DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th May 2008
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default openBSD IPSEC gateway w/WINDOWS XP roadwarrior

Does anyone have a working windows xp pro to openBSD gateway IPSEC configuration?

The isakmpd.conf, or an ipsec.conf, example(s) appreciated.

Thanks,
/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 12th September 2008 at 01:53 AM.
Reply With Quote
  #2   (View Single Post)  
Old 14th June 2008
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 121
Default

I don't understand your question.
Sorry for my stupidity.
Reply With Quote
  #3   (View Single Post)  
Old 25th November 2008
schrodinger's Avatar
schrodinger schrodinger is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Ireland
Posts: 69
Default

Hey s2scott I am in the middle of setting this up

I have x509 CERTIP auth setup (on my LAN from a lan server its default gateway - the OpenBSD firewall. I will be testing from the public Internet at the weekend), moving onto FQDN and User_FQDN next.

Been basing my initial configs from this setup and migrating them to ipsec.conf instead of isakmpd.conf. Although I do believe that you are required to configure a isakmpd.policy for use with x509v3 CERTUFQDN properties. However I am not sure of this. It is quite surprising that the large majority of the documentation for cert based authentication is all around OpenBSD 3.8 and the use of certpatch. There are some guides that are more up to date but none of them document using USER_FQDN x509v3 certificate extensions.

There is this guide which details the use of x509 USER_FQDN with OpenBSD using isakmpd.conf and isakmpd.policy.

The plan is to evenaully be able to VPN back to home from anywhere with any OS as I have XP, Debian and FreeBSD on my two laptops from a wide range of Internet connections.

After I get this done I will go one to setup OpenVPN and I also be following your wonderful guide on building an OpenSSH based VPN.
__________________
It was a new day yesterday, but it's an old day now.
Reply With Quote
  #4   (View Single Post)  
Old 26th November 2008
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

Quote:
Originally Posted by schrodinger View Post
...The plan is to eventuality be able to VPN back to home from anywhere with any OS as I have XP, Debian and FreeBSD on my two laptops from a wide range of Internet connections.
Given openBSD-as-the-gateway and a broad client-side O/S base, then, on both a sweat-equity basis (i.e. best return/outcome for your time) and a likihood of success, go openVPN.

With openVPN, a pivotal decision you need to make is the server/gateway side "role." Is it one client to one gateway. Or is it many clients to one gateway.

If your gateway is "personal," and it's one road-warrior connecting to the gateway, then openVPN is quick, easy and effective.

If your gateway is "multi-user," and it's many road-warriors connecting to the gateway, then there is -- in all practical sense -- one true operating server-side configuration. This many-to-one use config, like most things worth doing well, is more complicated. It's not that it's especially "hard" as it is that it is a "layered" configuration.

This many-to-one TLS server mode is available is the 2.0 version stream BUT IT'S VASTLY IMPROVED (read: works properly) IN THE RELEASE 2.1 version stream WITH MAJOR TLS FIXES IN RC7. I can't recommend strongly enough that you use the 2.1rc7 (or higher) for this mode. The "packages" branch is 2.1rc7 (as of this posting). The ports branch, at http://openports.se/net/openvpn, is 2.1rc13.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote
  #5   (View Single Post)  
Old 26th November 2008
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

Quote:
Originally Posted by schrodinger View Post
After I get this done I will go one to setup OpenVPN and I also be following your wonderful guide on building an OpenSSH based VPN.
If Windows-O/S clients are in your mix, then the shortfall you'll likely hit with an openSSH -w "VPN" is that there isn't a Windows O/S based ssh client with the "-w" feature (that I'm aware of as of this posting), unless you're willing and able to role your own (i.e. compile from source or port) or go a cygwin hybrid route.

Perhaps others here may know of one (or a good way of getting there from here).

So, on that sweat-equity basis, depending on the importance of WIndows clients in your mix, the ssh route may not get you all the way across your goal(s) line.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 26th November 2008 at 10:12 PM.
Reply With Quote
  #6   (View Single Post)  
Old 26th November 2008
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

Since we're talking about ports and packages, I'll offer the following "food for thought."

It is contrary to good practice to install a development environment and tools on the perimeter gateway/firewall machine. If you need to "role your own," it's unwise to do the "rolling" on the bastion machine itself.

When I have to do this, and the openVPN ports was such a case for me, I used VirtualBox (free) on another machine (Windows XP), created a 640MB RAM, 4GB disk virtual machine, installed a full-on version of openBSD into it, rolled the openVPN stuff and, then scp the results over to the bastion gateway.

This keeps the bastion box clean and purpose-specific.

The VirtualBox VM with the developer-wise openBSD instance can be stopped, started, or destroyed as needed.

There are, of course, other VM engines, but VirtualBox is the one I like because it runs on both Solaris and Windows which are my two primary desktop O/S's.

(let the this VM vs. that VM flame wars begin ).

Good luck,
/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote
  #7   (View Single Post)  
Old 27th November 2008
schrodinger's Avatar
schrodinger schrodinger is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Ireland
Posts: 69
Default

Quote:
Originally Posted by s2scott View Post
Given openBSD-as-the-gateway and a broad client-side O/S base, then, on both a sweat-equity basis (i.e. best return/outcome for your time) and a likihood of success, go openVPN.

With openVPN, a pivotal decision you need to make is the server/gateway side "role." Is it one client to one gateway. Or is it many clients to one gateway.

....
The primary concept for my idea is site to site VPN where "my" site is being connected to from other sites. And then as a remote access gateway to my LAN from multiple OS road warriors in different scenarios such as one where they are able to get IPSEC out and other where an SSL VPN would be there only option - for instances where they can't get out on all ports or protocols.

Quote:
Originally Posted by s2scott View Post
......
If your gateway is "personal," and it's one road-warrior connecting to the gateway, then openVPN is quick, easy and effective.

If your gateway is "multi-user," and it's many road-warriors connecting to the gateway, then there is -- in all practical sense -- one true operating server-side configuration. This many-to-one use config, like most things worth doing well, is more complicated. It's not that it's especially "hard" as it is that it is a "layered" configuration.

This many-to-one TLS server mode is available is the 2.0 version stream BUT IT'S VASTLY IMPROVED (read: works properly) IN THE RELEASE 2.1 version stream WITH MAJOR TLS FIXES IN RC7. I can't recommend strongly enough that you use the 2.1rc7 (or higher) for this mode. The "packages" branch is 2.1rc7 (as of this posting). The ports branch, at http://openports.se/net/openvpn, is 2.1rc13.

/S
I'll definitely be giving OpenVPN a go and as with most things i tend to go for the latest release possible - feature depending.

This is mostly a learning excercise for the moment that I'll apply to enterprise requirements later on but for now I want to learn and occupy my time at night.

Quote:
Originally Posted by s2scott View Post
If Windows-O/S clients are in your mix, then the shortfall you'll likely hit with an openSSH -w "VPN" is that there isn't a Windows O/S based ssh client with the "-w" feature (that I'm aware of as of this posting), unless you're willing and able to role your own (i.e. compile from source or port) or go a cygwin hybrid route.

Perhaps others here may know of one (or a good way of getting there from here).

So, on that sweat-equity basis, depending on the importance of WIndows clients in your mix, the ssh route may not get you all the way across your goal(s) line.

/S
There is no major importance for Windows clients in my setup but that is because I don't use Windows much The requirement to work with Windows is generally for enterprise application. But I already know withouth really looking too bar into it that OpenVPN will be the best bet. Although IPSEC with x509 certs shouldn't be too much hassle to setup. Even the Cisco and Sonicwall VPN clients work quite well and support certificate based authentication.

Quote:
Originally Posted by s2scott View Post
Since we're talking about ports and packages, I'll offer the following "food for thought."

It is contrary to good practice to install a development environment and tools on the perimeter gateway/firewall machine. If you need to "role your own," it's unwise to do the "rolling" on the bastion machine itself.

...
I couldn't agree more. I deploy a lot of firewall for clients and one of our main focusses in work is security. If i were ever deploying any of the solutions I document from my messing about they'd need to be hardened and well though out and tested for enterprise setups and requirements.

Quote:
Originally Posted by s2scott View Post
...
When I have to do this, and the openVPN ports was such a case for me, I used VirtualBox (free) on another machine (Windows XP), created a 640MB RAM, 4GB disk virtual machine, installed a full-on version of openBSD into it, rolled the openVPN stuff and, then scp the results over to the bastion gateway.

This keeps the bastion box clean and purpose-specific.

The VirtualBox VM with the developer-wise openBSD instance can be stopped, started, or destroyed as needed.

There are, of course, other VM engines, but VirtualBox is the one I like because it runs on both Solaris and Windows which are my two primary desktop O/S's.

(let the this VM vs. that VM flame wars begin ).

Good luck,
/S
I'm primarily doing all this at home for the moment purely so I don't mess up anything in work or with a customer plus I don't care if I keep completely changing my LANs topology.

I've gotten x509 certs working authenticating using the IP address however I am having some difficulty with FQDN and x509 certificates. Firstly I don't plan to use USER_FQDN as I have read that the FQDN set in the x509 cert does not need to exist. When checking this field the FQDN does not need to resolve only that the cert property matches what the peer expected.

ALL!! the documentation I have read thus far uses OpenBSD's old way of using isakmpd.conf and isakmpd.policy instead of isakmpd.policy and ipsec.conf. For FQDN stuff anyway.

If you are to look at this guide

http://www.bsdlover.cn/html/12/n-1912.html

It has the following in /etc/ipsec.conf on OpenBSD

ike esp from 192.168.1.0/24 to 192.168.0.0/24 peer 10.0.0.1
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024

This causes ipsec to authenticate the user based on the CERTIP (the default) if you want to use FQDN you have to specify a srcid and dstid for your local fqdn and the remote sites/clients FQDN based on what was applied in the certificate. ie..: (taken from OpenBSD isakmpd man page)

Code:
For a FQDN certificate, do:

                # env CERTFQDN=somehost.somedomain openssl x509 -req \
                        -days 365 -in somehost.somedomain.csr \
                        -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
                        -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
                        -extensions x509v3_FQDN -out somehost.somedomain.crt
Now when connecting with racoon you are supposed to use the following type of config.

Code:
path include "/usr/local/etc/racoon";
path certificate "/usr/local/etc/racoon/certs";

# "padding" defines some padding parameters.
# You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 10.0.0.1;
}

remote anonymous
{
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier asn1dn;
        certificate_type x509 "10.0.0.1.crt" "10.0.0.1.key";
        peers_certfile x509 "10.0.0.2.crt";

        nonce_size 16;
        initial_contact on;
        proposal_check obey;

        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous
{
        pfs_group modp1024;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
The line I have highlighted "my_identifier asn1dn;" is supposed to use the right identifier when connecting to the VPN. However this is where I am confused. How the whole fqdn is used by the local and remote peers.

The racoon manual page says the following:

Code:
...
                     my_identifier asn1dn [string];
                             The type is an ASN.1 distinguished name.  If
                             string is omitted, racoon(8) will get the DN from
                             the Subject field in the certificate.
...
             peers_identifier idtype ...;
                     Specifies the peer's identifier to be received.  If it is
                     not defined then racoon(8) will not verify the peer's
                     identifier in ID payload transmitted from the peer.  If
                     it is defined, the behavior of the verification depends
                     on the flag of verify_identifier.  The usage of idtype is
                     the same as my_identifier except that the individual com-
                     ponent values of an asn1dn identifier may specified as *
                     to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
                     Alternative acceptable peer identifiers may be specified
                     by repeating the peers_identifier statement.
But if asn1dn equates to the entire certificate Subject how does this match the FQDN when the FQDN saved to the certificate is an x509v3 subjectALTName extension???

Code:
$ openssl x509 -noout -text -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a3:93:db:ab:be:3d:a3:46
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IE, ST=Leinster, O=Konundrum, OU=CA, CN=dynamic_dns.fromdydyns.com/emailAddress=name@domainname.tld
        Validity
            Not Before: Nov 25 22:47:06 2008 GMT
            Not After : Nov 23 22:47:06 2018 GMT
        Subject: C=IE, ST=Leinster, O=Konundrum, OU=Road Warrior, CN=entity.domainname.tld/emailAddress=name@domainname.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:93:9c:7b:7c:d7:e7:e7:5c:0d:a9:f0:e4:f7:ad:
                    b5:73:44:98:51:a7:e4:77:39:33:c4:12:77:61:a3:
                    69:eb:f9:5c:5d:e0:52:b6:d5:a9:7d:49:63:cd:2b:
                    a1:29:f1:44:6e:c3:61:57:76:89:2f:11:5c:58:ea:
                    29:9f:33:26:99:f1:f6:67:50:e0:c7:5e:0a:4f:d2:
                    d7:66:d4:93:b4:79:79:00:52:50:55:cd:d2:f0:5f:
                    85:54:cb:52:d5:ac:73:c2:94:f0:01:5f:d6:98:fc:
                    dd:ab:8d:db:7f:86:82:46:89:51:04:cc:8b:74:8a:
                    6a:62:a1:e2:ac:c5:41:62:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:entity.domainname.tld

$ openssl x509 -noout -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt -subject
subject= /C=IE/ST=Leinster/O=Konundrum/OU=Road Warrior/CN=entity.domainname.tld/emailAddress=christian_name@domainname.tld

$ openssl asn1parse -in /usr/local/etc/racoon/certs/entity.domainname.tld.crt
<<<OUTPUT TRUNCATED>>>

  518:d=4  hl=2 l=  31 cons: SEQUENCE          
  520:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
  525:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168214656E746974792E6B6F6E756E6472756D2E6F7267
  551:d=1  hl=2 l=  13 cons: SEQUENCE          
  553:d=2  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption
  564:d=2  hl=2 l=   0 prim: NULL              
  566:d=1  hl=3 l= 129 prim: BIT STRING
All the data is there but I can't sem to get the config right. I can provide all the configs and cert if anyone can help....

s2scott thank you for your replies. They were most appreciated.
__________________
It was a new day yesterday, but it's an old day now.

Last edited by schrodinger; 10th October 2009 at 04:35 PM.
Reply With Quote
  #8   (View Single Post)  
Old 13th January 2009
cpbone cpbone is offline
New User
 
Join Date: Jan 2009
Posts: 1
Default identifier (user_)fqdn

Try:
my_identifier fqdn "enter_fqdn_here";

or for ufqdn:
my_identifier user_fqdn "enter_ufqdn_here";

First one is running fine here, ufqdn strangely not, but i don't see any point in using it anyways, as the cert-fqdn don't gets verified by dns and imho there's no difference in using "username.domain.com" or "username@domain.com". Also the emailadress is included in its own field, or is this ment to always hold the email of the parent CA? ( think this would not make sense, thats why i'm using it for user-emailadresses and upto now it works fine).

Somebody can shed some light whats the 'real' reason for using ufqdn?

greets, cp
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD 4.6 i386 boot hangs with old gateway system - resolved comet--berkeley OpenBSD Installation and Upgrading 6 22nd July 2011 08:15 AM
mobile client to ipsec gateway milo974 OpenBSD Security 8 22nd July 2009 05:19 AM
Securing wifi networks with ipsec/ssh and openbsd Oko OpenBSD Security 4 16th April 2009 07:32 AM
Ipsec freebsd openbsd failure kasse OpenBSD General 3 31st December 2008 01:42 AM
IPsec on openbsd hitete OpenBSD Installation and Upgrading 1 12th July 2008 01:57 AM


All times are GMT. The time now is 10:11 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick