Next: KLIPS hassles Up: What do we really Previous: Internet Key Daemon (IKE)

Testing KLIPS

In FreeSWAN, the IP-layer encryption and authentication of packets, the management of security associations, and the selection of traffic to protect are all done by a kernel component called KLIPS (Kernel Level IP Security). This component can be built either as a loadable kernel module or statically into the kernel.

Because security associations are unidirectional, the encrypt/encapsulate and decrypt/decapsulate operations can be separated and tested independently.

For ease of thinking, the encryption operations are always done on EAST and the decryption operations are always done on WEST.

Figure 3: How to test KLIPS [figure: klipstest.eps]

As figure 3 indicates, three things are needed: a source of plaintext packets, a way to examine the ciphertext packets, and a way to configure the system. In the physical setup of the previous section, the plaintext packets are provided by the machine SUNRISE, and the examination of the ciphertext packets is done on SKY.

A typical initialization script for KLIPS, run on EAST (192.1.2.23) with the security associations pointed at the peer 192.1.2.45, is shown below:

#!/bin/sh
# Manual-keying test setup for KLIPS, run on EAST (192.1.2.23).
TZ=GMT export TZ

# Start from a clean slate: flush every SA and every eroute.
ipsec spi --clear
ipsec eroute --clear

# Test keys: 192-bit (24-byte) 3DES key and 128-bit (16-byte) HMAC-MD5 key.
enckey=0x4043434545464649494a4a4c4c4f4f515152525454575758
authkey=0x87658765876587658765876587658765

# Turn on PF_KEY and verbose debugging so that failures can be diagnosed.
ipsec klipsdebug --set pfkey
ipsec klipsdebug --set verbose

# Outbound ESP SA (3DES-CBC with HMAC-MD5-96) to 192.1.2.45, SPI 0x12345678.
ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto esp --src 192.1.2.23 --esp 3des-md5-96 --enckey $enckey --authkey $authkey

# Outbound IP-in-IP tunnel SA with the same SPI: outer header 192.1.2.23 -> 192.1.2.45.
ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4

# Group the tunnel SA with the ESP SA; outgoing packets are tunnelled, then ESP-protected.
ipsec spigrp inet 192.1.2.45 0x12345678 tun inet 192.1.2.45 0x12345678 esp

# Select traffic from 192.0.2.0/24 to 192.0.1.0/24 for processing by that group.
ipsec eroute --add --eraf inet --src 192.0.2.0/24 --dst 192.0.1.0/24 --said tun0x12345678@192.1.2.45

# Attach the ipsec0 pseudo-device to eth1 and bring it up with EAST's own address.
ipsec tncfg --attach --virtual ipsec0 --physical eth1
ifconfig ipsec0 inet 192.1.2.23 netmask 0xffffff00 broadcast 192.1.2.255 up

# magic route command: send traffic for 192.0.1.1 out via ipsec0 so that it meets the eroute
route add -host 192.0.1.1 gw 192.1.2.45 dev ipsec0

# Summarise the resulting SAs, eroutes and kernel routes.
ipsec look

The term SPI means ``Security Parameters Index''. Each security association is indexed by its SPI, together with the destination address and the protocol (this triple is what the tun0x12345678@192.1.2.45 notation expresses). Note that a separate SA is set up for the ESP transform and for the tunnel (IP-in-IP) transform; in this example both use the same SPI value. The two are then grouped together.

The eroute (Extended Route) command then selects traffic by source and destination address for processing by the aforementioned group. RFC 2401 defines other selectors, including TCP and UDP port numbers, but those selectors are not implemented in KLIPS at this time.

The tncfg command attaches the IPsec pseudo-device to a physical device. This is necessary in 2.0 and earlier kernels to provide a path by which the resulting packets can actually leave the system; otherwise the route command at the end can cause packets to loop internally. This problem and its workarounds are what we refer to as ``stoopid routing tricks''.

The ipsec klipsdebug commands turn on various debugging output. This output is important for diagnosing what has really happened when the system fails.

Finally, the ipsec look command produces a short summary of the resulting system setup. Its output looks like this:

east Tue Apr  2 04:32:28 GMT 2002
192.0.2.0/24       -> 192.0.1.0/24       => tun0x12345678@192.1.2.45 esp0x12345678@192.1.2.45  (0)
ipsec0->eth1 mtu=16260(1500)->1500
esp0x12345678@192.1.2.45 ESP_3DES_HMAC_MD5: dir=out src=192.1.2.23 iv_bits=64bits iv=0x24a4a14e81ee960e alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(9,0,0)
tun0x12345678@192.1.2.45 IPIP: dir=out src=192.1.2.23 life(c,s,h)=addtime(9,0,0)
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.1.1       192.1.2.45      255.255.255.255 UGH      40 0          0 ipsec0
192.1.2.0       0.0.0.0         255.255.255.0   U        40 0          0 eth1
192.1.2.0       0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
192.0.1.0       192.1.2.45      255.255.255.0   UG       40 0          0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U        40 0          0 eth0
0.0.0.0         192.1.2.254     0.0.0.0         UG       40 0          0 eth1

At this point the system is ready to have packets sent through it. Packets matching the eroute selectors (source in 192.0.2.0/24, destination in 192.0.1.0/24) are encapsulated in an IP-in-IP header to 192.1.2.45, encrypted under the provided 3DES key and authenticated with the provided HMAC-MD5 key; anything else passes through KLIPS untouched.
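To make the effect of the script concrete, and to give the examining host something definite to check, here is an added example in Go that is not code from the FreeSWAN project or from the original page. It reproduces for the SA above what KLIPS does on EAST (IP-in-IP encapsulation, RFC 2406 ESP framing with 3DES-CBC and HMAC-MD5-96, using the script's SPI and keys) and the check SKY should run on the captured bytes: verify the ICV first, then decrypt and strip the trailer. The inner ICMP packet, the IV and the SUNRISE address 192.0.2.1 are constructed assumptions; Go is used because its standard library carries both 3DES and HMAC-MD5.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
)

// SPI and keys from the initialisation script above (test values, not secrets); the IV is constructed, KLIPS picks a fresh one per packet.
var (
	testSPI    = uint32(0x12345678)
	encKey, _  = hex.DecodeString("4043434545464649494a4a4c4c4f4f515152525454575758") // 3DES, 24 bytes
	authKey, _ = hex.DecodeString("87658765876587658765876587658765")                 // HMAC-MD5, 16 bytes
	tdes, _    = des.NewTripleDESCipher(encKey)
	testIV     = []byte{0x24, 0xa4, 0xa1, 0x4e, 0x81, 0xee, 0x96, 0x0e}
)

// ipv4Header builds a minimal 20-byte IPv4 header with a valid checksum.
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version/IHL, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], src.To4())
	copy(h[16:], dst.To4())
	var sum uint32
	for i := 0; i < 20; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	sum = sum&0xffff + sum>>16 // fold carries; the second fold cannot overflow 16 bits
	binary.BigEndian.PutUint16(h[10:], ^uint16(sum+sum>>16))
	return h
}

// espEncap mirrors what KLIPS does on EAST for the grouped tun/esp SAs: pad to the 3DES block
// size, append pad length and next header (4 = IP-in-IP), encrypt with 3DES-CBC, then append
// HMAC-MD5-96 computed over SPI, sequence number, IV and ciphertext (RFC 2406 framing).
func espEncap(iv []byte, seq uint32, inner []byte) []byte {
	padLen := (8 - (len(inner)+2)%8) % 8
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 2406 default padding 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), 4)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(tdes, iv).CryptBlocks(ct, plain)
	out := make([]byte, 8, 8+len(iv)+len(ct)+12)
	binary.BigEndian.PutUint32(out[0:], testSPI)
	binary.BigEndian.PutUint32(out[4:], seq)
	out = append(append(out, iv...), ct...)
	mac := hmac.New(md5.New, authKey)
	mac.Write(out)
	return append(out, mac.Sum(nil)[:12]...)
}

// espDecap is the check to run on the examining host (SKY): verify the ICV before touching
// the ciphertext, then decrypt, strip the trailer and return inner packet, next header, SPI.
func espDecap(pkt []byte) (inner []byte, nextHdr byte, spi uint32, err error) {
	// SPI(4) + seq(4) + IV(8) + at least one 8-byte block + ICV(12), ciphertext block-aligned.
	if len(pkt) < 36 || (len(pkt)-28)%8 != 0 {
		return nil, 0, 0, errors.New("esp: bad length for 3DES-CBC/HMAC-MD5-96")
	}
	icvStart := len(pkt) - 12
	mac := hmac.New(md5.New, authKey)
	mac.Write(pkt[:icvStart])
	if !hmac.Equal(mac.Sum(nil)[:12], pkt[icvStart:]) {
		return nil, 0, 0, errors.New("esp: ICV mismatch (wrong authkey or modified packet)")
	}
	spi = binary.BigEndian.Uint32(pkt[0:])
	plain := make([]byte, icvStart-16)
	cipher.NewCBCDecrypter(tdes, pkt[8:16]).CryptBlocks(plain, pkt[16:icvStart])
	padLen := int(plain[len(plain)-2])
	if padLen+2 > len(plain) {
		return nil, 0, spi, errors.New("esp: bad pad length")
	}
	return plain[:len(plain)-2-padLen], plain[len(plain)-1], spi, nil
}

// roundTrip builds a constructed packet from SUNRISE (192.0.2.1, assumed) to 192.0.1.1,
// wraps it as EAST sends it to 192.1.2.45, and decapsulates the wire bytes as SKY would.
func roundTrip() (inner, recovered []byte, spi uint32, nextHdr byte, err error) {
	payload := []byte{8, 0, 0, 0, 0, 1, 0, 1} // constructed ICMP echo header, checksum not computed
	inner = append(ipv4Header(net.IPv4(192, 0, 2, 1), net.IPv4(192, 0, 1, 1), 1, len(payload)), payload...)
	esp := espEncap(testIV, 1, inner)
	// On the wire: outer header 192.1.2.23 -> 192.1.2.45, protocol 50 (ESP), then the ESP packet.
	wire := append(ipv4Header(net.IPv4(192, 1, 2, 23), net.IPv4(192, 1, 2, 45), 50, len(esp)), esp...)
	recovered, nextHdr, spi, err = espDecap(wire[20:])
	return
}

func main() {
	_, got, spi, nh, err := roundTrip()
	fmt.Printf("err=%v spi=0x%08x next-header=%d inner=% x\n", err, spi, nh, got)
}
```

The outer addresses and the SPI recovered by espDecap are what should match the esp0x12345678@192.1.2.45 line in the ipsec look output when the same packet is captured on SKY. An ICV mismatch is reported before any decryption is attempted, which is the right order: it distinguishes an authkey that differs between the two ends, or a packet altered in transit, from a wrong enckey, which only shows up afterwards as garbage in the inner packet.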



Michael Richardson
2002-06-26