
New strongSwan VPN Features, GUUG Frühjahrsfachgespräch 2015, Stuttgart



  1. New strongSwan VPN Features
     GUUG Frühjahrsfachgespräch 2015, Stuttgart
     Prof. Dr. Andreas Steffen
     Institute for Internet Technologies and Applications
     HSR Hochschule für Technik Rapperswil
     andreas.steffen@strongswan.org

  2. Where on earth is Rapperswil?
     Schwabenland (Swabia)
     Steffen, 26.03.2015, GUUG_2015 2

  3. HSR - Hochschule für Technik Rapperswil
     • University of applied sciences with approx. 1500 students
     • Computer science degree program (300-400 students)
     • Bachelor's program (3 years), Master's program (+1.5 years)

  4. Why a strong swan, and what for?

  5. The strongSwan Open Source VPN Project
     [Project timeline diagram, 1999 to 2012; S/WAN = Secure WAN. Labels: FreeS/WAN 1.x, X.509 1.x Patch, FreeS/WAN 2.x, Super FreeS/WAN, X.509 2.x Patch, Openswan 1.x, Openswan 2.x, strongSwan 2.x, IKEv2 RFC 4306, ITA IKEv2 Project, IKEv1 & partial IKEv2 …, "New architecture, same config.", strongSwan 4.x (IKEv1 & IKEv2), strongSwan 5.x (Monolithic IKE Daemon). Years marked: 1999, 2000, 2003, 2004, 2005, 2012.]

  6. strongSwan – the OpenSource VPN Solution
     [Network diagram. Labels: Windows Active Directory Server and Linux FreeRadius Server in the Corporate Network; High-Availability strongSwan VPN Gateway; Internet; Windows 7/8 Agile VPN Client; strongSwan Linux Client.]

  7. Supported Operating Systems and Platforms
     • Supported Operating Systems
       • Linux 2.6.x, 3.x (optional integration into NetworkManager)
       • Android 4.x/5.x App (using libipsec userland ESP encryption)
       • OS X App (using libipsec userland ESP encryption)
       • OS X (IPsec via PFKEYv2 kernel interface)
       • FreeBSD (IPsec via PFKEYv2 kernel interface)
       • Windows 7/8 (native Windows IPsec stack, MinGW-W64 build)
     • Supported Hardware Platforms (GNU autotools)
       • Intel i686/x86_64, AMD64
       • ARM, MIPS
       • PowerPC
     • Supported Network Stacks
       • IPv4, IPv6
       • IPv6-in-IPv4 ESP tunnels
       • IPv4-in-IPv6 ESP tunnels

  8. Free Download from Google Play Store
     March 24, 2015: 12’619 installations

  9. OS X App
     http://download.strongswan.org/osx/

  10. Evolution of the strongSwan charon IKE Daemon

  11. strongSwan 4.x pluto & charon Daemons (2005)
     [Architecture diagram. Labels: ipsec.conf; ipsec whack, ipsec starter, ipsec stroke; whack socket, stroke socket; pluto (IKEv1), charon (IKEv2); Netlink XFRM socket; Linux 2.6 kernel, native IPsec; LSF; UDP/500 socket; raw socket.]

  12. strongSwan 5.x charon Daemon (2012)
     [Architecture diagram. Labels: ipsec.conf; ipsec starter, ipsec stroke; stroke socket; charon (IKEv1/v2); Netlink XFRM socket, Linux 2.6 / 3.x kernel, native IPsec, UDP 500/4500 socket; libipsec, TUN device, ESPinUDP, any OS, UDP 4500 socket.]

  13. strongSwan 5.2 charon Daemon (2014)
     [Architecture diagram. Labels: swanctl.conf; swanctl, ruby gem; vici socket; charon (IKEv1/v2); Netlink XFRM socket, Linux 2.6 / 3.x kernel, native IPsec, UDP 500/4500 socket; libipsec, TUN device, ESPinUDP, any OS, UDP 4500 socket.]

  14. strongSwan 5.2 charon-systemd Daemon (2014)
     [Architecture diagram. Labels: swanctl.conf; swanctl, systemd utilities; vici socket; charon-systemd (IKEv1/v2); Netlink XFRM socket, Linux 2.6 / 3.x kernel, native IPsec, UDP 500/4500 socket; libipsec, TUN device, ESPinUDP, any OS, UDP 4500 socket.]

  15. strongSwan 5.3 charon Daemon (2015)
     [Architecture diagram. Labels: swanctl.conf; swanctl, python 2.7/3.x egg; vici socket; charon (IKEv1/v2); Netlink XFRM socket, Linux 2.6 / 3.x kernel, native IPsec, UDP 500/4500 socket; libipsec, TUN device, ESPinUDP, any OS, UDP 4500 socket.]

  16. swanctl.conf of VPN Gateway moon

         connections {
             rw {
                 local_addrs = 192.168.0.1
                 pools = rw_pool        # virtual IPs come from the pool defined below
                 local {
                     auth = pubkey
                     certs = moonCert.pem
                     id = moon.strongswan.org
                 }
                 remote {
                     auth = pubkey
                 }
                 children {
                     net {
                         local_ts = 10.1.0.0/16
                         start_action = none
                         esp_proposals = aes128gcm128-modp2048
                     }
                 }
                 version = 2            # IKEv2
                 proposals = aes128-sha256-modp2048
             }
         }
         pools {
             rw_pool {
                 addrs = 10.3.0.0/20
             }
         }

     Files in the swanctl directory: swanctl.conf, rsa/moonKey.pem, x509/moonCert.pem, x509ca/caCert.pem

  17. swanctl.conf of VPN Client carol

         connections {
             home {
                 local_addrs = 192.168.0.100
                 remote_addrs = 192.168.0.1
                 vips = 0.0.0.0         # request a virtual IPv4 address from the gateway
                 local {
                     auth = pubkey
                     certs = carolCert.pem
                     id = carol@strongswan.org
                 }
                 remote {
                     auth = pubkey
                     id = moon.strongswan.org
                 }
                 children {
                     home {
                         remote_ts = 10.1.0.0/16
                         start_action = none
                         esp_proposals = aes128gcm128-modp2048
                     }
                 }
                 version = 2            # IKEv2
                 proposals = aes128-sha256-modp2048
             }
         }

     Files in the swanctl directory: swanctl.conf, rsa/carolKey.pem, x509/carolCert.pem, x509ca/caCert.pem

  18. swanctl - The Command Line Tool

         moon# swanctl --load-creds
         loaded x509 certificate from '/etc/swanctl/x509/moonCert.pem'
         loaded x509ca certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
         loaded rsa key from '/etc/swanctl/rsa/moonKey.pem'

         moon# swanctl --load-conns
         loaded connection 'rw'
         successfully loaded 1 connections, 0 unloaded

         moon# swanctl --load-pools
         loaded pool 'rw_pool'
         successfully loaded 1 pools, 0 unloaded

         carol# swanctl --initiate --child home
         [IKE] initiating IKE_SA home[1] to 192.168.0.1
         ...
         [IKE] installing new virtual IP 10.3.0.1
         initiate completed successfully

         carol# swanctl --terminate --ike home
         ...
         [IKE] IKE_SA deleted
         terminate completed successfully

  19. swanctl - Monitoring Commands

         moon# swanctl --list-conns
         rw: IKEv2
           local: 192.168.0.1
           remote: %any
           local public key authentication:
             id: moon.strongswan.org
             certs: C=CH, O=Linux strongSwan, CN=moon.strongswan.org
           remote public key authentication:
           net: TUNNEL
             local: 10.1.0.0/16
             remote: dynamic

         moon# swanctl --list-sas
         rw: #1, ESTABLISHED, IKEv2, b8deada3ec240a81:50af58eedcd556c7
           local 'moon.strongswan.org' @ 192.168.0.1
           remote 'carol@strongswan.org' @ 192.168.0.100
           AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
           established 0s ago, rekeying in 1169s, reauth in 3259s
           net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
             installed 0 ago, rekeying in 575s, expires in 660s
             in c39fc9ac, 84 bytes, 1 packets, 0s ago
             out c2c80483, 84 bytes, 1 packets, 0s ago
             local 10.1.0.0/16
             remote 10.3.0.1/32

  20. The swan grows stronger!

  21. The Snowden Documents – Fall 2013
     Edward Snowden, Bruce Schneier, Glenn Greenwald, Laura Poitras

  22. Principle of Comparative Security Strength*

         Symmetric Key   RSA / DH   ECDSA / ECDH   Hash
                    80       1024            160    160
                   112       2048            224    224
                   128       3072            256    256
                   192       7680            384    384
                   256      15360            512    512

     • NIST SP 800-57 Recommendation for Key Management: Part 1 General (Revision 3, 2012)
     *cryptographic strength given in bits

  23. Getting rid of SHA-1
     • SHA-1 has a hash size of 160 bits, which was supposed to give a strength of 2^80 against collision attacks. Unfortunately SHA-1 is much weaker: the best known attack has a complexity of only 2^61.
     • The NSA might already have found a SHA-1 collision, using it e.g. to generate fake X.509 certificates.
     • IKEv2 uses SHA-1 as a hardwired algorithm to generate RSA digital signature AUTH payloads.
     • RFC 7427 "Signature Authentication in IKEv2", published in January 2015, allows SHA-2 hash algorithms to be negotiated and is used by default by strongSwan 5.3.0:

         moon charon: 15[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA256 successful

  24. Can the NSA break RSA and DH faster?
     • According to Lenstra’s updated formula on www.keylength.com a 1024 bit RSA key or DH factor could be cracked in 2006 with an effort of 40’000’000 dollardays.
     • Due to Moore’s law (factor 2^6 = 64 in 6 x 1.5 = 9 years) the effort in 2015 has fallen to 625’000 dollardays.
     • Many cryptanalysts expect a major breakthrough in prime number factoring (RSA) and the computation of the discrete logarithm (DH) within the next few years.
     • The NSA might already have much more efficient algorithms.
     • As a precaution better use 4096 bit RSA moduli and 4096 bit DH groups.

  25. Can we trust the NIST Elliptic Curves?
     • The NIST Elliptic Curves are based on pseudo-Mersenne primes

         ike=aes128-sha256-ecp256,aes192-sha384-ecp384!

       The NIST curve parameter selection process is not documented!
     • Use the European (BSI) Brainpool Elliptic Curves instead

         ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!

       RFC 6932 Brainpool Elliptic Curves for IKE, 2013.
     • Drawback: Brainpool ECDH performance is 5x slower than with NIST curves since the selected primes are random.
     • Use Dan Bernstein’s popular Curve25519?
     • ECC NUMS (Nothing Up My Sleeve) Curves, 2014
       tools.ietf.org/html/draft-black-numscurves
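
Added example (not from the original slides or the strongSwan project): a small Python checker that applies the strength table from slide 22 to strongSwan proposal strings such as those on slides 16, 17 and 25, and reports the weakest component of each. The function names are hypothetical; as assumptions, sizes missing from the table are rounded down to the nearest listed size, and the Hash column is applied to the sha* keywords exactly as the table gives it.

```python
import re

# Strength table from slide 22 (NIST SP 800-57): size in bits -> strength in bits.
DH_RSA = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
EC_HASH = {160: 80, 224: 112, 256: 128, 384: 192, 512: 256}  # ECDH and Hash columns

def floor_lookup(table, size):
    """Strength of the largest listed size not exceeding `size` (assumption: round down)."""
    fits = [s for s in table if s <= size]
    return table[max(fits)] if fits else 0

# (keyword pattern, component kind, rating function applied to the numeric part)
RULES = [
    (r"aes(128|192|256)(?:gcm\d+|ccm\d+|ctr)?", "symmetric", lambda n: n),
    (r"sha(1|256|384|512)", "hash", lambda n: EC_HASH[160 if n == 1 else n]),
    (r"modp(\d+)", "dh", lambda n: floor_lookup(DH_RSA, n)),
    (r"ecp(\d+)(?:bp)?", "ecdh", lambda n: floor_lookup(EC_HASH, n)),
]

def token_strength(token):
    """Return (kind, strength_bits) for one proposal keyword, or None if unrated."""
    for pattern, kind, rate in RULES:
        m = re.fullmatch(pattern, token)
        if m:
            return kind, rate(int(m.group(1)))
    return None

def assess(proposal):
    """Rate one proposal such as 'aes128-sha256-modp2048' by its weakest component."""
    parts = {}
    for token in proposal.rstrip("!").split("-"):
        rated = token_strength(token)
        if rated is None:
            raise ValueError(f"unrated keyword: {token}")
        parts[rated[0]] = rated[1]
    weakest = min(parts, key=parts.get)
    return {"parts": parts, "weakest": weakest, "strength": parts[weakest],
            "balanced": len(set(parts.values())) == 1}

def audit(proposals):
    """Rate every entry of a comma-separated list (ike=, proposals=, esp_proposals=)."""
    return {p: assess(p) for p in proposals.rstrip("!").split(",")}

if __name__ == "__main__":
    # Proposal strings copied from slides 16, 17 and 25.
    for line in ("aes128-sha256-modp2048", "aes128gcm128-modp2048",
                 "aes128-sha256-ecp256,aes192-sha384-ecp384bp!"):
        for prop, r in audit(line).items():
            print(prop, r["strength"], "bits, weakest:", r["weakest"],
                  "balanced" if r["balanced"] else "unbalanced")
```

For the gateway proposal aes128-sha256-modp2048 from slide 16 the checker reports 112 bits with the DH group as the weakest component, while the ecp256 proposal from slide 25 is balanced at 128 bits.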
