neue strongswan vpn features
play

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart - PowerPoint PPT Presentation

Jul 25, 2023 •243 likes •608 views

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule fr Technik Rapperswil andreas.steffen@strongswan.org Wo um Gottes Willen

  1. Neue strongSwan VPN Features GUUG Frühjahrsfachgespräch 2015 Stuttgart Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule für Technik Rapperswil andreas.steffen@strongswan.org

  2. Wo um Gottes Willen liegt Rapperswil? Schwabenland Steffen, 26.03.2015, GUUG_2015 2

  3. HSR - Hochschule für Technik Rapperswil • Fachhochschule mit ca. 1500 Studierenden • Studiengang Informatik (300-400 Studierende) • Bachelor-Studium (3 Jahre), Master-Studium (+1.5 Jahre) Steffen, 26.03.2015, GUUG_2015 3

  4. Neue strongSwan VPN Features GUUG Frühjahrsfachgespräch 2015 Stuttgart Warum und wozu ein starker Schwan?

  5. The strongSwan Open Source VPN Project FreeS/WAN 1.x 1999 S/WAN = Secure WAN X.509 1.x Patch 2000 FreeS/WAN 2.x  2004 Super FreeS/WAN 2003 X.509 2.x Patch Openswan 1.x 2004 Openswan 2.x strongSwan 2.x 2005 IKEv2 RFC 4306 ITA IKEv2 Project IKEv1 & partial IKEv2 … New architecture, same config. strongSwan 4.x IKEv1 & IKEv2 strongSwan 5.x 2012 Monolithic IKE Daemon Steffen, 26.03.2015, GUUG_2015 5

  6. strongSwan – the OpenSource VPN Solution Windows Active Linux Directory Server FreeRadius Server Corporate High-Availability strongSwan Network VPN Gateway Internet Windows 7/8 strongSwan Agile VPN Client Linux Client Steffen, 26.03.2015, GUUG_2015 6

  7. Supported Operating Systems and Platforms • Supported Operating Systems • Linux 2.6.x, 3.x (optional integration into NetworkManager) • Android 4.x/5.x App (using libipsec userland ESP encryption) • OS X App (using libipsec userland ESP encryption) • OS X (IPsec via PFKEYv2 kernel interface) • FreeBSD (IPsec via PFKEYv2 kernel interface) • Windows 7/8 (native Windows IPsec stack, MinGW-W64 build) • Supported Hardware Platforms (GNU autotools) • Intel i686/x86_64, AMD64 • ARM, MIPS • PowerPC • Supported Network Stacks • IPv4, IPv6 • IPv6-in-IPv4 ESP tunnels • IPv4-in-IPv6 ESP tunnels Steffen, 26.03.2015, GUUG_2015 7

  8. Free Download from Google Play Store March 24, 2015: 12’619 installations Steffen, 26.03.2015, GUUG_2015 8

  9. OS X App http://download.strongswan.org/osx/ Steffen, 26.03.2015, GUUG_2015 9

  10. Neue strongSwan VPN Features GUUG Frühjahrsfachgespräch 2015 Stuttgart Evolution des strongSwan Charon IKE Dämons

  11. strongSwan 4.x pluto & charon Daemons ipsec.conf IKEv1 IKEv2 ipsec ipsec ipsec 2005 whack starter stroke whack socket stroke socket pluto charon Netlink XFRM socket Linux 2.6 LSF kernel UDP/500 native raw socket IPsec socket Steffen, 26.03.2015, GUUG_2015 11

  12. strongSwan 5.x charon Daemon IKEv1/v2 ipsec.conf ipsec ipsec 2012 stroke starter stroke socket charon libipsec Netlink XFRM socket TUN device ESPinUDP Linux 2.6 / 3.x Any OS kernel native UDP 500/4500 UDP 4500 IPsec socket socket Steffen, 26.03.2015, GUUG_2015 12

  13. strongSwan 5.2 charon Daemon IKEv1/v2 swanctl.conf ruby 2014 swanctl gem vici socket vici socket charon libipsec Netlink XFRM socket TUN device ESPinUDP Linux 2.6 / 3.x Any OS kernel native UDP 500/4500 UDP 4500 IPsec socket socket Steffen, 26.03.2015, GUUG_2015 13

  14. strongSwan 5.2 charon-systemd Daemon IKEv1/v2 swanctl.conf systemd 2014 swanctl utilities vici socket charon-systemd libipsec Netlink XFRM socket TUN device ESPinUDP Linux 2.6 / 3.x Any OS kernel native UDP 500/4500 UDP 4500 IPsec socket socket Steffen, 26.03.2015, GUUG_2015 14

  15. strongSwan 5.3 charon Daemon IKEv1/v2 swanctl.conf python 2.7/3.x 2015 swanctl egg vici socket vici socket charon libipsec Netlink XFRM socket TUN device ESPinUDP Linux 2.6 / 3.x Any OS kernel native UDP 500/4500 UDP 4500 IPsec socket socket Steffen, 26.03.2015, GUUG_2015 15

  16. swanctl.conf of VPN Gateway moon connections { pools { rw { rw_pool { local_addrs = 192.168.0.1 addrs = 10.3.0.0/20 pools = rw_pool } } local { auth = pubkey swantcl certs = moonCert.pem id = moon.strongswan.org swanctl.conf } remote { auth = pubkey rsa } children { moonKey.pem net { local_ts = 10.1.0.0/16 x509 start_action = none esp_proposals = aes128gcm128-modp2048 moonCert.pem } } x509ca version = 2 proposals = aes128-sha256-modp2048 } caCert.pem } Steffen, 26.03.2015, GUUG_2015 16

  17. swanctl.conf of VPN Client carol connections { home { local_addrs = 192.168.0.100 remote_addrs = 192.168.0.1 vips = 0.0.0.0 local { swantcl auth = pubkey certs = carolCert.pem swanctl.conf id = carol@strongswan.org } remote { rsa auth = pubkey id = moon.strongswan.org carolKey.pem } children { x509 home { remote_ts = 10.1.0.0/16 carolCert.pem start_action = none esp_proposals = aes128gcm128-modp2048 x509ca } } version = 2 caCert.pem proposals = aes128-sha256-modp2048 } } Steffen, 26.03.2015, GUUG_2015 17

  18. swanctl - The Command Line Tool moon# swanctl --load-creds loaded x509 certificate from '/etc/swanctl/x509/moonCert.pem' loaded x509ca certificate from '/etc/swanctl/x509ca/strongswanCert.pem' loaded rsa key from '/etc/swanctl/rsa/moonKey.pem' moon# swanctl --load-conns loaded connection 'rw' successfully loaded 1 connections, 0 unloaded moon# swanctl --load-pools loaded pool 'rw_pool' successfully loaded 1 pools, 0 unloaded carol# swanctl --initiate --child home [IKE] initiating IKE_SA home[1] to 192.168.0.1 ... [IKE] installing new virtual IP 10.3.0.1 initiate completed successfully carol# swanctl --terminate --ike home ... [IKE] IKE_SA deleted terminate completed successfully Steffen, 26.03.2015, GUUG_2015 18

  19. swanctl - Monitoring Commands moon# swanctl --list-conns rw: IKEv2 local: 192.168.0.1 remote: %any local public key authentication: id: moon.strongswan.org certs: C=CH, O=Linux strongSwan, CN=moon.strongswan.org remote public key authentication: net: TUNNEL local: 10.1.0.0/16 remote: dynamic moon# swanctl --list-sas rw: #1, ESTABLISHED, IKEv2, b8deada3ec240a81:50af58eedcd556c7 local 'moon.strongswan.org' @ 192.168.0.1 remote 'carol@strongswan.org' @ 192.168.0.100 AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 established 0s ago, rekeying in 1169s, reauth in 3259s net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128 installed 0 ago, rekeying in 575s, expires in 660s in c39fc9ac, 84 bytes, 1 packets, 0s ago out c2c80483, 84 bytes, 1 packets, 0s ago local 10.1.0.0/16 remote 10.3.0.1/32 Steffen, 26.03.2015, GUUG_2015 19

  20. Neue strongSwan VPN Features GUUG Frühjahrsfachgespräch 2015 Stuttgart Der Schwan wird stärker!

  21. The Snowden Documents – Fall 2013 Edward Snowden Bruce Schneier Glenn Greenwald Laura Poitras Steffen, 26.03.2015, GUUG_2015 21

  22. Principle of Comparative Security Strength* Symmetric Key RSA / DH ECDSA / ECDH Hash 80 1024 160 160 112 2048 224 224 128 3072 256 256 192 7680 384 384 256 15360 512 512 • NIST SP 800-57 Recommendation for Key Management: Part 1 General (Revision 3, 2012) *cryptographic strength given in bits Steffen, 26.03.2015, GUUG_2015 22

  23. Getting rid of SHA-1 • SHA-1 has a hash size of 160 bits which was supposed to give a strength of 2 80 against collision attacks. Unfortunately SHA-1 is much weaker with the best known attack having a complexity of 2 61 only. • The NSA might already have found a SHA-1 collision, using it e.g. to generate fake X.509 certificates. • IKEv2 uses SHA-1 as a hardwired algorithm to generate RSA digital signature AUTH payloads. Hash • RFC 7427 "Signature Authentication in IKEv2“ 160 published in January 2015 allows to negotiate 224 SHA-2 hash algorithms and is used per default by strongSwan 5.3.0: 256 384 moon charon: 15[IKE] authentication of 'sun.strongswan.org' 512 with RSA_EMSA_PKCS1_SHA256 successful Steffen, 26.03.2015, GUUG_2015 23

  24. Can the NSA break RSA and DH faster? • According to Lenstra’s updated formula on www.keylength.com a 1024 bit RSA key or DH factor could be cracked in 2006 with an effort of 40’000’000 dollardays. • Due to Moore’s law (factor 2 6 = 64 in 6 x 1.5 = 9 years) the effort in 2015 has fallen to 625’000 dollardays. • Many cryptanalysts expect a major breakthrough in prime number factoring (RSA) and the computation of the discrete logarithm (DH) within RSA / DH the next few years. 1024 • The NSA might already have much more efficient 2048 algorithms. • As a precaution better use 4096 bit RSA moduli 3072 and 4096 bit DH groups. 7680 15360 Steffen, 26.03.2015, GUUG_2015 24

  25. Can we trust the NIST Elliptic Curves? • The NIST Elliptic Curves are based on pseudo-Mersenne primes ike=aes128-sha256-ecp256,aes192-sha384-ecp384! The NIST curve parameter selection process is not documented! • Use the European (BSI) Brainpool Elliptic Curves instead ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp! RFC 6932 Brainpool Elliptic Curves for IKE, 2013. ECDH • Drawback: Brainpool ECDH performance is 5x 160 slower than with NIST curves since the selected primes are random. 224 • Use Dan Bernstein’s popular Curve25519? 256 • ECC NUMS (Nothing Up My Sleeve) Curves, 2014 384 tools.ietf.org/html/draft-black-numscurves 512 Steffen, 26.03.2015, GUUG_2015 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one Gbit/s environment By Erik Dekker & Patrick Spaans Supervisors: Aristide Bouix and Mohammad Al Najar Introduction Organization host internal

629 views • 25 slides
In It Together: Why Less Inequality Benefits All Der neue Verteilungsbericht der OECD Michael

In It Together: Why Less Inequality Benefits All Der neue Verteilungsbericht der OECD Michael

In It Together: Why Less Inequality Benefits All Der neue Verteilungsbericht der OECD Michael Frster Abteilung Beschftigung, Arbeit und Sozialpolitik OECD Berlin, 20.05.2015 In It Together : Hauptergebnisse In vielen Lndern hat

546 views • 17 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen Institute for Networked Solutions HSR University of Applied Sciences Rapperswil Where the heck is Rapperswil? Brunner/Steffen, 28.03.2018,

226 views • 19 slides
DESIGN TRENDS PAST & PRESENT By Angelique James and Amanda Dorsett Typography: Neue Aachen,

DESIGN TRENDS PAST & PRESENT By Angelique James and Amanda Dorsett Typography: Neue Aachen,

DESIGN TRENDS PAST & PRESENT By Angelique James and Amanda Dorsett Typography: Neue Aachen, 1969 Influential Designers Wes Wilson Invented style synonymous with the peace movement. Invented psychedelic font in around 1966.

457 views • 19 slides
By Angelique James and Amanda Dorsett Typography: Neue Aachen, 1969 Influential Designers Wes

By Angelique James and Amanda Dorsett Typography: Neue Aachen, 1969 Influential Designers Wes

By Angelique James and Amanda Dorsett Typography: Neue Aachen, 1969 Influential Designers Wes Wilson Invented style synonymous with the peace movement. Invented psychedelic font in around 1966. Mishka Westell Wes Wilson Rock

255 views • 8 slides
ITUG: By Users for Users Volker Dietz Neue Realitten GmbH ITUG Chairman ITUG board

ITUG: By Users for Users Volker Dietz Neue Realitten GmbH ITUG Chairman ITUG board

ITUG: By Users for Users Volker Dietz Neue Realitten GmbH ITUG Chairman ITUG board congratulates VNUG on its 5th anniversary and wishes all the best for its future HP User Groups Interex US Interex EMEA ITUG Encompass (US) HP

269 views • 22 slides
The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+

The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+

The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+ cooling unit series the ultimate in efficiency. 2 The new Cooling Unit Generation Blue e+ Enclosure Climate Control Sensitive electronic

319 views • 27 slides
Neue Wege in die Marketing-Wissenschaft Prof. Dr. Bernd Skiera (Goethe University Frankfurt,

Neue Wege in die Marketing-Wissenschaft Prof. Dr. Bernd Skiera (Goethe University Frankfurt,

Neue Wege in die Marketing-Wissenschaft Prof. Dr. Bernd Skiera (Goethe University Frankfurt, Germany) 2015 Marketing Horizonte 7.10.2015 07.10.2015 Comparison of Traditional Way and Ph.D. Approach to Doctoral Degree Traditional way Ph.D.

522 views • 24 slides
Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1 , . . . , Y k a set of training examples where the values for the input features and the target features are given for each example a new

323 views • 18 slides
Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features [Sivic&Zisserman03] Query Set of SIFT centroids image descriptors (visual words) sparse frequency vector Bag-of-features Harris-Hessian-Laplace processing

574 views • 33 slides
New Features of Net-FM v. 3.3 & 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &

New Features of Net-FM v. 3.3 & 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 &

New Features of Net-FM v. 3.3 & 3.3.1 ICC 2016 ICC 2016 New Features of Net-FM v. 3.3 & 3.3.1 presented by Anthony J. Bunker Software QA & Documentation Manager October 20, 2016 Slide 1 Introduction ICC 2016 ICC 2016 At

374 views • 15 slides
Image Features: Detection, Description, and Matching and their Applications Image

Image Features: Detection, Description, and Matching and their Applications Image

Image Features: Detection, Description, and Matching and their Applications Image Representation: Global Versus Local Features Features/ keypoints/ interset points are interesting locations in the image. Features serve to give a new

235 views • 22 slides
6. Lsungsanstze Prof. Dr. Daniel Sss Referat vom 14. Mrz 2014 am 25. Zrcher

6. Lsungsanstze Prof. Dr. Daniel Sss Referat vom 14. Mrz 2014 am 25. Zrcher

Gliederung Stress und Stressbewltigung durch 1. Medienwandel und gesellschaftlicher Wandel neue Medien 2. Social Networks und Kontaktpflege 3. Facebook-Depression oder Wohlbefinden 4. Leben in parallelen Welten 5. Risiken und Potenziale 6.

375 views • 6 slides
reliable innovation Main features Main features Lower part detachment Concept advantages

reliable innovation Main features Main features Lower part detachment Concept advantages

SIRE-NN Chocolate enrobing reliable innovation Main features Main features Lower part detachment Concept advantages Cantilever design for easy access (cleaning and maintenance) Detail features Detail features Pilot plant Compact

600 views • 13 slides
SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down

SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down

SI485i : NLP Set 12 Features and Prediction What is NLP, really? Many of our tasks boil down to finding intelligent features of language. We do lots of machine learning over features NLP researchers also use linguistic insights, deep

326 views • 18 slides
Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos

Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos

Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos D. Keromytis Department of Computer Science Columbia University, USA Clients securing their traffic to a server TLS unavailable at the server

682 views • 18 slides
Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall

Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall

Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall Inria/LIP6/UPMC/Sorbonne University-Regal Modularity 2014 1 Modularity Wikipedia: Modularity is the degree to which a systems components may be

481 views • 30 slides
MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor Rtvri and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA Virtual Networks Using Virtual Switches VM VM VM

962 views • 58 slides
Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer Security Announcements intermission Low-level vulnerabilities and attacks (combined lecture) Classic code injection attacks Stephen McCamant

391 views • 9 slides
Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward

Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward

Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward hypotheses Downside are : verify to hard . " new SUN " To fix this create a : modified hypotheses with I " odds :* . entails

407 views • 13 slides
Persistent Personal Names for Globally Connected Mobile Devices Bryan Ford, Jacob Strauss, Chris

Persistent Personal Names for Globally Connected Mobile Devices Bryan Ford, Jacob Strauss, Chris

Persistent Personal Names for Globally Connected Mobile Devices Bryan Ford, Jacob Strauss, Chris Lesniewski-Laas, Sean Rhea, Frans Kaashoek, Robert Morris Massachusetts Institute of Technology http://pdos.csail.mit.edu/uia Connectivity

824 views • 61 slides
The ICSI Haystack A Platform for Hybrid Mobile Measurements in the Wild Narseo

The ICSI Haystack A Platform for Hybrid Mobile Measurements in the Wild Narseo

AIMS Workshop - CAIDA, February 2016 The ICSI Haystack A Platform for Hybrid Mobile Measurements in the Wild Narseo Vallina-Rodriguez In collaboration with: S. Sundaresan, C. Kreibich, M. Allman, V. Paxson (ICSI/UC Berkeley) A.

616 views • 19 slides
Extending MOSEK with exponential cones ISMP Bordeaux 2018 joachim.dahl@mosek.com www.mosek.com

Extending MOSEK with exponential cones ISMP Bordeaux 2018 joachim.dahl@mosek.com www.mosek.com

Extending MOSEK with exponential cones ISMP Bordeaux 2018 joachim.dahl@mosek.com www.mosek.com Conic optimization Linear cone problem: c T x minimize subject to Ax = b x K , with K = K 1 K 2 K p a product of proper

491 views • 22 slides

More recommend