Using Alpine on Windows domain with IPSEC isolation: Difference between revisions
Revision as of 22:54, 15 October 2008
Based on Microsoft's IPsec interoperability document: http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf
Things needed
- IKE (racoon) authenticates the two computers to each other with either X.509 certificates or a pre-shared key (PSK). Get a machine certificate, or the PSK, from the Domain Admin before proceeding. This page does it with a certificate; PSK is just a few changes in racoon.conf.
- A computer to run Alpine.
- A couple of NICs, if you plan on making this machine the gateway between your other computers and the domain.
Step by Step
- Install the latest version of Alpine.
- Configure it: run setup-alpine as root. Keep one interface for the masqueraded side and the other on the domain network; in this page 192.168.1.0/24 is the masqueraded network and 10.1.1.0/24 is the domain network.
- Install the following packages: ipsec-tools-cvs, openssl, iptables.
- Extract the certificate in parts. The cert given to you by the domain admin will most likely be a PFX (PKCS#12) file, which holds your certificate, its private key and usually the CA chain. The following commands split it up:
Extract the CA
* openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem
Extract the key part of your cert (-nodes writes the key unencrypted, which racoon needs in order to read it at boot, so keep the file readable by root only)
* openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
Extract the public cert file
* openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
If your admin gives you a p7b file instead, it most likely contains the CA chain; convert it to PEM and use that as DOMAIN-ca.pem. Use -inform PEM if the file is Base64 text rather than binary DER. -text adds a readable dump in front of each certificate; racoon only reads the PEM blocks, so it does no harm.
* openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem
- Put these three files in /etc/racoon/ and chmod 600 MY-key.pem. The file names used here must be exactly the ones referenced in racoon.conf below.
- This is for Authentication Header (AH) in domain isolation. The policy file below covers only TCP port 3389 (rdesktop / terminal server) on one domain host. Each setkey policy line has the format:
spdadd src_net/mask[port] dst_net/mask[port] protocol -P direction ipsec protocol/mode/src-dst/level;
The level decides what happens when no SA can be negotiated with the peer: "use" (as below) lets the traffic through in the clear, "require" drops it. Start with "use" to get the negotiation working, then tighten to "require" once the Windows hosts are answering.
Below will do AH for just the rdesktop connection (terminal server):
* vi /etc/ipsec.conf
<pre>
spdflush;
spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;
spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;
</pre>
Load it with setkey -f /etc/ipsec.conf and check what the kernel actually holds with setkey -DP.
* vi /etc/racoon/racoon.conf
<pre>
path certificate "/etc/racoon/";

remote anonymous {
        exchange_mode main;
        certificate_type x509 "MY-cert.pem" "MY-key.pem";
        ca_type x509 "DOMAIN-ca.pem";
        #nat_traversal on;  # probably not needed even if this box is a router: NAT-T (UDP encapsulation) only exists for ESP, and AH cannot cross a NAT at all
        proposal {
                authentication_method rsasig;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 14;
        }
}

sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
</pre>
The file names in certificate_type and ca_type must be exactly the ones written to /etc/racoon/ above. The phase 1 proposal (3DES, SHA1, DH group 14) has to match one of the main mode settings in the domain's IPsec policy, otherwise negotiation fails before any SPD entry gets an SA.
* /etc/init.d/racoon start
* Get the masquerading working correctly. The second line turns on forwarding, which is off by default; without it nothing from 192.168.1.0/24 gets through at all:
- iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
- echo 1 > /proc/sys/net/ipv4/ip_forward
On Linux the POSTROUTING NAT is applied before the IPsec transform, so the clients' packets leave with the gateway's own domain address and the AH policy above covers them. AH integrity-protects the IP header itself, so there must be no further NAT between this gateway and 10.1.1.2.