
Remote-Access VPN with OpenBSD/OpenIKED (OpenBSD/OpenIKED でリモートアクセス VPN)



Masakazu Asama

February 29, 2020

Transcript

  1. Remote-Access VPN with OpenBSD/OpenIKED
    Masakazu Asama (浅間正和), EBUG @ Snow Peak Headquarters Campfield

  2. Topology

    A generic broadband router with a generic OpenBSD server (ras.my.domain) on the LAN behind it, and a generic IKEv2 configuration. The router forwards (NATs) UDP 500 (isakmp) and UDP 4500 (ipsec-nat-t) from its public side to the server; VPN clients reach that public address through a DDNS name or similar. Each client is assigned an IPv4 address from a range carved out of the LAN.
    Illustrations (C) Irasutoya
  3. Broadband router settings (screenshot)

  4. Preparation

    - Enable IPv4 packet forwarding
    - Configure pf
    - Start iked at boot (an empty iked_flags in rc.conf.local enables it; rcctl enable iked does the same)

    ras# cp /etc/examples/sysctl.conf /etc/
    ras# vi /etc/sysctl.conf
    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
    ras# vi /etc/rc.conf.local
    iked_flags=""
    ras# vi /etc/pf.conf
    pass in log on smsc0 proto udp from any to 192.168.11.254 port {isakmp, ipsec-nat-t}
    pass in log on enc0
  5. Preparation: proxy ARP

    The server answers ARP for every address of the client pool (192.168.11.240/29, i.e. .240 to .247) with its own MAC address, so the router and other LAN hosts send traffic for VPN clients to the server:

    ras# ifconfig smsc0
    smsc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr b8:27:eb:b7:4a:f4
            index 3 priority 0 llprio 3
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.11.254 netmask 0xffffff00 broadcast 192.168.11.255
    ras# arp -s 192.168.11.240 b8:27:eb:b7:4a:f4 pub
    ras# arp -s 192.168.11.241 b8:27:eb:b7:4a:f4 pub
    ras# arp -s 192.168.11.242 b8:27:eb:b7:4a:f4 pub
    ras# arp -s 192.168.11.243 b8:27:eb:b7:4a:f4 pub
    ras# arp -s 192.168.11.244 b8:27:eb:b7:4a:f4 pub
    ras# arp -s 192.168.11.245 b8:27:eb:b7:4a:f4 pub
    ras# arp -s 192.168.11.246 b8:27:eb:b7:4a:f4 pub
    ras# arp -s 192.168.11.247 b8:27:eb:b7:4a:f4 pub

    These entries do not survive a reboot; to make them persistent, put the same commands into /etc/hostname.smsc0 prefixed with "!".
  6. Setting up the CA

    ras# ikectl ca vpn create
    CA passphrase:
    Retype CA passphrase:
    Generating RSA private key, 2048 bit long modulus
    .........+++++
    ..........+++
    e is 65537 (0x10001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    ...
  7. Setting up the CA (continued)

    ...
    -----
    Country Name (2 letter code) [JP]:
    State or Province Name (full name) [Niigata]:
    Locality Name (eg, city) [Sanjo]:
    Organization Name (eg, company) [Ginzado]:
    Organizational Unit Name (eg, section) [BT]:
    Common Name (eg, fully qualified host name) [VPN CA]:
    Email Address [m-asama@ginzado.co.jp]:
    Signature ok
    subject=/C=JP/ST=Niigata/L=Sanjo/O=Ginzado/OU=BT/CN=VPN CA/emailAddress=m-asama@ginzado.co.jp
    Getting Private key
    Using configuration from /etc/ssl/vpn/ca-revoke-ssl.cnf
    ras# ikectl ca vpn install
    certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
    CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl

    /etc/iked/ca/ca.crt is the certificate each client must have installed so it can verify the server; the CA's private key stays under /etc/ssl/vpn/ and is what the passphrase above protects.
  8. Server key pair and certificate

    ras# ikectl ca vpn certificate ras.my.domain create
    Generating RSA private key, 2048 bit long modulus
    ..............+++++
    ..................................+++++
    e is 65537 (0x10001)
    (the same DN prompts as for the CA follow)
    -----
    Country Name (2 letter code) [JP]:
    State or Province Name (full name) [Niigata]:
    Locality Name (eg, city) [Sanjo]:
    Organization Name (eg, company) [Ginzado]:
    Organizational Unit Name (eg, section) [BT]:
    ...
  9. Server key pair and certificate (continued)

    ...
    Common Name (eg, fully qualified host name) [ras.my.domain]:
    Email Address [m-asama@ginzado.co.jp]:
    Using configuration from /etc/ssl/vpn/ras.my.domain-ssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'JP'
    stateOrProvinceName   :ASN.1 12:'Niigata'
    localityName          :ASN.1 12:'Sanjo'
    organizationName      :ASN.1 12:'Ginzado'
    organizationalUnitName:ASN.1 12:'BT'
    commonName            :ASN.1 12:'ras.my.domain'
    emailAddress          :IA5STRING:'m-asama@ginzado.co.jp'
    Certificate is to be certified until Feb 5 04:51:16 2021 GMT (365 days)
    Write out database with 1 new entries
    Data Base Updated
    ras# ikectl ca vpn certificate ras.my.domain install
    writing RSA key

    The name given to ikectl (ras.my.domain) is the identity the server presents as srcid in iked.conf and the server name the client verifies, so all three must agree. Note the one-year validity: after Feb 5 2021 clients reject the server until the certificate is reissued and installed again.
  10. Configuring OpenIKED

    ras# touch /etc/iked.conf
    ras# chmod 600 /etc/iked.conf
    ras# vi /etc/iked.conf
    user "m-asama" "password"
    ikev2 passive esp \
            from 0.0.0.0/0 to 0.0.0.0/0 \
            local 192.168.11.254 peer any \
            srcid ras.my.domain \
            eap "mschap-v2" \
            config address 192.168.11.240/29 \
            config netmask 255.255.255.0 \
            config name-server 192.168.11.1

    The user line holds the EAP password in clear text, which is why the file is created mode 600 before it is written ("password" is a placeholder). The policy waits for any peer (passive, peer any), identifies the server as ras.my.domain (the name on its certificate), authenticates clients with EAP MS-CHAP-v2 against the user lines, and hands each client an address from 192.168.11.240/29 together with the LAN netmask and the router as DNS server. The from/to 0.0.0.0/0 selectors are narrowed per client once it has its address (shown later in the ipsecctl output). Check the file with iked -n before starting the daemon with rcctl start iked.
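The proxy-ARP entries of slide 5, the pf rule of slide 4 and the config payload above all describe the same address pool, and they drift apart easily when edited by hand. The following is an added helper, not part of the talk or of OpenIKED, that derives all three from one description of the LAN and refuses a pool that proxy ARP could not serve. The addresses, MAC and interface name are those on the slides; the hostname.if lines use OpenBSD's "!command" syntax for persisting the arp entries across reboots.

```python
import ipaddress

# Values from the slides: the LAN, the broadband router (gateway and DNS), the OpenBSD
# server with its MAC from ifconfig smsc0, and the pool iked hands to clients.
LAN, GATEWAY, SERVER = "192.168.11.0/24", "192.168.11.1", "192.168.11.254"
SERVER_MAC, IFNAME = "b8:27:eb:b7:4a:f4", "smsc0"
POOL = "192.168.11.240/29"


def check_pool(lan=LAN, pool=POOL, reserved=(GATEWAY, SERVER)):
    """Proxy ARP only works for addresses inside the LAN prefix, and a pool that contains
    the router's or the server's own address would make the server fight them for it."""
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    if not pool.subnet_of(lan):
        raise ValueError(f"{pool} is outside {lan}; proxy ARP cannot answer for it")
    clash = [a for a in reserved if ipaddress.ip_address(a) in pool]
    if clash:
        raise ValueError(f"{pool} contains addresses already in use: {clash}")
    return True


def proxy_arp_commands(pool=POOL, mac=SERVER_MAC):
    """One published entry per pool address: iked may hand out any of them."""
    return [f"arp -s {a} {mac} pub" for a in ipaddress.ip_network(pool)]


def hostname_if_lines(pool=POOL, mac=SERVER_MAC):
    """The same entries in /etc/hostname.<if> form, so they survive a reboot."""
    return ["!" + cmd for cmd in proxy_arp_commands(pool, mac)]


def pf_rules(server=SERVER, ifname=IFNAME):
    """IKE (udp/500) and NAT-T (udp/4500) to the server; everything decapsulated on enc0."""
    return [f"pass in log on {ifname} proto udp from any to {server} port {{isakmp, ipsec-nat-t}}",
            "pass in log on enc0"]


def iked_config_lines(lan=LAN, pool=POOL, gateway=GATEWAY):
    """The config payload: the pool, the LAN's own netmask so a client sees one flat LAN,
    and the router as name server."""
    return [f"config address {pool}",
            f"config netmask {ipaddress.ip_network(lan).netmask}",
            f"config name-server {gateway}"]


if __name__ == "__main__":
    check_pool()
    print("\n".join(proxy_arp_commands() + hostname_if_lines() + pf_rules() + iked_config_lines()))
```

Running it prints the eight arp commands, their hostname.smsc0 form, the two pf rules and the three config lines; moving the pool to 192.168.11.248/29 makes check_pool() fail because .254 is the server itself.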
  11.-22. Client-side settings (iPadOS example): screenshots only

  23. So what is actually going on?

  24. The exchange (Initiator <-> Responder)

    IKE_SA_INIT request    IP | UDP | HDR | SAi | KEi | Ni                  (plaintext)
    IKE_SA_INIT response   IP | UDP | HDR | SAr | KEr | Nr | CERTREQ        (plaintext)
    IKE_AUTH request       IP | UDP | HDR | { IDi | CP | TSi | TSr | SAi }  (encrypted)
    IKE_AUTH response      IP | UDP | HDR | { IDr | AUTH | EAP | CERT }     (encrypted)
    ESP packet             IP | UDP | ESP | payload                         (the actual traffic)

    IKE_SA_INIT is the IKEv2 key exchange; its result protects IKE_AUTH. IKE_AUTH is the exchange that sets up the protection of the actual traffic. With EAP, IKE_AUTH goes back and forth several times.
  25. SA (Security Association)

    - In short, the object that represents a "connection"
    - Which encryption algorithm, and what key length
    - Which integrity algorithm, and what key length
    - Which pseudo-random function (PRF), and what key length
    - Which Diffie-Hellman group (see later)
    - A separate SA is set up for each direction
    - The SA for the IKE exchange itself (the IKE SA) is distinct from the SAs for ESP (the Child SAs)
    - On the previous slide, SAi carries the set of IKE SA algorithm combinations the Initiator proposes; SAr carries the single combination the Responder selected from them
  26. KE (Key Exchange)

    - The values used to produce "the secret number shared between Initiator and Responder"
    - Used by the Diffie-Hellman key exchange (see later)

  27. Ni / Nr (Nonce)

    - Random values generated by the Initiator and the Responder respectively
    - Used in the pseudo-random key derivation and in authentication

  28. Diffie-Hellman key exchange (Initiator / Responder)

    First both sides settle the Diffie-Hellman group (decided by SAi/SAr in IKE_SA_INIT). For an n-bit MODP group (RFC 2409 group 2 is n = 1024, RFC 3526 group 14 is n = 2048) the prime has the form
        p = 2^n - 2^(n-64) - 1 + 2^64 * { [2^(n-130) pi] + c },   g = 2
    Initiator: pick a random i with 1 < i < p - 1 and send g^i mod p as KEi
    Responder: pick a random r with 1 < r < p - 1 and send g^r mod p as KEr
    Initiator: (g^r mod p)^i mod p = g^(i*r) mod p is the shared secret
    Responder: (g^i mod p)^r mod p = g^(i*r) mod p is the shared secret
    When p is large, computing g^(i*r) mod p from p, g, g^i mod p and g^r mod p is computationally infeasible (the discrete logarithm problem). There are also groups based on elliptic-curve cryptography.
  29. Generating the IKE SA keys

    Definitions:
        prf(K, S)    a function producing fixed-length pseudo-random output from key K and seed S
        prf+(K, S)   a function that uses prf to produce more pseudo-random output than a single prf call gives (a stream of it)

    prf+ is defined as:
        prf+ (K,S) = T1 | T2 | T3 | T4 | ...
    where:
        T1 = prf (K, S | 0x01)
        T2 = prf (K, T1 | S | 0x02)
        T3 = prf (K, T2 | S | 0x03)
        T4 = prf (K, T3 | S | 0x04)
        ...
    (quoted from the IKEv2 RFC, RFC 7296, section 2.13)

    Take g^(i*r) from the Diffie-Hellman exchange above as S, and Ni | Nr as K (this is for the initial IKE SA; a rekey differs)
    -> compute prf(K, S); this is SKEYSEED
    -> take Ni | Nr | SPIi | SPIr as the new S (the SPIs are the identifier-like values carried in HDR)
    -> compute prf+(SKEYSEED, S) to obtain the pseudo-random stream
    -> cut the stream from the front into
        SK_d           the key from which the Child SA keys are derived
        SK_ai, SK_ar   integrity keys for the Initiator and the Responder
        SK_ei, SK_er   encryption keys for the Initiator and the Responder
        SK_pi, SK_pr   keys for the prf used when computing AUTH
  30. Authentication (the EAP case)

    - Authenticating the Initiator, from the Responder's point of view:
      - MS-CHAPv2 is used, the same method PPP and friends use
      - PPTP also uses MS-CHAPv2 and has known weaknesses, but in IKEv2 the exchange runs inside the IKE SA, so it is said to be fine
      - The Responder sends a challenge; if the Initiator returns the correct response, authentication succeeds
    - Authenticating the Responder, from the Initiator's point of view:
      - The Responder signs the contents of its IKE_SA_INIT message (and related data) with its private key and sends the signature to the Initiator
      - The Initiator verifies it against the CA's public key, and that authenticates the Responder (probably)

    Caveat: that "fine" rests entirely on the second half. MS-CHAPv2 is protected only if the client really verifies the server certificate against the CA before the EAP exchange starts; a client that skips that check will run MS-CHAPv2 with whoever answers, which is exactly the PPTP situation again.
  31. Generating the Child SA keys

    - Same idea as for the IKE SA: with Ni | Nr as the seed and SK_d as the key, run prf+ to get a pseudo-random stream, and cut the encryption key and the integrity key off its front
    - The Child SA parameters are pushed into the kernel through a PF_KEY socket
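The three slides above (the Diffie-Hellman exchange, the IKE SA key derivation and the Child SA keys) as one runnable key schedule. This is an added example, not OpenIKED's code. It assumes PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 and AES-256 (all 32-byte keys), uses the 1024-bit MODP group 2 of RFC 2409 as the concrete group (the slide's formula with n = 1024 and c = 129093) and constructs the nonces and SPIs itself.

```python
import hashlib
import hmac
import secrets

# RFC 2409 group 2, the 1024-bit MODP group; in the notation of the DH slide:
# p = 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }, g = 2.  p is a safe prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
GROUP_LEN = 128                        # bytes in a group-2 public value or shared secret
PRF_LEN = INTEG_LEN = ENCR_LEN = 32    # HMAC-SHA-256 PRF, HMAC-SHA-256-128 integrity, AES-256


def pi_prefix(p=P):
    """Undo the frame of the formula above: (p + 1 + 2^960 - 2^1024) / 2^64 equals
    [2^894 pi] + 129093, so the leading digits of that term are those of pi."""
    middle = (p + 1 + 2**960 - 2**1024) >> 64
    return ((middle - 129093) * 100000) >> 894


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Miller-Rabin with fixed bases, enough to catch a typo in a transcribed group prime."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Private exponent x and the public value g^x mod p that goes into the KE payload."""
    x = 2 + secrets.randbelow(P - 3)                 # 2 <= x <= p - 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """g^(i*r) mod p as a fixed-length big-endian string.  Peer values 0, 1 and p-1 are
    rejected (RFC 6989); for a safe prime that range check rules out the small subgroups."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, P).to_bytes(GROUP_LEN, "big")


def prf(key, data):
    """PRF_HMAC_SHA2_256: fixed-length pseudo-random output from key K and seed S."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, nbytes):
    """RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); return T1|T2|... cut to nbytes."""
    out, t, n = b"", b"", 1
    while len(out) < nbytes:
        t = prf(key, t + seed + bytes([n]))
        out, n = out + t, n + 1
    return out[:nbytes]


def ike_sa_keys(shared, ni, nr, spi_i, spi_r):
    """SKEYSEED = prf(Ni|Nr, g^ir); then SK_* = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) cut in order."""
    skeyseed = prf(ni + nr, shared)
    layout = [("SK_d", PRF_LEN), ("SK_ai", INTEG_LEN), ("SK_ar", INTEG_LEN), ("SK_ei", ENCR_LEN),
              ("SK_er", ENCR_LEN), ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name], pos = stream[pos:pos + size], pos + size
    return keys


def child_sa_keys(sk_d, ni, nr):
    """First Child SA: KEYMAT = prf+(SK_d, Ni|Nr); initiator-to-responder keys come first and,
    for ESP, the encryption key before the integrity key (RFC 7296 2.17)."""
    half = ENCR_LEN + INTEG_LEN
    km = prf_plus(sk_d, ni + nr, 2 * half)
    return {"ei": km[:ENCR_LEN], "ai": km[ENCR_LEN:half],
            "er": km[half:half + ENCR_LEN], "ar": km[half + ENCR_LEN:]}


def run_exchange():
    """Both ends of IKE_SA_INIT.  Nonces and SPIs are constructed here; on the wire they are
    visible to everyone, and the only secret input to the key schedule is g^ir."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    i, ke_i = dh_keypair()                           # initiator sends KEi = g^i mod p
    r, ke_r = dh_keypair()                           # responder sends KEr = g^r mod p
    ike_i = ike_sa_keys(dh_shared(i, ke_r), ni, nr, spi_i, spi_r)   # (g^r)^i
    ike_r = ike_sa_keys(dh_shared(r, ke_i), ni, nr, spi_i, spi_r)   # (g^i)^r
    return ike_i, ike_r, child_sa_keys(ike_i["SK_d"], ni, nr), child_sa_keys(ike_r["SK_d"], ni, nr)


if __name__ == "__main__":
    ike_i, ike_r, child_i, child_r = run_exchange()
    print("keys agree:", ike_i == ike_r and child_i == child_r, "pi prefix:", pi_prefix())
```

pi_prefix() reproduces the [2^894 pi] term of the slide's formula from the prime constant and is_probable_prime() checks the constant itself; run_exchange() shows both sides ending up with identical SK_* and Child SA keys although i, r and g^ir are never transmitted. The range check in dh_shared() is the one thing a real implementation must not skip: a peer value of 1 or p-1 would make the "shared secret" predictable.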

  32. Rekeying SAs

    - Skipped here, because it is tedious
    - Done with the CREATE_CHILD_SA message, both for
      - IKE SA rekeys: not done very often; the existing Child SAs are moved over to the new IKE SA
      - Child SA rekeys: done more often than IKE SA rekeys
    - and this is again extremely tedious, mostly because of packet loss and error handling
    - Either the Initiator or the Responder may start CREATE_CHILD_SA, so you also have to decide what happens when both do it at the same time
  33. TSi / TSr (Traffic Selector)

    - Specify what a Child SA protects:
      - an address range
      - a port range
    - In this example the Responder's configuration sets both TSi and TSr to 0.0.0.0/0, but in practice, once the Initiator has been authenticated, TSi is narrowed to just the address that was assigned to it:

    ras# ipsecctl -s flow
    flow esp in from 192.168.11.246 to 0.0.0.0/0 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type use
    flow esp out from 0.0.0.0/0 to 192.168.11.246 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type require
    flow esp out from ::/0 to ::/0 type deny

    (peer 203.0.113.85 is the address the client's packets actually arrive from, i.e. its NAT; dstid IPV4/10.132.21.116 is the client's own pre-NAT address, presented as its IKE identity.)
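Traffic-selector narrowing as a function, to show how "from 0.0.0.0/0 to 0.0.0.0/0" in iked.conf turns into the flows above. This is an added example, not OpenIKED's implementation: it models a selector as one IPv4 address range plus a port range (the protocol field is ignored), intersects the Initiator's proposal with the Responder's policy, pins TSi to the address assigned through CP, and reports TS_UNACCEPTABLE when nothing is left.

```python
import ipaddress


class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE: a start/end address pair plus a port range (RFC 7296 3.13.1)."""

    def __init__(self, first, last, port_lo=0, port_hi=65535):
        self.first, self.last = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.port_lo, self.port_hi = port_lo, port_hi

    @classmethod
    def from_cidr(cls, cidr):
        net = ipaddress.ip_network(cidr)
        return cls(int(net[0]), int(net[-1]))

    def intersect(self, other):
        """The narrowed selector, or None when the two ranges do not overlap."""
        first, last = max(self.first, other.first), min(self.last, other.last)
        lo, hi = max(self.port_lo, other.port_lo), min(self.port_hi, other.port_hi)
        return None if first > last or lo > hi else TrafficSelector(first, last, lo, hi)

    def __str__(self):
        """Render the way ipsecctl does: a single address bare, a prefix in CIDR form."""
        a, b = ipaddress.IPv4Address(self.first), ipaddress.IPv4Address(self.last)
        nets = list(ipaddress.summarize_address_range(a, b))
        addr = str(a) if a == b else (str(nets[0]) if len(nets) == 1 else f"{a}-{b}")
        ports = "" if (self.port_lo, self.port_hi) == (0, 65535) else f" port {self.port_lo}-{self.port_hi}"
        return addr + ports


ANY = TrafficSelector.from_cidr("0.0.0.0/0")


def narrow(policy_from, policy_to, proposed_tsi, proposed_tsr, assigned):
    """Responder side.  policy_from/policy_to are the iked.conf 'from ... to ...' ranges as seen
    from the responder, proposed_tsi/tsr are what the initiator asked for, and assigned is the
    address handed out through CP.  Returns the two flows ipsecctl -s flow would list, or raises
    TS_UNACCEPTABLE when the narrowing leaves nothing."""
    pin = TrafficSelector(assigned, assigned)
    tsi = proposed_tsi.intersect(policy_to)
    tsi = tsi and tsi.intersect(pin)      # the client only ever speaks as its assigned address
    tsr = proposed_tsr.intersect(policy_from)
    if tsi is None or tsr is None:
        raise ValueError("TS_UNACCEPTABLE")
    return [f"flow esp in from {tsi} to {tsr}", f"flow esp out from {tsr} to {tsi}"]


def slide_example():
    """The case on this slide: policy 0.0.0.0/0 both ways, a client that proposes 0.0.0.0/0
    for itself because it does not know its address yet, and 192.168.11.246 assigned via CP."""
    return narrow(ANY, ANY, ANY, ANY, "192.168.11.246")


if __name__ == "__main__":
    print("\n".join(slide_example()))
```

A client that proposes only its real address (10.132.21.116/32) as TSi gets TS_UNACCEPTABLE from narrow(), since that range never contains the assigned 192.168.11.246; real initiators therefore propose 0.0.0.0/0 for their own side when they request an address.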
  34. CP (Configuration)

    - Lets one side get an address assigned by the peer and learn things such as the DNS server, the way DHCP does
    - Not part of IKEv1 (only a non-standard mode-config draft existed); it was added with IKEv2
    - With IKEv1 you built an IPsec-encrypted path and ran an L2TP tunnel over it; address assignment and the like came from L2TP
  35. NAT traversal

    - Everything above assumed that both IKE and ESP travel over UDP, but originally ESP was its own IP protocol (protocol number 50), which could not pass a NAT device sitting in between
    - For IKEv1 NAT traversal was bolted on later in separate RFCs; IKEv2 has it in the base specification
    - Each side embeds (a hash of) the source and destination address and port it used into its IKE message (the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications); the receiver compares that with the addresses and ports actually on the packet it received, and a mismatch means a NAT device sits in between. Both sides then move to UDP 4500 and carry ESP inside UDP
    - A UDP NAT mapping is dropped when no traffic flows, so NAT keepalives are sent periodically (at a default interval)
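The NAT detection described above as code. This is an added example, not from the talk or from OpenIKED; the hash input follows RFC 7296 section 2.23 (SHA-1 over SPIi | SPIr | address | port). The SPIs, the server-side public address 198.51.100.10 and the two-NAT scenario are constructed to match the setup on the earlier slides.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i, spi_r, addr, port):
    """SHA-1(SPIi | SPIr | IP address | port), address and port as the sender wrote them."""
    data = spi_i + spi_r + ipaddress.ip_address(addr).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detection_payloads(spi_i, spi_r, src, sport, dst, dport):
    """The two notifications one side attaches to its IKE_SA_INIT message."""
    return {"NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src, sport),
            "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst, dport)}


def detect_nat(spi_i, spi_r, payloads, pkt_src, pkt_sport, pkt_dst, pkt_dport):
    """Receiver: recompute both hashes over the addresses and ports actually on the packet.
    Returns (peer_is_behind_nat, we_are_behind_nat)."""
    peer = payloads["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(spi_i, spi_r, pkt_src, pkt_sport)
    us = payloads["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(spi_i, spi_r, pkt_dst, pkt_dport)
    return peer, us


# Constructed scenario matching the slides: the client is 10.132.21.116 behind a NAT that
# shows 203.0.113.85; the server is 192.168.11.254 behind the broadband router, whose public
# address (what the DDNS name resolves to) is assumed here to be 198.51.100.10.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)   # the responder's SPI is still all zero in the initiator's first message


def scenario_two_nats():
    """The setup on these slides: a NAT on each side, so both flags come back true and the
    peers move to UDP 4500 with UDP-encapsulated ESP (hence ipsec-nat-t in pf.conf)."""
    sent = nat_detection_payloads(SPI_I, SPI_R, "10.132.21.116", 500, "198.51.100.10", 500)
    return detect_nat(SPI_I, SPI_R, sent, "203.0.113.85", 500, "192.168.11.254", 500)


def scenario_no_nat():
    """Two hosts with public addresses and nothing rewriting the packet in between."""
    sent = nat_detection_payloads(SPI_I, SPI_R, "198.51.100.20", 500, "198.51.100.10", 500)
    return detect_nat(SPI_I, SPI_R, sent, "198.51.100.20", 500, "198.51.100.10", 500)


if __name__ == "__main__":
    print("two NATs:", scenario_two_nats(), "no NAT:", scenario_no_nat())
```

Because the port is part of the hash, a NAT that keeps the address but rewrites the source port is detected as well, which is what makes UDP encapsulation kick in for the common home-router case.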
  36. Beyond ESP

    - Everything above assumed ESP, but IPsec also has AH and IPComp
    - AH does not encrypt; it only guarantees integrity (that nothing was altered on the way)
    - Long ago ESP only encrypted and gave no integrity, so when you wanted integrity you combined it with AH; once ESP could guarantee integrity as well, AH went practically unused
    - Security-wise, encryption without an integrity check is a bad idea anyway (encryption-only ESP has practical plaintext-recovery attacks)
    - IPComp compresses the payload
  37. Beyond tunnel mode

    - Everything above assumed tunnel mode, but IPsec also has transport mode
    - In tunnel mode the IPsec device encapsulates the original IP packet and protects all of it; transport mode protects only the contents of the traffic between the two IPsec endpoints (everything inside the original IP header)
    - The RFC says something to the effect that transport mode is an acquired taste, and personally I would rather not get involved:

      "This scenario enables the end-to-end security that has been a guiding principle for the Internet since [ARCH-PRINC], [TRANSPARENCY], and a method of limiting the inherent problems with complexity in networks noted by [ARCH-GUIDEPHIL]."
      (RFC 7296, section 1.1.2, Endpoint-to-Endpoint Transport Mode)
  38. Idealism vs. realism

    - "Remote access already has L2TP, so IPsec does not need it" -> "having address assignment in IPsec would be nice after all"
    - "NAT is evil; AH and ESP are IP protocols" -> "too inconvenient; let us cross NATs over UDP"
    - "Sometimes you want integrity but not confidentiality, sometimes the reverse, so combine AH and ESP as needed" -> in practice only ESP is used, and it gained integrity later
    - "The Internet has to be end to end" -> nobody uses transport mode

    (These are the speaker's personal biases.)