Using Alpine on Windows domain with IPSEC isolation

From Alpine Linux
Note: ipsec-tools (racoon and setkey) was dropped starting with Alpine v3.13, so this page only applies to older releases.

Based on Microsoft's document on domain isolation with IPsec.

Requirements

  1. IKE authenticates the two computers to each other with either X.509 certificates or a pre-shared key (PSK). Get a certificate (usually a .pfx file) or the PSK from the Domain Admin before proceeding. This document uses a certificate; PSK needs only a few changes to racoon.conf.
  2. A computer to run Alpine on.
  3. Two NICs, if you plan to make this machine the gateway between a masqueraded network and the domain network.

Step by Step

  1. Install the newest version of Alpine that still ships ipsec-tools (see the note above).
  2. Configure it. Keep one interface on the masqueraded network and the other on the domain network; in this document 192.168.1.0/24 is masqueraded and 10.1.1.0/24 is the domain.
  3. #setup-alpine
  4. Install the following packages: ipsec-tools-cvs, openssl, iptables
  5. Split the certificate into its parts. The certificate given to you by the domain admin will most likely be a PKCS#12 (.pfx) file that bundles the CA chain, your certificate and your private key; openssl prompts for its password.
Extract the CA
* #openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem
Extract the private key (-nodes writes it unencrypted so racoon can load it without a passphrase, so keep the file readable by root only)
* #openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
Extract your own (public) certificate
* #openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
If your admin gives you a .p7b file instead, it most likely contains the CA chain. Convert it to PEM and use the result as DOMAIN-ca.pem. A .p7b is usually DER; if the file starts with "-----BEGIN PKCS7-----" it is already PEM and you need -inform PEM instead.
* #openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -out DOMAIN-ca.pem
  6. Put these files in /etc/racoon/. The CA and your certificate can be world-readable, but MY-key.pem must be readable only by root (chmod 600): anyone who can read it can impersonate this machine to the domain.
  7. Write the security policy. This is what makes domain isolation happen: it tells the kernel which traffic must be protected by Authentication Headers, and racoon negotiates the SAs to match. The policy below only covers port 3389 (Remote Desktop) on one machine. The setkey format is
spdadd src_range[port] dst_range[port] upperspec -P direction ipsec protocol/mode/src-dst/level;

The last field, level, decides what happens when no SA exists: "use" lets the traffic through in cleartext (handy while testing), "require" drops it until IPsec is up. For real isolation switch to "require" once the exchange works, otherwise a failed negotiation silently turns your "isolated" traffic into plaintext. AH only authenticates packets; use esp as the protocol if the traffic must also be encrypted.

The policy below uses AH in transport mode for an rdesktop connection to a terminal server at 10.1.1.2:

* #vi /etc/ipsec.conf

 spdflush;
 spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;
 spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;

* #vi /etc/racoon/racoon.conf

 path certificate "/etc/racoon/";

 remote anonymous {
 	exchange_mode main;
 	# File names must match what was extracted above.
 	certificate_type x509 "MY-cert.pem" "MY-key.pem";
 	ca_type x509 "DOMAIN-ca.pem";
 	# nat_traversal on;
 	# Only needed when a NAT sits between the two IPsec peers, and it does
 	# not help with AH at all: AH authenticates the IP header that NAT rewrites.
 	proposal {
 		authentication_method rsasig;
 		# 3des/sha1 match the Windows defaults of the time; prefer aes and
 		# sha256 where the domain policy allows them.
 		encryption_algorithm 3des;
 		hash_algorithm sha1;
 		dh_group 14;
 	}
 }

 sainfo anonymous {
 	encryption_algorithm 3des;
 	authentication_algorithm hmac_sha1;
 	compression_algorithm deflate;
 }

* Load the policy into the kernel with setkey -f /etc/ipsec.conf, then start the IKE daemon: #rc-service racoon start
* Get the masq working correctly. Forwarding must be enabled on the gateway (net.ipv4.ip_forward=1), and the rule should be tied to the domain-side interface with -o so that only traffic leaving towards the domain is rewritten:
* #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
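The steps above, collected into a few shell helpers. This is an added example for this page, not code from the Alpine wiki or from ipsec-tools: it splits the domain admin's PKCS#12 or PKCS#7 files into the files racoon expects (with the private key kept root-only), and generates the setkey policy for a whole list of protected hosts and ports instead of the single 3389 entry shown, refusing anything but ah/esp and use/require. RACOON_DIR, the function names, the file-name suffixes and the host list in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for this page, not from the Alpine wiki or ipsec-tools.
# RACOON_DIR, the file-name suffixes and the sample host list are assumptions.

# extract_pfx PFXFILE CANAME MYNAME
# Writes CANAME-ca.pem, MYNAME-cert.pem and MYNAME-key.pem into RACOON_DIR
# (default /etc/racoon). openssl prompts for the PFX password. The key is
# written unencrypted (-nodes) so racoon can load it unattended, so it is
# created under umask 077 and never becomes readable by anyone but root.
extract_pfx() {
    pfx=$1
    ca=$2
    me=$3
    dir=${RACOON_DIR:-/etc/racoon}
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$dir/$ca-ca.pem"
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -out "$dir/$me-cert.pem"
    ( umask 077 && openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$dir/$me-key.pem" )
    chmod 0644 "$dir/$ca-ca.pem" "$dir/$me-cert.pem"
}

# p7b_to_ca P7BFILE OUTFILE
# Converts a PKCS#7 CA bundle to PEM certificates. A .p7b is usually DER,
# but some tools hand out the PEM form; sniff the header instead of guessing.
p7b_to_ca() {
    if grep -q 'BEGIN PKCS7' "$1"; then form=PEM; else form=DER; fi
    openssl pkcs7 -inform "$form" -in "$1" -print_certs -out "$2"
}

# gen_spd PROTO LEVEL   (reads "ip port" lines on stdin)
# Prints a setkey script that protects TCP to each ip:port in both
# directions, in the same shape as /etc/ipsec.conf above. PROTO is ah
# (authentication only) or esp (authentication and encryption). LEVEL is
# use (fall back to cleartext when no SA exists) or require (drop until
# IPsec is up); real isolation wants require.
gen_spd() {
    proto=$1
    level=$2
    case $proto in
        ah|esp) ;;
        *) echo "gen_spd: protocol must be ah or esp, got '$proto'" >&2; return 1 ;;
    esac
    case $level in
        use|require) ;;
        *) echo "gen_spd: level must be use or require, got '$level'" >&2; return 1 ;;
    esac
    echo "spdflush;"
    while read -r ip port; do
        # skip blank lines and comments in the host list
        case $ip in ''|'#'*) continue ;; esac
        if [ -z "$port" ]; then
            echo "gen_spd: missing port for $ip" >&2
            return 1
        fi
        echo "spdadd 0.0.0.0/0 $ip/32[$port] tcp -P out ipsec $proto/transport//$level;"
        echo "spdadd $ip/32[$port] 0.0.0.0/0 tcp -P in ipsec $proto/transport//$level;"
    done
}

# Usage (constructed host list): a "require" policy for RDP and SMB on two
# domain members, loaded into the kernel before racoon is started.
#   extract_pfx /root/me.pfx DOMAIN MY
#   printf '10.1.1.2 3389\n10.1.1.3 445\n' | gen_spd ah require > /etc/ipsec.conf
#   setkey -f /etc/ipsec.conf && rc-service racoon start
```

After racoon is running, setkey -D lists the SAs that were actually negotiated; with level "require" a missing SA shows up as dropped connections rather than as cleartext on the wire, which is the behaviour you want to see before calling the network isolated.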