Applies to: KNA, KVPNA, KWA, KBA
Kernun supports IPsec in the transport and tunnel modes, using the ESP protocol. In the transport mode, Kernun requires a tunnel (GIF or GRE) interface and uses IPsec to encrypt the encapsulated traffic passed via this interface. In the tunnel mode, IPsec encrypts traffic between the specified networks. IPsec in Kernun consists of several parts, represented by components in GKAT. IPsec packets are handled by the operating system kernel according to the SPD (Security Policy Database) and the SAD (Security Association Database). The SPD entries for individual IPsec tunnels are controlled by the ipsec Kernun components. Security associations are created by the ISAKMP daemon Racoon, which is represented by a separate component as well.
A GKAT window with IPsec-related components is depicted
in Figure 6.87, “IPsec components in a GKAT window”. There is a GIF tunnel network interface
called GIF-IPSEC, which is used by the IPsec tunnel represented by
the TRANSPORT component. Another IPsec tunnel, the
TUNNEL component, uses IPsec in the tunnel mode (without
a related tunnel interface). The RACOON component is the ISAKMP
daemon.
The examples of IPsec configuration described here are available in the sample
configuration file
/usr/local/kernun/conf/samples/cml/ipsec.cml.
A wizard that guides the administrator
through the configuration of IPsec can be started using the option in GCML.
We will use it to create a simple IPsec configuration in the tunnel mode to
securely connect our local network [10.8.20.0/24] and the
remote network [10.8.21.0/24], and to tunnel the most frequently
used protocols (tcp, udp, and
icmp). In the tunnel mode, the
entire IP packet is encrypted and authenticated, and
then encapsulated into a new IP packet with a new IP header. The same wizard
can be also used to configure IPsec in the transport mode, which will
be illustrated later in this section.
On the first page, shown in Figure 6.88, “IPsec: General page”,
we choose the name of the IPsec section in the
configuration. Then we decide whether to use IPsec
in the transport or tunnel mode; we select the latter here. Furthermore,
we add the three protocols we want to tunnel and choose the network
security association mode, because we want a single security
association for each pair of communicating networks. (The other
variant, unique, creates a separate security association for each
pair of communicating hosts from the networks connected by IPsec, so the
number of associations grows with the number of hosts that talk to each other.)
On the next page, shown in Figure 6.89, “IPsec: Tunnel network settings”, we
define the tunnel network settings. The default ISAKMP port 500 is used on
both ends of the IPsec tunnel. We define the lists of local and remote
networks that will use the tunnel. In our example, there is a single local
network [192.168.20.0/24] and a single remote network
[192.168.21.0/24]. We must also define the physical
tunnel addresses, local ^system.EXT.ipv4.host and remote
192.168.1.1. These addresses are used in the
encapsulating header of IPsec packets and for communication of the ISAKMP
daemon.
On the next three pages we can modify the settings of the two ISAKMP
negotiation phases and choose the authentication method (either
a pre-shared secret key or X.509 certificates; for simplicity, the
example uses a pre-shared key). In the first phase, the ISAKMP
daemons authenticate each other and establish an ISAKMP security
association that protects the rest of the negotiation. In the second
phase, that association is used to negotiate the IPsec security
associations for the configured pairs of networks or hosts; the options of the
second phase therefore determine how the tunneled packets themselves are
encrypted and authenticated. In each phase, both communicating gateways must
offer at least one matching combination of algorithms (otherwise no security
association can be established). We leave the default choices in both phases. The pages are
shown in Figure 6.90, “IPsec: Phase 1 negotiation settings”, Figure 6.91, “IPsec: Authentication settings”, and Figure 6.92, “IPsec: Phase 2 negotiation settings”.
Finally, on the recapitulation page we can check the options and commit
the wizard to the configuration, or return back and modify the
settings.
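The following Python script is an added example and is neither part of the Kernun documentation nor the configuration Kernun generates. It models two things from the tunnel-mode wizard just described: what the tunnel network settings (local and remote networks, tunneled protocols, physical tunnel addresses) amount to as kernel SPD entries, written in the syntax of setkey(8) from ipsec-tools, the toolset Racoon belongs to; and why the phase 2 algorithm settings of both gateways must overlap before any IPsec security association can exist. The networks and the remote physical address are the ones used in this section; the local physical address 203.0.113.1 is an assumed stand-in for ^system.EXT.ipv4.host, and the set of accepted protocol names is an assumed subset of what setkey takes.

```python
"""Added example: not Kernun's code and not what Kernun generates.

Builds setkey(8) 'spdadd' policies for an ESP tunnel between networks and
emulates ISAKMP phase 2 proposal selection. 203.0.113.1 is an assumed
stand-in for the local physical address ^system.EXT.ipv4.host.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# Upper-layer protocol names accepted here (assumed subset of setkey's vocabulary).
KNOWN_PROTOCOLS = {"any", "tcp", "udp", "icmp", "icmp6", "gre"}


def tunnel_spd(local_nets: Sequence[str], remote_nets: Sequence[str],
               protocols: Sequence[str], local_gw: str, remote_gw: str,
               level: str = "require") -> List[str]:
    """Return 'spdadd' lines for ESP tunnel mode between every local/remote
    network pair and every protocol: one outbound and one inbound policy each.

    Level 'require' makes the kernel drop matching packets that have no SA
    instead of sending them in clear text; 'use' would let them through.
    """
    if level not in ("require", "use"):
        raise ValueError(f"unsupported policy level: {level}")
    lgw = ipaddress.ip_address(local_gw)
    rgw = ipaddress.ip_address(remote_gw)
    # strict=True rejects prefixes with host bits set (e.g. 192.168.20.1/24).
    lnets = [ipaddress.ip_network(n, strict=True) for n in local_nets]
    rnets = [ipaddress.ip_network(n, strict=True) for n in remote_nets]
    for proto in protocols:
        if proto not in KNOWN_PROTOCOLS:
            raise ValueError(f"unknown upper-layer protocol: {proto}")

    lines: List[str] = []
    for lnet in lnets:
        for rnet in rnets:
            if lnet.overlaps(rnet):
                raise ValueError(f"local {lnet} and remote {rnet} overlap")
            for proto in protocols:
                # Outbound: packets from our network to the remote one are
                # ESP-encapsulated with our gateway as the outer source.
                lines.append(f"spdadd {lnet} {rnet} {proto} -P out ipsec "
                             f"esp/tunnel/{lgw}-{rgw}/{level};")
                # Inbound: the mirror image, outer source is the remote gateway.
                lines.append(f"spdadd {rnet} {lnet} {proto} -P in ipsec "
                             f"esp/tunnel/{rgw}-{lgw}/{level};")
    return lines


# A phase 2 proposal as (encryption, authentication, PFS group); names as in racoon.conf.
Proposal = Tuple[str, str, str]


def select_proposal(initiator: Sequence[Proposal],
                    responder: Sequence[Proposal]) -> Optional[Proposal]:
    """Emulate proposal selection: the responder accepts the first proposal,
    in the initiator's order of preference, that it is configured for too.
    None means phase 2 fails and no IPsec SA is created, which is what
    happens when the two gateways' algorithm settings do not overlap."""
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None


if __name__ == "__main__":
    policies = tunnel_spd(["192.168.20.0/24"], ["192.168.21.0/24"],
                          ["tcp", "udp", "icmp"], "203.0.113.1", "192.168.1.1")
    print("\n".join(policies))
    ours = [("aes", "hmac_sha256", "14"), ("3des", "hmac_sha1", "2")]
    peer = [("3des", "hmac_sha1", "2")]
    print("negotiated:", select_proposal(ours, peer))       # the 3des proposal
    print("negotiated:", select_proposal(ours[:1], peer))   # None: no overlap
```

On the firewall itself, the policies actually installed by the ipsec components can be listed with setkey -DP, and the security associations Racoon has negotiated with setkey -D; an empty SAD while the SPD contains 'require' policies means matching traffic is being dropped, not sent in clear text.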
The same wizard can be used to configure IPsec in the transport mode. In this mode, IPsec secures traffic passed via a tunnel (GIF or GRE) network interface. On the first wizard page (Figure 6.88, “IPsec: General page”), we select Transport mode. We must set parameters of the tunnel interface here: name, type, number, and local and remote addresses. The physical addresses of the tunnel endpoints, along with optional ISAKMP port numbers and a list of additional remote networks routed via the tunnel are specified on the next wizard page displayed in Figure 6.93, “IPsec: Transport physical network settings”.
The resulting IPsec configuration in both modes is shown in Figure 6.94, “IPsec configuration”. When applied, the IPsec-related components
GIF-IPSEC, RACOON,
TRANSPORT, and TUNNEL will be created
and become visible in GKAT (see Figure 6.87, “IPsec components in a GKAT window”). For
IPsec in the transport mode, the configuration contains the tunnel interface
GIF-IPSEC. Its configuration section defines the
interface device name, local and remote logical IP addresses, and the
tunnel addresses (the physical IP addresses used for the encapsulation of
tunneled packets). Section ipsec-global can contain
global parameters of the ISAKMP daemon. There is a section for each IPsec
tunnel. Section ipsec TRANSPORT configures IPsec in
the transport mode for encryption of packets travelling via interface
GIF-IPSEC. The authentication utilizes X.509 certificates.
Other ISAKMP phase 1 and phase 2 parameters have the default
values. Section ipsec TUNNEL sets up IPsec in the
tunnel mode. It is not related to any network interface, hence the
networking parameters — local, remote, and tunnel (physical)
addresses, set of protocols handled by IPsec, and security association
mode — are defined inside the ipsec section.
A pre-shared secret key for authentication is specified. Again, the remaining
ISAKMP parameters have the default values.