Klips Manual Key Protected Connection Examples

Macros
Setup
Unload
Transport mode
- Setup
- Delete
Tunnel mode
Transform examples
- Authentication
  - AH-MD5
    - Setup
    - Delete
  - AH-SHA1
    - Setup
    - Delete
  - ESP-NULL-MD5
    - Setup
    - Delete
- Encryption
  - ESP-3DES-MD5
    - Setup
    - Delete
  - ESP-3DES with AH-MD5
    - Setup
    - Delete
  - ESP-DES-MD5
    - Setup
    - Delete
  - ESP-3DES-SHA1
    - Setup
    - Delete
IPSEC Status

Macros

These definitions of macros make the commands more readable and the scripts easier to use by centralising the information. Obviously, the keys are for example purposes only and cryptographically strong keys should be substituted.

		hmask=255.255.255.255
		nmask0=0.0.0.0
		nmask16=255.255.0.0
		nmask24=255.255.255.0
		nmask28=255.255.255.240
		nmask29=255.255.255.248

		local_sg=207.236.55.216
		local_nexthop=207.236.55.1
		local_sg_bcast=207.236.55.255
		local_sg_nmask=$nmask24
		local_net=192.168.2.0
		local_nmask=$nmask24

		remote_sg=209.157.90.146
		remote_net=209.157.90.160
		remote_nmask=$nmask29

		ext_sg=209.157.90.198
		ext_net=209.157.90.192
		ext_bcast=209.157.90.199
		ext_nmask=$nmask29

		default_net=0.0.0.0
		default_bcast=255.255.255.255
		default_nmask=$nmask0

		ipsecdev=ipsec1
		aliasdev=eth0:1
		physdev=eth2

		iv=0x0123456789abcdef
		enckey8=0x0123456789abcdef
		enckey24=0x0123456789abcdef0123456789abcdef0123456789abcdef
		authkey16=0x0123456789abcdef0123456789abcdef
		authkey20=0x0123456789abcdef0123456789abcdef01234567

Setup

These commands must be run before any of the connection-specific commands will work.

		depmod -a	# only if klips is compiled as a module
		modprobe ipsec	# only if klips is compiled as a module
		tncfg --attach --virtual $ipsecdev --physical $physdev
		ifconfig $ipsecdev $local_sg broadcast $local_sg_bcast netmask $local_sg_nmask

Unload

These commands must be run before the module can be unloaded.

		tncfg --detach --virtual $ipsecdev
		ifconfig $ipsecdev down
		rmmod ipsec	# only if klips is compiled as a module

Warning: Each of the Setup scripts first deletes the route for the destinations it needs to protect, if it exists. When the route gets deleted with the deletion of the protected connection, that route will no longer exist. This route must be put back manually, or reboot the network configuration if it was installed automatically.

Transport mode

Transport mode is used between two hosts that each have IPSEC capabilities. They don't rely on a security gateway since they are by definition same. This mode has a lower overhead per packet and is therefore more efficient. The outside header is protected against modification if authentication is used.

Assumptions: Both machines have had networking set up and can pass packets.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		# Return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

Tunnel mode

Tunnel mode is used between two security gateways to protect their own traffic to another security gateway, or any combination of hosts behind it who may or may not be IPSEC aware. Only the inner headers are protected if authentication is enabled. There is extra overhead since there is an internal IP header. This mode is often preferable to make traffic analysis more difficult.

Assumptions: Any subnets have been set up and all machines can see the internet.

Security Gateway to Security Gateway

This configuration is essentially the same as tunnel mode, except that traffic analysis is not as easy.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x223

		spi --edst $remote_sg --spi 0x223 --ip4 \
			--src $local_sg --dst $remote_sg
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		spigrp $remote_sg 0x223 \
			$remote_sg 0x225

		# return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		# forward path
		eroute --del --src $local_sg/$hmask \
			--dst $remote_sg/$hmask

		route del $remote_sg

		spi --edst $remote_sg --spi 0x223 --del

		# return path
		spi --edst $local_sg --spi 0x235 --del

Subnet to Subnet

Valid internet subnet to valid internet subnet is the simplest subnet configuration. It processes all traffic from one subnet behind a security gateway to another subnet behind its security gateway with the selected encryption and/or authentication transforms, effectively protecting all that traffic from interference from the internet.

Setup

		# forward path
		route del $remote_net
		route add -net $remote_net dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_net/$local_nmask \
			--dst $remote_net/$remote_nmask \
			--edst $remote_sg --spi 0x223

		spi --edst $remote_sg --spi 0x223 --ip4 \
			--src $local_sg --dst $remote_sg
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		spigrp $remote_sg 0x223 \
			$remote_sg 0x225

		# return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		eroute --del --src $local_net/$local_nmask \
			--dst $remote_net/$remote_nmask

		route del $remote_net

		spi --edst $local_sg --spi 0x235 --del

		# return path
		spi --edst $remote_sg --spi 0x223 --del

Road warrior mode (Subnet to Security Gateway)

"Road Warriors" are single machines that connect to a protected network via the internet and must keep the tunnel secure. It acts as a security gateway and speaks to the protected subnet via another security gateway. This is a hybrid of the security_gateway-to-security_gateway and subnet-to-subnet scenarios.

Assumptions: All machines are set up to see each other and the internet.

Local road warrior to remote subnet

Setup

		# forward path
		route del $remote_net
		route add -net $remote_net netmask $remote_nmask dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_net/$remote_nmask \
			--edst $remote_sg --spi 0x223

		spi --edst $remote_sg --spi 0x223 --ip4 \
			--src $local_sg --dst $remote_sg
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		spigrp $remote_sg 0x223 \
			$remote_sg 0x225

		# return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		# forward path
		route del $remote_net

		eroute --del --src $local_sg/$hmask \
			--dst $remote_net/$remote_nmask

		spi --edst $remote_sg --spi 0x223 --del

		# return path
		spi --edst $local_sg --spi 0x235 --del

Local subnet to remote road warrior

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_net/$local_nmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x223

		spi --edst $remote_sg --spi 0x223 --ip4 \
			--src $local_sg --dst $remote_sg
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		spigrp $remote_sg 0x223 \
			$remote_sg 0x225

		# return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		# forward path
		route del $remote_sg

		eroute --del --src $local_net/$local_nmask \
			--dst $remote_sg/$hmask

		spi --edst $remote_sg --spi 0x223 --del

		# return path
		spi --edst $local_sg --spi 0x235 --del

Subnet to Subnet masqueraded

Traffic from a valid internet subnet to a reserved address subnet can still be protected by IPSEC so long as all the reserved subnets that the valid subnet wishes to speak to are unique. Perhaps some IPMASQ work needs to be done to make this independant.

Assumptions: The masqueraded subnet has been set up and all machines can see the internet.

Setup

		# forward path
		route del $remote_net
		route add -net $remote_net dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_net/$local_nmask \
			--dst $remote_net/$remote_nmask \
			--edst $remote_sg --spi 0x223
		ipfwadm -F -i accept -S $local_net/$local_nmask -D $remote_net/$remote_nmask

		spi --edst $remote_sg --spi 0x223 --ip4 \
			--src $local_sg --dst $remote_sg
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		spigrp $remote_sg 0x223 \
			$remote_sg 0x225

		# return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		# forward path
		eroute --del --src $local_net/$local_nmask \
			--dst $remote_net/$remote_nmask
		ipfwadm -F -d accept -S $local_net/$local_nmask -D $remote_net/$remote_nmask

		route del $remote_net

		spi --edst $local_sg --spi 0x235 --del

		# return path
		spi --edst $remote_sg --spi 0x223 --del

Extruded Subnet to Internet

Subnet 'Extrusion' may be necessary if one site only has one IP routed to it and more IP's are needed, but the access provider is unable or unwilling to route more. This will extrude a valid subnet from another location (the site of the other security gateway) to the site needing more valid addresses. This example combines a masqueraded subnet and the extruded subnet on the same physical media. Note that the traffic on the remote security gateway will be at least double that of the extruded subnet traffic to the rest of the internet and twice the turnaround time.

Assumptions: A masqueraded subnet has been set up and all machines can see the internet. Each machine on the extruded subnet will need to route all packets to the remote subnet (in this case the entire internet) via the I/F (direct or aliased) that has been configured with an extruded valid internet address.

Setup

		# set up superimposed valid internet subnet with interface aliases
		ifconfig $aliasdev $ext_sg broadcast $ext_bcast netmask $ext_nmask
		route add -net $ext_net netmask $ext_nmask dev $aliasdev

		# forward path
		route del $default_net
		route add -net $default_net dev $ipsecdev gw $local_nexthop

		eroute --add --src $ext_net/$ext_nmask \
			--dst $default_net/$default_nmask \
			--edst $remote_sg --spi 0x223

		ipfwadm -F -i accept -S $ext_net/$ext_nmask -D $default_net/$default_nmask

		spi --edst $remote_sg --spi 0x223 --ip4 \
			--src $local_sg --dst $remote_sg
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		spigrp $remote_sg 0x223 \
			$remote_sg 0x225

		# return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		# forward path
		eroute --del --src $ext_net/$ext_nmask \
			--dst $default_net/$default_nmask
		ipfwadm -F -d accept -S $ext_net/$ext_nmask -D $default_net/$default_nmask

		route del $default_net

		spi --edst $local_sg --spi 0x235 --del

		# return pathf
		spi --edst $remote_sg --spi 0x223 --del

Transform Examples

A number of different transforms can be used to provide the protection intended by the IPSEC protocol suite. All these examples are using transport mode, but the techniques are equally applicable to tunnel mode, adding the extra SA to the spigrp command as necessary.

Assumptions: Both machines have had networking set up and can pass packets.

Authentication

Authentication provides the service of guaranteeing the identity of the sender. It also provides protection against packet modification in transit. It does not hide data.

AH-MD5

Authentication Header, using Message Digest-5 can be used to authenticate the contents of the packet and the immutable or predictable parts of the IP header outside the Authentication Header with a 128-bit key.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --ah hmac-md5-96 \
			--authkey $authkey16

		# Return path
		spi --edst $local_sg --spi 0x235 --ah hmac-md5-96 \
			--authkey $authkey16

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

AH-SHA1

Authentication Header, using Secure Hash Algorithm-1 can be used to authenticate the contents of the packet and the immutable or predictable parts of the IP header outside the Authentication Header with a 160-bit key.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --ah hmac-sha1-96 \
			--authkey $authkey20

		# Return path
		spi --edst $local_sg --spi 0x235 --ah hmac-sha1-96 \
			--authkey $authkey20

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

ESP-NULL-MD5

Encapsulation Security Protocol, using the NULL transform with Secure Hash Algorithm-1 can be used to authenticate the contents of the packet only with a 160-bit key.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --esp null-md5-96 \
			--authkey $authkey20

		# Return path
		spi --edst $local_sg --spi 0x235 --esp null-md5-96 \
			--authkey $authkey20

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

Encryption

Encryption provides the service of data hiding using symmetric key methods.

ESP-3DES-MD5

Encapsulation Security Payload, using triple-Data Encryption Standard for encryption and Message Digest-5 can be used to hide the contents of the packet and authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 168-bit encryption key and a 128-bit authentication key.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

		# Return path
		spi --edst $local_sg --spi 0x235 --esp 3des-md5-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey16

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

ESP-3DES with AH-MD5

The combination of Encapsulation Security Payload, using triple-Data Encryption Standard for encryption with a 168-bit encryption key can be used to hide the contents of the packet with an external Authentication Header using Message Digest-5 can authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 128-bit authentication key.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --esp 3des \
			--iv $iv \
			--enckey $enckey24
		spi --edst $remote_sg --spi 0x226 --ah hmac-md5 \
			--authkey $authkey16

		spigrp $local_sg 0x225 \
			$local_sg 0x226

		# Return path
		spi --edst $local_sg --spi 0x235 --esp 3des \
			--iv $iv \
			--enckey $enckey24
		spi --edst $local_sg --spi 0x236 --ah hmac-md5 \
			--authkey $authkey16

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

ESP-DES-MD5

Encapsulation Security Payload, using Data Encryption Standard for encryption and Message Digest-5 can be used to hide the contents of the packet and authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 56-bit encryption key and a 128-bit authentication key.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --esp des-md5-96 \
			--iv $iv \
			--enckey $enckey8 \
			--authkey $authkey16

		# Return path
		spi --edst $local_sg --spi 0x235 --esp des-md5-96 \
			--iv $iv \
			--enckey $enckey8 \
			--authkey $authkey16

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

ESP-3DES-SHA1

Encapsulation Security Payload, using triple-Data Encryption Standard for encryption and Secure Hash Algorithm-1 can be used to hide the contents of the packet and authenticate both the contents of the packet and the immutable or predictable parts of the IP header outside the Encapsulation Security Payload with a 168-bit encryption key and a 160-bit authentication key.

Setup

		# forward path
		route del $remote_sg
		route add -host $remote_sg dev $ipsecdev gw $local_nexthop

		eroute --add --src $local_sg/$hmask \
			--dst $remote_sg/$hmask \
			--edst $remote_sg --spi 0x225
		spi --edst $remote_sg --spi 0x225 --esp 3des-sha1-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey20

		# Return path
		spi --edst $local_sg --spi 0x235 --esp 3des-sha1-96 \
			--iv $iv \
			--enckey $enckey24 \
			--authkey $authkey20

Delete

		# forward path
		spi --edst $remote_sg --spi 0x225 --del

		eroute --del --src $local_sg/$hmask --dst $remote_sg/$hmask

		route del $remote_sg

		# Return path
		spi --edst $local_sg --spi 0x235 --del

IPSEC Status

The files in /proc/net/ipsec_* will reveal the current status of the Klips subsystem. If they don't exist, then IPSEC is not available.

		cat /proc/net/ipsec_*