In FreeSWAN, the session layer encryption, security association management and traffic selection are done by a kernel component called KLIPS (Kernel Level IP Security). This component can be built as a loadable kernel module or statically built in.
As the security associations are unidirectional, one can effectively separate the encrypt/encapsulate and decrypt/decapsulate operations for testing purposes.
For ease of thinking, the encryption operations are always done on EAST and the decryption operations are always done on WEST.
As indicated in figure 3, three things are needed: a source of plaintext packets, a way to examine the ciphertext packets, and a way to configure the system. In the physical setup of the previous section, the source of plaintext packets is provided by the machine SUNRISE, and the examination of the packets is provided by SKY.
A typical initialization script for KLIPS is shown below:
#!/bin/sh
TZ=GMT
export TZ
# start from a clean state: drop all SAs and all eroutes
ipsec spi --clear
ipsec eroute --clear
# 3DES key (24 bytes) and HMAC-MD5 key (16 bytes)
enckey=0x4043434545464649494a4a4c4c4f4f515152525454575758
authkey=0x87658765876587658765876587658765
ipsec klipsdebug --set pfkey
ipsec klipsdebug --set verbose
# ESP SA: encrypt/authenticate towards WEST (192.1.2.45)
ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto esp --src 192.1.2.23 --esp 3des-md5-96 --enckey $enckey --authkey $authkey
# tunnel (IPIP) SA with the same SPI, then group the two SAs
ipsec spi --af inet --edst 192.1.2.45 --spi 0x12345678 --proto tun --src 192.1.2.23 --dst 192.1.2.45 --ip4
ipsec spigrp inet 192.1.2.45 0x12345678 tun inet 192.1.2.45 0x12345678 esp
# select traffic 192.0.2.0/24 -> 192.0.1.0/24 for the grouped SA
ipsec eroute --add --eraf inet --src 192.0.2.0/24 --dst 192.0.1.0/24 --said tun0x12345678@192.1.2.45
# bind the ipsec0 pseudo-device to eth1 and bring it up
ipsec tncfg --attach --virtual ipsec0 --physical eth1
ifconfig ipsec0 inet 192.1.2.23 netmask 0xffffff00 broadcast 192.1.2.255 up
# magic route command
route add -host 192.0.1.1 gw 192.1.2.45 dev ipsec0
ipsec look
The term SPI means ``Security Parameters Index''. Each security association is indexed by an SPI. Note that a separate SPI is set up for the ESP operation and for the tunnel operation. The two are then grouped together.
The eroute (Extended Route) command then selects traffic by source and destination address for processing by the aforementioned group. RFC 2401 defines other selectors, including TCP and UDP port numbers, but those selectors are not implemented in KLIPS at this time.
The tncfg command attaches the IPsec pseudo-device to a physical device. This
is necessary in 2.0 and prior kernels to provide a path for the resulting
packets to actually leave the system. Otherwise, the route command at
the end can cause packets to loop internally. Eliminating this problem -
we refer to it as ``stoopid routing tricks''
Finally, the ipsec look command produces a short summary of the resulting
system setup. The output looks like:

east Tue Apr 2 04:32:28 GMT 2002
192.0.2.0/24 -> 192.0.1.0/24 => tun0x12345678@192.1.2.45 esp0x12345678@192.1.2.45 (0)
ipsec0->eth1 mtu=16260(1500)->1500
esp0x12345678@192.1.2.45 ESP_3DES_HMAC_MD5: dir=out src=192.1.2.23 iv_bits=64bits iv=0x24a4a14e81ee960e alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(9,0,0)
tun0x12345678@192.1.2.45 IPIP: dir=out src=192.1.2.23 life(c,s,h)=addtime(9,0,0)
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.0.1.1 192.1.2.45 255.255.255.255 UGH 40 0 0 ipsec0
192.1.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.1.2.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec0
192.0.1.0 192.1.2.45 255.255.255.0 UG 40 0 0 eth1
192.0.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
0.0.0.0 192.1.2.254 0.0.0.0 UG 40 0 0 eth1

At this point, the system is ready to have packets sent through it. If the
packets match the criteria for the SA, then they will be encrypted with the
provided key.
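A practitioner running a script like the one above usually wants a mechanical check that the resulting state is what was intended before sending test packets: that every SA the eroute points at actually exists, that both SAs on the encrypting side are outbound, and that the key lengths the kernel reports match the chosen transform (3DES needs 192 bits, HMAC-MD5 128 bits). The following Python is an added example, not FreeSWAN code; it parses the sample ipsec look output quoted above (embedded as constructed input) and checks the key literals from the script. It assumes the field names (dir, eklen, aklen) appear in ipsec look output exactly as in the sample, and the DES parity check reflects the DES key convention, not anything the ipsec spi command is known to enforce.

```python
import re

# Constructed sample input: the `ipsec look` output quoted in the text,
# embedded here so the checks run offline.
SAMPLE_LOOK = """\
east Tue Apr 2 04:32:28 GMT 2002
192.0.2.0/24 -> 192.0.1.0/24 => tun0x12345678@192.1.2.45 esp0x12345678@192.1.2.45 (0)
ipsec0->eth1 mtu=16260(1500)->1500
esp0x12345678@192.1.2.45 ESP_3DES_HMAC_MD5: dir=out src=192.1.2.23 iv_bits=64bits iv=0x24a4a14e81ee960e alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(9,0,0)
tun0x12345678@192.1.2.45 IPIP: dir=out src=192.1.2.23 life(c,s,h)=addtime(9,0,0)
"""

# Key literals from the initialization script in the text.
ENCKEY = "0x4043434545464649494a4a4c4c4f4f515152525454575758"
AUTHKEY = "0x87658765876587658765876587658765"

# Key sizes the ESP_3DES_HMAC_MD5 transform must report: 3DES uses a
# 192-bit key, HMAC-MD5 a 128-bit key (field names assumed from the sample).
EXPECTED_KEYBITS = {"ESP_3DES_HMAC_MD5": {"eklen": 192, "aklen": 128}}

EROUTE_RE = re.compile(r"^(\S+) -> (\S+) => (\S+) (\S+) \(\d+\)$")
SA_RE = re.compile(
    r"^(?P<said>(?P<proto>esp|ah|tun)0x[0-9a-fA-F]+@\S+) (?P<algo>\S+): (?P<fields>.*)$")


def _raw(hexkey):
    return bytes.fromhex(hexkey[2:] if hexkey.startswith("0x") else hexkey)


def key_bits(hexkey):
    """Length in bits of a 0x-prefixed hex key literal."""
    return len(_raw(hexkey)) * 8


def des_key_parity_ok(hexkey):
    """True if every byte of a DES/3DES key has odd parity, as DES keys require."""
    return all(bin(b).count("1") % 2 == 1 for b in _raw(hexkey))


def parse_look(text):
    """Split `ipsec look` output into eroute entries and a dict of SAs keyed by SAID."""
    eroutes, sas = [], {}
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            eroutes.append({"src": m.group(1), "dst": m.group(2),
                            "saids": [m.group(3), m.group(4)]})
            continue
        m = SA_RE.match(line)
        if m:
            fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
            sas[m.group("said")] = {"proto": m.group("proto"), "algo": m.group("algo"), **fields}
    return eroutes, sas


def check_look(text, expect_dir="out"):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    eroutes, sas = parse_look(text)
    if not eroutes:
        findings.append("no eroute present: no traffic will be selected for IPsec")
    for er in eroutes:
        for said in er["saids"]:
            if said not in sas:
                findings.append(f"eroute {er['src']} -> {er['dst']} references missing SA {said}")
    for said, sa in sas.items():
        # EAST only encrypts, so every SA it holds should be outbound.
        if sa.get("dir") != expect_dir:
            findings.append(f"{said}: dir={sa.get('dir')}, expected {expect_dir}")
        for field, bits in EXPECTED_KEYBITS.get(sa["algo"], {}).items():
            if int(sa.get(field, 0)) != bits:
                findings.append(f"{said}: {field}={sa.get(field)} bits, expected {bits} for {sa['algo']}")
    return findings


if __name__ == "__main__":
    print("enckey bits:", key_bits(ENCKEY), "authkey bits:", key_bits(AUTHKEY),
          "DES parity ok:", des_key_parity_ok(ENCKEY))
    for finding in check_look(SAMPLE_LOOK) or ["setup consistent"]:
        print(finding)
```

On the sample output the check reports no findings; feeding it the output of a machine whose eroute names an SPI that was never created, or whose ESP SA was loaded with a truncated key, produces one line per problem, which is quicker than reading the ipsec look dump by eye after every edit to the script.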
Michael Richardson
2002-06-26