5
Feb

to IPComp or not to IPComp and…which Vendor

   Posted by: cristina_crow   in Uncategorized

It occurred to me today…how ’bout trying an IPcomp scenario? Of course, looking at RFC 3173, I was very excited about running a test and actually viewing Next Header / Protocol = 108, as the IETF guys say.

Basically, the “Compression” part of this IPsec traffic is negotiated just as  any other protocol: AH, ESP, EAP…via IKE, or manually configured on a device. Now…as I’ve got to devices….good question: _what_ device could I use if I want IPsec IPCompression?

Look at this: http://www.vpnc.org/vpnc-ipsec-features-chart.html. Scroll down to “Features (HTML table). The vendors that actually implement this, as per VPN Consortium (and for some of them I could tell you from direct experience), are CheckPoint, Cisco, McAfee, SafeNet, StoneSF and TeamF1. A bit disappointed that I didn’t have the opportunity of working on all of these devices, I am redirecting my attention to what I do have: a big, shiny and fluffy Debian, with Strongswan installed and xfrm module also on.

So, lets get down to business. I have taken the simplest scenario I could think of at the moment, a transport mode scenario, having as Initiator 192.168.0.10 and as Responder 192.168.0.1. These two hosts negotiate 3des-md5-dh2 algorithms, doing PSK authentication. No PFS, no other kinky stuff. Just basic IKEv2 negotiation. The Strongswan config is as simple as possible.

*Note 1 : on strongswan.org people say that IKEv2 does not support compression – I have run a test with IKEv2 and compression and it works very well :) But, in order to humor the strongswan guys, I have used IKEv1 in the following scenario

*Note 2 : in order to actually _see_ the encapsulated packets, I have used ESP-NULL Encryption for data encapsulation. Yes, I could have used a NetCocoon analyzer, but that – in the next episode :P

So: IKEv1, Transport mode, Main Mode, Null Encryption, ESP only, IP Comp:

config setup
plutostart=yes
charonstart=no
plutodebug=all
crlcheckinterval=180
strictcrlpolicy=no
# Add connections here.
conn %default
keyingtries=1
keyexchange=ikev1
authby=secret
mobike=no
pfs=no
type=transport
compress=yes
auto=start
ike=3des-md5-modp1024
esp=null-md5
leftfirewall=yes
rekey=yes
conn network1
left=192.168.0.1
right=192.168.0.10

# ipsec status
000 “network1″: 192.168.0.1[192.168.0.1]…192.168.0.10[192.168.0.10]; erouted; eroute owner: #3
000 “network1″:   newest ISAKMP SA: #2; newest IPsec SA: #3;
000
000 #3: “network1″ STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2488s; newest IPSEC; eroute owner
000 #3: “network1″ esp.525b0b48@192.168.0.10 (0 bytes) esp.5511d8c2@192.168.0.1 (0 bytes) comp.1169@192.168.0.10 comp.527e@192.168.0.1; transport
000 #2: “network1″ STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2488s; newest ISAKMP
000

Yes, it worked.

Now…I am not sure what exact compression algorithms this Strongswan daemon has, but I can tell you for sure it uses at least DEFLATE (  RFC 2394 ). Cisco on the other hand, uses only LZS (RFC 2395 ) – as far as I have seen – to be updated if anybody else tested it versus DEFLATE.
The process of actually obtaining this cute ESP packets is the following:
a. get the Data from the upper layers of the TCP stack – doh, we need data
b. compress the Data above using the chosen algorithm – you will notice the CPI – Compression Parameter Index – which has well know identifiers for the well known compression algorithms
c. set the Next Header value of the IPComp header to the layer 4 protocol (in this case, TCP)
d. encapsulate everything in ESP, put on the corresponding SPI, set the Next Header value of the ESP header to 108 (0x6c)
e. wrap it up in IP and… we are all set

— You can admire the ESP of IKEv1 in the screenshot attached


Now, what happens differently with IKEv2? I was telling you before the on Strongswan, IKEv2 and AH is a no-no for the moment, ESP with null encryption does a weird thinggie that vmp was so kind to point it out for me (while I was feeling actually quite happy about myself being able to do an IPComp test via IKEv1).
The thing is that, unlike the (correct) way of doing IPComp in IKEv1 (see the aboe a. to e. steps), IKEv2 implementation of Strongswan does a weird thing:
a. get the Data ..blah-blah
b. compress the Data with whatever compression algorithm and put on the IPComp header with CPI value and all
* c. put on another IP header (the internal one, in case of a tunnel mode scenario)
d. put on the ESP header
e. wrap everything up

— Unfortunately, you CANNOT admire the ESP of IKEV2 in a screenshot, because my current wireshark has no idea on how to do decompression of this type of packet. Once it does, I will update :)

Tags: , , , , , , , , , , , , ,

4 Comments
26
Jan

IPsec and ALMOST CheckPoint

   Posted by: cristina_crow   in Uncategorized

Recently I’ve had the opportunity of playing a bit with a CheckPoint UTM NGX R65 – ze mighty solution from the CheckPoint guys. Ignoring the obvious impediments (Romanian posts) I had when configuring the device from GUI, it left me a nice impression.

These guys are not quite the interop gurus ever, but they’ve strived to implement the crankiest drafts that ever appeared from IETF. Running this on the company I work for, interop even with this device worked well (so buy Ixia products if  you want IPsec testing :P ), but trying to make it work with Strongswan I’ve got into big trouble.

Why? Well, let’s take a look at the most common IPsec – IKEv1 implementations. They usually pick one/more of the following standards:

- RFC 2407

- RFC 2408

- RFC 2409

- RFC 3706 – should you like DPD – Dead Peer Detection

- RFC 3947 and RFC 3948 for NAT-T

- mode-cfg-02 draft – for the most common Mode-Configuration operations (perfectly inter-operable by Cisco, Juniper’s ScreenOS, Strongswan, Sonicwall, Stoke and Clavister) – as you may have guessed, NO, NOT with CheckPoint

- draft-beaulieu-ike-xauth-02 – for xAuth authentication of clients – inter-operable on Cisco, NetScreen, Stoke and Sonicwall (not sure about Clavister – haven’t tried it yet) – and, yes, not on CheckPoint

As a nice old guy would say: “Security through obscurity” , not quite my favorite idea of _security_. Still, a good to follow idea for CheckPoint. Why? Because, even though they implement the RFC 2407, 2408 and 2409, they have decided not to implement the most common xAuth draft (presented above), feeling that symmetrical authentication is just too lame, so they have implemented draft-zegman-ike-hybrid-auth-01, which defines how to do uni-directional independent authentication on the remote-access scenarios – procedure enforced by the CheckPoint VPN Client (only, if you ask me, though I haven’t tried too many others).

Once you bypass this authentication procedure, configuring the UTM to authenticate the clients using X.509 certificates, you end up in yet another dead-end: the so-called Office-Mode, which is the CheckPoint way of saying “Mode-Configuration”, with a significant difference: the actual packet exchange is not standard. We have tried, me and my programmer fellows (by the way: thanks for enduring this by my side), to “reverse-engineer” this mighty exchange, but even with the CheckPoint debug and hacking into our friend pluto, we didn’t manage to get it right.

I have talked to a tech-support guy from CKP, a very nice person, still incapable of saying anything about their solution without first asking for permission from his PM/Management/whatever. So, up until today, I haven’t been able to pull this through. This is why the things I’m going to describe below are only ALMOST CheckPoint IPsec…

Read the rest of this entry »

Tags: , , , , , , , , , , , , , , , , , , ,

4 Comments
6
Jan

manual …keying

   Posted by: cristina_crow   in Uncategorized

Everybody loves IPsec. It does a lot of cool stuff protecting our traffic from one side to another, it is fairly easy to understand the general concept, but quite difficult to actually implement in real-life, mostly because a lot of vendors have their own idea of usability and each one has its own idea of actually implementing those numerous standards. Some of them decide to implement drafts (see Cisco, see CheckPoint) and some of them implement their own “drafts” – which makes things even more interesting.

Some other vendors decide to overcome the entire negotiation fuss and use predefined keys for the IPsec traffic, bypassing all the IKE negotiation and using manual keying. Here we have Cisco, Juniper, Sonicwall or our lovely Linux solutions.

In order to manually configure IPsec, the admin alters the SAD (Security Association Database) and SPD(Security Policy Database) databases of the device/kernel. The SAD contains specific traffic transformations, like the encryption/authentication algorithms, while the SPD indicates the traffic selectors/proxy-ids for the traffic that is to be transformed by the stuff described in SAD and indexed by an SPI.

An SAD entry would include:

  • Dest IP address
  • Ipsec proto (SA or ESP)
  • SPI (cookie)
  • Sequnce counter
  • Seq O/F flag
  • anti-replay window info
  • AH type and info
  • ESP type and info
  • Lifetime info
  • tunnel/transport mode flags
  • PATH MTU info

An SPD entry would contain:

  • pointer to active SAs
  • Selector fields

***Let’s take a simple site-to-site tunnel mode case, where the security gateways are 2001::1 (local gateway) and 2001::2 (remote gateway) and the subnet behind the local gateway is 2002::/112 and the one behind the remote gateway is 2003::/112. As you can imagine, I want to encrypt traffic between 2002::/112 and 2003::/112 with aes-cbc, let’s say and authenticate it with hmac-md5.

In order to configure manual keying on linux, we need to have:

- xfrm modules in ze kernel:

xfrm4_mode_transport     1792  0

xfrm6_mode_transport     1792  0
xfrm6_mode_tunnel       2208  0
xfrm4_mode_tunnel       2304  0
xfrm_user              17856  0
xfrm4_tunnel            2304  0
tunnel4                 3016  1 xfrm4_tunnel
ipv6                  235396  33 ah6,esp6,xfrm6_mode_tunnel

- and a small script that instructs the kernel on how to populate those two databases:

ip xfrm state add src 2001:0::2 dst 2001:0::1 proto esp spi 0×1000 enc “cbc(aes)”  0x12345678abcdef12f4f71dbccd2c1b07bce4e63b4c315414  auth “hmac(md5)” 0x012345abd9abcdeff1e0d3c2b5a4909a

ip xfrm state add src 2001:0::1 dst 2001:0::2 proto esp spi 0×2000 enc “cbc(aes)” 0xf4f71123452c1b07bce4e63b4c31541d12345678abcdef12  auth “hmac(md5)” 0x912345abd9abcdeff1e0d3c2b5a49080

ip xfrm policy add dir in src 2003::/112 dst 2002::/112 tmpl src 2001:0::2 dst 2001:0::1 proto esp mode tunnel

ip xfrm policy add dir out src 2002::/112 dst 2003::/112 tmpl src 2001:0::1 dst 2001:0::2 proto esp mode tunnel

ip xfrm policy add dir fwd src 2003::/112 dst 2002::/112 tmpl src 2001:0::2 dst 2001:0::1 proto esp mode tunnel

—– Now we should be able to see that:
# ip xfrm state
src 2001::2 dst 2001::1
proto esp spi 0×00001000 reqid 0 mode transport
replay-window 0
auth hmac(md5) 0x012345abd9abcdeff1e0d3c2b5a4909a
enc cbc(aes) 0x12345678abcdef12f4f71dbccd2c1b07bce4e63b4c315414
sel src ::/0 dst ::/0
src 2001::1 dst 2001::2
proto esp spi 0×00002000 reqid 0 mode transport
replay-window 0
auth hmac(md5) 0x912345abd9abcdeff1e0d3c2b5a49080
enc cbc(aes) 0xf4f71123452c1b07bce4e63b4c31541d12345678abcdef12
sel src ::/0 dst ::/0
—–and
# ip xfrm policy
src 2003::/112 dst 2002::/112
dir in priority 0
tmpl src 2001::2 dst 2001::1
proto esp reqid 0 mode tunnel
src 2002::/112 dst 2003::/112
dir out priority 0
tmpl src 2001::1 dst 2001::2
proto esp reqid 0 mode tunnel
src 2003::/112 dst 2002::/112
dir fwd priority 0
tmpl src 2001::2 dst 2001::1
proto esp reqid 0 mode tunnel
—–to delete the rules simply run:
ip xfrm state flush
ip xfrm policy flush

When trying to do interop with…NetScreen, let’s say, bare in mind that this device only permits one key per connection, not as linux xfrm, which lets you select a key per direction. A NetScreen config would look something like this…
I have defined a tunnel.1 interface in the Untrust zone of the device and configured the ‘vpn’ objects like it follows (as you can see, no need for any ‘ike’ objects, as there is no IKE going on in there):
set vpn “IPv6_manual” id 0x1c1e manual 2000 2000 gateway 2001::10 outgoing-interface “ethernet2/2″  local-address “2001::1″  ah md5 key 0101010101010101,0101010101010101
—this populates the SAD of the NetScreen device, while this:

set policy id 7155 name “IPv6_TU_man” from “Trust” to “Untrust”  ”IPv6_Man2″ “IPv6_Man1″ “ANY” tunnel vpn “IPv6_manual”
set policy id 7155
exit
set policy id 15155 name “IPv6_UT_man” from “Untrust” to “Trust”  ”IPv6_Man1″ “IPv6_Man2″ “ANY” tunnel vpn “IPv6_manual”
set policy id 15155
exit
—populates the SPD of the device; of course, the IPv6_Man1 and IPv6_Man2 are names of the IPv6 interfaces (public and private, respectively)
And, as the keys are already into the device’s kernel, I can simply list them with a fairly nice command:
-> get sa active
00001c1e<        2001::10  500  ah:null/md5  00002000   n/a   n/a M/- 15155 0
00001c1e>        2001::10  500  ah:null/md5  00002000   n/a   n/a M/-  7155 0
Voila!

Tags: , , , , , ,

2 Comments
7
Dec

Slayer – Cult

   Posted by: cristina_crow   in Uncategorized

Cred ca de la CheckPoint mi se trage…si de la al lui “smart”dashboard:

YouTube Preview Image

Tot raul spre bine, am re-inceput sa ascult Slayer!

Oppression is the holy law
In God I distrust
In time His monuments will fall
Like ashes to dust
Is war and greed the masters plan?
The bible’s where it all began
Its propaganda sells despair
And spreads the virus everywhere

Religion is hate
Religion is fear
Religion is war
Religion is rape
Religion’s obscure
Religion’s a whore

Tags:

2 Comments
4
Dec

coerenta si uzabilitate

   Posted by: cristina_crow   in Uncategorized

Este vorba despre CheckPoint, care se “lauda” ca suporta Aggressive Mode. Eh, cand dau in el cu aggressive mode, face cale intoarsa si anunta glorios ca aggressive mode nu e compatibil cu IKE – adica, una din modalitatile de a face IKEv1 (proasta, cu probleme mari de securitate, dar, totusi, prezentata de RFC2408) se pare ca nu suporta IKE =))

Come on, people!!! Si ma gandesc ca oamenii _chiar_ cumpara crap-urile astea.

1_

2_

Tags: , ,

6 Comments
3
Dec

even CISCO is better!

   Posted by: cristina_crow   in Uncategorized

better than CheckPoint – I mean

Cel putin Cisco NU ARE ZECE MII de BUTOANE! Cum are CheckPoint-ul – 10000 de butoane, care pe unde, ca sa obtii un cacat de remote-access, trebuie sa setezi stuff prin cel putin 3 locuri, nu neaparat cele mai legate intre ele, ca sa nu mai zic de intuitive.

Pui interfete, faci politici, creezi grupuri de useri si….tadaaaam – poate ai fi vrut, in marea ta prostie de user inocent si docil sa creezi si USERI!!!! AAARRRSSSHHHHH Vrei Useri, adminule? Du-te si da acatiste! Nu avem useri! Desi meniul contextul de creat useri este disponibil, daca dai click pe el, nothing happens. Of course, nici mesaje de eroare nu sunt.

De ce dracu ar vrea un adminitrator sa creeze utilizatori dupa ce a creat un grup pentru utilizatori????? Se pare ca cei de la CheckPoint considera aceasta dorinta drept exagerata. Si nu, nici manualul celor de la Syngress nu e facut la modul “Hai sa-l ajutam pe  boul de admin sa priceapa de ce are available un meniu pe care daca da click nu se intampla nimic”

Saga continua. Pe zi ce trece incep sa cred ca monsieur e un erou din benzile desenate, de s-a putut juca cu aceasta jiganie certata cu intuitivitatea si adanc infratita cu un nepot al lui Bill Gates, care are schizofrenie si crede ca ideea de butoane din Geam este prea simplista si angelica si a pus in loc un miliard de butoane si butonashe si butonele taman bune de exasperat o fiinta angelica obisnuita sa editeze rapid un fisier ASCII si sa dea restart la un demon!!!

Tags: ,

3 Comments
30
Nov

inevitabilul

   Posted by: cristina_crow   in Uncategorized

Astazi s-a produs inevitabilul: a trebuit sa invat sa configurez IPsec pe CheckPoint.

Concluzia: it SUCKS!

Un GUI incalcit cu foaaaarte multe optiuni puse neintuitiv (dupa parerea mea de om care a mai configurat si NetScreen, Cisco, Sonicwall, Clavister si Stoke) – si foarte multe chestii proprietare.

Interesant e ca suporta niste feature-uri pe care le vad rar de tot, cum ar fi autentificare asimetrica sau hybrid XAuth sau lipsa unui model clar (afaik at the moment) de configurare al Identification type-ului, ceea ce mi-a placut la nebunie, dar mi-a pus probleme de interop cu alte device-uri. – probleme pe care inca nu le-am rezolvat in totalitate.

Una peste alta, daca nu era monsieur sa ma salveze, ma manca CheckPoint-ul mare si rau.

Tags: , , ,

No Comments
Back to top