|
OpenBSD Security Functionally paranoid! |
|
Thread Tools | Display Modes |
|
|||
I don't understand your question.
Sorry for my stupidity. |
|
||||
Hey s2scott I am in the middle of setting this up
I have x509 CERTIP auth setup (on my LAN from a lan server its default gateway - the OpenBSD firewall. I will be testing from the public Internet at the weekend), moving onto FQDN and User_FQDN next. Been basing my initial configs from this setup and migrating them to ipsec.conf instead of isakmpd.conf. Although I do believe that you are required to configure a isakmpd.policy for use with x509v3 CERTUFQDN properties. However I am not sure of this. It is quite surprising that the large majority of the documentation for cert based authentication is all around OpenBSD 3.8 and the use of certpatch. There are some guides that are more up to date but none of them document using USER_FQDN x509v3 certificate extensions. There is this guide which details the use of x509 USER_FQDN with OpenBSD using isakmpd.conf and isakmpd.policy. The plan is to evenaully be able to VPN back to home from anywhere with any OS as I have XP, Debian and FreeBSD on my two laptops from a wide range of Internet connections. After I get this done I will go one to setup OpenVPN and I also be following your wonderful guide on building an OpenSSH based VPN.
__________________
It was a new day yesterday, but it's an old day now. |
|
||||
Quote:
With openVPN, a pivotal decision you need to make is the server/gateway side "role." Is it one client to one gateway. Or is it many clients to one gateway. If your gateway is "personal," and it's one road-warrior connecting to the gateway, then openVPN is quick, easy and effective. If your gateway is "multi-user," and it's many road-warriors connecting to the gateway, then there is -- in all practical sense -- one true operating server-side configuration. This many-to-one use config, like most things worth doing well, is more complicated. It's not that it's especially "hard" as it is that it is a "layered" configuration. This many-to-one TLS server mode is available is the 2.0 version stream BUT IT'S VASTLY IMPROVED (read: works properly) IN THE RELEASE 2.1 version stream WITH MAJOR TLS FIXES IN RC7. I can't recommend strongly enough that you use the 2.1rc7 (or higher) for this mode. The "packages" branch is 2.1rc7 (as of this posting). The ports branch, at http://openports.se/net/openvpn, is 2.1rc13. /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience. |
|
||||
Quote:
Perhaps others here may know of one (or a good way of getting there from here). So, on that sweat-equity basis, depending on the importance of WIndows clients in your mix, the ssh route may not get you all the way across your goal(s) line. /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience. Last edited by s2scott; 26th November 2008 at 10:12 PM. |
|
||||
Since we're talking about ports and packages, I'll offer the following "food for thought."
It is contrary to good practice to install a development environment and tools on the perimeter gateway/firewall machine. If you need to "role your own," it's unwise to do the "rolling" on the bastion machine itself. When I have to do this, and the openVPN ports was such a case for me, I used VirtualBox (free) on another machine (Windows XP), created a 640MB RAM, 4GB disk virtual machine, installed a full-on version of openBSD into it, rolled the openVPN stuff and, then scp the results over to the bastion gateway. This keeps the bastion box clean and purpose-specific. The VirtualBox VM with the developer-wise openBSD instance can be stopped, started, or destroyed as needed. There are, of course, other VM engines, but VirtualBox is the one I like because it runs on both Solaris and Windows which are my two primary desktop O/S's. (let the this VM vs. that VM flame wars begin ). Good luck, /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience. |
|
|||||
Quote:
Quote:
This is mostly a learning excercise for the moment that I'll apply to enterprise requirements later on but for now I want to learn and occupy my time at night. Quote:
Quote:
Quote:
I've gotten x509 certs working authenticating using the IP address however I am having some difficulty with FQDN and x509 certificates. Firstly I don't plan to use USER_FQDN as I have read that the FQDN set in the x509 cert does not need to exist. When checking this field the FQDN does not need to resolve only that the cert property matches what the peer expected. ALL!! the documentation I have read thus far uses OpenBSD's old way of using isakmpd.conf and isakmpd.policy instead of isakmpd.policy and ipsec.conf. For FQDN stuff anyway. If you are to look at this guide http://www.bsdlover.cn/html/12/n-1912.html It has the following in /etc/ipsec.conf on OpenBSD ike esp from 192.168.1.0/24 to 192.168.0.0/24 peer 10.0.0.1 main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha2-256 enc blowfish group modp1024 This causes ipsec to authenticate the user based on the CERTIP (the default) if you want to use FQDN you have to specify a srcid and dstid for your local fqdn and the remote sites/clients FQDN based on what was applied in the certificate. ie..: (taken from OpenBSD isakmpd man page) Code:
For a FQDN certificate, do: # env CERTFQDN=somehost.somedomain openssl x509 -req \ -days 365 -in somehost.somedomain.csr \ -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \ -CAcreateserial -extfile /etc/ssl/x509v3.cnf \ -extensions x509v3_FQDN -out somehost.somedomain.crt Code:
path include "/usr/local/etc/racoon"; path certificate "/usr/local/etc/racoon/certs"; # "padding" defines some padding parameters. # You should not touch these. padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } listen { isakmp 10.0.0.1; } remote anonymous { exchange_mode main; doi ipsec_doi; situation identity_only; my_identifier asn1dn; certificate_type x509 "10.0.0.1.crt" "10.0.0.1.key"; peers_certfile x509 "10.0.0.2.crt"; nonce_size 16; initial_contact on; proposal_check obey; proposal { encryption_algorithm blowfish; hash_algorithm sha1; authentication_method rsasig; dh_group modp1024; } } sainfo anonymous { pfs_group modp1024; encryption_algorithm blowfish; authentication_algorithm hmac_sha256; compression_algorithm deflate; } The racoon manual page says the following: Code:
... my_identifier asn1dn [string]; The type is an ASN.1 distinguished name. If string is omitted, racoon(8) will get the DN from the Subject field in the certificate. ... peers_identifier idtype ...; Specifies the peer's identifier to be received. If it is not defined then racoon(8) will not verify the peer's identifier in ID payload transmitted from the peer. If it is defined, the behavior of the verification depends on the flag of verify_identifier. The usage of idtype is the same as my_identifier except that the individual com- ponent values of an asn1dn identifier may specified as * to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine"). Alternative acceptable peer identifiers may be specified by repeating the peers_identifier statement. Code:
$ openssl x509 -noout -text -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt Certificate: Data: Version: 3 (0x2) Serial Number: a3:93:db:ab:be:3d:a3:46 Signature Algorithm: md5WithRSAEncryption Issuer: C=IE, ST=Leinster, O=Konundrum, OU=CA, CN=dynamic_dns.fromdydyns.com/emailAddress=name@domainname.tld Validity Not Before: Nov 25 22:47:06 2008 GMT Not After : Nov 23 22:47:06 2018 GMT Subject: C=IE, ST=Leinster, O=Konundrum, OU=Road Warrior, CN=entity.domainname.tld/emailAddress=name@domainname.tld Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:93:9c:7b:7c:d7:e7:e7:5c:0d:a9:f0:e4:f7:ad: b5:73:44:98:51:a7:e4:77:39:33:c4:12:77:61:a3: 69:eb:f9:5c:5d:e0:52:b6:d5:a9:7d:49:63:cd:2b: a1:29:f1:44:6e:c3:61:57:76:89:2f:11:5c:58:ea: 29:9f:33:26:99:f1:f6:67:50:e0:c7:5e:0a:4f:d2: d7:66:d4:93:b4:79:79:00:52:50:55:cd:d2:f0:5f: 85:54:cb:52:d5:ac:73:c2:94:f0:01:5f:d6:98:fc: dd:ab:8d:db:7f:86:82:46:89:51:04:cc:8b:74:8a: 6a:62:a1:e2:ac:c5:41:62:f9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:entity.domainname.tld $ openssl x509 -noout -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt -subject subject= /C=IE/ST=Leinster/O=Konundrum/OU=Road Warrior/CN=entity.domainname.tld/emailAddress=christian_name@domainname.tld $ openssl asn1parse -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt <<<OUTPUT TRUNCATED>>> 518:d=4 hl=2 l= 31 cons: SEQUENCE 520:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name 525:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168214656E746974792E6B6F6E756E6472756D2E6F7267 551:d=1 hl=2 l= 13 cons: SEQUENCE 553:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption 564:d=2 hl=2 l= 0 prim: NULL 566:d=1 hl=3 l= 129 prim: BIT STRING s2scott thank you for your replies. They were most appreciated.
__________________
It was a new day yesterday, but it's an old day now. Last edited by schrodinger; 10th October 2009 at 04:35 PM. |
|
|||
identifier (user_)fqdn
Try:
my_identifier fqdn "enter_fqdn_here"; or for ufqdn: my_identifier user_fqdn "enter_ufqdn_here"; First one is running fine here, ufqdn strangely not, but i don't see any point in using it anyways, as the cert-fqdn don't gets verified by dns and imho there's no difference in using "username.domain.com" or "username@domain.com". Also the emailadress is included in its own field, or is this ment to always hold the email of the parent CA? ( think this would not make sense, thats why i'm using it for user-emailadresses and upto now it works fine). Somebody can shed some light whats the 'real' reason for using ufqdn? greets, cp |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
OpenBSD 4.6 i386 boot hangs with old gateway system - resolved | comet--berkeley | OpenBSD Installation and Upgrading | 6 | 22nd July 2011 08:15 AM |
mobile client to ipsec gateway | milo974 | OpenBSD Security | 8 | 22nd July 2009 05:19 AM |
Securing wifi networks with ipsec/ssh and openbsd | Oko | OpenBSD Security | 4 | 16th April 2009 07:32 AM |
Ipsec freebsd openbsd failure | kasse | OpenBSD General | 3 | 31st December 2008 01:42 AM |
IPsec on openbsd | hitete | OpenBSD Installation and Upgrading | 1 | 12th July 2008 01:57 AM |