Using Alpine on Windows domain with IPSEC isolation

From Alpine Linux
Note: ipsec-tools was dropped starting with Alpine v3.13

Based on Microsoft's document.

Requirements

  1. IPsec uses certificates to authenticate computers to each other. You'll need a certificate or a PSK (pre-shared key) from the domain admin before proceeding. This document describes the certificate method; PSK needs only a few changes to the configuration.
  2. A computer to run Alpine on.
  3. Two NICs, if you plan to make this machine the gateway that talks to the domain.

Step by Step

  1. Install the newest version of Alpine.
  2. Configure it. Keep one interface on the network to be masqueraded and the other on the domain network: 192.168.1.0/24 will be masqueraded and 10.1.1.0/24 will be the domain.
  3. # setup-alpine
  4. Install the following packages: ipsec-tools-cvs, openssl, iptables
  5. Extract the certificate in parts. The cert given to you by the domain admin will most likely be a PFX file.
Extract the CA:
* # openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem
Extract the key part of your cert:
* # openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem
Extract the public cert file:
* # openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem
If your admin gives you a p7b file, this most likely contains the CA chain. Convert it to PEM format and use it as DOMAIN-ca.pem:
* # openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem
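As an added example that is not part of the wiki page, the script below runs the same three openssl extractions on a PFX and then checks that the pieces belong together before they go into /etc/racoon/: MY-cert.pem must verify against DOMAIN-ca.pem, and its public key must be the one in MY-key.pem. Because the admin-supplied PFX is not available here, the script builds a throwaway CA and client cert of its own and bundles them into a constructed test.pfx; the PFX password, the CN values and every file name other than the page's three output names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page). Splits a PFX into the three PEM
# files racoon expects, then verifies that they belong together. The PFX is
# constructed here with a throwaway CA so the script runs offline; in real use
# PFXFILE is the file the domain admin handed you.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFXFILE="$WORK/test.pfx"   # constructed stand-in for the admin-supplied PFX
PFXPASS="changeit"         # constructed export password (assumption)

# Build a throwaway CA plus one CA-signed client cert and bundle them as PKCS#12.
make_test_pfx() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test Domain CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=alpine-gw.example.test" \
        -keyout "$WORK/leaf-key.pem" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca-cert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/leaf-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/leaf-key.pem" -in "$WORK/leaf-cert.pem" \
        -certfile "$WORK/ca-cert.pem" -passout "pass:$PFXPASS" -out "$PFXFILE"
}

# The page's three extraction commands, with the PFX password passed non-interactively.
extract_pfx() {   # $1 = PFX file, $2 = PFX password, $3 = output directory
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/DOMAIN-ca.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/MY-key.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3/MY-cert.pem"
    chmod 600 "$3/MY-key.pem"   # the unencrypted key must not be world-readable
}

# Succeed only if MY-cert.pem chains to DOMAIN-ca.pem and its public key is the
# one in MY-key.pem; if either is wrong, racoon's phase 1 will fail.
verify_bundle() {   # $1 = directory holding the three PEM files
    openssl verify -CAfile "$1/DOMAIN-ca.pem" "$1/MY-cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/MY-cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/MY-key.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    make_test_pfx
    extract_pfx "$PFXFILE" "$PFXPASS" "$WORK"
    verify_bundle "$WORK"
    echo "ok: MY-cert.pem chains to DOMAIN-ca.pem and matches MY-key.pem"
}
main
```

With a real PFX, replace make_test_pfx with the file from the admin and keep the two checks: a cert that does not verify against the extracted CA usually means the PFX carried an intermediate but not the root, and a public-key mismatch means the wrong key file ended up next to the cert.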
  6. Put these certs in /etc/racoon/.
  7. This is for Authentication Header (AH) in domain isolation. The policy file below only covers port 3389 on one machine. Each spdadd line has the format
spdadd src_net/mask[port] dst_net/mask[port] protocol -P direction ipsec protocol/mode/src-dst/level;

The policy below does AH for an rdesktop (Terminal Server) connection:

* # vi /etc/ipsec.conf

 spdflush;
 spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;
 spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;
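The level at the end of each spdadd line decides whether isolation is actually enforced: with use the kernel applies IPsec when an SA exists but passes cleartext otherwise, while require refuses traffic that has no SA. As an added example, not part of the wiki page, the script below reads an ipsec.conf-style file and reports every policy that still allows cleartext fallback and every outbound policy that lacks its inbound twin. The file it reads is a constructed sample made of the page's two RDP lines plus a third, one-sided policy; that third line and the temporary file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page). Reads the spdadd lines of an
# ipsec.conf-style file and reports policies whose level is "use" (IPsec is
# applied only if an SA exists; otherwise traffic passes in cleartext) and
# outbound policies that have no mirrored inbound policy.
set -eu

SPD_FILE=$(mktemp)
trap 'rm -f "$SPD_FILE"' EXIT
# Constructed sample: the page's two RDP policies plus a one-sided "require" one.
cat > "$SPD_FILE" <<'EOF'
spdflush;
spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;
spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;
spdadd 0.0.0.0/0 10.1.1.3/32[445] tcp -P out ipsec esp/transport//require;
EOF

# Print one "src dst proto direction level" record per spdadd line.
spd_entries() {   # $1 = policy file
    awk '$1 == "spdadd" {
        spec = $NF; sub(/;$/, "", spec)       # e.g. ah/transport//use
        n = split(spec, part, "/")
        print $2, $3, $4, $6, part[n]
    }' "$1"
}

# Number of policies that still allow cleartext fallback (level "use").
count_optional() {   # $1 = policy file
    spd_entries "$1" | awk '$5 == "use"' | wc -l | tr -d ' '
}

# Outbound policies with no inbound twin (src and dst swapped, same protocol).
unmirrored_out() {   # $1 = policy file
    spd_entries "$1" | awk '
        BEGIN { k = 0 }
        $4 == "in"  { seen[$2 " " $1 " " $3] = 1 }
        $4 == "out" { out[++k] = $1 " " $2 " " $3 }
        END { for (i = 1; i <= k; i++) if (!(out[i] in seen)) print out[i] }'
}

echo "policies with cleartext fallback (level use): $(count_optional "$SPD_FILE")"
echo "outbound policies without an inbound twin:"
unmirrored_out "$SPD_FILE"
```

Point the functions at /etc/ipsec.conf once the file is in place; a non-zero "use" count means a host that lacks a matching IPsec policy can still reach the port in the clear, which is what domain isolation is meant to prevent.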

* # vi /etc/racoon/racoon.conf

path certificate "/etc/racoon/";

remote anonymous {
	exchange_mode main;
	# file names must match the PEM files extracted above
	certificate_type x509 "MY-cert.pem" "MY-key.pem";
	ca_type x509 "DOMAIN-ca.pem";
	#nat_traversal on; # this may not be needed even if you are doing a router :). Have to research this.
	proposal {
		authentication_method rsasig;
		# 3DES/SHA-1 are legacy; prefer aes/sha256 if the Windows policy offers them
		encryption_algorithm 3des;
		hash_algorithm sha1;
		dh_group 14;
	}
}

sainfo anonymous {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

* # rc-service racoon start
* Get the masquerading working (the kernel must also have IP forwarding enabled for the gateway to pass traffic):
* # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE