IPsec, Racoon, setkey, Linux, Mikrotik, tunnel, transport and everything

It took me more than 6 months in order to sort all issues, so here are the experiences. Most of the trouble was because I didn’t knew or I didn’t had things clear in my mind.

I wanted to have IPsec communication between a bunch of servers and a home network. I believe that this includes almost all (if not all) the possible scenarios of IPsec so it’s more complicated than it sounds. For obvious reasons I’m presenting a simplified version here omitting all duplicates (i.e. multiple hosts with the same characteristics).

The network

We have the following nodes:

  • A network behind a DSL line (home network) (normal, home DSL line with non-static IP, with NAT)
  • A server (srv1) somewhere on the Internet with a static public IP address without NAT.
  • A server (srv2) in Amazon’s EC2 which has an allocated public IP address but uses local IP addresses and thus has NAT. Also Amazon doesn’t allow ESP and AH protocol to be carried by IP packets inside their network.

We also have the following systems:

  • Home network: A bunch of Linux boxes on a private network plus a mikrotik router
  • srv1 and srv2: Squeeze Debian Linux

The home network uses IP addresses from the network 10.1.0.0/16. A secondary prefix (10.5.0.0/16) is allocated for IPsec addressing only. All home nodes have addresses from the 10.1.0.0/16. Some nodes (including the servers) have addresses from 10.5.0.0/16.

Apart from the above there’s a custom CA setup which publishes certificates for all nodes.

The problem

Setup IPsec so that:

  • srv1 and srv2 can communicate with their public IP addresses with IPsec only
  • boxes on the home network can communicate both with srv1 and srv2 using IPsec

The setup

Since there are more than one boxes on the home network, the home network needs to be connected with tunneled IPsec to srv1 and srv2. srv1 and srv2 need to be connected with transport mode between them in order to encrypt communication that uses their public IP addresses.

We have setup the DSL router to forward everything to the mikrotik box (routerboard). This is usually referred as DMZ. By doing that it’s possible to avoid NAT in IPsec (i.e. UDP encapsulation).

The solution

Mikrotik

In short, Mikrotik’s IPsec works quite well and is easy to setup assuming that everything is correct. It is however harder to debug than Racoon. Here’s the setup:

  • Add an IP address from 10.5.0.0/16
  • Import the box’s certificate to the certificate storage, both certificate and public key are needed
  • Import CA’s and other boxes’ certificates to the certificate storage. Make sure you use sensible names to be able to look them up later.
  • Create a new proposal as follows:
    • Name: short (or pick something else)
    • Lifetime: 00:10:00 – This is essential in older to allow quick recovery when the IP address changes or racoon is restarted.
    • Pick your favorite values for everything else
  • Add two peers, one for each server:
    • srv1 (static public IP, no NAT):
      • Address: The public IP of srv1
      • Port: 500
      • Auth method: rsa signature
      • Certificate: Pick the local certificate (mikrotik’s)
      • Remote certificate: Pick the certificate of srv1
      • Exchange Mode: main
      • Select: Send Initial Contact
      • Nat Traversal: No
      • My ID User FQDN: Leave empty – isn’t needed
      • Proposal check: Claim (remember not to use similar or stricter on remote end)
      • Generate policy: No
      • Lifetime: 08:00:00
      • DPD Interval/Max failures: I use 10/3 but it doesn’t make a difference. See notes bellow
    • srv2 (static IP, public IP, with NAT): Use the same settings as with srv1
      • I didn’t use NAT but it may be worth testing it.
  • You need to add two policies per peer. One for each local source IP address range (10.1.0.0/16 and 10.5.0.0/16). So you will end up with 4 policies:
    • Src Address: 10.1.0.0/16 or 10.5.0.0/16
    • Dst Address: srv1’s or srv2’s public IP address
    • Src/Dst Port: Empty
    • Protocol: all (255)
    • Action: Encrypt
    • Level: Unique – very important
    • IPsec protocols: ESP
    • Tunnel: Yes
    • SA Src address: 0.0.0.0
    • SA Dst address: srv1’s or srv2’s IPsec IP address (i.e. allocated addresses from the 10.5.0.0/16)
    • Proposal: short (or whatever name you picked for the proposal you created)
  • Create a script named “ping-servers” (System -> Scripts) as follows:
    {
     :local servers
     :local locals
    
     :set servers {"10.5.1.11";"10.5.1.12"}
     :set locals {"10.1.1.1";"10.5.1.1"}
    
     foreach loc in=$locals do={
     foreach srv in=$servers do={
     put "ping $srv src-address=$loc count=1"
     ping $srv src-address=$loc count=1
     }
     }
    }

    servers is the list of server’s addresses from the 10.5.0.0/16 network and locals are local addresses to the mikrotik box, one for each of the two networks.

  • Schedule the script to be executed every minute (System -> Scheduler). This will keep the policies active and also reactivate them if they go down.

srv1 (static public IP, no NAT)

  • Put the following in /etc/ipsec-tools.d/srv2.conf:
    spdadd srv1public srv2public[500] udp -P out none;
    spdadd srv2public srv1public[500] udp -P in none;
    spdadd srv1public srv2public[4500] udp -P out none;
    spdadd srv2public srv1public[4500] udp -P in none;
    spdadd srv1public srv2public 50 -P out none;
    spdadd srv2public srv1public 50 -P in none;
    spdadd srv1public srv2public 51 -P out none;
    spdadd srv2public srv1public 51 -P in none;
    
    spdadd srv1public srv2public any -P out ipsec
            esp/transport/srv1public[4500]-srv2public[4500]/require ;
    
    spdadd srv2public srv1public any -P in ipsec
            esp/transport/srv2public[4500]-srv1public[4500]/require ;
  • Put the following in /etc/ipsec-tools.d/srv2-priv.conf. Somehow it is required in order to establish the IPsec connection when it’s triggered by srv2:
    spdadd srv1public srv2private[500] udp -P out none;
    spdadd srv2private srv1public[500] udp -P in none;
    spdadd srv1public srv2private[4500] udp -P out none;
    spdadd srv2private srv1public[4500] udp -P in none;
    spdadd srv1public srv2private 50 -P out none;
    spdadd srv2private srv1public 50 -P in none;
    spdadd srv1public srv2private 51 -P out none;
    spdadd srv2private srv1public 51 -P in none;
    
    spdadd srv1public srv2private any -P out ipsec
            esp/transport/srv1public[4500]-srv2private[4500]/require ;
    
    spdadd srv2private srv1public any -P in ipsec
            esp/transport/srv2private[4500]-srv1public[4500]/require ;
  • In the above, srv1public is the public static IP address of srv1, srv2public is the public static IP address of srv2 and srv2private is the private static IP address of srv2.
  • Setup racoon.conf’s section for srv2 and home as follows. Obviously you need to change to match your parameters:
    remote "srv2" {
     exchange_mode main,base;
     verify_identifier on;
     peers_identifier asn1dn "Common name of srv2's certificate";
     remote_address srv2public;
     verify_cert on;
     certificate_type x509 "srv1.crt" "srv1.key";
     ca_type x509 "cacert.pem";
     my_identifier asn1dn;
     lifetime time 24 hours;
     nat_traversal on;
     proposal {
      authentication_method rsasig;
      encryption_algorithm 3des;
      hash_algorithm md5;
      dh_group modp1024;
     }
     passive off;
     proposal_check obey;
     generate_policy off;
     dpd_delay 10;
     dpd_retry 10;
     dpd_maxfail 6;
     initial_contact on;
     ike_frag on;
    }
  • Setup racoon.conf’s section for the home network as follows:
    remote "home" {
     exchange_mode main,base;
     verify_identifier on;
     peers_identifier asn1dn "Common name of mikrotik's certificate ";
     verify_cert on;
     certificate_type x509 "srv1.crt" "srv1.key";
     ca_type x509 "cacert.pem";
     my_identifier asn1dn;
     nat_traversal off;
     proposal {
      authentication_method rsasig;
      encryption_algorithm 3des;
      hash_algorithm md5;
      dh_group modp1024;      # Group 2
     }
     passive on;
     proposal_check obey;
     generate_policy unique;
     dpd_delay 10;
     dpd_retry 10;
     dpd_maxfail 6;
     initial_contact on;
     ike_frag on;
    }
  • Notice the differences: passive should be on  for the home network since it’s not possible to trigger that without remote address.
  • Notice the generate_policy. It must be “unique” and not “on”. Otherwise only one policy per remote endpoint will be generated and will also cause problems when an SA becomes bad.
  • Setup the additional address to a loopback interface and not to a physical interface.
  • Add static routes for the two networks using the normal gateway and specifying the source IP address. Otherwise you will be using the tunnel with addresses that are not routed via the tunnel and are not protected by IPsec. Obviously this will prevent anything from working on top of IPsec. Surprisingly, this will work occasionally when the traffic is initiated by the remote end just because of the route cache. Your config can be added to the loopback interface as follows:
    auto lo:1
    iface lo:1 inet static
      address     10.5.1.12
      netmask     255.255.255.255
      up          ip route add 10.5.0.0/16 via <gw> src 10.5.1.12 || true
      up          ip route add 10.1.0.0/16 via <gw> src 10.5.1.12 || true
      down        ip route del 10.1.0.0/16 via <gw> src 10.5.1.12 || true
      down        ip route del 10.5.0.0/16 via <gw> src 10.5.1.12 || true

    where 10.5.1.12 is the address from the 10.5.0.0/16 network for srv1 and gw is the normal gateway of the server.

srv2 (static private IP, static public IP, NAT)

  • Setup the /etc/ipsec-tools.d/*.conf files in a similar way to the srv1’s. You will need an entry for both the private and the public address.
  • Setup racoon like srv1’s except from nat. You will have to set nat_traversal to on for srv1 and the home network.

The Hints / Lessons learned

  • Either test DPD (Dead Peer Detection) or don’t use it at all. It didn’t work for me at all.
  • You need to activate the policies from the home network’s side proactively for both the IPsec networks (10.1.0.0/16 and 10.5.0.0/16). Otherwise it will be impossible for the remote ends to connect to local hosts. This is easily done by setting up a ping to run every minute. You need one ping per source IP address using -I.
  • You need to exclude ISAKMP traffic (UDP ports 500 and 4500) from static IPsec policies or otherwise you will have problems since outgoing traffic will be encrypted and incoming traffic will be dropped if not encrypted, which causes huge issues when one end goes down and requires the IPsec SA to expire from both ends (or flushed) before working again.
  • If you have firewall rules make sure that you allow ISAKMP traffic and IPsec traffic (protocols 50 (esp) and 51 (ah))
  • If you get errors that say that a policy is not available then it is not available! I can’t stress this enough. While trying to make IPsec to work your brain will enter a bad state and it will start making mistakes. It’s extremely easy to confuse static IPsec rules. I’ve done all sorts of mistakes including (but not limited to): using the wrong direction (in/out), using the address of another server, using tunnel instead of transport (and vice versa), not including the port numbers for esp-udp (UDP encapsulation) mode, not using the .conf extensions for files under /etc/ipsec-tools.d/, etc. Here’s an example of that:
    Sep 27 15:02:04 srvX racoon: ERROR: no policy found: A.B.C.D/32[0] E.F.G.H/32[0] proto=any dir=in
    Sep 27 15:02:04 srvX racoon: ERROR: failed to get proposal for responder.
    Sep 27 15:02:04 srvX racoon: [I.J.K.L] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
  • When testing a connection from host A that has both the 10.1.1.1 and 10.5.1.1 addresses to host B with address 10.5.1.2 then you may not be able to ping from B to one of the A’s addresses. That’s because only one of the IPsec policies is activated. To activate both of them use -I parameter for ping:
    v13@hostA$ ping -I 10.1.1.1 10.5.1.2
    v13@hostA$ ping -I 10.5.1.1 10.5.1.2
  • Pay attention to routing. You need to use the proper source IP addresses.

Leave a Reply

Your email address will not be published. Required fields are marked *