Using Alpine on Windows domain with IPSEC isolation: Difference between revisions

Revision as of 22:54, 15 October 2008

Things needed

IPSEC uses certificates to authenticate computers to each other. You will need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This will outline the way to do it with a certificate. PSK is just a few changes in the configuration.
Computer to run Alpine
a couple of nics - if you plan on making this the gateway to talk to the domain

Step by Step

Install alpine with the latest version.
Configure it: Remember to keep one interface to be masq and another on the domain network. 192.168.1.0/24 will be masq and 10.1.1.0/24 will be domain
#setup-alpine
Install the following packages: ipsec-tools-cvs, openssl, iptables
Extract the certificate in parts. The cert given to you by the domain admin most likely will be a pfx. The following commands will work:

Extract the CA
* #openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem 
Extract the Key part of your cert
* #openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
Extract the Pub cert file
* #openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
Now if your admin gives you a p7b file, this most likely contains the CA chain, then you have to convert it to a pem file format and use it for DOMAIN-ca.pem
* #openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem

Put these certs in /etc/racoon/
This is for Authentication headers in Domain isolation. Below the policy file is just to use port 3389 on a machine. Format is

policy src_net/mask[port] dst_net/mask[port] protocol policy and implementation of policy BR Below will do AH for just rdesktop connection(terminal server)

* #vi /etc/ipsec.conf


 spdflush;
 spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;
 spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;

* #vi /etc/racoon/racoon.conf

 
path certificate "/etc/racoon/";

remote anonymous {
	exchange_mode main;
	certificate_type x509 "MY_cert.pem" "MY_key.pem";
	ca_type x509 "DOMAIN-ca.pem";
        #nat_traversal on; #this may not need to be used even if you are doing a router :). Have to research this.
	proposal {
		authentication_method rsasig;
		encryption_algorithm 3des;
		hash_algorithm sha1;
		dh_group 14 ;	
		}

	}
sainfo anonymous {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;

}

* /etc/init.d/racoon start
* Get the masq working correctly

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

@@ Line 1: / Line 1: @@
 Based off [http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf Micro$ofts document].
-== Why Alpine? ==
-You may have several computers; OSX, WIN98, Linux... that need to talk on a Windows Domain that does IPSEC isolation. Maybe it is a mail server that needs to talk to Windows boxes only for port 25. Whatever it may be you don't want to have to configure each client to do the IPSEC stuff. Overhead on clients or clients that can't do it. This brief how to with Alpine as a router. This just goes into an implementation that uses AH but full blown encryption on the network should also work with a few changes. OS X clients could also be configured similarly.
 === Things needed ===
-IPSEC uses certificates to authenticate computers to each other. You will need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This will outline the way to do it with a certificate. PSK is just a few changes in the configuration.
+# IPSEC uses certificates to authenticate computers to each other. You will need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This will outline the way to do it with a certificate. PSK is just a few changes in the configuration.
+# Computer to run Alpine
+# a couple of nics - if you plan on making this the gateway to talk to the domain
 == Step by Step ==
 # Install alpine with the latest version.
-# Install the following packages: ipsec-tools-cvs, openssl
+# Configure it: Remember to keep one interface to be masq and another on the domain network. 192.168.1.0/24 will be masq and 10.1.1.0/24 will be domain
+# #setup-alpine
+# Install the following packages: ipsec-tools-cvs, openssl, iptables
 # Extract the certificate in parts. The cert given to you by the domain admin most likely will be a pfx. The following commands will work:
   Extract the CA
-  * openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem
+  * #openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem
   Extract the Key part of your cert
-  * openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
+  * #openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
   Extract the Pub cert file
-  * openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
+  * #openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
   Now if your admin gives you a p7b file, this most likely contains the CA chain, then you have to convert it to a pem file format and use it for DOMAIN-ca.pem
-  * openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem
+  * #openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem
 # Put these certs in /etc/racoon/
 # This is for Authentication headers in Domain isolation. Below the policy file is just to use port 3389 on a machine. Format is
@@ Line 26: / Line 26: @@
 [[BR]] Below will do AH for just rdesktop connection(terminal server)
-  * vi /etc/ipsec.conf
+  * #vi /etc/ipsec.conf
 <pre>
@@ Line 36: / Line 36: @@
 </pre>
-  * vi /etc/racoon/racoon.conf
+  * #vi /etc/racoon/racoon.conf
 <pre>
@@ Line 64: / Line 64: @@
   * /etc/init.d/racoon start
+ * Get the masq working correctly
+#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE