Using Alpine on Windows domain with IPSEC isolation

Revision as of 22:42, 15 October 2008 by Ms13sp

Based on Microsoft's IPsec interop document: http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf

Why Alpine?

You may have several computers (OS X, Windows 98, Linux, ...) that need to talk on a Windows domain that uses IPsec isolation. Maybe it is a mail server that only needs to talk to Windows boxes on port 25. Whatever the case, you don't want to configure IPsec on every client: it adds overhead on the clients, and some clients can't do it at all. This brief how-to uses Alpine as a router. It only covers an implementation that uses AH, but full encryption on the network should also work with a few changes. OS X clients could be configured similarly.


Things needed

IPsec authenticates computers to each other with certificates or a PSK (pre-shared key). You will need a cert or PSK from the domain admin before proceeding. This page outlines the certificate method; PSK only needs a few changes in the configuration.

Step by Step

  1. Install the latest version of Alpine.
  2. Install the following packages: ipsec-tools-cvs, openssl
  3. Extract the certificate in parts. The cert given to you by the domain admin will most likely be a pfx. The following commands will work:
Extract the CA
* openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem
Extract the key part of your cert
* openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
Extract the public cert file
* openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
If your admin gives you a p7b file instead, it most likely contains the CA chain; convert it to PEM format and use the result as DOMAIN-ca.pem:
* openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem
  4. Put these certs in /etc/racoon/
  5. Write the security policy. This is for Authentication Headers in domain isolation; the policy file below only covers port 3389 on one machine. Each spdadd line gives the source net/mask[port], the destination net/mask[port], the upper-layer protocol, the direction (-P in or -P out) and the IPsec policy to apply. The lines below will do AH for just the rdesktop connection (terminal server):

* vi /etc/ipsec.conf

 spdflush;
 spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;
 spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;

* vi /etc/racoon/racoon.conf

 path certificate "/etc/racoon/";

 remote anonymous {
     exchange_mode main;
     # file names as produced by the openssl commands above
     certificate_type x509 "MY-cert.pem" "MY-key.pem";
     ca_type x509 "DOMAIN-ca.pem";
     #nat_traversal on; # this may not need to be used even if you are doing a router :). Have to research this.
     proposal {
         authentication_method rsasig;
         encryption_algorithm 3des;
         hash_algorithm sha1;
         dh_group 14;
     }
 }

 sainfo anonymous {
     encryption_algorithm 3des;
     authentication_algorithm hmac_sha1;
     compression_algorithm deflate;
 }

* /etc/init.d/racoon start
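An added check that is not part of the original page: it runs the three openssl extractions from step 3 and then confirms that the extracted cert chains to the extracted CA and matches the extracted private key before anything is copied to /etc/racoon/. The CA, leaf cert and PFX (password "demo") are constructed on the fly as a stand-in for the file the domain admin gives you; a mismatch here would otherwise only show up as a failed rsasig exchange in racoon.

```shell
#!/bin/sh
# Added example (not from the wiki page): split the domain admin's PFX into
# the three PEM files racoon expects, then confirm they belong together
# before copying them into /etc/racoon/. The demo CA and PFX are constructed
# here as a stand-in for the real ones; file names follow the page.
set -e

# Step 3 of the page, with the PFX password passed in so it runs unattended.
split_pfx() {
  pfx="$1"; out="$2"; pw="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts -nokeys -out "$out/DOMAIN-ca.pem" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes -out "$out/MY-key.pem" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts -out "$out/MY-cert.pem" 2>/dev/null
}

# Succeeds only if MY-cert.pem chains to DOMAIN-ca.pem and MY-key.pem is the
# private key for it (compared via a digest of the public key in each file).
check_identity() {
  d="$1"
  openssl verify -CAfile "$d/DOMAIN-ca.pem" "$d/MY-cert.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$d/MY-cert.pem" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$d/MY-key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed fixture: a throwaway CA, a leaf cert for the router, and a PFX
# holding both (password "demo"), like the file a domain admin would hand out.
make_demo_pfx() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Domain CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alpine-router" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -passout pass:demo -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -certfile "$d/ca.pem" -out "$d/demo.pfx"
}

work=$(mktemp -d)
make_demo_pfx "$work"
split_pfx "$work/demo.pfx" "$work" demo
if check_identity "$work"; then echo "CA, cert and key agree"; else echo "MISMATCH"; fi
rm -rf "$work"
```

With a real PFX, call split_pfx on it and run check_identity on the output directory before moving the three files into /etc/racoon/.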