WAVEsec Clients

Monday, July 14, 2003

Client requirements

WAVEsec is a way to authenticate and encrypt 802.11 traffic using IPsec. This is substantially more secure than WEP. Unlike SSH or PGP, it covers any type of IP traffic. To set yourself up as a WAVEsec client, you need:
Installing the software

Our downloads

We supply these WAVEsec downloads:

dhclient

Your DHCP client must be able to insert additional options into the DHCP requests that it sends. ISC DHCP 3.0.1rc11 can do it, but in order to fail over when there is no WAVEsec server, a patch to the source is required. Quick download of patched dhclient source. To build and install dhclient:
tar -xzf dhcp-3.0.1rc11.freeswan.tar.gz
cd dhcp-3.0.1rc11
./configure
make
# beware: will also install dhcpd etc.
su -c "make install"
Linux FreeS/WAN

Your IPsec implementation must be able to do RSA signature mode for ISAKMP/IKE. You must also have a way to extract the raw RSA public key in DNS KEY format (base64). Linux FreeS/WAN meets both requirements. The instructions that follow are for version 1.99 on a kernel supplied by Red Hat. Other Linuxes also support FreeS/WAN; to install on these, see our Install Guide. Download FreeS/WAN 1.99 RPMs for Red Hat only. Install two RPMs, one for the userland tools and one for the kernel modules. The modules are highly sensitive to kernel modifications, and so will work only on plain Red Hat kernels. Start FreeS/WAN with:
ipsec setup start
Confirm that FreeS/WAN is running with:
ipsec verify
You should see at least:
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Here's more on ipsec verify.

Client Configurations

dhclient

RSA public key in dhclient.conf

By default the /etc/dhclient.conf configuration file is empty. Create this file and place your RSA public key in it:
echo -n "#" >> /etc/dhclient.conf
ipsec showhostkey --dhclient >> /etc/dhclient.conf
The resulting file will look something like this:
#; RSA 2192 bits road.example.com Fri Mar 14 00:27:47 2003
option oe-key code 159 = string;
option oe-gateway code 160 = ip-address;
send oe-key = "0x4200 4 1 AQOGxn6v9uF2Y26Ddir...AaRvf1AEW+KoIfKi9";
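As an added check (not from the original page), the following Python script parses the send oe-key line of a dhclient.conf like the one above and verifies that it carries a well-formed DNS KEY record (flags 0x4200, protocol 4 = IPSEC, algorithm 1 = RSA, RFC 2537 exponent/modulus encoding), returning the modulus size so it can be compared with the "RSA 2192 bits" comment. The embedded key is a constructed stand-in, not a real host key.

```python
import base64
import re

def make_rsa_rdata(modulus_bits, exponent=65537):
    """Build constructed RFC 2537 RSA public-key RDATA (exponent length,
    exponent, modulus) with the top modulus bit set so the bit length is
    exact.  This is a synthetic stand-in, not a real FreeS/WAN host key."""
    mod = (1 << (modulus_bits - 1)) | 0x1234567
    mod_bytes = mod.to_bytes((modulus_bits + 7) // 8, "big")
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return bytes([len(exp_bytes)]) + exp_bytes + mod_bytes

# Constructed /etc/dhclient.conf in the layout ipsec showhostkey --dhclient emits.
SAMPLE_CONF = """#; RSA 2192 bits road.example.com Fri Mar 14 00:27:47 2003
option oe-key code 159 = string;
option oe-gateway code 160 = ip-address;
send oe-key = "0x4200 4 1 {}";
""".format(base64.b64encode(make_rsa_rdata(2192)).decode())

KEY_LINE = re.compile(
    r'^send\s+oe-key\s*=\s*"(0x[0-9a-fA-F]{4})\s+(\d+)\s+(\d+)\s+(\S+)"\s*;')

def check_oe_key(conf_text):
    """Return (modulus_bits, exponent) for the oe-key line, or raise ValueError
    if it is missing or not the KEY record shape the WAVEsec gateway expects."""
    for line in conf_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            break
    else:
        raise ValueError("no 'send oe-key' line; run ipsec showhostkey --dhclient")
    flags, proto, alg, b64 = m.groups()
    if int(flags, 16) != 0x4200:
        raise ValueError("unexpected KEY flags %s (expected 0x4200)" % flags)
    if int(proto) != 4:      # KEY protocol 4 = IPSEC
        raise ValueError("KEY protocol %s is not IPSEC (4)" % proto)
    if int(alg) != 1:        # algorithm 1 = RSA/MD5, what FreeS/WAN 1.x publishes
        raise ValueError("KEY algorithm %s is not RSA (1)" % alg)
    raw = base64.b64decode(b64, validate=True)
    exp_len, off = raw[0], 1
    if exp_len == 0:         # exponents longer than 255 bytes use a 2-byte length
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[off:off + exp_len], "big")
    modulus = raw[off + exp_len:]
    if not modulus or modulus[0] == 0:
        raise ValueError("malformed RSA public key in oe-key")
    return len(modulus) * 8, exponent
```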
If you have an existing file or a different FreeS/WAN version, you may have to hand edit the file.

(Re)start dhclient

Once the key is in the file, dhclient must be (re)started. First, kill any existing DHCP client. For example, for dhcpcd use:
killall dhcpcd
Bring dhclient up with:
dhclient eth0
or:
dhclient wlan0
The command-line output should indicate that you have been assigned an IP on the WAVEsec network (130.129.192.0/20). To make dhclient your active DHCP client for subsequent network initializations, you may need to modify /sbin/ifup. If you're on Red Hat 7.3, this patch will do the trick. Apply it to /sbin/ifup with:
patch < sbin-ifup.dhclient.rhl7.3.patch
Test

Test that the key has been uploaded by querying the reverse map for your newly acquired IP. You can do this with ipsec verify:
ipsec verify
You should see something like:
Looking for KEY in reverse map: 254.192.129.130.in-addr.arpa[OK]
where 254.192.129.130.in-addr.arpa is replaced by the reverse notation of your new IP on the WAVEsec network (130.129.192.0/20).

Linux FreeS/WAN

Copy this connection to the end of /etc/ipsec.conf:
conn wavesec
	left=%defaultroute
	right=dhs.ietf56.wavesec.net
	rightsubnet=0.0.0.0/0
	leftrsasigkey=%dnsondemand # facilitates WAVEsec
	rightrsasigkey=%dnsondemand
	auto=add
Since there is a known issue using WAVEsec with opportunistic encryption, turn off any opportunistic connections you've created. So that your new connection is recognized, do an:
ipsec setup restart
Bring up the connection with:
ipsec auto --up wavesec
Note that after every reboot, you need to bring the connection up with that line.

Check your work

Try pinging someplace on a non-WAVEsec segment of the IETF-56 network, for example:
ping smtp.ietf56.ietf.org
To check that your traffic is encrypted, do a
tcpdump -n -i eth0
or:
tcpdump -n -i wlan0
and look for ESP encrypted packets to the WAVEsec gateway (130.129.192.1):
17:02:46.360528 130.129.192.12 > 130.129.192.1 : ESP(spi=0x77adbe72,seq=0xe55)
17:02:46.378446 130.129.192.1 > 130.129.192.12 : ESP(spi=0x656128b8,seq=0x1622)
Contrast these with the unencrypted packets below:
21:04:11.110810 130.129.192.48.32866 > 130.129.192.24.http: . ack 18155 win 49232 <nop,nop,timestamp 3417168 451149487> (DF)
21:04:11.131068 130.129.192.24.http > 130.129.192.48.32866: . 18155:19546(1391) ack 449 win 24616 <nop,nop,timestamp 451149487 3417147> (DF)
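To turn that eyeball check into something repeatable, here is an added Python example (not part of the original page) that classifies tcpdump -n lines against the WAVEsec gateway and segment: ESP to or from the gateway, cleartext that stays on the local segment (which WAVEsec never protects), DNS/IKE in the clear (expected), and cleartext leaving the segment (the tunnel is not up). The capture lines are constructed from the samples above; 192.0.2.25 is a documentation address standing in for an off-segment host.

```python
import ipaddress
import re

WAVESEC_NET = ipaddress.ip_network("130.129.192.0/20")
GATEWAY = ipaddress.ip_address("130.129.192.1")
EXEMPT_PORTS = {"domain", "53", "isakmp", "500"}   # DNS and IKE set the tunnel up in the clear

# Constructed tcpdump -n lines in the layout shown above: two ESP packets
# to/from the gateway, one cleartext packet to a host on the local segment
# (expected), and one cleartext packet bound for an off-segment host
# (192.0.2.25 is a documentation address), which is what you see when the
# wavesec connection is not up.
SAMPLE_CAPTURE = """\
17:02:46.360528 130.129.192.12 > 130.129.192.1 : ESP(spi=0x77adbe72,seq=0xe55)
17:02:46.378446 130.129.192.1 > 130.129.192.12 : ESP(spi=0x656128b8,seq=0x1622)
21:04:11.110810 130.129.192.48.32866 > 130.129.192.24.http: . ack 18155 win 49232 (DF)
21:04:12.000001 130.129.192.48.32867 > 192.0.2.25.smtp: S 1:1(0) win 5840 (DF)
"""

LINE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\S+?))?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\S+?))?\s*:\s*(.*)$")

def classify(line):
    """Label one tcpdump line relative to the WAVEsec gateway; None if unparsed."""
    m = LINE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rest.startswith("ESP("):
        return "esp-tunnel" if GATEWAY in (src, dst) else "esp-other"
    if src in WAVESEC_NET and dst in WAVESEC_NET:
        return "clear-local"    # same segment (gateway pings included): never protected
    if {sport, dport} & EXEMPT_PORTS:
        return "clear-exempt"
    return "clear-leak"         # off-segment traffic in the clear: tunnel is not up

def audit(capture):
    """Count labels over a capture; any 'clear-leak' means WAVEsec is not protecting you."""
    counts = {}
    for line in capture.splitlines():
        label = classify(line)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts
```

Feed it real output with `tcpdump -n -i wlan0 | python3 -c 'import sys; ...'` or paste a few lines into SAMPLE_CAPTURE; a nonzero clear-leak count is the signal to run ipsec auto --up wavesec.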
The encrypted packets show up as "ESP" along with an SPI number.

Now what?

Automating WAVEsec start

On further restarts you may wish to have WAVEsec come up automatically. In this case, change the auto= line in your connection description to read:
auto=start
If you experience problems, be sure that ipsec's init files (in /etc/rc.d) do not bring ipsec up before networking is ready.

Leaving the IETF-56 WAVEsec Network

When you take your laptop elsewhere, you will still be set up for WAVEsec. You have two choices:
FAQ

Before install

I can't configure my wireless card (without WAVEsec). Use these settings:

Change your mode with:
wvconfig wvlan0 mode="Managed"
To make the change active on next boot, open /etc/sysconfig/network-scripts/ifup-wireless and set:
MODE="Managed"
The wvconfig method won't work for some people; they lose access to the base station. Instead edit /etc/pcmcia/wireless.opts with:
MODE="Managed"
ESSID="any"
RATE="auto"
#KEY="s:secu1" # no WEP
Then reinsert your wireless card.

What does WAVEsec secure, anyway?

It secures all IP traffic headed for the wild internet (excluding DNS and IKE, which are used to set up the connection), on its vulnerable hop between your laptop and the wavelan base station.

After install

"I'm pinging the gateway (130.129.192.1), but my traffic is not encrypted!"

WAVEsec protects only traffic destined for the world beyond the gateway. Pinging the gateway is therefore not a suitable test for WAVEsec. Instead, ping an IP that's not on your local net.

Re-connecting

"I've rebooted my laptop, and now traffic is encrypted one way!"

Have you started your connection with ipsec auto --up wavesec? This needs to be done each time you reboot.