a comparison between the *Swans here, but things have moved
> > on since; e.g. StrongSwan supports IKEv1 in Aggressive Mode,
>
> Aggressive mode with pre-shared keys is vulnerable to offline dictionary
> attack so you might as well use main mode. If for some reason you have to
> use aggressive mode use a long randomly generated PSK.
Indeed it is vulnerable, because the hash of the PSK is sent out in the
initial handshake. This can be captured by eavesdropping and cracked by brute
force offline. As suggested, long keys help, especially if they are changed
often.
It is best, however, to not use a PSK at all and instead set up SSL
certificates for VPN gateway and client machine authentication and RSA
encryption. This makes it easy to revoke a single SSL certificate if a client
is compromised, instead of having to change PSKs for any number of machines
that are using the VPN network.
--
Regards,
Mick
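The revocation argument above is easy to see in practice. As an added example that is not part of the thread, the script below builds a throwaway PKI with the openssl command line: one CA issues an RSA certificate per VPN client, "client-b" is then treated as compromised and revoked through a CRL, and "client-a" keeps verifying. The CA name, client names and paths are constructed for the demo; a real gateway would point its IPSec daemon's CA, certificate and CRL settings at files like these.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway PKI showing why
# per-client certificates are easier to revoke than a shared PSK. One CA
# issues one certificate per VPN client; "client-b" is then revoked via a CRL
# while "client-a" keeps working. All names and paths are constructed.

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Create the CA plus the minimal database `openssl ca` needs for revocation.
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=Demo VPN CA" \
        -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
    : > "$PKI/index.txt"
    echo 01 > "$PKI/crlnumber"
    cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $PKI/index.txt
crlnumber        = $PKI/crlnumber
certificate      = $PKI/ca.crt
private_key      = $PKI/ca.key
default_md       = sha256
default_crl_days = 30
EOF
}

# Issue one RSA key pair and CA-signed certificate for the named client.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$PKI/$1.csr" \
        -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
        -out "$PKI/$1.crt" 2>/dev/null
}

# Revoke one client's certificate and publish a fresh CRL. Nothing about the
# other clients changes, which is the point of the advice above.
revoke_client() {
    openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/$1.crt" 2>/dev/null
    openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}

# Exit 0 if a gateway would still accept the client: the certificate chains to
# the CA and is not listed on the CRL. An empty CRL is published first if none
# exists yet, so the check always has one to consult.
client_accepted() {
    [ -s "$PKI/crl.pem" ] || \
        openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
    openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" \
        "$PKI/$1.crt" >/dev/null 2>&1
}

build_ca
issue_client client-a
issue_client client-b
revoke_client client-b
for c in client-a client-b; do
    if client_accepted "$c"; then
        echo "$c: accepted"
    else
        echo "$c: rejected (revoked)"
    fi
done
```

With a PSK the equivalent step would be rotating the secret on the gateway and on every remaining client; here only the CRL changes, and the gateway has to see the new CRL before the revocation takes effect, so how often it is refreshed matters as much as issuing it.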