
Configuring racoon/ipsec-tools to use x509 Certificates

This paper reviews the process to configure racoon/ipsec-tools to authenticate IPSec communications via x509 certificates.

Our example does not cover how to configure a Certificate Authority (CA); that process will be examined in another paper. Our example also assumes both clients are NetBSD; however, the procedures are nearly the same for Linux, FreeBSD and Mac OS X.

Our example assumes a host-to-host IPSec connection; however, this has no bearing on the x509 authentication and could just as easily be a gateway-to-gateway connection.

In our example, the hosts have the IP addresses 10.0.5.5 and 10.0.7.5.

You will need to configure your IPSec rules; these are placed in /etc/ipsec.conf. On 10.0.5.5, /etc/ipsec.conf should contain:

  spdadd 10.0.5.5/32 10.0.7.5/32 any -P out ipsec esp/tunnel/10.0.5.5-10.0.7.5/require;
  spdadd 10.0.7.5/32 10.0.5.5/32 any -P in ipsec esp/tunnel/10.0.7.5-10.0.5.5/require;

 
Likewise on 10.0.7.5, /etc/ipsec.conf should contain:

  spdadd 10.0.7.5/32 10.0.5.5/32 any -P out ipsec esp/tunnel/10.0.7.5-10.0.5.5/require;
  spdadd 10.0.5.5/32 10.0.7.5/32 any -P in ipsec esp/tunnel/10.0.5.5-10.0.7.5/require;
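The two files above are mirror images of each other, and a typo in one of them is easy to miss. The following added example (not code from the page or from ipsec-tools) parses the spdadd lines of both hosts, checks that each host's tunnel endpoints are its own address and that every out policy has its reversed in policy, and confirms that the peer's file is this host's file with only the direction flipped. It understands only the spdadd form used in this paper; other setkey syntax is rejected rather than guessed at.

```python
"""Parse setkey(8) 'spdadd' policies and check two hosts' /etc/ipsec.conf files.

Added example, not from the page or ipsec-tools.  Only the form
'spdadd SRC DST PROTO -P DIR ipsec esp|ah/MODE/[A-B]/LEVEL;' is supported.
"""
import re

# Constructed copies of the two /etc/ipsec.conf files shown in the text.
CONF_10_0_5_5 = """\
spdadd 10.0.5.5/32 10.0.7.5/32 any -P out ipsec esp/tunnel/10.0.5.5-10.0.7.5/require;
spdadd 10.0.7.5/32 10.0.5.5/32 any -P in ipsec esp/tunnel/10.0.7.5-10.0.5.5/require;
"""
CONF_10_0_7_5 = """\
spdadd 10.0.7.5/32 10.0.5.5/32 any -P out ipsec esp/tunnel/10.0.7.5-10.0.5.5/require;
spdadd 10.0.5.5/32 10.0.7.5/32 any -P in ipsec esp/tunnel/10.0.5.5-10.0.7.5/require;
"""

SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<ipproto>esp|ah)/(?P<mode>tunnel|transport)"
    r"/(?:(?P<ep_src>[^-/]+)-(?P<ep_dst>[^/]+))?/(?P<level>require|use|default|unique)\s*;\s*$"
)


def parse_policies(text):
    """Return one dict per spdadd line; comments and blank lines are skipped."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError("line %d: unsupported spdadd syntax: %s" % (lineno, line))
        policies.append(m.groupdict())
    return policies


def policy_key(p):
    return (p["src"], p["dst"], p["proto"], p["ipproto"], p["mode"], p["level"])


def check_host(policies, local_ip):
    """Problems with one host's SPD; an empty list means it looks right."""
    problems = []
    out_keys, in_keys = set(), set()
    for p in policies:
        if p["mode"] == "tunnel":
            # The outer tunnel must start (out) or end (in) at this host.
            mine = p["ep_src"] if p["dir"] == "out" else p["ep_dst"]
            if mine != local_ip:
                problems.append("%s policy %s -> %s tunnels via %s, not via this host %s"
                                % (p["dir"], p["src"], p["dst"], mine, local_ip))
        (out_keys if p["dir"] == "out" else in_keys).add(policy_key(p))
    # 'require' is enforced per direction: without the reversed 'in' policy the
    # kernel still accepts unprotected packets from the peer.
    for src, dst, proto, ipproto, mode, level in out_keys:
        if (dst, src, proto, ipproto, mode, level) not in in_keys:
            problems.append("out policy %s -> %s has no matching in policy" % (src, dst))
    for src, dst, proto, ipproto, mode, level in in_keys:
        if (dst, src, proto, ipproto, mode, level) not in out_keys:
            problems.append("in policy %s -> %s has no matching out policy" % (src, dst))
    return problems


def peers_mirror(conf_a, conf_b):
    """Host B's policies must equal host A's with only the direction flipped.
    Returns (missing_on_b, extra_on_b); both empty means the peers agree."""
    def shape(p, flip):
        d = p["dir"]
        if flip:
            d = "in" if d == "out" else "out"
        return policy_key(p) + (d, p["ep_src"] or "", p["ep_dst"] or "")
    expected = {shape(p, True) for p in parse_policies(conf_a)}
    actual = {shape(p, False) for p in parse_policies(conf_b)}
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    for ip, conf in (("10.0.5.5", CONF_10_0_5_5), ("10.0.7.5", CONF_10_0_7_5)):
        print(ip, check_host(parse_policies(conf), ip) or "OK")
    print("peers agree:", peers_mirror(CONF_10_0_5_5, CONF_10_0_7_5) == ([], []))
```

Run it on the two files after editing them; a tunnel endpoint that is not the local host, or an out rule whose in counterpart was forgotten, is reported before the policy is ever loaded with setkey.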

 
Now on to the certificates. First, place a copy of your Certificate Authority certificate into /etc/racoon/certs. This location is configurable via “path certificate” in racoon.conf; more on this below.

You will also need to create a symbolic link named after the certificate's subject hash, since that is how OpenSSL looks up the appropriate certificate.

  # cp /path/to/cacert.pem /etc/racoon/certs
  # cd /etc/racoon/certs
  # ln -s cacert.pem `openssl x509 -hash -noout -in cacert.pem`.0

 
If a certificate is compromised, it will be necessary to ensure that it can no longer be used to authenticate. This is done via Certificate Revocation Lists (CRLs), which will be explained in greater detail in a future paper. However, if you already have a CRL, it can be installed as shown below.

Note: the CRL is linked under the CA certificate's hash, not the CRL's own hash, and the file extension is .r0 rather than .0.

  # cp /path/to/crl.pem /etc/racoon/certs
  # cd /etc/racoon/certs
  # ln -s crl.pem `openssl x509 -hash -noout -in cacert.pem`.r0

 
You will also want to place your host's certificate and private key into /etc/racoon/certs; in our scenario these files are 10.0.5.5.cert and 10.0.5.5.key respectively. The private key must not be encrypted; directions to decrypt your private key can be found here.

Now you will need to modify /etc/racoon/racoon.conf to accommodate x509 certificate authentication; see the following highlights from the 10.0.5.5 host:

  path certificate "/etc/racoon/certs" ;

  remote anonymous
  {

        #exchange_mode main,aggressive,base;
        exchange_mode main,base;

        verify_cert on;
        my_identifier asn1dn;
        certificate_type x509 "10.0.5.5.cert" "10.0.5.5.key" ;

        lifetime time 24 hour ; # sec,min,hour

        #initial_contact off ;
        #passive on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des ;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }

        # the configuration makes racoon (as a responder) to obey the
        # initiator's lifetime and PFS group proposal.
        # this makes testing so much easier.
        proposal_check obey;
  }
  sainfo anonymous
  {
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
  }

 
Repeat these steps for the other clients using their respective host certificates (and keys) and you should be up and running in no time.
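Most failures with this setup come from the certificate directory rather than from racoon.conf: a hash link that points nowhere, a CRL linked under its own hash instead of the CA's, a key that is still passphrase protected, or verify_cert left off. The following added example (not code from the page or from ipsec-tools) reads the "path certificate", "verify_cert" and "certificate_type x509" lines of a racoon.conf and lints the directory they name for exactly those mistakes. It uses only the standard library, so it does not recompute the OpenSSL subject hash; that part is still checked with the openssl command shown earlier. The make_demo() helper builds a constructed tree with fake PEM files and the made-up hash 0a1b2c3d so the lint can be tried without a real CA.

```python
"""Lint a racoon certificate directory for the layout described above.
Added example, not from the page or ipsec-tools; stdlib only."""
import os
import re
import stat
import tempfile

PATH_RE = re.compile(r'^\s*path\s+certificate\s+"([^"]+)"\s*;')
VERIFY_RE = re.compile(r'^\s*verify_cert\s+(on|off)\s*;')
CERT_RE = re.compile(r'^\s*certificate_type\s+x509\s+"([^"]+)"\s+"([^"]+)"\s*;')


def read_racoon_conf(path):
    """Pick out the three settings this lint needs; everything else is ignored."""
    conf = {"certdir": "/etc/racoon/certs", "verify_cert": None, "cert": None, "key": None}
    with open(path) as f:
        for line in f:
            line = line.split("#", 1)[0]
            for regex, keys in ((PATH_RE, ("certdir",)), (VERIFY_RE, ("verify_cert",)),
                                (CERT_RE, ("cert", "key"))):
                m = regex.match(line)
                if m:
                    conf.update(zip(keys, m.groups()))
    return conf


def pem_is_encrypted(path):
    """True for PKCS#8 'BEGIN ENCRYPTED PRIVATE KEY' and the legacy
    'Proc-Type: 4,ENCRYPTED' header; racoon cannot prompt for a passphrase."""
    with open(path, "rb") as f:
        return b"ENCRYPTED" in f.read(4096)


def lint_certdir(conf_path):
    """Return a list of problems; an empty list means the directory looks right."""
    conf = read_racoon_conf(conf_path)
    certdir, problems = conf["certdir"], []
    if conf["verify_cert"] != "on":
        problems.append("verify_cert is not 'on': peer certificates would not be validated")
    entries = sorted(os.listdir(certdir))
    ca_hashes = {n[:-2] for n in entries if n.endswith(".0")}
    if not ca_hashes:
        problems.append("no <hash>.0 CA certificate link in %s" % certdir)
    for name in entries:
        full = os.path.join(certdir, name)
        if os.path.islink(full) and not os.path.exists(full):
            problems.append("%s: dangling symlink" % name)
        # The CRL is looked up under the CA's hash, so <hash>.r0 needs <hash>.0 beside it.
        if name.endswith(".r0") and name[:-3] not in ca_hashes:
            problems.append("%s: CRL link is not under the hash of an installed CA certificate" % name)
    if conf["key"] is None:
        problems.append("racoon.conf has no 'certificate_type x509' line")
        return problems
    for label in ("cert", "key"):
        path = conf[label] if os.path.isabs(conf[label]) else os.path.join(certdir, conf[label])
        if not os.path.isfile(path):
            problems.append("%s file %s is missing" % (label, path))
        elif label == "key":
            if pem_is_encrypted(path):
                problems.append("%s is encrypted; racoon needs an unencrypted private key" % conf[label])
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                problems.append("%s is group/world accessible (mode %04o)" % (conf[label], mode))
    return problems


def make_demo(root, good=True):
    """Constructed demo tree (fake PEM bodies, made-up hash 0a1b2c3d); returns
    the racoon.conf path.  good=False plants the mistakes the lint looks for."""
    certdir = os.path.join(root, "certs")
    os.makedirs(certdir)

    def put(name, kind, mode=0o644):
        with open(os.path.join(certdir, name), "w") as f:
            f.write("-----BEGIN %s-----\nfake\n-----END %s-----\n" % (kind, kind))
        os.chmod(os.path.join(certdir, name), mode)

    put("cacert.pem", "CERTIFICATE")
    put("crl.pem", "X509 CRL")
    put("10.0.5.5.cert", "CERTIFICATE")
    os.symlink("cacert.pem", os.path.join(certdir, "0a1b2c3d.0"))
    if good:
        put("10.0.5.5.key", "RSA PRIVATE KEY", 0o600)
        os.symlink("crl.pem", os.path.join(certdir, "0a1b2c3d.r0"))
    else:
        put("10.0.5.5.key", "ENCRYPTED PRIVATE KEY", 0o644)
        os.symlink("crl.pem", os.path.join(certdir, "9f8e7d6c.r0"))  # CRL's own hash: wrong
    conf_path = os.path.join(root, "racoon.conf")
    with open(conf_path, "w") as f:
        f.write('path certificate "%s" ;\nremote anonymous {\n\tverify_cert %s;\n'
                '\tcertificate_type x509 "10.0.5.5.cert" "10.0.5.5.key" ;\n}\n'
                % (certdir, "on" if good else "off"))
    return conf_path


def demo():
    """Lint a good and a bad constructed tree; returns both problem lists."""
    root = tempfile.mkdtemp(prefix="racoon-demo-")
    return (lint_certdir(make_demo(os.path.join(root, "good"))),
            lint_certdir(make_demo(os.path.join(root, "bad"), good=False)))


if __name__ == "__main__":
    good, bad = demo()
    print("good tree:", good or "OK")
    print("bad tree:", *bad, sep="\n  ")
```

On a real host, call lint_certdir("/etc/racoon/racoon.conf") as root; the key-mode check matters because racoon reads the key unencrypted, so the file mode is the only thing protecting it.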

How to install NetBSD on Compact Flash (for the Soekris 4501)

This was tested on NetBSD 3.99.16; however, the instructions should apply to older versions as well. I have attempted to flag steps where you may run into version incompatibilities with “Version Note”.

There are a number of devices that will allow you to read your CF card on a NetBSD machine; the device I chose was the mediaGear Keychain Compact Flash Reader.

A snippet of your dmesg output should appear as follows:

  [...]
  umass0 at uhub1 port 1 configuration 1 interface 0
  umass0: mediaGear Compact Flash Keychain, rev 1.10/1.00, addr 2
  umass0: using SCSI over Bulk-Only
  scsibus0 at umass0: 2 targets, 1 lun per target
  sd0 at scsibus0 target 0 lun 0: <MG, CF-Key, 1.00> disk removable
  sd0: fabricating a geometry
  sd0: 244 MB, 244 cyl, 64 head, 32 sec, 512 bytes/sect x 500400 sectors
  [...]

 
Run the following commands:

  # cd /root
  # mkdir cfimage
  # dd if=/dev/zero of=netbsd.img bs=512 count=500400
  # vnconfig vnd0 netbsd.img
  # fdisk -ua0 vnd0
  # disklabel -e -I vnd0
  # newfs /dev/vnd0a
  # mount /dev/vnd0a /root/cfimage
  # cd /root/cfimage && mtree -Udef /etc/mtree/NetBSD.dist
  # tar xzpf i386/binary/sets/base.tgz
  # tar xzpf i386/binary/sets/kern-GENERIC.tgz


  # cp i386/binary/sets/etc.tgz /root/cfimage/root

  # chroot /root/cfimage /bin/sh

 
You are now in the chroot environment; continue with the following.
Version Note: Older versions of etcupdate do not accept a tgz file as an argument; you will need to extract the contents prior to running it.

  # etcupdate -s /root/etc.tgz
  # rm /root/etc.tgz
  # touch /etc/mail/local-host-names

 
Add a non-root user and his group.

  # groupadd jdoe
  # useradd -g jdoe -G wheel -k /etc/skel -s /bin/csh -m jdoe

 
Note: the user is included in the wheel group to allow them to run su.

Other files you will likely need to modify are:

  /etc/fstab
  /etc/ifconfig.sip0
  /etc/localtime
  /etc/mygate
  /etc/mygate6
  /etc/myname
  /etc/rc.conf
  /etc/resolv.conf
  /etc/ttys

 
To exit your chroot environment simply

  # exit

 
Now you will need to make the CF bootable. First we copy the secondary bootstrap, then install the primary.
Note: You can’t install the primary bootstrap on a mounted device, so do not forget the umount step.
Note #2: The baud rate you pass to installboot should match what you’ve configured in the Soekris BIOS.
Note #3: If you chose a different filesystem for the primary bootstrap partition, /usr/mdec/bootxx_ffsv1 should be changed to reflect that.

  # cp /usr/mdec/boot .
  # cd ~ && umount /root/cfimage
  # installboot -v -o console=com0,speed=19200 /dev/rvnd0a /usr/mdec/bootxx_ffsv1

 
We end by unconfiguring the vnode disk and writing it to CF.

  # vnconfig -u vnd0
  # dd if=netbsd.img of=/dev/sd0d bs=1m

 

Configuring IPSec with x509 certificates on OpenBSD

This document explains how to configure OpenBSD’s IPSec to authenticate via a Certificate Authority and x509 certificates. It is demonstrated with OpenBSD 4.1 and depends upon ipsecctl, which first appeared in OpenBSD 3.8.

First you will need to place your CA certificate in /etc/isakmpd/ca.

  # ls -al /etc/isakmpd/ca
  total 16
  drwxr-xr-x  2 root  wheel   512 Jun  1 13:25 .
  drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
  -r--r--r--  1 root  wheel  3460 Jun  1 12:27 cacert.pem

 
Next, place your host’s certificate in /etc/isakmpd/certs.

  # ls -al /etc/isakmpd/certs
  total 16
  drwxr-xr-x  2 root  wheel   512 Jun  1 13:59 .
  drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
  -r--r--r--  1 root  wheel  3008 Jun  1 13:59 192.168.25.25.pem

 
This certificate should be issued with a subjectAltName extension field, as described in the isakmpd man page.

  # setenv CERTIP 192.168.25.25
  # openssl x509 -req -days 365 -in 192.168.25.25.csr \
          -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
          -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
          -extensions x509v3_IPAddr -out 192.168.25.25.pem

 
When you view the resulting certificate, you should see something similar in the X509v3 extensions:

  [...]
  X509v3 extensions:
      X509v3 Subject Alternative Name:
          IP Address:192.168.25.25
  [...]

 
Here is an example ipsec.conf used with the above configuration to connect to a peer running ipsec-tools/racoon:

  ike esp from 192.168.25.25 to 192.168.25.211 \
     main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des
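isakmpd identifies a certificate by its subjectAltName, which is why the man page asks for the extension: the address the ike rule sends "from" has to be the IP Address listed in the host certificate, or phase 1 fails with an unhelpful error. The following added example (not OpenBSD or isakmpd code) cross-checks the two. san_entries() parses the text printed by openssl x509 -noout -text, ike_endpoints() reads ipsec.conf (joining backslash continuations) and check_identity() reports any rule whose local address is not an IP SAN of the certificate. Both inputs below are constructed from the output and rule shown above.

```python
"""Cross-check ipsecctl 'ike' rules against the host certificate's subjectAltName.
Added example, not from the page or OpenBSD."""
import re

# Constructed: the SAN part of 'openssl x509 -noout -text' for the cert above.
X509_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.168.25.25
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Constructed copy of the ipsec.conf rule shown above, continuation line included.
IPSEC_CONF = """\
ike esp from 192.168.25.25 to 192.168.25.211 \\
   main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des
"""

# 'ike' may be followed by mode/encap/tmode words before 'from'; match them lazily.
IKE_RE = re.compile(r"^ike\s+(?:\S+\s+)*?from\s+(\S+)\s+to\s+(\S+)")


def san_entries(x509_text):
    """Return [(kind, value), ...], e.g. [('IP Address', '192.168.25.25')].
    openssl prints the names, comma separated, on the line after the header."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Subject Alternative Name:") and i + 1 < len(lines):
            return [tuple(part.strip().split(":", 1)) for part in lines[i + 1].split(",")]
    return []


def ike_endpoints(conf_text):
    """Return [(local, peer), ...] for every ike rule, honouring '\\' continuations."""
    joined = conf_text.replace("\\\n", " ")
    rules = []
    for line in joined.splitlines():
        m = IKE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def check_identity(conf_text, x509_text):
    """Problems found; an empty list means every rule's local address is an IP SAN."""
    ips = {value for kind, value in san_entries(x509_text) if kind == "IP Address"}
    problems = []
    if not ips:
        problems.append("certificate has no IP Address subjectAltName")
    for local, peer in ike_endpoints(conf_text):
        if local not in ips:
            problems.append("rule from %s to %s: %s is not in the certificate SAN %s"
                            % (local, peer, local, sorted(ips)))
    return problems


if __name__ == "__main__":
    print(check_identity(IPSEC_CONF, X509_TEXT) or "ike rules match the certificate SAN")
```

On a live system, feed it the real files: the output of openssl x509 -noout -text -in /etc/isakmpd/certs/192.168.25.25.pem and the contents of /etc/ipsec.conf. A certificate issued with the FQDN variant of the extension instead of the IP one shows up here as a missing IP SAN before isakmpd is ever started.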

 
You should ensure that isakmpd is running with the -K argument. You can add the following to /etc/rc.conf.local:

  isakmpd_flags="-K"
  ipsec=YES

 
In older versions of OpenBSD the following needs to be added to /etc/rc.local, as the rc.conf variable ipsec does not exist:

  ipsecctl -f /etc/ipsec.conf