"AMB" group - информационная безопасность

| ua | ru | en |

:: IS Audit | IT Developments |

Creating virtual private network (VPN) based on the digital certificates Х.509 and protocol IPSec.

IPSec (VPN)

Internet provides the world with various informational services: starting with usual e-mail and finishing with e-commerce and critical business applications, where the information streams contain huge amount of confidential information. The necessity to protect this information when being transmitted via public and unprotected networks has led the information society to creating Virtual Private Networks (VPN). Security of VPN can be reached by using following mechanisms - tunneling, encryption, authentication, access management, and also by services used for traffic transmission via Internet or any other unprotected network based on TCP/IP protocols. IPSec – is one of the most important technologies for providing security, used in VPN.

Guarantees of data integrity and confidentiality in IPSec protocol are ensured by using authentication and encryption mechanisms. Using these mechanisms is based on preliminary agreement between the parties of information exchange, the so called "security context" – cryptographic algorithms, key information management algorithms, and parameters configuration of these algorithms.

The most reliable and effective method of applying IPSec is encryption with authentication by means of digital certificates X.509. In the picture below there is a scheme of receiving, exchange, and verification of the certificates when organizing a protected IPSec VPN channel.

Certificates issued by the CA «one-cons», can be easily used to build the protected channels (VPN) based on IPSec. Availability of digital certificates in the network equipment of the world leader Cisco Systems, Inc. is already realized by the manufacturer, and for the professionals it doesn’t present many difficulties.

Here is the sequence of the steps and fragments that illustrate receiving the result:

get authorized in CA;

R10(config)#crypto pki authenticate R10-CA
Trustpoint 'R10-CA' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: BD140FEC 7FADC878 CD8D1223 C651551A
Fingerprint SHA1: 3F598C48 C115A677 2BFABD6A C6B3D275 9D2360E3
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.

get the certificate for the router;

R10(config)#cry pki enroll R10-CA
% Start certificate enrollment ..

% The fully-qualified domain name in the certificate will be: R10.one.lan
% The subject name in the certificate will be: R10.one.lan
% The serial number in the certificate will be: B0EC7062
% The IP address in the certificate is 192.168.10.2
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto pki certificate' command will also show the fingerprint.
Aug 2 08:10:27.214: %SYS-5-CONFIG_I: Configured from console by avl on console
Aug 2 08:10:27.498: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 2ACC14E7 2F0575EA E42598CC 176E0D17
Aug 2 08:10:27.498: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: B48E990C 822D0A96 A27DCAC8 698EAB14 3B5A8E5A
Aug 2 08:10:29.869: CRYPTO_PKI: Encryption Certificate Request Fingerprint MD5: E09B44DF 69432935 BB1725E5 8735F562
Aug 2 08:10:29.869: CRYPTO_PKI: Encryption Certificate Request Fingerprint SHA1: 836A51A7 45EB7AAC E84B2B7E 73C3739A F3B086D7
Aug 2 08:10:32.424: %PKI-6-CERTRET: Certificate received from Certificate Authority
Aug 2 08:10:42.713: %PKI-6-CERTRET: Certificate received from Certificate Authority
Aug 2 08:10:42.713: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate

Switch on the encryption mode.

It is possible to view the received certificates with the command “show crypto ca certificates”:

R10#sh cry ca certificates

Certificate

Status: Available

Certificate Serial Number: 19D2391D00000000016A

Certificate Usage: General Purpose

Issuer:

cn=SubCA of one-cons Ltd.

dc=ca

dc=one

dc=liga-net

dc=org

Subject:

Name: R10.one.lan

IP Address: 192.168.10.2

Serial Number: B0EC7062

hostname=R10.one.lan

ipaddress=192.168.10.2

serialNumber=B0EC7062

CRL Distribution Points:

ldap://ca.one.liga-net.org/CN=SubCA%20of%20one-cons%20Ltd.,CN=one-ca,CN=CDP,CN=Public%20Key%20Services, CN=Services,CN=Configuration,DC=ca,DC=one,DC=liga-net, DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint

http://ca.one.liga-net.org/CertEnroll/SubCA%20of%20one-cons%20Ltd..crl

Validity Date:

start date: 12:10:16 UA Aug 2 2006

end date: 12:10:16 UA Aug 1 2008

Associated Trustpoints: R10-CA

CA Certificate

Status: Available

Certificate Serial Number: 617494C9000100000010

Certificate Usage: Signature

Issuer:

cn=Root Ca of one-cons Ltd.

dc=one

dc=liga-net

dc=org

Subject:

cn=SubCA of one-cons Ltd.

dc=ca

dc=one

dc=liga-net

dc=org

CRL Distribution Points:

http://ca.one.liga-net.org/CertEnroll/Root%20Ca%20of%20one-cons%20Ltd.(1).crl

Validity Date:

start date: 11:51:53 UA Nov 13 2004

end date: 12:01:53 UA Nov 13 2014

Associated Trustpoints: R10-CA

As it is seen from the list, the certificates needed for creating VPN based on IPSec (the root certificate and the certificate for the router) have been received.

To make sure that your traffic is encrypted after carrying out settings, it is enough to start the utility tcpdump on one of the gateways.

16:34:53.218250 IP 192.168.10.2.isakmp > 192.168.17.2.isakmp: isakmp: phase 1 I ident
16:34:53.251638 IP 192.168.17.2.isakmp > 192.168.10.2.isakmp: isakmp: phase 1 R ident
16:34:53.256342 IP 192.168.10.2.isakmp > 192.168.17.2.isakmp: isakmp: phase 1 I ident
16:34:53.289838 IP 192.168.17.2.isakmp > 192.168.10.2.isakmp: isakmp: phase 1 R ident
16:34:53.519041 IP 192.168.10.2.isakmp > 192.168.17.2.isakmp: isakmp: phase 1 I ident[E]
16:34:53.519056 IP 192.168.10.2 > 192.168.17.2: udp
16:34:53.691762 IP 192.168.17.2.isakmp > 192.168.10.2.isakmp: isakmp: phase 2/others R inf[E]
16:34:53.860920 IP 192.168.17.2.isakmp > 192.168.10.2.isakmp: isakmp: phase 1 R ident[E]
16:34:53.860926 IP 192.168.17.2 > 192.168.10.2: udp
16:34:53.914613 IP 192.168.10.2.53425 > 192.168.10.1.domain: 1+ A? ca.one.liga-net.org. (37)
16:34:53.915731 IP 192.168.10.2.53431 > 192.168.10.1.domain: 2+ A? ca.one.liga-net.org. (37)
16:34:54.798135 IP 192.168.10.1.domain > 192.168.10.2.53425: 1 2/3/0 CNAME[|domain]
16:34:54.798247 IP 192.168.10.1.domain > 192.168.10.2.53431: 2 2/3/0 CNAME[|domain]
16:34:54.800962 IP 192.168.10.2.21331 > one-ca.ca.one.liga-net.org.ldap: S 4221591914:4221591914(0) win 4128
16:34:54.802286 IP one-ca.ca.one.liga-net.org.ldap > 192.168.10.2.21331: S 1288039318:1288039318(0) ack 4221591915 win 16384
16:34:54.802826 IP 192.168.10.2.21389 > one-ca.ca.one.liga-net.org.http: S 3639528822:3639528822(0) win 4128
16:34:54.803084 IP one-ca.ca.one.liga-net.org.http > 192.168.10.2.21389: S 3375440584:3375440584(0) ack 3639528823 win 16384
16:34:54.803607 IP 192.168.10.2.21331 > one-ca.ca.one.liga-net.org.ldap: . ack 1 win 4128
16:34:54.804120 IP 192.168.10.2.21389 > one-ca.ca.one.liga-net.org.http: . ack 1 win 4128
16:34:54.804820 IP 192.168.10.2.21331 > one-ca.ca.one.liga-net.org.ldap: . 1:15(14) ack 1 win 4128
16:34:54.805827 IP 192.168.10.2.21389 > one-ca.ca.one.liga-net.org.http: . 1:95(94) ack 1 win 4128
16:34:54.878012 IP one-ca.ca.one.liga-net.org.http > 192.168.10.2.21389: . 1:537(536) ack 95 win 65441
16:34:54.878090 IP one-ca.ca.one.liga-net.org.http > 192.168.10.2.21389: . 537:1073(536) ack 95 win 65441
16:34:54.879733 IP 192.168.10.2.21389 > one-ca.ca.one.liga-net.org.http: . ack 1073 win 7464
16:34:54.880045 IP 192.168.10.2.21389 > one-ca.ca.one.liga-net.org.http: . ack 1073 win 8000
16:34:54.880067 IP one-ca.ca.one.liga-net.org.http > 192.168.10.2.21389: FP 1073:1481(408) ack 95 win 65441
16:34:54.881088 IP 192.168.10.2.21389 > one-ca.ca.one.liga-net.org.http: . ack 1482 win 8000
16:34:54.881949 IP 192.168.10.2.21389 > one-ca.ca.one.liga-net.org.http: FP 95:95(0) ack 1482 win 7592
16:34:54.882119 IP one-ca.ca.one.liga-net.org.http > 192.168.10.2.21389: . ack 96 win 65441
16:34:54.965537 IP 192.168.10.2.isakmp > 192.168.17.2.isakmp: isakmp: phase 2/others I oakley-quick[E]
16:34:54.974299 IP 192.168.17.2.isakmp > 192.168.10.2.isakmp: isakmp: phase 2/others R oakley-quick[E]
16:34:54.982984 IP 192.168.10.2.isakmp > 192.168.17.2.isakmp: isakmp: phase 2/others I oakley-quick[E]
16:34:55.009078 IP one-ca.ca.one.liga-net.org.ldap > 192.168.10.2.21331: . ack 15 win 65521

The fragment above shows that the processes of connection, key and certificate exchange, and certificate verification have been fulfilled successfully.

The fact, that your connection is really protected, is illustrated below:

16:34:55.213925 IP 192.168.10.2 > 192.168.17.2: ESP(spi=0x966f9b4a,seq=0x1)
16:34:55.215175 IP 192.168.17.2 > 192.168.10.2: ESP(spi=0xa496a63e,seq=0x1)
16:34:55.216533 IP 192.168.10.2 > 192.168.17.2: ESP(spi=0x966f9b4a,seq=0x2)
16:34:55.217719 IP 192.168.17.2 > 192.168.10.2: ESP(spi=0xa496a63e,seq=0x2)
16:34:55.219056 IP 192.168.10.2 > 192.168.17.2: ESP(spi=0x966f9b4a,seq=0x3)
16:34:55.220265 IP 192.168.17.2 > 192.168.10.2: ESP(spi=0xa496a63e,seq=0x3)
16:34:55.221622 IP 192.168.10.2 > 192.168.17.2: ESP(spi=0x966f9b4a,seq=0x4)
16:34:55.222800 IP 192.168.17.2 > 192.168.10.2: ESP(spi=0xa496a63e,seq=0x4)

Testing was realized on the Cisco Systems, Inc.equipment. The model of the router, that was used for testing is «Cisco 871 Security Bundle with Advanced IP Services».
Equipment for testing was kindly given by the company «MUK» (Merisel Ukraine).

:: IS Audit | IT Developments |