Gentoo Forums
Forum Index > Networking & Security

Securing 802.11 with racoon
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Sun Jun 13, 2004 10:48 am    Post subject: Securing 802.11 with racoon

Hi,

I am searching for a howto to secure my WLAN.

I found this great howto http://klake.org/~jt/tips/80211.html

but it is only for OpenBSD.


Does someone have a good howto for Linux + racoon + X.509?


Last edited by stream on Wed Jun 16, 2004 7:54 pm; edited 1 time in total
jmk
Tux's lil' helper
Joined: 07 Jul 2003
Posts: 130
Location: Stockholm

Posted: Sun Jun 13, 2004 3:48 pm

If it is setting up IPsec you are after, then have a look at http://www.ipsec-howto.org/. I have never set up IPsec on Linux myself, so I can't help you on that matter.

If you aren't too bothered about encrypting the IP traffic, you may just want to secure your WLAN with WEP and MAC filtering on the AP. It's not secure, but it keeps off the casual wardriver. :wink:
_________________
Adopt an unanswered post today.
Join the adopt an unanswered post initiative.
jmk
Tux's lil' helper
Joined: 07 Jul 2003
Posts: 130
Location: Stockholm

Posted: Sun Jun 13, 2004 3:50 pm

Sorry, didn't read your post properly. :oops:

Quote:
Does someone have a good howto for Linux + racoon + X.509?
I have to say no to that.
_________________
Adopt an unanswered post today.
Join the adopt an unanswered post initiative.
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Sun Jun 13, 2004 3:57 pm

OK.

Server IP: 192.168.1.1
Client IP: 192.168.1.5

The config for the server:

Code:

path certificate "/etc/certs";

remote anonymous {
        exchange_mode main;
        generate_policy on;
        passive on;
        certificate_type x509 "my_certificate.pem" "my_private_key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group modp1024;
        }
}


sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}



Config for the client:
Code:

path certificate "/etc/certs";

remote 192.168.1.1 {
        exchange_mode main;
        certificate_type x509 "my_certificate.pem" "my_private_key.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo address ???/24 any address ???/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}


Is a setkey config necessary?
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Mon Jun 14, 2004 2:11 pm

Can nobody help me? :cry:
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Wed Jun 16, 2004 8:55 am

^^
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Thu Jun 17, 2004 7:43 pm

...
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Sat Jun 19, 2004 7:33 am

:?:
primero.gentoo
Guru
Joined: 23 Dec 2003
Posts: 402

Posted: Sat Jun 19, 2004 12:11 pm

Ok, :twisted: :roll: :wink: :cry: :arrow: :idea: :idea: :?: :!:

Since you like emoticons, it seems.

First of all, I really don't think that my conf is "SECURE", but maybe it is something near.

To document myself I've used the links above in the thread, and also LARTC and the ipsec-tools mailing list on SourceForge. There is not much more documentation on the net about ipsec-tools and Linux... Ah, and the RFCs obviously, which are included in your ipsec-tools tar.gz.

Quote:

Is a setkey config necessary?


Sure.

The setkey configuration is used to set the IPsec policy. I've seen you used the generate_policy option in the racoon server configuration; I never used it, so I don't know if it can replace the setkey configuration.

I use this solution to get IPsec on my 802.11 WLAN:

setkey ipsec.conf:

Code:

#Sec policies

spdadd 192.168.100.2 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.100.2-192.168.100.1/require;

spdadd 0.0.0.0/0 192.168.100.2 any -P in ipsec esp/tunnel/192.168.100.1-192.168.100.2/require;



192.168.100.2 is the IP address of my wireless laptop. Here we say: everything from 192.168.100.2 to anywhere requires ESP encryption through the tunnel between (LAPTOP) 192.168.100.2 and (GW INTERFACE TO AP) 192.168.100.1, and vice versa.

The same ipsec.conf goes on the VPN GW, but with "in" and "out" reversed.

Then the racoon.conf on the client (laptop):

Code:

path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/racoon/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote 192.168.100.1
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "Zapata.public" "Zapata.private";
        peers_certfile "Shadow.public";
        #nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        #support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}


sainfo anonymous
{
        pfs_group 1;
        lifetime time 1 hour;
        encryption_algorithm twofish 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}



The first set of configuration is about Phase 1 = authentication of both users. You have to switch the certificate options to match the local and remote certificate. Obviously you need in your cert path both your public and private key and also the public key of the other host.

The second one is about IPsec Phase 2 = session key creation.

I have not gone too much in depth with ipsec-tools, since I reached what I needed and had other things to do, so my suggestion is to document yourself as much as you can... I don't know about a "sainfo" section that is not ANONYMOUS... This way you get an authentication section for each of your clients based on X.509 certificates and a shared Phase 2 section for all of them.

Hope I have helped you :)

bye
_________________
"Linux, the choice of a GNU generation"
==Micro$oft - just say NO==
(L#USER 353039)
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Thu Jun 24, 2004 9:46 am

Thanks.

Can you post your racoon.conf from the server? :wink:
primero.gentoo
Guru
Joined: 23 Dec 2003
Posts: 402

Posted: Thu Jun 24, 2004 9:50 pm

Yep :)

I'm not able to get to the server right now, but on it the conf is almost the same as the client one, except for the IP address in the "remote" section and for the certificate options, which need to be inverted: put the server certs in "certificate_type" and the client's public certificate in "peers_certfile".

Try it out.

Cheers ;)
_________________
"Linux, the choice of a GNU generation"
==Micro$oft - just say NO==
(L#USER 353039)
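The two posts above describe the laptop and gateway configs by hand: the same setkey policies with "in" and "out" reversed on the gateway, and the same racoon "remote" block with certificate_type and peers_certfile swapped. The script below is an added example (not code from the thread or from ipsec-tools) that derives both sides from one set of parameters and checks that the two SPDs are mirror images, so the ends cannot drift apart. The addresses and certificate file names are the ones posted in the thread; the helper names, the "spdflush;" line and the use of main mode are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: generate matching setkey SPD policies
# and racoon "remote" stanzas for both ends of the laptop <-> gateway tunnel.
# Helper names and the "spdflush;" line are assumptions of this example.

# spd_policy ROLE LAPTOP_IP GW_IP
# Prints the setkey SPD entries for ROLE (laptop or gateway).  The selectors
# and tunnel endpoints are identical on both sides; only the direction flips.
spd_policy() {
    role=$1; laptop=$2; gw=$3
    case $role in
    laptop)  out_dir=out; in_dir=in ;;
    gateway) out_dir=in;  in_dir=out ;;   # what the laptop sends arrives here
    *) echo "usage: spd_policy laptop|gateway LAPTOP_IP GW_IP" >&2; return 1 ;;
    esac
    echo "spdflush;"   # drop stale policies before loading the new ones
    # Everything from the laptop to anywhere must use the ESP tunnel laptop -> gw.
    echo "spdadd $laptop 0.0.0.0/0 any -P $out_dir ipsec esp/tunnel/$laptop-$gw/require;"
    # Everything from anywhere to the laptop must use the ESP tunnel gw -> laptop.
    echo "spdadd 0.0.0.0/0 $laptop any -P $in_dir ipsec esp/tunnel/$gw-$laptop/require;"
}

# tunnel_endpoints ROLE LAPTOP_IP GW_IP DIRECTION -> "src-dst" of that side's tunnel
tunnel_endpoints() {
    spd_policy "$1" "$2" "$3" | grep -- "-P $4 " | sed 's#.*esp/tunnel/\([^/]*\)/.*#\1#'
}

# policies_match LAPTOP_IP GW_IP
# Succeeds when each side's "out" tunnel is exactly the peer's "in" tunnel.
policies_match() {
    [ "$(tunnel_endpoints laptop "$1" "$2" out)" = "$(tunnel_endpoints gateway "$1" "$2" in)" ] &&
    [ "$(tunnel_endpoints gateway "$1" "$2" out)" = "$(tunnel_endpoints laptop "$1" "$2" in)" ]
}

# remote_stanza PEER_IP MY_CERT MY_KEY PEER_CERT
# racoon.conf "remote" block for one side; the other side swaps MY_CERT/MY_KEY
# with PEER_CERT and names this host as PEER_IP.
remote_stanza() {
    cat <<EOF
remote $1
{
        exchange_mode main;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "$2" "$3";
        peers_certfile "$4";
        verify_cert on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
EOF
}

# Demo with the thread's addresses and certificate names.
LAPTOP=192.168.100.2; GW=192.168.100.1
echo "# --- laptop: setkey ---";  spd_policy laptop  "$LAPTOP" "$GW"
echo "# --- gateway: setkey ---"; spd_policy gateway "$LAPTOP" "$GW"
echo "# --- laptop: racoon.conf remote ---";  remote_stanza "$GW" Zapata.public Zapata.private Shadow.public
echo "# --- gateway: racoon.conf remote ---"; remote_stanza "$LAPTOP" Shadow.public Shadow.private Zapata.public
policies_match "$LAPTOP" "$GW" && echo "# SPD entries on both sides are mirror images"
```

Feed each side's output to `setkey -f` and paste the stanza into that host's racoon.conf; the remaining global sections (path certificate, sainfo, timers) are the same on both ends, as the posts above say.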
stream
Guru
Joined: 04 Jan 2003
Posts: 401

Posted: Thu Jun 24, 2004 10:39 pm

OK...

Server and client racoon start, but I have a problem with the certificate.

I used this howto: http://www.ipsec-howto.org/x507.html

But it does not work.

Client log:
phase1 negotiation failed, failed to get private key

I found this post: http://www.kame.net/racoon/racoon-ml/msg00475.html

Code:
openssl rsa -in rechts.key -out rechts.decrypted.key

But then the server log:
unable to get local issuer certificate.
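The two log lines quoted in the post above come from the certificate directory, not from the IKE proposals: "failed to get private key" is what racoon reports when it cannot load the key (typically because it is passphrase-encrypted, which the kame post's openssl rsa command fixes), and "unable to get local issuer certificate" is OpenSSL's verification error when the issuing CA is not found in the "path certificate" directory, which racoon hands to OpenSSL as a hashed CA directory (so the CA needs its <hash>.0 name, as c_rehash creates). The script below is an added example (not from the thread or from ipsec-tools) that checks a certificate directory for both conditions before racoon is started. The demo CA, certificate and file names are constructed here; the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a racoon certificate
# directory for the two failures quoted above.  Assumptions: racoon cannot
# supply a passphrase for an encrypted private key, and with verify_cert it
# uses the "path certificate" directory as an OpenSSL hashed CA directory.
# Demo CA, certificate and file names are constructed for this example.

# check_racoon_certs CERTDIR CERT_FILE KEY_FILE -> prints findings, returns 0 when all pass
check_racoon_certs() {
    dir=$1; cert=$1/$2; key=$1/$3; rc=0

    # 1. The private key must load with no passphrase ("pass:" is the empty one).
    if openssl rsa -in "$key" -noout -passin pass: >/dev/null 2>&1; then
        echo "ok:   private key loads without a passphrase"
    else
        echo "FAIL: private key is encrypted or unreadable: $key"
        echo "      decrypt it with: openssl rsa -in $key -out $key.decrypted"
        rc=1
    fi

    # 2. The key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl rsa -in "$key" -pubout -passin pass: 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   certificate and private key match"
    else
        echo "FAIL: certificate $cert does not match key $key"
        rc=1
    fi

    # 3. The chain must verify with CERTDIR as the hashed CA directory, as racoon does.
    if openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1; then
        echo "ok:   issuer found in $dir, chain verifies"
    else
        echo "FAIL: unable to get local issuer certificate for $cert"
        echo "      copy the CA certificate into $dir and run: c_rehash $dir"
        rc=1
    fi
    return $rc
}

# make_demo_certs DIR: throwaway CA plus one signed certificate (constructed for the demo).
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo WLAN CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop" \
        -keyout "$1/laptop.key" -out "$1/laptop.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/laptop.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/laptop.pem" >/dev/null 2>&1
    # The subject-hash link that OpenSSL (and therefore racoon) uses to find the issuer.
    ln -s ca.pem "$1/$(openssl x509 -in "$1/ca.pem" -noout -hash).0"
}

DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR"
check_racoon_certs "$DEMO_DIR" laptop.pem laptop.key || echo "demo check reported a problem"
```

Run it against the real directory as `check_racoon_certs /etc/certs my_certificate.pem my_private_key.pem` on each host; on the server the same check against the client's public certificate is what verify_cert will do when the client connects.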
All times are GMT