LinuxTag2010-strongSwan

11.06.2010,LinuxTag2010-strongSwan.odp1LinuxTag2010BerlinstrongSwanNewsProf.Dr.AndreasSteffenandreas.steffen@strongswan.orgMartinWillimartin@strongswan.org11.06.2010,LinuxTag2010-strongSwan.odp2Agenda•WhatisstrongSwan?•News•HighAvailabilitysolutionusingClusterIP•VirtualIPpoolsandconfigattributesforIKEv1andIKEv2•KDE4NMPlasmaAppletandAndroidPort•Outlook•Sharingdaemonfunctionalitywithlibhydra:plutoinheritskernelnetlinkinterfaceanddynamicrouting•EAP-TLSsupportandprobablyEAP-PEAP,EAP-TTLS,EAP-FAST•NetworkEndpointAssessment(NEA,RFC5209)usingIKEv2EAPasatransportprotocol•Questionsanddiscussion11.06.2010,LinuxTag2010-strongSwan.odp3LinuxTag2010BerlinWhatisstrongSwan?11.06.2010,LinuxTag2010-strongSwan.odp4VPNUsageScenariosInternetHeadQuartersSubsidiary„RoadWarrior“VPNTunnelVPNTunnelVPNGateway11.22.33.44VPNGateway55.66.77.88VPNClient10.1.0.0/1610.2.0.0/1610.3.0.210.1.0.510.2.0.355.66.x.x●strongSwanisanInternetKeyExchangedaemonneededtoautomaticallysetupIPsec-basedVPNconnections.11.06.2010,LinuxTag2010-strongSwan.odp5TheFreeS/WANGenealogySuperFreeS/WAN2003X.5092.xPatchFreeS/WAN2.x1999FreeS/WAN1.xX.5091.xPatch2000Openswan1.x20042004strongSwan2.xOpenswan2.x2005ITAIKEv2Project2006strongSwan4.x2007IKEv1&IKEv2Openswan2.6.xIKEv1&partialIKEv211.06.2010,LinuxTag2010-strongSwan.odp6ThestrongSwanIKEDaemons●IKEv1-6messagesforIKESAPhase1MainMode-3messagesforIPsecSAPhase2QuickMode●IKEv2-4messagesforIKESAandfirstIPsecSAIKE_SA_INIT/IKE_AUTH-2messagesforeachadditionalIPsecSACREATE_CHILD_SArawsocketIKEv1IKEv2ipsecstarteripsecwhackipsecstrokecharonplutoLSFUDP/500socketnativeIPsecNetlinkXFRMsocketLinux2.6kernelipsec.confstrokesocketwhacksocket11.06.2010,LinuxTag2010-strongSwan.odp7LinuxTag2010BerlinSwansinaClusterstrongSwanHighAvailabilityImagebymozzercork@flickr|cc-by11.06.2010,LinuxTag2010-strongSwan.odp8●Failuredetection-Onpowerloss,hardwarefailures,kerneloopsordaemoncrashes,removenode●Statesynchronization-AlwayshaveIKE/IPsecstateofeverynodesyncedtoanother●Takeover-Detectnodefailurewithin1-3seconds●Transparentmigration-TCPorapplicationsessionsnotinterrupted●Loadsharing-Shareloadbetweenallnodes,noidlebackupnode●Reintegration-Integraterepairednodeintorunningcluster,takeoverload●Legacyclients-Noprotocolextension,anyclientbenefitsfromHAfunctionalityifconnectedtoaclusterRequirementsforaHASolution11.06.2010,LinuxTag2010-strongSwan.odp9corporatenetworkESP(spi,seq)ESP(spi,seq)statestatestatestateIKE(spis,seq)statestateclientserverIPsecandIKEState11.06.2010,LinuxTag2010-strongSwan.odp10corporatenetworkclientclusterNodeXNodeYAddingFailoverNode11.06.2010,LinuxTag2010-strongSwan.odp11corporatenetworkclientclusterNodeXNodeYFailover11.06.2010,LinuxTag2010-strongSwan.odp12corporatenetworkclientclusterSynchronizingState-IKE11.06.2010,LinuxTag2010-strongSwan.odp13corporatenetworkclientclusterswitchSynchronizingState–ESPOutgoing11.06.2010,LinuxTag2010-strongSwan.odp14corporatenetworkclientclusterSynchronizingState–ESPIncoming11.06.2010,LinuxTag2010-strongSwan.odp15corporatenetworkclusteralicebobGoingActive/Active–MultipleClients11.06.2010,LinuxTag2010-strongSwan.odp16corporatenetworkclientclusterswitchGoingActive/Active–SingleSA11.06.2010,LinuxTag2010-strongSwan.odp17NodeYNodeXswitchswitchvirtualexternalIPvirtualinternalIPinnerIPXinnerIPYSYNC/HBplaincrypt●2Nodes●4Segmentss(n=4)●Xserves1+2●Yserves3+4●Anti-reordermask:d=16●Segmentcalculationoutgoing:●s=hash(spi,ip)%n●Segmentcalculationincoming:●s=hash(spi,ip,seq/d)%n●SegmentcalculationIKE:●s=hash(ip)%n●SYNC:exchangeIKEstateusingUDPmessages,IPsecprotected●HB:Heartbeat,announcesservedsegmentsoutgoingincomingSetupwithSegmentation11.06.2010,LinuxTag2010-strongSwan.odp18EncryptDecryptAllESPINPUTDropXFRM_INESPinresp.XFRM_OUTPREROUTINGtagasunicastcryptplainseq++ESPoutresp.Drop●IntroducingtwonewNetfilterhooks●XFRM_IN:BeforeXFRMdecryption●XFRM_OUT:Afterpolicylookup,beforeencryption●FunctionalityimplementedinClusterIPIKEresp.KernelImplementation11.06.2010,LinuxTag2010-strongSwan.odp19LinuxTag2010BerlinVirtualIPAddressPools11.06.2010,LinuxTag2010-strongSwan.odp20VolatileRAM-basedIPAddressPoolsconnrw...right=%anyrightsourceip=10.3.0.0/24auto=add●Configurationinipsec.confipsecleasesLeasesinpool'rw',usage:2/255,2online10.3.0.2online'dave@strongswan.org'10.3.0.1online'carol@strongswan.org'●Statisticsconnrw1...right=%anyrightsourceip=%rwauto=add●Referencingandsharingavolatilepool11.06.2010,LinuxTag2010-strongSwan.odp21PersistantSQL-basedIPAddressPoolsI●SQLitedatabasetabledefinitions#/etc/strongswan.conf-strongSwanconfigurationfilelibhydra{plugins{attr-sql{database=sqlite:///etc/ipsec.d/ipsec.db}}}●ConnectingtotheSQLitedatabase●CreationofSQLitedatabasecat/etc/ipsec.d/table.sql|sqlite3/etc/ipsec.d/ipsec.db11.06.2010,LinuxTag2010-strongSwan.odp22PersistantSQL-basedIPAddressPoolsIIconnrw...right=%anyrightsourceip=%bigpoolauto=add●Configurationinipsec.confipsecpool–-statusnamestartendtimeoutsizeonlineusagebigpool10.3.0.110.3.