Tuesday, November 25, 2014

IPv6 over IPSEC: IKEv1 Between Cisco and StrongSwan

IKEv1 Between Cisco and StrongSwan 4.x

Once the monitoring platform is in place I need to add new networks to monitor.
IKEv2 has a lot of features that make it suitable for my system, like tunneling IPv6 over IPSEC and MOBIKE, but unfortunately it isn't widely deployed yet, so I need to tunnel IPv6 over IPv4 over IKEv1/IPSEC.
This time I had to connect a network behind a Cisco device that only supports IKEv1. I always recommend drawing a diagram first: if you can draw it, you have understood it.

I recommend using loopback interfaces as the tunnel endpoints, because they are always up:

Linux loopback:
auto lo:0
iface lo:0 inet static
address 10.1.1.1
netmask 255.255.255.255

Cisco loopback:
interface Loopback0
ip address 10.1.1.2 255.255.255.255
I have Strongswan on my hub host, which supports IKEv1 and IKEv2 simultaneously. Strongswan 4.x has one daemon per IKE version (pluto for IKEv1, charon for IKEv2); in 5.x a single charon daemon handles both versions.

I need to enable the IKEv1 daemon and NAT traversal in the setup section, and then establish a tunnel over the IPSEC connection:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        charonstart=yes         # IKEv2 daemon
        plutostart=yes          # IKEv1 daemon
        nat_traversal=yes       # enable IKEv1 NAT traversal
This is my Strongswan IKEv1 configuration:
conn rwv1
        keyexchange=ikev1
        authby=secret                   # PSK, matching "authentication pre-share" on the Cisco; the key itself goes in /etc/ipsec.secrets
        left=5.5.5.5                    # Public IP address
        leftsourceip=10.1.1.1           # Loopback address, used as the local traffic selector
        leftid=5.5.5.5                  # Cisco by default uses the IP address as identifier
        right=%any
        rightsubnetwithin=10.1.1.2/24   # The peer's selector must fall inside 10.1.1.0/24
        rightid=9.9.9.9
        auto=add
And the Cisco IKEv1/IPSEC side:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key SECRETKEY address 5.5.5.5
crypto isakmp nat keepalive 60
!
!
crypto ipsec transform-set IPSEC1 esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC1
set transform-set IPSEC1
!
!
crypto map monitor 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set IPSEC1
set pfs group2
match address 110

interface Dialer1
...
crypto map monitor
...

access-list 110 permit ip host 10.1.1.2 host 10.1.1.1
It's important to note that the access-list entry defines the Phase 2 traffic selectors (proxy IDs), so its networks must match the Strongswan configuration parameters exactly; otherwise the IPSEC tunnel will not be established.
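As an added example (not part of the original post, and not strongSwan or Cisco code), here is a small Python checker that parses the ACL entry and the conn section above and confirms that the Phase 2 selectors agree before you even bring the tunnel up. The sample strings are constructed with the post's values; the handling of wildcard masks and "any" endpoints goes beyond the single host entry shown on the page.

```python
import ipaddress

# Constructed sample fragments, carrying the same values as the post's configuration.
CISCO_ACL = "access-list 110 permit ip host 10.1.1.2 host 10.1.1.1"
STRONGSWAN_CONN = """conn rwv1
        keyexchange=ikev1
        left=5.5.5.5            # Public IP Address
        leftsourceip=10.1.1.1    # Private IP address
        leftid=5.5.5.5
        right=%any
        rightsubnetwithin=10.1.1.2/24
        rightid=9.9.9.9
        auto=add
"""


def _acl_endpoint(tokens):
    """Parse one ACL endpoint ('host A', 'any', or 'A WILDCARD').

    Returns the network and the tokens that follow it."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a netmask.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_cisco_acl(line):
    """Return (source_net, destination_net) for an extended 'permit ip' entry."""
    tokens = line.split()
    idx = tokens.index("permit")
    if tokens[idx + 1] != "ip":
        raise ValueError("only 'permit ip' entries define IPsec traffic selectors here")
    src, rest = _acl_endpoint(tokens[idx + 2:])
    dst, _ = _acl_endpoint(rest)
    return src, dst


def parse_conn(text):
    """Turn the key=value lines of an ipsec.conf conn section into a dict."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def strongswan_selectors(opts):
    """Return (left_net, right_net, right_is_range) implied by a conn section.

    Without leftsubnet, strongSwan uses the virtual IP from leftsourceip (or the
    left address itself) as a /32. On the right, rightsubnet is an exact selector,
    rightsubnetwithin a range the peer's selector must fall inside, and with
    neither the selector is the peer's own address, unknown until it connects."""
    if "leftsubnet" in opts:
        left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
    elif "leftsourceip" in opts:
        left = ipaddress.ip_network(opts["leftsourceip"] + "/32")
    else:
        left = ipaddress.ip_network(opts["left"] + "/32")

    if "rightsubnet" in opts:
        return left, ipaddress.ip_network(opts["rightsubnet"], strict=False), False
    if "rightsubnetwithin" in opts:
        return left, ipaddress.ip_network(opts["rightsubnetwithin"], strict=False), True
    return left, None, False


def selectors_match(acl_line, conn_text):
    """True when the Cisco ACL's destination equals strongSwan's left selector and
    its source fits the right selector. IKEv1 does not narrow selectors, so the
    local side must match exactly; only rightsubnetwithin allows a range."""
    src, dst = parse_cisco_acl(acl_line)
    left, right, right_is_range = strongswan_selectors(parse_conn(conn_text))
    local_ok = dst == left
    if right is None:
        remote_ok = True
    elif right_is_range:
        remote_ok = src.subnet_of(right)
    else:
        remote_ok = src == right
    return local_ok and remote_ok


if __name__ == "__main__":
    print(selectors_match(CISCO_ACL, STRONGSWAN_CONN))   # True for the post's values
```

Run it against the two fragments you actually deploy; a False here is the usual cause of a Phase 1 that completes while Phase 2 never does.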

The IPSEC tunnel is only established when there is traffic matching the access list. I use this trick to keep the tunnel up:
ip sla 1
 icmp-echo 10.1.1.1 source-ip 10.1.1.2
 frequency 120
ip sla schedule 1 life forever start-time now
You can check the status with the command:
#sh ip sla statistics 1
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 160 milliseconds
Latest operation return code: OK
Number of successes: 14
Number of failures: 0
Operation time to live: Forever
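As an added example (not from the original post), a parser for the 'sh ip sla statistics' output shown above, with a health decision that the monitoring host could alarm on; the sample text is constructed from the post's output, and the RTT and failure-ratio thresholds are assumptions.

```python
import re

# Constructed sample, shaped like the post's 'sh ip sla statistics 1' output.
SLA_OUTPUT_OK = """IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 160 milliseconds
Latest operation return code: OK
Number of successes: 14
Number of failures: 0
Operation time to live: Forever
"""

_RE_ID = re.compile(r"IPSLA operation id:\s*(\d+)")
_RE_RTT = re.compile(r"Latest RTT:\s*(\d+)\s*milliseconds")
_RE_CODE = re.compile(r"Latest operation return code:\s*(\S+)")
_RE_OK = re.compile(r"Number of successes:\s*(\d+)")
_RE_FAIL = re.compile(r"Number of failures:\s*(\d+)")


def parse_sla_statistics(text):
    """Return {operation_id: {...}} from 'show ip sla statistics' output.

    A failing probe prints a word such as 'NoConnection/Busy/Timeout' instead of
    a number after 'Latest RTT:'; rtt_ms is then left as None."""
    ops, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _RE_ID.match(line)
        if m:
            current = int(m.group(1))
            ops[current] = {"rtt_ms": None, "return_code": None,
                            "successes": 0, "failures": 0}
            continue
        if current is None:
            continue
        m = _RE_RTT.match(line)
        if m:
            ops[current]["rtt_ms"] = int(m.group(1))
            continue
        m = _RE_CODE.match(line)
        if m:
            ops[current]["return_code"] = m.group(1)
            continue
        m = _RE_OK.match(line)
        if m:
            ops[current]["successes"] = int(m.group(1))
            continue
        m = _RE_FAIL.match(line)
        if m:
            ops[current]["failures"] = int(m.group(1))
    return ops


def keepalive_healthy(stats, op_id=1, max_rtt_ms=1000, max_failure_ratio=0.1):
    """Decide whether the keepalive probe (and so the IPsec SA it keeps up) looks good.

    Thresholds are assumed values for a tunnel over a consumer uplink."""
    op = stats.get(op_id)
    if op is None or op["return_code"] != "OK" or op["rtt_ms"] is None:
        return False
    total = op["successes"] + op["failures"]
    if total == 0:
        return False
    return op["failures"] / total <= max_failure_ratio and op["rtt_ms"] <= max_rtt_ms


if __name__ == "__main__":
    print(keepalive_healthy(parse_sla_statistics(SLA_OUTPUT_OK)))   # True
```

Feed it the output of the command over SSH or from an SNMP poll, and treat a False as "the interesting traffic stopped, so the SA will expire" rather than waiting for the graphs to go flat.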
Once the IPSEC tunnel is established between the loopbacks, we need to tunnel the IPv6 protocol over it. I chose a static IPv6-in-IPv4 tunnel, but there are multiple possibilities.
Cisco conf:
interface Tunnel1
 no ip address
 ipv6 unnumbered Vlan1
 tunnel source Loopback0
 tunnel destination 10.1.1.1
 tunnel mode ipv6ip

interface Vlan1
...
 ipv6 address 2001:2::1/64
... 

ipv6 route 2001::/64 Tunnel1
And on Linux:
ip tunnel add sit mode sit ttl 255 remote 10.1.1.2 local 10.1.1.1
ip link set dev sit up
ip route add 2001:2::/64 dev sit
Now you can ping6 the other network:
root@monitorhost:~# ping6 2001:2::2
PING 2001:2::2(2001:2::2) 56 data bytes
64 bytes from 2001:2::2 icmp_seq=1 ttl=63 time=165 ms
64 bytes from 2001:2::2 icmp_seq=2 ttl=63 time=172 ms
...
It’s time now to configure collectd to graph the Cisco device using the snmp plugin:
<Plugin snmp>
        <Data "std_traffic">
                Type "if_octets"
                Table true
                InstancePrefix "traffic"
                Instance "IF-MIB::ifDescr"
                Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
        </Data>
...
        <Host "cisco0001">
                Address "udp6:[2001:2::1]:161"    # Net-SNMP transport syntax for an IPv6 target
                Version 2
                Community "public"                # Too common for pentesters ;)
                Collect "std_traffic"
        </Host>
...
</Plugin>
And here we have the pretty grafana graphs: