
IPsec: Racoon vs Checkpoint

IPsec VPN experiment

After an experiment setting up an IPsec VPN link between a Linux box running racoon and a firewall appliance running Checkpoint software, I came to the following conclusion:

When the Checkpoint initiates an IPsec connection, it checks that its peer holds security association rules (in racoon terms, a sainfo block) for both directions of the flow, even if only one direction is ever used. A Linux box running racoon does not need that when it is the initiator: only the SA rule for the direction in which the connection is opened is required.

So, for a pure remote-maintenance VPN: you initiate a connection toward your client. Your Linux box opens the VPN tunnel by negotiating with the Checkpoint on the other side. In that case racoon only needs the SA rule matching the direction of the flow (unidirectional). In the opposite case, from the Checkpoint toward the Linux box, the Checkpoint requires the two SA rules covering both directions of the flow (as for bidirectional traffic), even though opening the tunnel logically needs only one (unidirectional flow).

Racoon parameters that work

With a pre-shared key in /etc/racoon/psk.conf (racoon's compiled-in default is /etc/racoon/psk.txt; another path is selected with the path pre_shared_key directive in racoon.conf; keep the file mode 0600, since racoon treats a key file readable by group or others as an error):

  • Phase 1 hash: sha1
  • Phase 1 encryption: 3des
  • Phase 1 DH group: 2
  • Phase 1 lifetime: 3600
  • Phase 2 hash: sha1
  • Phase 2 encryption: 3des
  • Phase 2 PFS: no
  • Phase 2 lifetime: 3600

Two caveats. First, the racoon.conf examples below set pfs_group 2 in their sainfo blocks, which makes racoon require PFS in phase 2 and contradicts "PFS: no" above; pick one and configure the Checkpoint the same way. Second, 3DES, SHA-1 and DH group 2 (1024-bit MODP) are the legacy settings that happened to interoperate here, not a recommendation: use AES, SHA-2 and DH group 14 or higher wherever the Checkpoint supports them.

Racoon configuration example

/etc/ipsec-tools.conf

Client (with Checkpoint) <-> Linux box (with racoon). In the files below, ipcheckpoint and iplinuxbox stand for the public addresses of the two gateways, 192.168.1.0/24 is the client network behind the Checkpoint and 10.100.1.0/24 the network behind the Linux box.

    # Inbound policy: traffic from the client network to ours must arrive in an ESP tunnel
    spdadd 192.168.1.0/24 10.100.1.0/24 any -P in ipsec esp/tunnel/ipcheckpoint-iplinuxbox/require;
    # Outbound policy: traffic from our network to the client network must leave in an ESP tunnel
    spdadd 10.100.1.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/iplinuxbox-ipcheckpoint/require;

/etc/racoon/racoon.conf

For unidirectional remote maintenance initiated from the racoon Linux box. Racoon is the initiator here, so a single sainfo block for the outbound flow is enough. The "#!/usr/sbin/setkey -f", "flush;" and "spdflush;" lines that were pasted at the top of this file are setkey directives: they belong in /etc/ipsec-tools.conf, not in racoon.conf (racoon will not parse them), so they are left out here.

    # Pre-shared keys, as listed above (racoon's compiled-in default is /etc/racoon/psk.txt)
    path pre_shared_key "/etc/racoon/psk.conf";

    # ipcheckpoint: public address of the Checkpoint gateway
    remote ipcheckpoint {
        exchange_mode main;
        passive off;                  # this side may initiate phase 1
        lifetime time 3600 sec;       # phase 1 lifetime from the parameter list above
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    # Outbound selector only (our network -> client network): all racoon needs when it initiates.
    # Note the prefix: the SPD above uses 192.168.1.0/24 while this sainfo says /25. Racoon matches
    # the sainfo selectors against the phase 2 identifiers, so the two must agree.
    sainfo address 10.100.1.0/24 any address 192.168.1.0/25 any {
        pfs_group 2;                  # makes racoon require PFS; remove it to match "PFS: no"
        lifetime time 3600 secs;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

/etc/racoon/racoon.conf

For unidirectional remote maintenance initiated from the Checkpoint. Racoon is now the responder and, as observed above, the Checkpoint expects SA rules for both directions, so a second sainfo block mirrors the first; the phase 1 block is unchanged. As in the previous file, the setkey header lines ("flush;", "spdflush;") belong in /etc/ipsec-tools.conf and are omitted here.

    path pre_shared_key "/etc/racoon/psk.conf";

    remote ipcheckpoint {
        exchange_mode main;
        passive off;                  # set to "on" if racoon should only ever answer, never initiate
        lifetime time 3600 sec;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    # Outbound selector (our network -> client network); same /24 vs /25 remark as above
    sainfo address 10.100.1.0/24 any address 192.168.1.0/25 any {
        pfs_group 2;                  # makes racoon require PFS; remove it to match "PFS: no"
        lifetime time 3600 secs;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    # Inbound selector (client network -> our network), required when the Checkpoint initiates.
    # The original had the "address" keyword misplaced ("... any 10.100.1.0/24 address any"); fixed here.
    sainfo address 192.168.1.0/25 any address 10.100.1.0/24 any {
        pfs_group 2;
        lifetime time 3600 secs;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
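To turn the two observations above into a check you can run before handing a tunnel over to a Checkpoint peer, here is a small lint script. It is added here and is not part of the original post or of the ipsec-tools project. It parses the spdadd lines of /etc/ipsec-tools.conf and the sainfo headers of racoon.conf and reports (a) an outbound policy with no mirrored inbound policy when the Checkpoint is the initiator, and (b) a policy with no sainfo whose selectors match it exactly, which is also how a /24 in the SPD against a /25 in the sainfo, as in the files above, surfaces. The matching rule it assumes (a sainfo is needed in the policy's own src/dst order, with an exact selector match, and only for the outbound flow when racoon initiates) is this post's finding, not a statement about every racoon version; the gateway addresses in the sample input are constructed documentation ranges.

```python
"""Lint an ipsec-tools SPD against racoon's sainfo blocks.

Added example, not from the original post: it encodes the post's finding that
racoon needs a sainfo only for the flow it initiates, whereas a tunnel the
Checkpoint initiates needs sainfo blocks for both directions, and it flags
selector mismatches between spdadd and sainfo lines (such as /24 vs /25).
Assumptions: a sainfo selector is written "address NET/PREFIX ul_proto" and
must equal the spdadd selector, in the same (src, dst) order as the policy.
"""
import re

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+[^;]+;"
)
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(?P<src>\S+)\s+\S+\s+address\s+(?P<dst>\S+)\s+\S+\s*\{"
)


def parse_spd(text):
    """Return (src, dst, direction) for each spdadd line of an ipsec-tools.conf."""
    return [(m["src"], m["dst"], m["dir"]) for m in SPDADD_RE.finditer(text)]


def parse_sainfo(text):
    """Return (src, dst) for each 'sainfo address ... address ... {' header in racoon.conf."""
    return [(m["src"], m["dst"]) for m in SAINFO_RE.finditer(text)]


def check(spd, sainfo, peer_initiates):
    """Return a list of findings; an empty list means the two files agree.

    peer_initiates=False: racoon opens the tunnel, so only 'out' policies need a sainfo.
    peer_initiates=True:  the Checkpoint opens it, so every policy needs a sainfo and
                          every 'out' policy needs the mirrored 'in' policy.
    """
    findings = []
    policies = set(spd)
    covered = set(sainfo)
    for src, dst, direction in spd:
        if peer_initiates and direction == "out" and (dst, src, "in") not in policies:
            findings.append(f"no 'in' policy for {dst} -> {src}; the Checkpoint expects both directions")
        if (direction == "out" or peer_initiates) and (src, dst) not in covered:
            findings.append(f"no sainfo for {src} -> {dst}; check that the prefix lengths match the spdadd line")
    return findings


def lint(spd_text, racoon_text, peer_initiates):
    """Convenience wrapper: lint raw file contents."""
    return check(parse_spd(spd_text), parse_sainfo(racoon_text), peer_initiates)


# Constructed sample input modelled on the post's files (gateway addresses are documentation ranges).
SPD = """
spdadd 192.168.1.0/24 10.100.1.0/24 any -P in ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.100.1.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
"""
SAINFO_OUT = """
sainfo address 10.100.1.0/24 any address 192.168.1.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
}
"""
SAINFO_BOTH = SAINFO_OUT + """
sainfo address 192.168.1.0/24 any address 10.100.1.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
}
"""
# Same single sainfo, but with the /25 typo from the post's racoon.conf
SAINFO_WRONG_PREFIX = SAINFO_OUT.replace("192.168.1.0/24", "192.168.1.0/25")

if __name__ == "__main__":
    cases = [
        ("racoon initiates, one sainfo", SAINFO_OUT, False),
        ("Checkpoint initiates, one sainfo", SAINFO_OUT, True),
        ("Checkpoint initiates, two sainfo", SAINFO_BOTH, True),
        ("racoon initiates, /25 vs /24", SAINFO_WRONG_PREFIX, False),
    ]
    for label, racoon_conf, peer in cases:
        print(f"{label}: {lint(SPD, racoon_conf, peer) or 'OK'}")
```

Run it against your real files with open("/etc/ipsec-tools.conf").read() and open("/etc/racoon/racoon.conf").read(); the second case reproduces the situation the post describes, a single sainfo that works when racoon initiates but leaves the Checkpoint-initiated direction uncovered.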

Further reading on racoon