Old 06-08-2012, 11:37 AM   #1
loolooyyyy
Member
 
Registered: Nov 2011
Posts: 36

Rep: Reputation: Disabled
ipsec, how?


Sorry for this question:

I want IPsec to secure my connection from my laptop to my server, where they have blocked SSH (yes they have! and changing the port does not work! it's a long story...). I have read a thousand howtos, but no luck.
I think I don't have a good understanding of IPsec, see:
I install openswan, I configure ipsec.conf and generate keys in ipsec.secrets.
I scp ipsec.conf/secrets from the server to the laptop (where I somehow manage to gain SSH for a few seconds) so they have the exact same configuration. Now I want to tell both machines to communicate using IPsec, so I run "ipsec auto --up conn-name" on both.
The server will be running the command and showing nothing (no verbosity); the laptop gives errors. Before I fix them, I want to know: am I actually doing it right? Is this what IPsec is all about? By running "ipsec auto ..." will I have a secure connection?

and these are the configs:
Code:
config setup
	klipsdebug=all
	protostack=netkey
	nat_traversal=yes
conn conn-name
	authby=secret
	pfs=no
	rekey=no
	left=server ip   #ip valid
	leftprotoport=17/1701
	right=my laptop ip   #ip valid
	rightprotoport=17/1701
	auto=add
	leftid=@vhost.mywebsite.com
	rightid=@123.231.111.222     #my laptop ip
	leftrsasigkey="THE VERY LONG KEY"
	rightrsasigkey="THE VERY LONG KEY"   #both keys are the same
and ipsec.secrets:
Code:
	include /etc/ipsec.d/my.secrets
and my.secrets:
Code:
: RSA {
	# RSA 2048 bits   website   Fri Jun  8 08:14:08 2012
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey= same long key which was on ipsec.conf
	Modulus: 0x"THE VERY LONG KEY"
	PublicExponent: 0x"a number"
	# everything after this point is CKA_ID in hex format when using NSS
	PrivateExponent: 0x"some string"
	Prime1: 0x"same string"
	Prime2: 0x"same string"
	Exponent1: 0x"same string"
	Exponent2: 0x"same string"
	Coefficient: 0x"same string"
	CKAIDNSS: 0x"same string"
	}
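An added example, not from the thread or from the Openswan project: a small Python lint over an ipsec.conf modelled on the one above (addresses and keys replaced by placeholders), flagging settings whose documented meaning does not match what the post is trying to do (klipsdebug under protostack=netkey, authby=secret beside rsasigkey entries, the same key on both sides, auto=add).

```python
# Constructed ipsec.conf modelled on the one in the first post; addresses and keys are placeholders.
SAMPLE_IPSEC_CONF = """\
config setup
    klipsdebug=all
    protostack=netkey
    nat_traversal=yes
conn conn-name
    authby=secret
    left=198.51.100.5    # server ip
    right=203.0.113.10   # laptop ip
    auto=add
    leftid=@vhost.example.com
    rightid=@203.0.113.10
    leftrsasigkey=0sPLACEHOLDERKEY
    rightrsasigkey=0sPLACEHOLDERKEY
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under the name 'setup'."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # "config setup" or "conn NAME" opens a section
            cur = sections.setdefault(line.split()[-1], {})
        elif cur is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip()
    return sections

def lint_ipsec_conf(sections):
    """Findings based on what each Openswan keyword actually does (ipsec.conf(5))."""
    findings = []
    setup = sections.get("setup", {})
    if setup.get("protostack") == "netkey" and "klipsdebug" in setup and "plutodebug" not in setup:
        findings.append("setup: klipsdebug only affects KLIPS; with netkey, plutodebug is what shows the IKE negotiation")
    for name, conn in sections.items():
        if name == "setup":
            continue
        has_rsa = "leftrsasigkey" in conn or "rightrsasigkey" in conn
        if conn.get("authby") == "secret" and has_rsa:
            findings.append(f"{name}: authby=secret does not use *rsasigkey; a PSK entry is needed in ipsec.secrets")
        if has_rsa and conn.get("leftrsasigkey") == conn.get("rightrsasigkey"):
            findings.append(f"{name}: left and right RSA keys are identical, so both hosts hold the same private key")
        if conn.get("auto") == "add":
            findings.append(f"{name}: auto=add only loads the conn; bring it up with 'ipsec auto --up {name}' or auto=start")
    return findings
```

Point it at a real file with `lint_ipsec_conf(parse_ipsec_conf(open("/etc/ipsec.conf").read()))`.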
 
Old 06-09-2012, 08:20 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
IPsec uses protocol 50 (ESP) for encrypted connections, possibly encapsulated in UDP packets with port number 4500 if NAT-T is enabled.

If TCP port 22 (SSH) is blocked, are you sure that ESP or IPsec NAT-T is allowed through?

And why are you using manual keying? Are they blocking IKE as well?
 
Old 06-09-2012, 08:32 PM   #3
loolooyyyy
Member
 
Registered: Nov 2011
Posts: 36

Original Poster
Rep: Reputation: Disabled
They are not blocking IKE. I thought (and by the way, from what you're saying that seems to be wrong!) that it was easier.
And yes, I'm pretty sure IPsec is open.

They don't simply block SSH port 22; they eavesdrop on all IP packets, see which are SSH, and block them!
 
Old 06-09-2012, 08:52 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
Manual IPsec Phase 2 keying is not especially difficult to configure, but it certainly is less secure than IKE. I'd go with IKE if at all possible.

If SSH is blocked by deep packet inspection, expect IPsec to get blocked as well. Compared to SSH on a random port, IPsec is trivial to block.

HTTP tunneling or ICMP tunneling might work, but be advised that depending on who "they" are, you may be violating a TOS or worse by attempting to bypass network restrictions.
 
Old 06-09-2012, 09:11 PM   #5
loolooyyyy
Member
 
Registered: Nov 2011
Posts: 36

Original Poster
Rep: Reputation: Disabled
Oh no, I checked that before: no rules violated!
But I really, really want to try IPsec once! Even to see with my own eyes that it won't work!
 
Old 06-11-2012, 04:05 AM   #6
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
I would say use pluto or charon for IKE and turn debugging on - that helped me find the problems and get it working.
You can monitor traffic going through with 'ip xfrm [monitor|state|policy]'
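As an added check that is not part of nikmit's post or of any project's code: this Python reads `ip xfrm state` output (a constructed sample is embedded; the addresses and SPIs are placeholders) and reports SAs that have no reverse direction, use a null cipher, or run as raw ESP (IP protocol 50) instead of UDP 4500 encapsulation.

```python
# Constructed `ip xfrm state` output; not captured from a real host. Real output indents with tabs.
SAMPLE_XFRM_STATE = """\
src 203.0.113.10 dst 198.51.100.5
    proto esp spi 0x0c3a9d5e reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x1111111111111111111111111111111111111111 96
    enc cbc(aes) 0x22222222222222222222222222222222
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.5 dst 203.0.113.10
    proto esp spi 0xc5e1a0b2 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x3333333333333333333333333333333333333333 96
    enc cbc(aes) 0x44444444444444444444444444444444
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 203.0.113.10 dst 198.51.100.9
    proto esp spi 0x00001234 reqid 16386 mode tunnel
    enc ecb(cipher_null) 0x
"""

def parse_xfrm_state(text):
    """One dict per security association: endpoints, spi, mode, cipher and NAT-T encapsulation."""
    sas, cur = [], {}                              # cur starts as a throwaway dict until the first src line
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "src":                      # "src A dst B" opens a new SA
            cur = {"src": words[1], "dst": words[3], "enc": None, "encap": None}
            sas.append(cur)
        elif words[0] == "proto":                  # proto esp spi 0x.. reqid N mode tunnel
            cur.update(zip(words[0::2], words[1::2]))
        elif words[0] in ("enc", "aead"):
            cur["enc"] = words[1]
        elif words[0] == "encap":                  # encap type espinudp sport 4500 dport 4500 ...
            cur["encap"] = words[2]
    return sas

def check_sas(sas):
    """What to verify before trusting the tunnel: both directions, real encryption, transport."""
    findings, pairs = [], {(s["src"], s["dst"]) for s in sas}
    for s in sas:
        tag = f"{s['src']}->{s['dst']} spi {s.get('spi')}"
        if (s["dst"], s["src"]) not in pairs:
            findings.append(f"{tag}: no SA in the reverse direction, traffic can only flow one way")
        if s["enc"] is None or "cipher_null" in s["enc"]:
            findings.append(f"{tag}: ESP without real encryption ({s['enc']}), payload is readable on the wire")
        if s["encap"] is None:
            findings.append(f"{tag}: raw ESP (IP protocol 50) rather than UDP 4500, so protocol 50 must be allowed end to end")
    return findings
```

On a live host feed it the real output, e.g. `check_sas(parse_xfrm_state(subprocess.check_output(["ip", "xfrm", "state"], text=True)))`.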
 
Old 06-11-2012, 03:14 PM   #7
loolooyyyy
Member
 
Registered: Nov 2011
Posts: 36

Original Poster
Rep: Reputation: Disabled
Thanks nikmit.
But would you be so kind as to provide a little more basic, non-technical information? I can follow the documentation, but there is a big gap between my basic and technical knowledge on the subject! I have no idea what I am doing.
Following your advice I'd be running pluto, but what is pluto really?
(Sorry if I'm talking in a very, very basic manner.) Would I dial a connection to the server with the help of some special application, get connected, and have all my traffic sent using IPsec automatically? Is IPsec a private network, or is it just encryption?
(Probably I'm asking too much, but if you have free time:) do you know the simplest way to get pluto running?

Last edited by loolooyyyy; 06-11-2012 at 03:16 PM.
 
Old 06-12-2012, 02:43 AM   #8
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
Pluto and charon are parts of strongswan/openswan that deal with the automatic key exchange (IKE). I say use them for IKE as presently you are not and are doing a manual key exchange - I don't know how the latter works as I have never done it but I trust Ser Olmy knows.
You start the daemons and debugging for them in the general setup section of your ipsec.conf. This is what I have:
Code:
config setup
        plutodebug=none   # you should change that to 'all' or at least 'control' until you are up and running
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=no
        charonstart=no
        plutostart=yes
On my machine the logs from pluto were sent to /var/log/auth.log - I run Debian Squeeze.


It is worth finishing what you have started, but still you should know there are other options too. If you don't know much about VPNs, I think you will find it easier to use OpenVPN. It will create a tun0 interface, and everything you point through that interface will get encrypted. I find it more intuitive. In your case another benefit might be that it is not the standard IPSec VPN, and you choose an arbitrary port for the connection to run over.
Complications could come from the NATting, however; I haven't tried making a tunnel from behind NAT.
 
Old 06-12-2012, 04:55 AM   #9
loolooyyyy
Member
 
Registered: Nov 2011
Posts: 36

Original Poster
Rep: Reputation: Disabled
You indeed have a point there: it's worth finishing what I have started. I have learned many aspects of networking while never having had to deal with it directly.
I didn't have any luck with openswan; I'll give strongswan a try. I think I'll do it on a VM first!
Thanks again nikmit.
 
Old 06-12-2012, 06:12 AM   #10
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
It's a great idea to do it in a virtual setup first. If you can create two VM hosts, one bridged to the local NIC and the other NATed to it, then you will have a scenario close to the real setup. What you need is to test this in the same topology/set up but without the blocking policies of the ISP. Keep posting and best of luck.
 