Documentation: Libreswan Opportunistic IPsec using LetsEncrypt: Difference between revisions
(common error added) |
m (corrections) |
||
Line 388: | Line 388: | ||
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local IKE proposals for private-or-clear#193.110.157.131/32 | 002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local IKE proposals for private-or-clear#193.110.157.131/32 | ||
(IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256; | (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256; | ||
INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256; | INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512, | ||
CURVE25519 (default) | HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 | ||
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;NTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128DH=MODP2048,MODP3072,MODP4096, | |||
MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 (default) | |||
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local ESP/AH proposals for private-or-clear#193.110.157.131/32 | 002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local ESP/AH proposals for private-or-clear#193.110.157.131/32 | ||
(IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128; | (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED | ||
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128; | |||
ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default) | ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default) | ||
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: certificate verified OK: CN=letsencrypt.libreswan.org | 002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: certificate verified OK: CN=letsencrypt.libreswan.org |
Revision as of 18:27, 11 August 2019
Introduction
letsencrypt
invokes several of the utilities involved in controlling the Opportunistic Encryption system, running the specified {command} with the specified [argument] as if it had been invoked directly. More information about the utility is available at Libreswan Opportunistic IPsec using LetsEncrypt .
Prerequisite
The following packages are required to avail full features of the `letsencrypt` program:
1. IPsec - Libreswan
2. certutil
3. wget
4. certbot *
5. openssl *
* Required only for hosts acting as servers. Not required for hosts acting as clients.
Installation
To use the program one needs to have IPsec (Libreswan) installed. Libreswan installation instructions are available here
Available [arguments]
ipsec letsencrypt [arguments]
Available [arguments]
-server, -client, test, generatecertificate hostname, updatecertificate hostname, help, -t, -gc hostname, -uc hostname, -h
Note - To get the list of all acceptable arguments run ipsec letsencrypt -h
OR ipsec letsencrypt help
Configuration Used
There are 2 default configurations, one for the server (oe-letsencrypt-server.conf
) and other for the client (oe-letsencrypt-client.conf
).
1. The server configuration (oe-letsencrypt-server.conf
) is as follows:
conn clear-or-private leftid=%fromcert leftrsasigkey=%cert # nickname of your letsencrypt certificate imported to NSS leftcert=letsencrypt.libreswan.org leftauth=rsasig left=%defaultroute #leftmodecfgclient=yes # rightid=%null rightauth=null right=%opportunisticgroup # negotiationshunt=passthrough failureshunt=passthrough type=tunnel ikev2=insist sendca=issuer auto=add # rightaddresspool=100.64.0.1-100.64.255.254 rightmodecfgclient=yes
2. The client configuration (oe-letsencrypt-client.conf
) is as follows:
conn private-or-clear rightid=%fromcert rightrsasigkey=%cert rightauth=rsasig right=%opportunisticgroup rightmodecfgclient=yes rightcat=yes # Any CA will do because we only load the LetsEncrypt CA rightca=%any # left=%defaultroute leftid=%null leftauth=null leftmodecfgclient=yes leftcat=yes # narrowing=yes type=tunnel ikev2=insist negotiationshunt=drop failureshunt=passthrough keyingtries=1 retransmit-timeout=3s auto=ondemand
Functions of various [arguments]
Note - OE refers to Opportunistic Encryption.
1. ipsec letsencrypt -client
OR ipsec letsencrypt -server
For the initial setup, it is to be run when installing the project for the first time. This [argument] performs the following tasks:
- performs the 1st time server/client Installation.
- checks if the command is run as root.
- Sets and restores the secure umask at appropriate locations.
- Creates temporary directories for downloading the certificates.
- Checks for any existing OE connections.
- Downloads the LetsEncrypt CA and intermediate certificates.
- Checks if NSS database exists.
- Initializes the NSS database and import the LetsEncrypt certificates in it.
- Saves the required client/server configuration in the /etc/ipsec.d directory.
- Restores the security context of the saved configuration using restorecon (if it is available on the system).
- Establishes a secure OE connection by sending pings to the letsencrypt.libreswan.org server.
- Checks for the success of establishing the OE connection.
- Displays OE connection status to user.
Sample Output -
[root@linux]# ipsec letsencrypt -client Installing for Client. Downloading the letsencrypt certificates Importing the downloaded certificates into the database Saving the required configuration cp: cannot stat '@FINALDOCDIR@/examples/oe-letsencrypt-client.conf': No such file or directory Sending ping(IPv4) to letsencrypt.libreswan.org server. OE Connection established successfully. 006 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131, type=ESP, add_time=1565535553, inBytes=0, outBytes=252, id='CN=letsencrypt.libreswan.org', lease=100.64.0.1/32
2. ipsec letsencrypt test
OR ipsec letsencrypt -t
For testing the configuration/connections. This [argument] checks for the success of establishing an OE connection, and performs the following tasks:
- Check for any existing OE connections.
- checks if the command is run as root.
- Establish an OE connection.
- Sending pings to the letsencrypt.libreswan.org server.
- Checking the success of establishing OE connection.
- Displaying connection status to the user.
Sample Output -
[root@linux]# ipsec letsencrypt -t Existing OE Connections Found. Please stop the connections using 'ipsec restart' and try again. 006 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131, type=ESP, add_time=1565535553, inBytes=0, outBytes=252, id='CN=letsencrypt.libreswan.org', lease=100.64.0.1/32
3. ipsec letsencrypt generatecertificate hostname
OR ipsec letsencrypt -gc hostname
Note - hostname refers to the name of the host. e.g. libreswan.org
.
For generating the certificate. This [argument] is used for Generating the certificate using Certbot, and performing the following tasks:
- Check if certbot is installed.
- checks if the command is run as root.
- Sets and restores the secure umask at appropriate locations.
- Creates temporary directories for downloading the certificates.
- Generating #pkcs12 file and importing it in the nss database.
- Displays the certificates installed in nss database.
- Generates the certbot configuration for reusing the private key.
- Creates a crontab for automatic certificate renewals.
Sample Output -
[root@linux]# ipsec letsencrypt -gc letsencrypt.org Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): letsencrypt.libreswan.org Cert not yet due for renewal You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry. (ref: /etc/letsencrypt/renewal/letsencrypt.libreswan.org.conf) What would you like to do? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: Keep the existing certificate for now 2: Renew & replace the cert (limit ~5 per 7 days) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Renewing an existing certificate IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/letsencrypt.libreswan.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/letsencrypt.libreswan.org/privkey.pem Your cert will expire on 2019-11-03. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le Enter Export Password: Verifying - Enter Export Password: Importing the certificate in database. Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI isrgrootx1 CT,, trustid-x3-root CT,, letsencryptauthorityx3 ,, lets-encrypt-x3-cross-signed ,, letsencrypt.libreswan.org u,u,u To confirm the success try running 'ipsec letsencrypt -t' on the client
4. certbot renew --deploy-hook 'ipsec letsencrypt -ug hostname'
Note - hostname refers to the name of the host. e.g. libreswan.org
.
For updating the generated certificate (keeping the private key same). This [argument] is used to update the certificate keeping the private key same, and performs the following tasks:
- checks if the command is run as root.
- Updating the certificate using Certbot keeping the private key same.
- Sets and restores the secure umask at appropriate locations.
- Creates temporary directories for downloading the certificates.
- Generating #pkcs12 file.
- Importing the certificate in nss database.
- Displaying the certificates installed in nss database.
- Restarting the IPsec to load the latest updated certificate.
Sample Output -
[root@linux]# certbot renew --deploy-hook 'ipsec letsencrypt -ug letsencrypt.org' Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/letsencrypt.libreswan.org.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The following certs are not due for renewal yet: /etc/letsencrypt/live/letsencrypt.libreswan.org/fullchain.pem expires on 2019-11-03 (skipped) No renewals were attempted. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Enter Export Password: Verifying - Enter Export Password: Importing the certificate in the database. Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL Displaying the certificates installed in the database. Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI isrgrootx1 CT,, trustid-x3-root CT,, letsencryptauthorityx3 ,, lets-encrypt-x3-cross-signed ,, letsencrypt.libreswan.org u,u,u To confirm the success try running 'ipsec letsencrypt -t' on the client
5. ipsec letsencrypt -h
OR ipsec letsencrypt help
For providing information regarding various {commands} and [arguments].
Sample Output -
[root@linux]# ipsec letsencrypt -h Usage: ipsec letsencrypt [arguments] Available [arguments] -server, -client, test, generatecertificate hostname, updatecertificate hostname, help, -t, -gc hostname, -uc hostname, -h -server, -client : For initial server/client setup. usage: 'ipsec letsencrypt -client' OR 'ipsec letsencrypt -server' test, -t : For testing the configuration/connections. usage: 'ipsec letsencrypt test' OR 'ipsec letsencrypt -t' generatecertificate hostname, -gc hostname : For generating the certificate. usage: 'ipsec letsencrypt generatecertificate hostname' OR 'ipsec letsencrypt -gc hostname' For updating the generated certificate (keeping the private key same) use the following command. usage: certbot renew --deploy-hook 'ipsec letsencrypt -ug hostname'
Testing and Debugging
- To see all the active IPsec OE tunnels (and the amount of traffic encrypted)
sudo ipsec whack --trafficstatus
Sample Output -
006 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131, type=ESP, add_time=1565535553, inBytes=0, outBytes=252, id='CN=letsencrypt.libreswan.org', lease=100.64.0.1/32
Note - Inactive tunnels are torn down (once an hour)
- To see all the IP addresses that were tried, but did not offer IPsec OE
sudo ipsec whack --shuntstatus
Sample Output -
000 Bare Shunt list: 000
- To see the inside state of the libreswan pluto daemon
sudo ipsec status
Sample Output -
000 using kernel interface: netkey . . . . 000 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131 esp.affba9fa@193.110.157.131 esp.a390a2a8@192.168.43.235 tun.0@193.110.157.131 tun.0@192.168.43.235 ref=0 refhim=0 Traffic: ESPin=0B ESPout=252B! ESPmax=0B 000 000 Bare Shunt list: 000
- To restart IPsec OE
sudo ipsec restart
Note - It will destroy all your esisting OE connections.
- To verify IPsec (Libreswan) installation and check configuration files
sudo ipsec verify
Sample Output -
Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.29 (netkey) on 5.1.20-300.fc30.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Checking rp_filter [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPS [OK] Checking for obsolete ipsec.conf options [OK]
- Manual debug version of OE request
sudo ipsec restart sleep 5 sudo ipsec whack --oppohere YOURIP --oppothere REMOTEIP (ipsec whack --oppohere 169.149.111.125 --oppothere 193.110.157.131)
Sample Output -
002 initiate on demand from 142.93.216.119:0 to 193.110.157.131:0 proto=0 because: whack 133 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #1: initiate 002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local IKE proposals for private-or-clear#193.110.157.131/32 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256; INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512, HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;NTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128DH=MODP2048,MODP3072,MODP4096, MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 (default) 002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local ESP/AH proposals for private-or-clear#193.110.157.131/32 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128; ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default) 002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: certificate verified OK: CN=letsencrypt.libreswan.org 003 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: Authenticated using RSA 002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: negotiated connection [142.93.216.119-142.93.216.119:0-65535 0] -> [193.110.157.131-193.110.157.131:0-65535 0]
Common Errors
- no routed template covers this pair error while running the command
sudo ipsec whack --oppohere 76.10.157.68 --oppothere 1.2.3.4
This is due to the fact that the target IP address (1.2.3.4) is not covered by /etc/ipsec.d/policies/private*