View Single Post
  #7   (View Single Post)  
Old 27th November 2008
schrodinger's Avatar
schrodinger schrodinger is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Ireland
Posts: 69
Default

Quote:
Originally Posted by s2scott View Post
Given openBSD-as-the-gateway and a broad client-side O/S base, then, on both a sweat-equity basis (i.e. best return/outcome for your time) and a likihood of success, go openVPN.

With openVPN, a pivotal decision you need to make is the server/gateway side "role." Is it one client to one gateway. Or is it many clients to one gateway.

....
The primary concept for my idea is site to site VPN where "my" site is being connected to from other sites. And then as a remote access gateway to my LAN from multiple OS road warriors in different scenarios such as one where they are able to get IPSEC out and other where an SSL VPN would be there only option - for instances where they can't get out on all ports or protocols.

Quote:
Originally Posted by s2scott View Post
......
If your gateway is "personal," and it's one road-warrior connecting to the gateway, then openVPN is quick, easy and effective.

If your gateway is "multi-user," and it's many road-warriors connecting to the gateway, then there is -- in all practical sense -- one true operating server-side configuration. This many-to-one use config, like most things worth doing well, is more complicated. It's not that it's especially "hard" as it is that it is a "layered" configuration.

This many-to-one TLS server mode is available is the 2.0 version stream BUT IT'S VASTLY IMPROVED (read: works properly) IN THE RELEASE 2.1 version stream WITH MAJOR TLS FIXES IN RC7. I can't recommend strongly enough that you use the 2.1rc7 (or higher) for this mode. The "packages" branch is 2.1rc7 (as of this posting). The ports branch, at http://openports.se/net/openvpn, is 2.1rc13.

/S
I'll definitely be giving OpenVPN a go and as with most things i tend to go for the latest release possible - feature depending.

This is mostly a learning excercise for the moment that I'll apply to enterprise requirements later on but for now I want to learn and occupy my time at night.

Quote:
Originally Posted by s2scott View Post
If Windows-O/S clients are in your mix, then the shortfall you'll likely hit with an openSSH -w "VPN" is that there isn't a Windows O/S based ssh client with the "-w" feature (that I'm aware of as of this posting), unless you're willing and able to role your own (i.e. compile from source or port) or go a cygwin hybrid route.

Perhaps others here may know of one (or a good way of getting there from here).

So, on that sweat-equity basis, depending on the importance of WIndows clients in your mix, the ssh route may not get you all the way across your goal(s) line.

/S
There is no major importance for Windows clients in my setup but that is because I don't use Windows much The requirement to work with Windows is generally for enterprise application. But I already know withouth really looking too bar into it that OpenVPN will be the best bet. Although IPSEC with x509 certs shouldn't be too much hassle to setup. Even the Cisco and Sonicwall VPN clients work quite well and support certificate based authentication.

Quote:
Originally Posted by s2scott View Post
Since we're talking about ports and packages, I'll offer the following "food for thought."

It is contrary to good practice to install a development environment and tools on the perimeter gateway/firewall machine. If you need to "role your own," it's unwise to do the "rolling" on the bastion machine itself.

...
I couldn't agree more. I deploy a lot of firewall for clients and one of our main focusses in work is security. If i were ever deploying any of the solutions I document from my messing about they'd need to be hardened and well though out and tested for enterprise setups and requirements.

Quote:
Originally Posted by s2scott View Post
...
When I have to do this, and the openVPN ports was such a case for me, I used VirtualBox (free) on another machine (Windows XP), created a 640MB RAM, 4GB disk virtual machine, installed a full-on version of openBSD into it, rolled the openVPN stuff and, then scp the results over to the bastion gateway.

This keeps the bastion box clean and purpose-specific.

The VirtualBox VM with the developer-wise openBSD instance can be stopped, started, or destroyed as needed.

There are, of course, other VM engines, but VirtualBox is the one I like because it runs on both Solaris and Windows which are my two primary desktop O/S's.

(let the this VM vs. that VM flame wars begin ).

Good luck,
/S
I'm primarily doing all this at home for the moment purely so I don't mess up anything in work or with a customer plus I don't care if I keep completely changing my LANs topology.

I've gotten x509 certs working authenticating using the IP address however I am having some difficulty with FQDN and x509 certificates. Firstly I don't plan to use USER_FQDN as I have read that the FQDN set in the x509 cert does not need to exist. When checking this field the FQDN does not need to resolve only that the cert property matches what the peer expected.

ALL!! the documentation I have read thus far uses OpenBSD's old way of using isakmpd.conf and isakmpd.policy instead of isakmpd.policy and ipsec.conf. For FQDN stuff anyway.

If you are to look at this guide

http://www.bsdlover.cn/html/12/n-1912.html

It has the following in /etc/ipsec.conf on OpenBSD

ike esp from 192.168.1.0/24 to 192.168.0.0/24 peer 10.0.0.1
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024

This causes ipsec to authenticate the user based on the CERTIP (the default) if you want to use FQDN you have to specify a srcid and dstid for your local fqdn and the remote sites/clients FQDN based on what was applied in the certificate. ie..: (taken from OpenBSD isakmpd man page)

Code:
For a FQDN certificate, do:

                # env CERTFQDN=somehost.somedomain openssl x509 -req \
                        -days 365 -in somehost.somedomain.csr \
                        -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
                        -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
                        -extensions x509v3_FQDN -out somehost.somedomain.crt
Now when connecting with racoon you are supposed to use the following type of config.

Code:
path include "/usr/local/etc/racoon";
path certificate "/usr/local/etc/racoon/certs";

# "padding" defines some padding parameters.
# You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 10.0.0.1;
}

remote anonymous
{
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier asn1dn;
        certificate_type x509 "10.0.0.1.crt" "10.0.0.1.key";
        peers_certfile x509 "10.0.0.2.crt";

        nonce_size 16;
        initial_contact on;
        proposal_check obey;

        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous
{
        pfs_group modp1024;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
The line I have highlighted "my_identifier asn1dn;" is supposed to use the right identifier when connecting to the VPN. However this is where I am confused. How the whole fqdn is used by the local and remote peers.

The racoon manual page says the following:

Code:
...
                     my_identifier asn1dn [string];
                             The type is an ASN.1 distinguished name.  If
                             string is omitted, racoon(8) will get the DN from
                             the Subject field in the certificate.
...
             peers_identifier idtype ...;
                     Specifies the peer's identifier to be received.  If it is
                     not defined then racoon(8) will not verify the peer's
                     identifier in ID payload transmitted from the peer.  If
                     it is defined, the behavior of the verification depends
                     on the flag of verify_identifier.  The usage of idtype is
                     the same as my_identifier except that the individual com-
                     ponent values of an asn1dn identifier may specified as *
                     to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
                     Alternative acceptable peer identifiers may be specified
                     by repeating the peers_identifier statement.
But if asn1dn equates to the entire certificate Subject how does this match the FQDN when the FQDN saved to the certificate is an x509v3 subjectALTName extension???

Code:
$ openssl x509 -noout -text -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a3:93:db:ab:be:3d:a3:46
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IE, ST=Leinster, O=Konundrum, OU=CA, CN=dynamic_dns.fromdydyns.com/emailAddress=name@domainname.tld
        Validity
            Not Before: Nov 25 22:47:06 2008 GMT
            Not After : Nov 23 22:47:06 2018 GMT
        Subject: C=IE, ST=Leinster, O=Konundrum, OU=Road Warrior, CN=entity.domainname.tld/emailAddress=name@domainname.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:93:9c:7b:7c:d7:e7:e7:5c:0d:a9:f0:e4:f7:ad:
                    b5:73:44:98:51:a7:e4:77:39:33:c4:12:77:61:a3:
                    69:eb:f9:5c:5d:e0:52:b6:d5:a9:7d:49:63:cd:2b:
                    a1:29:f1:44:6e:c3:61:57:76:89:2f:11:5c:58:ea:
                    29:9f:33:26:99:f1:f6:67:50:e0:c7:5e:0a:4f:d2:
                    d7:66:d4:93:b4:79:79:00:52:50:55:cd:d2:f0:5f:
                    85:54:cb:52:d5:ac:73:c2:94:f0:01:5f:d6:98:fc:
                    dd:ab:8d:db:7f:86:82:46:89:51:04:cc:8b:74:8a:
                    6a:62:a1:e2:ac:c5:41:62:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:entity.domainname.tld

$ openssl x509 -noout -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt -subject
subject= /C=IE/ST=Leinster/O=Konundrum/OU=Road Warrior/CN=entity.domainname.tld/emailAddress=christian_name@domainname.tld

$ openssl asn1parse -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt
<<<OUTPUT TRUNCATED>>>

  518:d=4  hl=2 l=  31 cons: SEQUENCE          
  520:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
  525:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168214656E746974792E6B6F6E756E6472756D2E6F7267
  551:d=1  hl=2 l=  13 cons: SEQUENCE          
  553:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
  564:d=2  hl=2 l=   0 prim: NULL              
  566:d=1  hl=3 l= 129 prim: BIT STRING
All the data is there but I can't sem to get the config right. I can provide all the configs and cert if anyone can help....

s2scott thank you for your replies. They were most appreciated.
__________________
It was a new day yesterday, but it's an old day now.

Last edited by schrodinger; 10th October 2009 at 04:35 PM.
Reply With Quote