ilab 2 ipsec with ikev2 and strongswan
play

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus - PowerPoint PPT Presentation

Sep 05, 2022 •862 likes •1.39k views

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

  1. ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit¨ at M¨ unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 1

  2. Motivation Imagine you are a huge search engine company you recently found out that some government agancy has the audacity to sniff in your network “F*** these guys.” - a engineer from a huge search engine company Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 2

  3. Motivation Imagine you are a huge search engine company you recently found out that some government agancy has the audacity to sniff in your network “F*** these guys.” - a engineer from a huge search engine company Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 2

  4. Motivation Imagine you are a huge search engine company you recently found out that some government agancy has the audacity to sniff in your network “F*** these guys.” - a engineer from a huge search engine company Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 2

  5. Situation We have several locations that need to be connected We have some users who need to access our network from outside ⇒ What we need is a VPN = Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 3

  6. Situation We have several locations that need to be connected We have some users who need to access our network from outside ⇒ What we need is a VPN = Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 3

  7. Situation We have several locations that need to be connected We have some users who need to access our network from outside ⇒ What we need is a VPN = Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 3

  8. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  9. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  10. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  11. Outline Motivation 1 Outline 2 IPSec 3 AH ESP IKEv2 Summary 4 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 4

  12. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  13. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  14. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  15. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  16. IPSec - What is it good for? For encrypting data between two parties Consists of a number of different protocols 1 AH 2 ESP 3 ISAKMP 4 IKE(v2) A lot of RFCs about IPSec: 2403,2404,2405,2410,2451,2857,3526,3686,3947,3948,4106,4301, 4302,4303,4304,4307,4308,4309,4543,4555,4806,4835,5945,5996 Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 5

  17. Tunnel and Transport Mode Tunnelmode: Transportmode: Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 6

  18. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  19. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  20. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  21. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  22. AH - Authentication Header - RFC 4302 Operates on top of IP Authentication and Integrity Protection Protects from replay attacks Protects the IP header and it’s payload No encryption! Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 7

  23. AH - Header Format Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 8

  24. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  25. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  26. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  27. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  28. ESP - Encapsulating Security Payload RFC 4303 Operates on top of IP Encrypts the transported payload Integrity Check AH can be added to protect the outer IP header Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 9

  29. ESP - Header Format Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 10

  30. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  31. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  32. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  33. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  34. Internet Key Exchange Protocol v2 Current version specified in RFC 5996 Used to establish encryption and authentication keys Find the best mutually supported algorithms Authentication between the parties Selection of supported authentication methods: PSK X.509 certificates EAP Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 11

  35. Summary We need a VPN We have IPSec We want to give a road warrior access Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 12

  36. Summary We need a VPN We have IPSec We want to give a road warrior access Lukas Grillmayer and Linus Lotz: ilab 2 - IPSec with IKEv2 and Strongswan 12

Recommend

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

410 views • 19 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) /

812 views • 25 slides
Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli (vijay.devarapalli@azairenet.com) Assumptions in RFC 3775, 3963 There is only one primary care-of address per mobile node The primary care-of

240 views • 7 slides
The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen Institute for Networked Solutions HSR University of Applied Sciences Rapperswil Where the heck is Rapperswil? Brunner/Steffen, 28.03.2018,

226 views • 19 slides
IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly aurelien.wailly@orange.com Maryline Laurent Maryline.Laurent@it-sudparis.eu 2011-10-25 ICSNA 2011 1 Outline IPsec IKEv2 CGA IKEv2 with CGA?

744 views • 36 slides
Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01 What Problem Does This Document Solve Tries to educate implementors that IKEv2 is not complex and difficult to implement. Why Do People

363 views • 5 slides
Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule fr Technik Rapperswil andreas.steffen@strongswan.org Wo um Gottes Willen

608 views • 35 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one Gbit/s environment By Erik Dekker & Patrick Spaans Supervisors: Aristide Bouix and Mohammad Al Najar Introduction Organization host internal

629 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
your exercise iLab 1+2 info event online Tell your friends!

your exercise iLab 1+2 info event online Tell your friends!

The iLab Experience a blended learning hands-on course concept you set the focus Final Lecture Marc-Oliver Pahl, Jul 25, 2017 your exercise iLab 1+2 info event online Tell your friends!

1.81k views • 96 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of course IKE/IPsec can be configured on routers to provide transport security for BGP and other similar control plane protocols. And certainly

480 views • 16 slides

More recommend