Learning VPP: IPsec IKEv2


Overview

Internet Key Exchange version 2 (IKEv2, RFC 7296) is the protocol that authenticates two IPsec peers and negotiates the IKE SA and the child (ESP) SAs, including their keys and algorithms. It supports several authentication methods; this post uses certificate-based RSA signature authentication between two VPP instances.

Setup

Two Ubuntu 18.04 VMs, each running VPP 20.05, on the same network: 192.168.0.122 is the initiator and 192.168.0.123 the responder, as the commands and the output below show.

VPP IKEv2

Prerequisites

First we need to generate a private key and a self-signed certificate for each peer and place the files where VPP can read them. The ipsec pki tool comes with the strongswan and strongswan-pki packages, so install those first. It writes DER, and the openssl lines below convert each file to the PEM form that VPP loads. Afterwards each VM needs only its own private key plus the other peer's certificate: copy server-cert.pem to the initiator and client-cert.pem to the responder, keep the private keys mode 0600, and never copy a private key across. The CN chosen for each certificate is the same FQDN that the matching profile will send as its IKE identity, which keeps certificate and ID consistent.

ipsec pki --gen  > server-key.der
ipsec pki --self --in server-key.der --dn "CN=vpp.home" > server-cert.der
openssl x509 -inform DER -in server-cert.der -out server-cert.pem
openssl rsa -inform DER -in server-key.der -out server-key.pem

ipsec pki --gen  > client-key.der
ipsec pki --self --in client-key.der --dn "CN=roadwarrior.vpn.example.com" > client-cert.der
openssl x509 -inform DER -in client-cert.der -out client-cert.pem
openssl rsa -inform DER -in client-key.der -out client-key.pem
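The same key and certificate generation done with openssl alone, plus the checks worth running before pointing VPP at the files (an added example, not from the original post; the strongswan tools are not needed for it). The output directory, the 365-day validity and the function names are this example's own assumptions:

```shell
#!/bin/sh
# Added example: generate the two self-signed key/certificate pairs with
# openssl alone and verify them before handing the files to VPP.
# Directory layout, 365-day validity and function names are assumptions.
set -eu

# gen_pair <name> <cn> <dir>: writes <dir>/<name>-key.pem (unencrypted RSA-2048
# private key) and <dir>/<name>-cert.pem (self-signed certificate, CN=<cn>).
gen_pair() {
    name=$1; cn=$2; dir=$3
    mkdir -p "$dir"
    umask 077   # the private key must never be group- or world-readable
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=$cn" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" 2>/dev/null
    chmod 644 "$dir/$name-cert.pem"   # the certificate is public: it is copied to the peer
}

# cert_cn <cert>: print the subject CN of a PEM certificate
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_pair <key> <cert> <expected_cn>: 0 when the private key matches the
# certificate's public key (same RSA modulus), the CN equals the FQDN the
# IKEv2 profile will present as its identity, and the certificate has not
# expired; 1 (with the reason on stderr) otherwise.
check_pair() {
    key=$1; cert=$2; expected=$3
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) ||
        { echo "unreadable key: $key" >&2; return 1; }
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) ||
        { echo "unreadable certificate: $cert" >&2; return 1; }
    if [ "$kmod" != "$cmod" ]; then
        echo "key $key does not match certificate $cert" >&2; return 1
    fi
    cn=$(cert_cn "$cert")
    if [ "$cn" != "$expected" ]; then
        echo "certificate CN '$cn' != IKEv2 identity '$expected'" >&2; return 1
    fi
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null ||
        { echo "certificate $cert has expired" >&2; return 1; }
    return 0
}

# Usage: sh gen_ikev2_pki.sh <dir>
# Both peers' pairs land in <dir>; copy only each *-cert.pem to the other VM.
if [ $# -ge 1 ]; then
    pki=$1
    gen_pair server vpp.home "$pki"
    gen_pair client roadwarrior.vpn.example.com "$pki"
    check_pair "$pki/server-key.pem" "$pki/server-cert.pem" vpp.home
    check_pair "$pki/client-key.pem" "$pki/client-cert.pem" roadwarrior.vpn.example.com
    echo "ok: key/certificate pairs written to $pki"
fi
```

The modulus comparison is the classic test that a key and a certificate belong together; swapping the client certificate under the server key, or loading a certificate whose CN differs from the fqdn ID in the profile, fails the check before it fails inside VPP, where the symptom is only a rejected AUTH exchange.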

VPP configuration

We configure the responder first. In VPP's IKEv2 CLI the cert-file on a profile is the peer's certificate, used to verify the signature in the peer's AUTH payload, so the responder loads client-cert.pem; the private key used to sign its own AUTH payload is set globally with set ikev2 local key rather than per profile. id local and id remote must match the identities the two sides send. The traffic selectors below admit any address, port and protocol, which is convenient in a lab; in production narrow them to the subnets that should actually be tunnelled, since they define what the child SA will carry.

Responder

ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file client-cert.pem
set ikev2 local key server-key.pem
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0

Now we configure the initiator, which is the mirror image of the responder: its profile loads the responder's certificate (server-cert.pem) to verify the responder's signature, set ikev2 local key points at its own private key, and the local and remote IDs are swapped. Three further settings are initiator-only. The responder line names the interface and the responder address that IKE_SA_INIT is sent from and to. The ike-* and esp-* lines fix the proposals: AES-CBC-256 with HMAC-SHA1-96 and MODP-2048 (group 14) for the IKE SA, and AES-CBC-256 with HMAC-SHA1-96 plus an ECP-256 exchange (perfect forward secrecy for the child SA) for ESP. HMAC-SHA1-96 is not broken as a MAC, but it is the legacy choice; RFC 8247 prefers HMAC-SHA2-256-128, which VPP offers as sha2-256-128. sa-lifetime takes four values: the child SA lifetime in seconds, a random jitter in seconds applied to it so the two ends do not rekey in lockstep, the handover period in seconds during which the old child SA is kept after the new one is installed, and a byte limit (0 for none).

Initiator

ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file server-cert.pem
set ikev2 local key server1/client-key.pem
ikev2 profile set pr1 id local fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 id remote fqdn vpp.home
ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0

ikev2 profile set pr1 responder GigabitEthernet0/3/0 192.168.0.123
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256  ike-integ-alg sha1-96  ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256  esp-integ-alg sha1-96  esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0

ikev2 initiate sa-init pr1

Results

IKE SA state

After the exchange completes, show ikev2 sa on either side lists the IKE SA, the negotiated algorithms, both identities and the child SA with its SPIs and traffic selectors. Note that VPP also prints the nonces and the derived keys (SK_d, SK_a, SK_e, SK_p and the child SA keys), so this output is as sensitive as the session itself; redact it before pasting it into a ticket or a post.

DBGvpp# show ikev2 sa
iip 192.168.0.122 ispi 4c28e1c804fd1947 rip 192.168.0.123 rspi 399dc6c103195aaf
encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:3d3efa1c7e22b2d8a71cee9a25dc9865b7f9390cc5779951c853f54d3c43f8a4
       r:a5d1349d0c3361f4b83928a4ed7d830c0bb30ce1c24eec0fad8f1246d5aa3d13
 SK_d    6801b1efb1b2b1af7716aa59110232e11f6ab14d21a5bbed78a5e3df780accfd
 SK_a  i:ef80c745b9b00687b790c8733ef1259051792d5a
        r:88197e468c0bb1547da1ba83a615fda8bddafe70
 SK_e  i:e03c29186cb043aab949345b4b082d52be0a55a917f0871055e8201b4a82bbe6
        r:47ce9e6ca78758d0ca55b49c95db412f41f4d82473f183276b09a4aeca4acabf
 SK_p  i:5e97db586a7e3f2f0532c8ecbd360cb9a8b9894bc1f7bcccb253878b299a3689
        r:a9346e5827ccf6927acaa5fff0d9cc4461649154f4e01ceed410cdbb1985a596
 identifier (i) fqdn roadwarrior.vpn.example.com
 identifier (r) fqdn vpp.home
 child sa 0:
   encr:aes-cbc-256 integ:sha1-96 esn:yes 
    spi(i) df7eeb0c spi(r) 244bc72d
   SK_e  i:d5cdc8129b666eb0ef40111d9a78c4d8b053e28b2d28846d421c47f27f00d9fd
         r:3ee2ab1bbfce8b0714d735e2e13a18d44d274c9a214b88ff9a7d47170f364f94
   SK_a  i:ba24a4dabc09eb1da586437e2d28841c67043d33
         r:1f289f029b601b371f7946e93c14df252dd9fcc4
   traffic selectors (i):
     0 type 7 protocol_id 0 addr 0.0.0.0 - 255.255.255.255 port 0 - 65535
   traffic selectors (r):
     0 type 7 protocol_id 0 addr 0.0.0.0 - 255.255.255.255 port 0 - 65535
 iip 192.168.0.122 ispi 4c28e1c804fd1947 rip 192.168.0.123 rspi 399dc6c103195aaf

Renew certificates

To roll both peers over to new certificates (generated as in Prerequisites, with each new certificate copied to the other VM before continuing), reload on the responder first so that it can verify the initiator's new signature, then on the initiator delete the existing child SA, reload, and initiate again. The SPI given to del-child-sa is the initiator-side SPI (spi(i)) of the child SA as shown by show ikev2 sa, here df7eeb0c.

Responder

ikev2 profile set pr1 auth rsa-sig cert-file client-cert.pem
set ikev2 local key server-key.pem

Initiator

ikev2 initiate del-child-sa df7eeb0c
ikev2 profile set pr1 auth rsa-sig cert-file server-cert.pem
set ikev2 local key client-key.pem
ikev2 initiate sa-init pr1
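Two things a practitioner wants from the show ikev2 sa output above: the child SA SPI that the del-child-sa step needs, and a quick check that nothing legacy was negotiated, plus redaction of the SK_* keys and nonces before the text leaves the box. The following shell script (an added example, not from the original post or the VPP project) does all three with awk and sed over the captured output. The sample text is the capture from this page minus the repeated header line, embedded so the script runs offline; the function names and the legacy-algorithm list are this example's own:

```shell
#!/bin/sh
# Added example (not VPP project code): post-process `vppctl show ikev2 sa`
# text to extract child SA SPIs, flag legacy algorithms and redact keys.
set -eu

# sample_show_sa: the `show ikev2 sa` capture from this page, embedded as
# offline test input (the repeated header line at the end is omitted)
sample_show_sa() {
cat <<'EOF'
iip 192.168.0.122 ispi 4c28e1c804fd1947 rip 192.168.0.123 rspi 399dc6c103195aaf
encr:aes-cbc-256 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:3d3efa1c7e22b2d8a71cee9a25dc9865b7f9390cc5779951c853f54d3c43f8a4 r:a5d1349d0c3361f4b83928a4ed7d830c0bb30ce1c24eec0fad8f1246d5aa3d13
 SK_d    6801b1efb1b2b1af7716aa59110232e11f6ab14d21a5bbed78a5e3df780accfd
 SK_a  i:ef80c745b9b00687b790c8733ef1259051792d5a
        r:88197e468c0bb1547da1ba83a615fda8bddafe70
 SK_e  i:e03c29186cb043aab949345b4b082d52be0a55a917f0871055e8201b4a82bbe6
        r:47ce9e6ca78758d0ca55b49c95db412f41f4d82473f183276b09a4aeca4acabf
 SK_p  i:5e97db586a7e3f2f0532c8ecbd360cb9a8b9894bc1f7bcccb253878b299a3689
        r:a9346e5827ccf6927acaa5fff0d9cc4461649154f4e01ceed410cdbb1985a596
 identifier (i) fqdn roadwarrior.vpn.example.com
 identifier (r) fqdn vpp.home
 child sa 0:
   encr:aes-cbc-256 integ:sha1-96 esn:yes
    spi(i) df7eeb0c spi(r) 244bc72d
   SK_e  i:d5cdc8129b666eb0ef40111d9a78c4d8b053e28b2d28846d421c47f27f00d9fd
         r:3ee2ab1bbfce8b0714d735e2e13a18d44d274c9a214b88ff9a7d47170f364f94
   SK_a  i:ba24a4dabc09eb1da586437e2d28841c67043d33
         r:1f289f029b601b371f7946e93c14df252dd9fcc4
   traffic selectors (i):
     0 type 7 protocol_id 0 addr 0.0.0.0 - 255.255.255.255 port 0 - 65535
   traffic selectors (r):
     0 type 7 protocol_id 0 addr 0.0.0.0 - 255.255.255.255 port 0 - 65535
EOF
}

# ikev2_sa_peers <file>: "<iip> <ispi> <rip> <rspi>" per IKE SA header line
ikev2_sa_peers() {
    awk '$1 == "iip" && $5 == "rip" { print $2, $4, $6, $8 }' "$1"
}

# ikev2_child_spis <file>: "<spi_i> <spi_r>" per child SA
ikev2_child_spis() {
    awk '$1 == "spi(i)" && $3 == "spi(r)" { print $2, $4 }' "$1"
}

# ikev2_del_child_cmds <file>: the CLI lines that tear down every child SA
# (del-child-sa takes the initiator-side SPI, as in the renew step above)
ikev2_del_child_cmds() {
    ikev2_child_spis "$1" | awk '{ print "ikev2 initiate del-child-sa " $1 }'
}

# ikev2_legacy_algs <file>: print every negotiated algorithm token that is on
# this example's legacy list (RFC 8247 guidance); exit 1 if any, 0 if none
ikev2_legacy_algs() {
    awk '
    BEGIN {
        legacy["integ:sha1-96"] = 1; legacy["integ:md5-96"] = 1
        legacy["prf:hmac-sha1"] = 1; legacy["prf:hmac-md5"] = 1
        legacy["dh-group:modp-768"] = 1; legacy["dh-group:modp-1024"] = 1
        legacy["dh-group:modp-1536"] = 1
        legacy["encr:des"] = 1; legacy["encr:3des"] = 1; legacy["encr:null"] = 1
        found = 0
    }
    { for (i = 1; i <= NF; i++) if ($i in legacy) { print $i; found++ } }
    END { exit (found ? 1 : 0) }' "$1"
}

# ikev2_redact <file>: replace the nonces and every SK_* key (runs of 40+ hex
# digits) so the output can be shared; SPIs (8/16 hex digits) and IDs stay
ikev2_redact() {
    sed -E 's/[0-9a-f]{40,}/<redacted>/g' "$1"
}

# report <file>: summary printed by the command-line entry point
report() {
    echo "IKE SAs (iip ispi rip rspi):"; ikev2_sa_peers "$1"
    echo "Child SAs (spi_i spi_r):"; ikev2_child_spis "$1"
    if legacy=$(ikev2_legacy_algs "$1"); then
        echo "No legacy algorithms negotiated"
    else
        echo "Legacy algorithms negotiated:"; echo "$legacy"
    fi
}

# Usage: vppctl show ikev2 sa > sa.txt && sh ikev2_sa_audit.sh sa.txt
# With no argument the embedded sample capture is used.
if [ $# -ge 1 ]; then
    report "$1"
else
    tmp=$(mktemp); sample_show_sa > "$tmp"; report "$tmp"; rm -f "$tmp"
fi
```

On the capture above the script reports the single IKE SA, the child SA pair df7eeb0c/244bc72d, and integ:sha1-96 twice (once for the IKE SA, once for the child SA), which is exactly the legacy choice the proposal lines made; switching both integ settings to sha2-256-128 clears the finding.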
