Difference between revisions of "IPSec / IPTables"

From ArmadeusWiki
Revision as of 16:26, 23 December 2010

IPSec and IPTables are network tools that can be used together to create a VPN between two computers: IPSec secures the connection while IPTables handles packet routing. The APF27 PPS board is optimized to use these tools.


IPSec is a protocol that secures IP communications by authenticating and encrypting the packets exchanged between two IP addresses, whatever port they use.


Host PC (Ubuntu)

  • You need to install the ipsec-tools package on your host:
 $ sudo apt-get install ipsec-tools
  • Restrict the permissions of /etc/ipsec-tools.conf to 700, since it will contain the keys:
 $ sudo chmod 700 /etc/ipsec-tools.conf
  • Then edit this file and define the IPSec keys like that:

#!/usr/sbin/setkey -f 

# NOTE: Do not use this file if you use racoon with racoon-tool 
# utility. racoon-tool will setup SAs and SPDs automatically using 
# /etc/racoon/racoon-tool.conf configuration. 

## Flush the SAD and SPD 

# Attention: use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add ah 0x200 -A hmac-md5

add ah 0x300 -A hmac-md5

# ESP SAs using 192 bit long keys (168 + 24 parity)

add esp 0x201 -E 3des-cbc
add esp 0x301 -E 3des-cbc

# Security policies 
spdadd any -P in ipsec 

spdadd any -P out ipsec 

spdadd any -P in ipsec
Note: In this example the host is and the APF27 target is but you must adapt the file to your configuration and create your own keys.

Note: To generate a 192-bit key you can use the following command:
 $ dd if=/dev/random count=24 bs=1 | xxd -ps
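As an added example (not from the Armadeus wiki) covering the key-generation note above and the setkey file for the host: a POSIX shell script that creates keys of exactly the size each algorithm needs, checks a key's length before it reaches setkey, and renders the SA/SP entries for one host/target pair. It assumes placeholder IP addresses, transport mode with both AH and ESP required (as in the Ubuntu sample file the page's configuration is based on), od instead of xxd so it also runs on the BusyBox target, and /dev/urandom so the read never blocks.

```shell
#!/bin/sh
# Added example, not from the Armadeus wiki. Generates manual IPsec keys of the
# size each algorithm needs, checks a key before it reaches setkey(8), and renders
# the SA/SP entries for one host/target pair. IP addresses are placeholders.
set -eu

# Key size in bytes for the algorithms used on this page (see setkey(8)).
key_bytes() {
    case "$1" in
        hmac-md5)  echo 16 ;;   # 128-bit authentication key
        3des-cbc)  echo 24 ;;   # 192-bit key (168 + 24 parity)
        *) echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
}

# Random key as 0x-prefixed hex. od replaces xxd so this also runs on a BusyBox
# target; /dev/urandom is read instead of /dev/random so it never blocks.
gen_key() {
    printf '0x%s' "$(dd if=/dev/urandom bs=1 count="$(key_bytes "$1")" 2>/dev/null \
                     | od -An -tx1 | tr -d ' \n')"
}

# Succeeds only if $2 is a 0x-prefixed hex key of exactly the length $1 requires,
# so a truncated or mis-pasted key is caught before setkey is run.
check_key() {
    hex="${2#0x}"
    [ "$2" != "$hex" ] && [ "${#hex}" -eq $(( $(key_bytes "$1") * 2 )) ]
}

# Transport-mode AH + ESP in both directions, with the SPIs used on the page.
# Assumption: both protocols are required, as in the Ubuntu sample file.
render_conf() {
    host="$1"; target="$2"
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
add $host $target ah 0x200 -A hmac-md5 $(gen_key hmac-md5);
add $target $host ah 0x300 -A hmac-md5 $(gen_key hmac-md5);
add $host $target esp 0x201 -E 3des-cbc $(gen_key 3des-cbc);
add $target $host esp 0x301 -E 3des-cbc $(gen_key 3des-cbc);
spdadd $host $target any -P out ipsec esp/transport//require ah/transport//require;
spdadd $target $host any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# Usage: ./gen-ipsec-conf.sh <host IP> <target IP> > /etc/ipsec-tools.conf
if [ "$#" -eq 2 ]; then render_conf "$1" "$2"; fi
```

The same file must be installed on both the host and the target, since manual keying has no key exchange. hmac-md5 and 3des-cbc are kept only because the page uses them; both are weak by current standards.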

Target (APF27)


There are some drivers you need to install in Linux Kernel to make IPSec work.

  • To configure Linux, go into the BSP directory and run the command:
 $ make linux26-menuconfig
  • Select the following drivers to install in Linux configuration menu:
[*] Networking support --->
    Networking options --->
        <*> Transformation user configuration interface
        <*> PF_KEY sockets
        <*>   IP: AH transformation
        <*>   IP: ESP transformation
        <*>   IP: IPComp transformation
        <*>   IP: IPsec transport mode
        <*>   IP: IPsec tunnel mode
        <*>   IP: IPsec BEET mode

[*] Cryptographic API --->
    <*>   Null algorithms
      *** Authenticated Encryption with Associated Data ***
    <*>   CCM support
    <*>   GCM/GMAC support
    {*}   AES cipher algorithms
  • Then you can rebuild Linux like that:
 $ make linux26-clean
 $ make linux26
 $ make

You must install flex and networking packages like OpenSSH, OpenSSL and IPSec-tools.

  • First run this command to open the Buildroot configuration menu:
 $ make menuconfig
  • Select the following packages in the menu:
Package Selection for the target  --->
    [*] flex

    [*] Networking
        [*]   ipsec-tools
        [*]   Enable racoonctl(8).
        [ ]   Enable NAT-Traversal
        [*]   Enable IKE fragmentation.
        [*]   Enable statistics logging function.
        [ ]   Enable IPv6 support
        [ ]   Enable readline input support if available.
        [*]   Install IPSec libraries under staging_dir/lib

        [*]   openssh
        -*-   openssl
Note: If you want to use IPSec in a NAT router/firewall, you must enable the NAT-Traversal option:
Package Selection for the target  --->
    [*] Networking
        [*]   ipsec-tools
        [*]   Enable NAT-Traversal

  • Then rebuild Buildroot:
 $ make

Secure the connection

Once IPSec is installed and configured on both the target and the host, you have to start it and load the keys.

  • First, on your host (Ubuntu), either reboot the computer or run the command:
 $ sudo /etc/init.d/setkey start
 * Flushing IPsec SA/SP database:                                                                    [ OK ]

If you want to see the loaded keys:

 $ sudo setkey -D
  • On the target (APF27), you can run the command:
 # setkey -f /etc/ipsec-tools.conf

And you can check the keys with:

 # setkey -D

Test IPSec

  • To check that data is correctly encrypted over the secured connection, launch Wireshark on your host PC and set a capture filter on your host address:
 $ sudo wireshark
  • Then you can try to establish a connection between the system and your host with Telnet.

Run the following command on the target:

 # telnet -l $USERNAME $HOST_IP

For instance if you want to connect to computer with the user toto:

 # telnet -l toto

Entering character mode
Escape character is '^]'.

Last login: Thu Dec 23 14:35:40 CET 2010 from localhost on pts/5
Linux laptop-jeremie-ubuntu 2.6.31-20-generic-pae #58-Ubuntu SMP Fri Mar 12 06:25:51 UTC 2010 i686

To access official Ubuntu documentation, please visit:

You can also connect without giving the username on the command line. When you are prompted for the username, that exchange is encrypted too.

  • When you enter the password to connect to your host, check in Wireshark that you can see neither the protocol name (Telnet in our example) nor the password in the datagrams. You must only see the ESP protocol and encrypted data.
Note: If you use an APF27 PPS configured board, you can use the script test_ipsec.sh to test the OpenSSH tunnel.


IPTables is a command-line interface to configure Netfilter. It lets you set up the chains and rules of a computer's firewall. It can also be used to reach a public network from a private network by masquerading the private IP address.


If you want to use IPTables on your system, you have to configure both Buildroot and Linux.


  • In the BSP directory, run this command to launch the Linux configuration menu:
 $ make linux26-menuconfig
  • In the menu, select the following drivers or modules:
[*] Networking support --->
    Networking options --->
        [*] TCP/IP networking
        [*]   IP: multicasting
        [*]   IP: advanced router
                Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure) (FIB_HASH) --->
        [ ]   IP: policy routing
        [ ]   IP: equal cost multipath
        [ ]   IP: verbose route monitoring

        [*] Network packet filtering framework (Netfilter) --->
            [*] Advanced netfilter configuration
            [*]   Bridged IP/ARP packets filtering
                Core Netfilter Configuration --->
                    {*} Netfilter Xtables support (required for ip_tables)

                IP: Netfilter Configuration --->
                    <M> IP tables support (required for filtering/masq/NAT)
                    <M>   Packet filtering

                    <M> ARP tables support
                    <M>   ARP packet filtering
                    < >   ARP payload mangling


Note: If you want to use your target as a full NAT router and do masquerading, there are some advanced features you must add to the Linux kernel:
[*] Networking support --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
                Core Netfilter Configuration --->
                    <M> Netfilter connection tracking support
                    <M>   "state" match support
                IP: Netfilter Configuration --->
                    <M> IPv4 connection tracking support (required for NAT)
                    [*]   proc/sysctl compatibility with old connection tracking

                    <M>   Full NAT
                    <M>     MASQUERADE target support
                    <M>     NETMAP target support
                    <M>     REDIRECT target support
                    < >     Basic SNMP-ALG support

Note: You can also add other tables such as nat and mangle, or other rule targets such as LOG or REJECT, in the Netfilter section of the Linux configuration menu.

  • Now you can rebuild Linux:
 $ make linux26-clean
 $ make linux26
 $ make


  • In the BSP directory, launch the Buildroot configuration menu:
 $ make menuconfig
  • Select the following packages for IPTables to be installed on target:
Package selection for the target --->
    [*] Networking --->
        [*] iptables
  • Then rebuild Buildroot to generate the rootfs:
 $ make

IPTables usage

Test IPTables on APF27 PPS

To test IPTables on the target, we will set up a NAT router on the system and use it as a gateway between two computers.

  • First you have to enable the full NAT and masquerading features in the Linux kernel for your target. Refer to the note on the full NAT router above to set up these options, then rebuild Linux:
 $ make linux26-clean
 $ make linux26
 $ make
  • Flash the new kernel and rootfs binaries on the target.
  • Connect an Ethernet cable from your host Linux to the Ethernet port of the target.

And connect the USB A-MiniA cable from your host Linux to your target USB OTG port.

  • Then bring up the target's Ethernet and USB gadget network interfaces:
 # ifconfig eth0

 # modprobe -r smsc95xx
 # modprobe -r g_ether
 # modprobe g_ether
 # ifconfig usb0
 Freescale High-Speed USB SOC Device Controller driver (Apr 20, 2007)
 ULPI OTG Vendor ID 0x4cc    Product ID 0x1504
 g_ether gadget: using random self ethernet address
 g_ether gadget: using random host ethernet address
 usb0: MAC f6:cf:00:56:1b:64
 usb0: HOST MAC be:60:d1:56:89:fc
 g_ether gadget: Ethernet Gadget, version: Memorial Day 2008
 g_ether gadget: g_ether ready
 fsl-usb2-udc: bind to driver g_ether
 g_ether gadget: high speed config #1: CDC Ethernet (ECM)
  • Once the USB gadget interface is up, a network named Auto USB should appear in your host's Network Connections.
    • If you want to make your APF27 PPS a gateway, you have to use two different subnets: one for your private network (your computer and the USB gadget interface) and one for the remote network (the remote computer and the Ethernet interface).
    • Then edit the Auto USB network to configure it:
      • The IP address must be in the same subnet as the USB gadget interface: for instance
      • The netmask:
      • The gateway is your target's USB gadget interface: here
      • A DNS server, if you want to browse the Internet through the target. For instance
      • Search domains: for instance armadeus-office.
    • Then disconnect your host PC and reconnect to the Auto USB network.
  • Add the default route so the target can reach the Internet:
 # route add default gw eth0
  • Enable IP forwarding so the target forwards packets between its interfaces:
 # echo "1" > /proc/sys/net/ipv4/ip_forward
  • Then create the rules for the NAT router/firewall with iptables. The FORWARD policy is DROP, so only traffic from the private side (usb0) and replies to it from eth0 are forwarded; anything else is logged and dropped:
 # iptables -P INPUT ACCEPT
 # iptables -F INPUT 
 # iptables -P OUTPUT ACCEPT
 # iptables -F OUTPUT 
 # iptables -P FORWARD DROP
 # iptables -F FORWARD 
 # iptables -t nat -F
 nf_conntrack version 0.5.0 (1024 buckets, 4096 max)

 # iptables -A FORWARD -i eth0 -o usb0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 # iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
 # iptables -A FORWARD -j LOG

 # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • To check that the gateway is working, ping each of the target's interfaces and then the remote computer from your host:
 $ ping
 PING ( 56(84) bytes of data.
 64 bytes from icmp_seq=1 ttl=64 time=0.736 ms

 $ ping
 PING ( 56(84) bytes of data.
 64 bytes from icmp_seq=1 ttl=64 time=0.719 ms

 $ ping
 PING ( 56(84) bytes of data.
 64 bytes from icmp_seq=1 ttl=63 time=1.60 ms

  • If you have configured your network with a DNS server, you can even ping or browse a URL on the Internet:
 $ ping www.yahoo.fr
 PING any-rc.a01.yahoodns.net ( 56(84) bytes of data.
 64 bytes from w2.rc.vip.ch1.yahoo.com ( icmp_seq=1 ttl=49 time=90.3 ms
Note: If IPSec is enabled on both the remote computer and your target, you can also secure the connection to the remote computer.

On the remote computer, put the /etc/ipsec-tools.conf file in place and run the command:

 $ sudo /etc/init.d/setkey start
 * Flushing IPsec SA/SP database:                                                                    [ OK ]

On your target, run:

 # setkey -f /etc/ipsec-tools.conf

Then you can check with Wireshark that all data going through the secured connection is encrypted.