Using Alpine on Windows domain with IPSEC isolation: Difference between revisions

From Alpine Linux
Latest revision as of 10:32, 17 November 2023

Note: ipsec-tools was dropped starting with Alpine v3.13

Based off Microsoft's document (https://web.archive.org/web/20090701095155/http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf).

Requirements

  1. IPSEC uses certificates to authenticate computers to each other. You'll need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This document outlines the way to do it with a certificate. PSK is just a few changes in the configuration.
  2. A computer to run Alpine on
  3. A couple of NICs, if you plan on making this the gateway that talks to the domain

Step by Step

  1. Install the newest version of Alpine.
  2. Configure it: keep one interface on the masqueraded (client) network and the other on the domain network. In this example 192.168.1.0/24 is the masqueraded network and 10.1.1.0/24 is the domain network.
  3. #setup-alpine
  4. Install the following packages: ipsec-tools-cvs, openssl, iptables
  5. Extract the certificate in parts. The cert given to you by the domain admin will most likely be a pfx file.
Extract the CA
* #openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem 
Extract the Key part of your cert
* #openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
Extract the Pub cert file
* #openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
If your admin gives you a p7b file, this most likely contains the CA chain. You have to convert it to pem file format and use it as DOMAIN-ca.pem
* #openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem
  6. Put these certs in /etc/racoon/
  7. This uses Authentication Header (AH) for domain isolation. The policy file below only covers port 3389 on one machine. The format of each policy line is
policy   src_net/mask[port] dst_net/mask[port] protocol   policy (direction, and the IPsec protocol/mode/level to apply)

The policy file below will do AH for just an rdesktop connection (terminal server)

* #vi /etc/ipsec.conf

 spdflush;
 # AH in transport mode, level "use": protect the traffic when an SA exists, otherwise pass it in clear
 spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;
 spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;

* #vi /etc/racoon/racoon.conf
 
path certificate "/etc/racoon/";

remote anonymous {
	exchange_mode main;
	# file names must match the ones written when extracting the pfx above
	certificate_type x509 "MY-cert.pem" "MY-key.pem";
	ca_type x509 "DOMAIN-ca.pem";
	#nat_traversal on; #this may not need to be used even if you are doing a router :). Have to research this.
	proposal {
		authentication_method rsasig;
		# 3des/sha1 as in the Microsoft interop document; prefer stronger algorithms where the domain policy allows them
		encryption_algorithm 3des;
		hash_algorithm sha1;
		dh_group 14;
	}
}

sainfo anonymous {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

* rc-service racoon start
* Get the masq working correctly
* #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
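The steps above, as an added shell script that is not part of the wiki page: it generalises the single port-3389 policy to any number of HOST:PORT services and checks that the certificate and key named in racoon.conf exist and belong together before the policies are loaded. It assumes ipsec-tools (setkey) and openssl are installed, and the service list is constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the wiki page. Generalises the single port-3389
# policy above to any number of HOST:PORT services and checks that the cert
# and key named in racoon.conf exist and belong together before loading.
# Assumes ipsec-tools (setkey) and openssl are installed; service list is constructed.

# Print an SPD that protects TCP to each HOST:PORT with AH (transport mode,
# level "use": protect when an SA exists, pass in clear otherwise).
spd_entries() {
    echo 'spdflush;'
    for svc in "$@"; do
        host=${svc%%:*}; port=${svc##*:}
        echo "spdadd 0.0.0.0/0 ${host}/32[${port}] tcp -P out ipsec ah/transport//use;"
        echo "spdadd ${host}/32[${port}] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;"
    done
}

# Extract the cert and key file names from the certificate_type line of a
# racoon.conf, e.g.: certificate_type x509 "MY-cert.pem" "MY-key.pem";
racoon_cert_files() {
    sed -n 's/^[[:space:]]*certificate_type x509 "\([^"]*\)" "\([^"]*\)";.*/\1 \2/p' "$1"
}

# Fail if either file is missing from the certificate path or if the key does
# not match the certificate (the usual cause is a typo in the extracted names).
check_racoon_certs() {
    conf=$1; dir=${2:-/etc/racoon}
    files=$(racoon_cert_files "$conf")
    cert=${files%% *}; key=${files##* }
    [ -n "$cert" ] && [ -n "$key" ] || { echo "no certificate_type x509 line in $conf" >&2; return 1; }
    for f in "$cert" "$key"; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    certpub=$(openssl x509 -in "$dir/$cert" -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/$key" -pubout)
    [ "$certpub" = "$keypub" ] || { echo "$cert and $key do not match" >&2; return 1; }
}

# Apply: write the SPD, verify the certificates, load the policies, show them.
apply_policy() {
    spd_entries 10.1.1.2:3389 10.1.1.2:25 > /etc/ipsec.conf   # constructed service list
    check_racoon_certs /etc/racoon/racoon.conf || return 1
    setkey -f /etc/ipsec.conf && setkey -DP
}

# Run as: sh ipsec-policy.sh apply
case "${1:-}" in apply) apply_policy ;; esac
```

Run it before rc-service racoon start; setkey -DP at the end shows the loaded policies so you can confirm the entries match the intended hosts and ports.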