[thirdparty/strongswan.git] / README

                 ----------------------------
                  strongSwan - Configuration
                 ----------------------------


Contents
--------

   1. Overview
   2. Quickstart
	2.1 Site-to-Site case
	2.2 Host-to-Host case
	2.3 Four Tunnel case
	2.4 Four Tunnel case the elegant way with source routing
	2.5 Roadwarrior case
	2.6 Roadwarrior case with virtual IP
   3. Generating X.509 certificates and CRLs with OpenSSL
	3.1 Generating a CA certificate
	3.2 Generating a host or user certificate
	3.3 Generating a CRL
	3.4 Revoking a certificate
   4. Configuring the connections - ipsec.conf
	4.1 Configuring my side
	4.2 Multiple certificates
	4.3 Configuring the peer side using CA certificates
	4.4 Handling Virtual IPs and wildcard subnets
	4.5 Protocol and port selectors
	4.6 IPsec policies based on wildcards
	4.7 IPsec policies based on CA certificates
	4.8 Sending certificate requests
	4.9 IPsec policies based on group attributes
   5. Configuring certificates and CRLs
	5.1 Installing CA certificates
	5.2 Installing optional Certificate Revocation Lists (CRLs)
	5.3 Dynamic update of certificates and CRLs
	5.4 Local caching of CRLs
	5.5 Online Certificate Status Protocol (OCSP)
	5.6 CRL policy
	5.7 Configuring the peer side using locally stored certificates
   6. Configuring the private keys - ipsec.secrets
	6.1 Loading private key files in PKCS#1 format
	6.2 Entering passphrases interactively
	6.3 Multiple private keys
   7. Configuring CA properties - ipsec.conf
   8. Smartcard support
	8.1 Configuring a smartcard-based connection
	8.2 Entering the PIN code
	8.3 PIN-pad equipped smartcard readers
	8.4 Configuring a smartcard using pkcs15-init
        8.5 PKCS#1 proxy functions
   9. Configuring the clients
	9.1 strongSwan
	9.2 PGPnet
	9.3 Safenet/Soft-Remote
	9.4 SSH Sentinel
	9.5 Windows 2000/XP
  10. Monitoring functions
  11. Firewall support functions
       11.1 Environment variables in the updown script
       11.2 Automatic insertion and deletion of iptables firewall rules  (NEW)
       11.3 Sample Linux 2.6 _updown_espmark script for iptables < 1.3.5
  12. Authentication with raw RSA public keys
  13. Authentication with OpenPGP certificates
       13.1 OpenPGP certificates
       13.2 OpenPGP private keys
       13.3 Monitoring functions
       13.4 Suppression of certificate request messages
  14. Additional features
       14.1 Authentication and encryption algorithms
       14.2 NAT traversal
       14.3 Dead peer detection
       14.4 IKE Mode Config
  15. Copyright statement and acknowledgements


1. Overview
   --------

strongSwan is an OpenSource IPsec solution for the Linux operating system
and currently supports the following features:

  * runs both on Linux 2.4 (KLIPS) and Linux 2.6 (native IPsec) kernels.

  * strong 3DES, AES, Serpent, Twofish, or Blowfish encryption.

  * Authentication based on X.509 certificates or preshared secrets.

  * IPsec policies based on wildcards or intermediate CAs.

  * Powerful and flexible IPsec policies based on group attributes.

  * Retrieval of Certificate Revocation Lists (CRLs) via HTTP or LDAP.

  * Local caching of fetched CRLs

  * Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).

  * CA management functions including OCSP and CRL URIs and default LDAP server.

  * Optional storage of RSA private keys on smartcards or USB crypto tokens

  * Standardized PKCS#11 interface with optional proxy functions serving 
    external applications (disc encryption, etc.).
 
  * NAT-Traversal (RFC 3947)

  * Support of Virtual IPs via static configuratin and IKE Mode Config

  * Support of Delete SA and informational Notification messages.

  * Dead Peer Detection (DPD, RFC 3706)

Compatibility has successfully been tested with peers running the following
IPsec clients:

  FreeS/WAN, Openswan, SafeNet/SoftRemote, NCP Secure Entry Client,
  SonicWALL Global VPN Client, The GreenBow, Microsoft Windows 2000/XP, etc.

Furthermore, interoperability with the following VPN gateways
has been demonstrated during the IPsec 2001 Conference in Paris:

  Cisco IOS Routers, Cisco PIX firewall, Cisco VPN3000,
  Nortel Contivity VPN Switch, NetScreen (FreeS/WAN as responder only),
  OpenBSD with isakmpd, Netasq, Netcelo, and 6WIND.

Potentially any IPsec implementation with X.509 certificate support can
be made to cooperate with strongSwan. The latest addition has been the successful
interoperability with the Check Point VPN-1 NG gateway.


2. Quickstart
   ----------
   
In the following examples we assume for reasons of clarity that left designates
the local host and that right is the remote host. Certificates for users, hosts
and gateways are issued by a ficticious strongSwan CA. How to generate private keys
and certificates using OpenSSL will be explained in section 3. The CA certificate
"strongswanCert.pem" must be present on all VPN end points in order to be able to
authenticate the peers.


2.1 Site-to-site case
    -----------------

In this scenario two security gateways moon and sun will connect the
two subnets moon-net and sun-net with each other through a VPN tunnel
set up between the two gateways:

    10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
      moon-net          moon                 sun           sun-net

Configuration on gateway moon:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/moonCert.pem

   /etc/ipsec.secrets:

     : RSA moonKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn net-net
	  left=%defaultroute
	  leftsubnet=10.1.0.0/16
	  leftcert=moonCert.pem
	  right=192.168.0.2
	  rightsubnet=10.2.0.0/16
	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
	  auto=start

Configuration on gateway sun:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/sunCert.pem

   /etc/ipsec.secrets:

     : RSA sunKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn net-net
	  left=%defaultroute
	  leftsubnet=10.2.0.0/16
	  leftcert=sunCert.pem
	  right=192.168.0.1
	  rightsubnet=10.1.0.0/16
	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
	  auto=start


2.2 Host-to-host case
    -----------------

This is a setup between two single hosts which don't have a subnet behind
them. Although IPsec transport mode would be sufficient for host-to-host
connections we will use the default IPsec tunnel mode.

    | 192.168.0.1 | === | 192.168.0.2 |
         moon                sun

Configuration on host moon:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/moonCert.pem

   /etc/ipsec.secrets:

     : RSA moonKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn host-host
	  left=%defaultroute
	  leftcert=moonCert.pem
	  right=192.168.0.2
	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
	  auto=start

Configuration on host sun:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/sunCert.pem

   /etc/ipsec.secrets:

     : RSA sunKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn host-host
	  left=%defaultroute
	  leftcert=sunCert.pem
	  right=192.168.0.1
	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
	  auto=start


2.3 Four Tunnel case
    ----------------

In a site-to-site setup a system administrator logged into the local gateway
often would like to access the peer gateway or a server in the subnet behind
the peer gateway over a secure IPsec tunnel.Since IP packets leaving a gateway
via the outer network interface carry the IP address of this NIC, four IPsec
Security Associations (SAs) must be set up to achieve full connectivity. The
example below shows how this can be done without much additional typing work ,
using the "also" macro which includes connection definitions defined farther
down in the ipsec.conf file.

   10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
    moon-net           moon                 sun           sun-net

Configuration on gateway moon:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/moonCert.pem

   /etc/ipsec.secrets:

     : RSA moonKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn net-net
	  leftsubnet=10.1.0.0/16
	  rightsubnet=10.2.0.0/16
	  also host-host

     conn net-host
	  leftsubnet=10.1.0.0/16
	  also host-host

     conn host-net
	  rightsubnet=10.2.0.0/16
	  also host-host

     conn host-host
	  left=%defaultroute
	  leftcert=moonCert.pem
	  right=192.168.0.2
	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
	  auto=start

Configuration on gateway sun:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/sunCert.pem

   /etc/ipsec.secrets:

     : RSA sunKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn net-net
	  leftsubnet=10.2.0.0/16
	  rightsubnet=10.1.0.0/16
	  also=host-host

     conn net-host
	  leftsubnet=10.2.0.0/16
	  also=host-host

     conn host-net
	  rightsubnet=10.1.0.0/16
	  also=host-host

     conn host-host
	  left=%defaultroute
	  leftcert=sunCert.pem
	  right=192.168.0.1
	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
	  auto=start


2.4 The four tunnel case the elegant way with source routing
    --------------------------------------------------------

As you certainly agree, the full four tunnel case described in the previous
section becomes quite complex. If we could force the source address of the
IP packets leaving the gateway through the outer interface to take on the
IP address of the inner interface then we could use the single subnet-to-subnet
tunnel from section 2.1. Such a setup becomes possible if we use the
source routing capabilites of the ip route command that is already used
by strongSwan's updown scripts.

    10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
      moon-net          moon                sun            sun-net

If we assume that the inner IP address of gateway moon is 10.1.0.1
and the inner IP address of gateway sun is 10.2.0.1 then the
insertion of the parameter

    leftsourceip=10.1.0.1
   
in the connection definition of moon and

      leftsourceip=10.2.0.1
  
on sun, respectively, will install source routing on both gateways.
As a result the command

      ping 10.2.0.1
  
executed on moon will leave the gateway with a source address of
10.1.0.1 and will therefore take the net-net IPsec tunnel.

Configuration on gateway moon:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/moonCert.pem

   /etc/ipsec.secrets:

     : RSA moonKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn net-net
	  left=%defaultroute
	  leftsourceip=10.1.0.1
	  leftsubnet=10.1.0.0/16
	  leftcert=moonCert.pem
	  right=192.168.0.2
	  rightsubnet=10.2.0.0/16
	  rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
	  auto=start

Configuration on gateway sun:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/sunCert.pem

   /etc/ipsec.secrets:

     : RSA sunKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn net-net
	  left=%defaultroute
	  leftsubnet=10.2.0.0/16
	  leftsourceip=10.2.0.1
	  leftcert=sunCert.pem
	  right=192.168.0.1
	  rightsubnet=10.1.0.0/16
	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
	  auto=start


2.5 Roadwarrior case
    ----------------

This is a very common case where a strongSwan gateway serves an arbitrary number
of remote VPN clients usually having dynamic IP addresses.

    10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
      moon-net          moon              carol

Configuration on gateway moon:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/moonCert.pem

   /etc/ipsec.secrets:

     : RSA moonKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn rw
	  left=%defaultroute
	  leftsubnet=10.1.0.0/16
	  leftcert=moonCert.pem
          right=%any
	  auto=add

Configuration on roadwarrior carol:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/carolCert.pem

   /etc/ipsec.secrets:

     : RSA carolKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn home
	  left=%defaultroute
	  leftcert=carolCert.pem
	  right=192.168.0.1
	  rightsubnet=10.1.0.0/16
	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
	  auto=start


2.6 Roadwarrior case with virtual IP
    --------------------------------

Roadwarriors usually have dynamic IP addresses assigned by the ISP they are
currently attached to. In order to simplify the routing from moon-net back
to the remote access client carol it would be desirable if the roadwarrior had
an inner IP address chosen from a pre-assigned pool.
 
    10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x | -- 10.3.0.1
      moon-net          moon              carol       virtual IP

This virtual IP address can be assigned to a strongSwan roadwarrior by adding 
the parameter

    leftsourceip=10.3.0.1
    
to the roadwarrior's ipsec.conf. Of course the virtual IP of each roadwarrior
must be distinct. In our example it is chosen from the address pool

    rightsubnetwithin=10.3.0.0/16
    
which can be added to the gateway's ipsec.conf so that a single connection
definition can handle multiple roadwarriors.

Configuration on gateway moon:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/moonCert.pem

   /etc/ipsec.secrets:

     : RSA moonKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn rw
	  left=%defaultroute
	  leftsubnet=10.1.0.0/16
	  leftcert=moonCert.pem
	  right=%any
	  rightsubnetwithin=10.3.0.0/16
	  auto=add

Configuration on roadwarrior carol:

   /etc/ipsec.d/cacerts/strongswanCert.pem

   /etc/ipsec.d/certs/carolCert.pem

   /etc/ipsec.secrets:

     : RSA carolKey.pem "<optional passphrase>"

   /etc/ipsec.conf:

     conn home
	  left=%defaultroute
	  leftsourceip=10.3.0.1
	  leftcert=carolCert.pem
	  right=192.168.0.1
	  rightsubnet=10.1.0.0/16
	  rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
	  auto=start


3. Generating certificates and CRLs with OpenSSL
   ---------------------------------------------

This section is not a full-blown tutorial on how to use OpenSSL. It just lists
a few points that are relevant if you want to generate your own certificates
and CRLs for use with strongSwan.


3.1 Generating a CA certificate
    ---------------------------

The OpenSSL statement

     openssl req -x509 -days 1460 -newkey rsa:2048 \
                 -keyout strongswanKey.pem -out strongswanCert.pem

creates a 2048 bit RSA private key strongswanKey.pem and a self-signed CA
certificate strongswanCert.pem with a validity of 4 years (1460 days).

     openssl x509 -in cert.pem -noout -text

lists the properties of  a X.509 certificate cert.pem. It allows you to verify
whether the configuration defaults in openssl.cnf have been inserted correctly.

If you prefer the CA certificate to be in binary DER format then the following
command achieves this transformation:

     openssl x509 -in strongswanCert.pem -outform DER -out strongswanCert.der

The directory /etc/ipsec.d/cacerts contains all required CA certificates either
in binary DER or in base64 PEM format. Irrespective of the file suffix, Pluto
"automagically" determines the correct format.


3.2 Generating a host or user certificate
    -------------------------------------

The OpenSSL statement

     openssl req -newkey rsa:1024 -keyout hostKey.pem \
                 -out hostReq.pem

generates a 1024 bit RSA private key hostKey.pem and a certificate request
hostReq.pem which has to be signed by the CA.

If you want to add a subjectAltName field to the host certificate you must edit
the OpenSSL configuration file openssl.cnf and add the following line in the
[ usr_cert ] section:

     subjectAltName=DNS:moon.strongswan.org

if you want to identify the host by its Fully Qualified Domain Name (FQDN ), or

     subjectAltName=IP:192.168.0.1

if you want the ID to be of type IPV4_ADDR. Of course you could include both
ID types with

     subjectAltName=DNS:moon.strongswan.org,IP:192.168.0.1

but the use of an IP address for the identification of a host should be
discouraged anyway.

For user certificates the appropriate ID type is USER_FQDN which can be
specified as

     subjectAltName=email:carol@strongswan.org

or if the user's e-mail address is part of the subject's distinguished name

     subjectAltName=email:copy

Now the certificate request can be signed by the CA with the command

     openssl ca -in hostReq.pem -days 730 -out hostCert.pem -notext

If you omit the -days option then the default_days value (365 days) specified
in openssl.cnf is used. The -notext option avoids that a human readable
listing of the certificate is prepended to the base64 encoded certificate
body.

If you want to use the dynamic CRL fetching feature described in section 4.7
then you may include one or several crlDistributionPoints in your end
certificates. This can be done in the [ usr_cert ] section of the openssl.cnf
configuration file:

    crlDistributionPoints= @crl_dp

    [ crl_dp ]

    URI.1="http://crl.strongswan.org/strongswan.crl"
    URI.2="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan
      , c=CH?certificateRevocationList"

If you have only a single http distribution point then the short form

    crlDistributionPoints="URI:http://crl.strongswan.org/strongswan.crl"

also works. Due to a known bug in OpenSSL this notation fails with ldap URIs.

Usually a Windows-based VPN client needs its private key, its host or
user certificate, and the CA certificate. The most convenient way to load
this information is to put everything into a  PKCS#12 file:

     openssl pkcs12 -export -inkey carolKey.pem \
                    -in carolCert.pem -name "carol" \
                    -certfile strongswanCert.pem -caname "strongSwan Root CA" \
                    -out carolCert.p12


3.3 Generating a CRL
    ----------------

An empty CRL that is signed by the CA can be generated with the command

     openssl ca -gencrl -crldays 15 -out crl.pem

If you omit the -crldays option then the default_crl_days value (30 days)
specified in openssl.cnf is used.

If you prefer the CRL to be in binary DER format then this conversion
can be achieved with

     openssl crl -in crl.pem -outform DER -out cert.crl

The directory /etc/ipsec.d/crls contains all CRLs either in binary DER
or in base64 PEM format. Irrespective of the file suffix, Pluto
"automagically" determines the correct format.


3.4 Revoking a certificate
    ----------------------

A specific host certificate stored in the file host.pem is revoked with the
command

     openssl ca -revoke host.pem

Next the CRL file must be updated

     openssl ca -gencrl -crldays 60 -out crl.pem

The content of the CRL file can be listed with the command

     openssl crl -in crl.pem -noout -text

in the case of a base64 CRL, or alternatively for a CRL in DER format

     openssl crl -inform DER -in cert.crl -noout -text


4. Configuring the connections - ipsec.conf
   ----------------------------------------

4.1 Configuring my side
    -------------------

Usually the local side is the same for all connections. Therefore it makes
sense to put the definitions characterizing the strongSwan security gateway into
the conn %default section of the configuration file /etc/ipsec.conf. If we
assume throughout this document that the strongSwan security gateway is left and
the peer is right then we can write

conn %default
     # my side is left - the freeswan security gateway
     left=%defaultroute
     leftcert=moonCert.pem
     # load connection definitions automatically
     auto=add

The X.509 certificate by which the strongSwan security gateway will authenticate
itself by sending it in binary form to its peers as part of the Internet Key
Exchange (IKE) is specified in the line

     leftcert=moonCert.pem

The certificate can either be stored in base64 PEM-format or in the binary
DER-format. Irrespective of the file suffix, Pluto "automagically" determines
the correct format. Therefore

     leftcert=moonCert.der

or

     leftcert=moonCert.cer

would also be valid alternatives.

When using relative pathnames as in the examples above, the certificate files
must be stored in in the directory /etc/ipsec.d/certs. In order to distinguish
strongSwan's own certificates from locally stored trusted peer certificates
(see section 5.5 for details), they could also be stored in a subdirectory
below /etc/ipsec.d/certs as e.g. in

    leftcert=mycerts/moonCert.pem

Absolute pathnames are also possible as in

    leftcert=/usr/ssl/certs/moonCert.pem

As an ID for the VPN gateway we recommend the use of a Fully Qualified Domain
Name (FQDN) of the form

conn rw
     right=%any
     leftid=@moon.strongswan.org

Important: When an FQDN identifier is used it must be explicitly included as a
so called subjectAltName of type dnsName (DNS:) in the certificate indicated
by leftcert. For details on how to generate certificates with subjectAltNames,
please refer to section 7.2.

If you don't want to mess with subjectAltNames, you can use the certificate's
Distinguished Name (DN) instead, which is an identifier of type DER_ASN1_DN
and which can be written e.g. in the LDAP-type format

conn rw
     right=%any
     leftid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Since the subject's DN is part of the certificate, the leftid does not have to
be declared explicitly. Thus the entry

conn rw
     right=%any

automatically assumes the subject DN of leftcert to be the host ID.


4.2 Multiple certificates
    ---------------------

strongSwan supports multiple local host certificates and corresponding
RSA private keys:

conn rw1
     right=%any
     rightid=@peer1.domain1
     leftcert=myCert1.pem
     # leftid is DN of myCert1

conn rw2
     right=%any
     rightid=@peer2.domain2
     leftcert=myCert2.pem
     # leftid is DN of myCert2

When peer1 initiates a connection then strongSwan will send myCert1 and will
sign with myKey1 defined in /etc/ipsec.secrets (see section 6.2) whereas
myCert2 and myKey2 will be used in a connection setup started from peer2.


4.3 Configuring the peer side using CA certificates
    -----------------------------------------------

Now we can proceed to define our connections. In many applications we might
have dozens of mostly Windows-based road warriors connecting to a central
strongSwan security gateway. The following most simple statement:

conn rw
     right=%any

defines the general roadwarrior case. The line right=%any literally means that
any IPSec peer is accepted, regardless of its current IP source address and its
ID, as long as the peer presents a valid X.509 certificate signed by a CA the
strongSwan security gateway puts explicit trust in. Additionally the signature
during IKE main mode gives proof that the peer is in possession of the private
RSA key matching the public key contained in the transmitted certificate.

The ID by which a peer is identifying itself during IKE main mode can by any of
the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one of the first
three ID types is used, then the accompanying X.509 certificate of the peer
must contain a matching subjectAltName field of the type ipAddress (IP:),
dnsName (DNS:) or rfc822Name (email:), respectively. With the fourth type
DER_ASN1_DN the identifier must completely match the subject field of the
peer's certificate. One of the two possible representations of a
Distinguished Name (DN) is the LDAP-type format

     rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"

Additional whitespace can be added everywhere as desired since it will be
automatically eliminated by the X.509 parser. An exception is the single
whitespace between individual words , like e.g. in Linux strongSwan, which is
preserved by the parser.

The Relative Distinguished Names (RDNs) can alternatively be separated by a
slash '/' instead of a comma ','

     rightid="/C=CH/O=Linux strongSwan/CN=sun.strongswan.org"

This is the representation extracted from the certificate by the OpenSSL
command line option

     openssl x509 -in sunCert.pem -noout -subject

The following RDNs are supported by strongSwan

+---------------------------------------------------+
| DC               Domain Component                 |
|---------------------------------------------------|
| C                Country                          |
|---------------------------------------------------|
| ST               State or province                |
|---------------------------------------------------|
| L                Locality or town                 |
|---------------------------------------------------|
| O                Organisation                     |
|---------------------------------------------------|
| OU               Organisational Unit              |
|---------------------------------------------------|
| CN               Common Name                      |
|---------------------------------------------------|
| ND               NameDistinguisher, used with CN  |
|---------------------------------------------------|
| N                Name                             |
|---------------------------------------------------|
| G                Given name                       |
|---------------------------------------------------|
| S                Surname                          |
|---------------------------------------------------|
| I                Initials                         |
|---------------------------------------------------|
| T                Personal title                   |
|---------------------------------------------------|
| E                E-mail                           |
|---------------------------------------------------|
| Email            E-mail                           |
|---------------------------------------------------|
| emailAddress     E-mail                           |
|---------------------------------------------------|
| SN               Serial number                    |
|---------------------------------------------------|
| serialNumber     Serial number                    |
|---------------------------------------------------|
| D                Description                      |
|---------------------------------------------------|
| ID               X.500 Unique Identifier          |
|---------------------------------------------------|
| UID              User ID                          |
|---------------------------------------------------|
| TCGID            [Siemens] Trust Center Global ID |
|---------------------------------------------------|
| unstructuredName Unstructured Name                |
|---------------------------------------------------|
| UN               Unstructured Name                |
|---------------------------------------------------|
| employeeNumber   Employee Number                  |
|---------------------------------------------------|
| EN               Employee Number                  |
+---------------------------------------------------+

With the roadwarrior connection definition listed above, an IPsec SA for
the strongSwan security gateway moon.strongswan.org itself can be established.
If any roadwarrior should be able to reach e.g. the two subnets 10.1.0.0/24
and 10.1.3.0/24 behind the security gateway then the following connection
definitions will make this possible

conn rw1
     right=%any
     leftsubnet=10.1.0.0/24

conn rw3
     right=%any
     leftsubnet=10.1.3.0/24

If not all peers in possession of a X.509 certificate signed by a specific
certificate authority shall be given access to the Linux security gateway,
then either a subset of them can be barred by listing the serial numbers of
their certificates in a certificate revocation list (CRL) as specified in
section 5.2 or as an alternative, access can be controlled by explicitly
putting a roadwarrior entry for each eligible peer into ipsec.conf:

conn sun
     right=%any
     rightid=@sun.strongswan.org

conn carol
     right=%any
     rightid=carol@strongswan.org

conn dave
     right=%any
     rightid="C=CH, O=Linux strongSwan, CN=dave@strongswan.org"

When the IP address of a peer is known to be stable, it can be specified as
well. This entry is mandatory when the strongSwan host wants to act as the
initiator of an IPSec connection.

conn sun
     right=192.168.0.2
     rightid=@sun.strongswan.org

conn carol
     right=192.168.0.100
     rightid=carol@strongswan.org

conn dave
     right=192.168.0.200
     rightid="C=CH, O=Linux strongSwan, CN=dave@strongswan.org"

conn venus
     right=192.168.0.50

In the last example the ID types FQDN, USER_FQDN, DER_ASN1_DN and IPV4_ADDR,
respectively, were used. Of course all connection definitions presented so far
have included the lines in the conn %defaults section, comprising among other
a left and leftcert entry.


4.4 Handling Virtual IPs and wildcard subnets
    -----------------------------------------

Often roadwarriors are behind NAT-boxes with IPsec passthrough, which causes
the inner IP source address of an IPsec tunnel to be different from the
outer IP source address usually assigned dynamically by the ISP.
Whereas the varying outer IP address can be handled by the right=%any
construct, the inner IP address or subnet must always be declared in a
connection definition. Therefore for the three roadwarriors rw1 to rw3
connecting to a strongSwan security gateway the following entries are
required in /etc/ipsec.conf:

conn rw1
     right=%any
     righsubnet=10.4.0.5/32

conn rw2
     right=%any
     rightsubnet=10.4.0.47/32

conn rw3
     right=%any
     rightsubnet=10.4.0.128/28

With the wildcard parameter rightsubnetwithin these three entries can be
reduced to the single connection definition

conn rw
     right=%any
     rightsubnetwithin=10.4.0.0/24

Any host will be accepted (of course after successful authentication based on
the peer's X.509 certificate only) if it declares a client subnet lying totally
within the brackets defined by the wildcard subnet definition (in our example
10.4.0.0/24). For each roadwarrior a connection instance tailored to the
subnet of the particular client will be created,based on the generic
rightsubnetwithin template.

This strongSwan feature can also be helpful with VPN clients getting a
dynamically assigned inner IP from a DHCP server located on the NAT router box.


4.5 Protocol and Port Selectors
    ---------------------------

strongSwan offer the possibility to restrict the protocol and optionally the
ports in an IPsec SA using the rightprotoport and leftprotoport parameters.

Some examples:

conn icmp
     right=%any
     rightprotoport=icmp
     left=%defaultroute
     leftid=@moon.strongswan.org
     leftprotoport=icmp

conn http
     right=%any
     rightprotoport=6
     left=%defaultroute
     leftid=@moon.strongswan.org
     leftprotoport=6/80

conn l2tp       # with port wildcard for Mac OS X Panther interoperability
     right=%any
     rightprotoport=17/%any
     left=%defaultroute
     leftid=@moon.strongswan.org
     leftprotoport=17/1701

conn dhcp
     right=%any
     rightprotoport=udp/bootpc
     left=%defaultroute
     leftid=@moon.strongswan.org
     leftsubnet=0.0.0.0/0  #allows DHCP discovery broadcast
     leftprotoport=udp/bootps
     rekey=no
     keylife=20s
     rekeymargin=10s
     auto=add

Protocols and ports can be designated either by their numerical values
or by their acronyms defined in /etc/services.

    ipsec status

shows the following connection definitions:

"icmp": 192.168.0.1[@moon.strongswan.org]:1/0...%any:1/0
"http": 192.168.0.1[@moon.strongswan.org]:6/80...%any:6/0
"l2tp": 192.168.0.1[@moon.strongswan.org]:17/1701...%any:17/%any
"dhcp": 0.0.0.0/0===192.168.0.1[@moon.strongswan.org]:17/67...%any:17/68

Based on the protocol and port selectors appropriate eroutes will be set
up, so that only the specified payload types will pass through the IPsec
tunnel.


4.6 IPsec policies based on wildcards
    ---------------------------------

In large VPN-based remote access networks there is often a requirement that
access to the various parts of an internal network must be granted selectively,
e.g. depending on the group membership of the remote access user. strongSwan
makes this possible by applying wildcard filtering on the VPN user's 
distinguished name (ID_DER_ASN1_DN).

Let's make a practical example:
 
An organization has a sales department (OU=Sales) and a research group
(OU=Research). In the company intranet there are separate subnets for Sales
(10.0.0.0/24) and Research (10.0.1.0/24) but both groups share a common web
server (10.0.2.100). The VPN clients use Virtual IP addresses that are either
assigned statically or via DHCP-over-IPsec. The sales and research departments
use IP addresses from separate DHCP address pools (10.1.0.0/24) and (10.1.1.0/24),
respectively. An X.509 certificate is issued to each employee, containing in its
subject distinguished name the country (C=CH), the company (O=ACME),
the group membership(OU=Sales or OU=Research) and the common name (e.g.
CN=Bart Simpson).

The IPsec policy defined above can now be enforced with the following three
IPsec security associations:

conn sales
     right=%any
     rightid="C=CH, O=ACME, OU=Sales, CN=*"
     rightsubnetwithin=10.1.0.0/24  # Sales DHCP range
     leftsubnet=10.0.0.0/24         # Sales subnet

conn research
     right=%any
     rightid="C=CH, O=ACME, OU=Research, CN=*"
     rightsubnetwithin=10.1.1.0/24   # Research DHCP range
     leftsubnet=10.0.1.0/24          # Research subnet

conn web
     right=%any
     rightid="C=CH, O=ACME, OU=*, CN=*"
     rightsubnetwithin=10.1.0.0/23   # Remote access DHCP range
     leftsubnet=10.0.2.100/32        # Web server
     rightprotoport=tcp              # TCP protocol only
     leftprotoport=tcp/http          # TCP port 80 only

Of course group specific tunneling could be implemented on the
basis of the Virtual IP range specified by the rightsubnetwithin
parameter alone, but the wildcard matching mechanism guarantees that
only authorized user can access the corresponding subnets.

The '*' character is used as a wildcard in relative distinguished names (RDNs).
In order to match a wildcard template, the ID_DER_ASN1_DN of a peer must contain
the same number of RDNs (selected from the list in section 4.3) appearing in the
exact order defined by the template.

    "C=CH, O=ACME, OU=Research, OU=Special Effects, CN=Bart Simpson"

matches the templates

    "C=CH, O=ACME, OU=Research, OU=*, CN=*"

    "C=CH, O=ACME, OU=*, OU=Special Effects, CN=*"

    "C=CH, O=ACME, OU=*, OU=*, CN=*"

but not the template

    "C=CH, O=ACME, OU=*, CN=*"

which doesn't have the same number of RDNs.


4.7 IPsec policies based on CA certificates
    ---------------------------------------

As an alternative to the wildcard based IPsec policies described in section 4.6,
access to specific client host and subnets can abe controlled on the basis of
the CA that issued the peer certificate


conn sales
     right=%any
     rightca="C=CH, O=ACME, OU=Sales, CN=Sales CA"
     rightsubnetwithin=10.1.0.0/24  # Sales DHCP range
     leftsubnet=10.0.0.0/24         # Sales subnet

conn research
     right=%any
     rightca="C=CH, O=ACME, OU=Research, CN=Research CA"
     rightsubnetwithin=10.1.1.0/24   # Research DHCP range
     leftsubnet=10.0.1.0/24          # Research subnet

conn web
     right=%any
     rightca="C=CH, O=ACME, CN=ACME Root CA"
     rightsubnetwithin=10.1.0.0/23   # Remote access DHCP range
     leftsubnet=10.0.2.100/32        # Web server
     rightprotoport=tcp              # TCP protocol only
     leftprotoport=tcp/http          # TCP port 80 only

In the example above, the connection "sales" can be used by peers
presenting certificates issued by the Sales CA, only. In the same way,
the use of the connection "research" is restricted to owners of certificates
issued by the Research CA. The connection "web" is open to both "Sales" and
"Research" peers because the required "ACME Root CA" is the issuer of the
Research and Sales intermediate CAs. If no rightca parameter is present
then any valid certificate issued by one of the trusted CAs in
/etc/ipsec.d/cacerts can be used by the peer.

The leftca parameter usually doesn't have to be set explicitly because
by default it is set to the issuer field of the certificate loaded via
leftcert. The statement

     rightca=%same

sets the CA requested from the peer to the CA used by the left side itself
as e.g. in

conn sales
     right=%any
     rightca=%same
     leftcert=mySalesCert.pem


4.8 Sending certificate requests
    ----------------------------

The presence of a rightca parameter also causes the CA to be sent as
part of the certificate request message when strongSwan is the initiator.
A special case occurs when strongSwan responds to a roadwarrior. If several
roadwarrior connections based on different CAs are defined then all eligible