OpenBSD/OpenIKED でリモートアクセス VPN (Remote-access VPN with OpenBSD/OpenIKED)

Masakazu Asama

February 29, 2020

Transcript

  1. Preparations
     • Enable IPv4 packet forwarding
     • Configure pf (let IKE on UDP 500/isakmp and UDP 4500/ipsec-nat-t in, and let decrypted traffic in on enc0)
     • Enable iked at boot

     ras# cp /etc/examples/sysctl.conf /etc/
     ras# vi /etc/sysctl.conf
     net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
     ras# vi /etc/rc.conf.local
     iked_flags=""
     ras# vi /etc/pf.conf
     pass in log on smsc0 proto udp from any to 192.168.11.254 port {isakmp, ipsec-nat-t}
     pass in log on enc0
  2. Preparations (continued)
     • Configure proxy ARP. The client pool used later (192.168.11.240/29) is carved out of the LAN 192.168.11.0/24 on smsc0, so the server answers ARP for those eight addresses with its own MAC; otherwise LAN hosts could not reach VPN clients.

     ras# ifconfig smsc0
     smsc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
             lladdr b8:27:eb:b7:4a:f4
             index 3 priority 0 llprio 3
             groups: egress
             media: Ethernet autoselect (100baseTX full-duplex)
             status: active
             inet 192.168.11.254 netmask 0xffffff00 broadcast 192.168.11.255
     ras# arp -s 192.168.11.240 b8:27:eb:b7:4a:f4 pub
     ras# arp -s 192.168.11.241 b8:27:eb:b7:4a:f4 pub
     ras# arp -s 192.168.11.242 b8:27:eb:b7:4a:f4 pub
     ras# arp -s 192.168.11.243 b8:27:eb:b7:4a:f4 pub
     ras# arp -s 192.168.11.244 b8:27:eb:b7:4a:f4 pub
     ras# arp -s 192.168.11.245 b8:27:eb:b7:4a:f4 pub
     ras# arp -s 192.168.11.246 b8:27:eb:b7:4a:f4 pub
     ras# arp -s 192.168.11.247 b8:27:eb:b7:4a:f4 pub
  3. Configuring the CA

     ras# ikectl ca vpn create
     CA passphrase:
     Retype CA passphrase:
     Generating RSA private key, 2048 bit long modulus
     .........+++++
     ................................................................................................+++
     e is 65537 (0x10001)
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     ...

  4. Configuring the CA (continued)

     ...
     -----
     Country Name (2 letter code) [JP]:
     State or Province Name (full name) [Niigata]:
     Locality Name (eg, city) [Sanjo]:
     Organization Name (eg, company) [Ginzado]:
     Organizational Unit Name (eg, section) [BT]:
     Common Name (eg, fully qualified host name) [VPN CA]:
     Email Address [[email protected]]:
     Signature ok
     subject=/C=JP/ST=Niigata/L=Sanjo/O=Ginzado/OU=BT/CN=VPN CA/[email protected]
     Getting Private key
     Using configuration from /etc/ssl/vpn/ca-revoke-ssl.cnf
     ras# ikectl ca vpn install
     certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt
     CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl
  5. Creating the server key pair

     ras# ikectl ca vpn certificate ras.my.domain create
     Generating RSA private key, 2048 bit long modulus
     ..............................................................................+++++
     ..................................+++++
     e is 65537 (0x10001)
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [JP]:
     State or Province Name (full name) [Niigata]:
     Locality Name (eg, city) [Sanjo]:
     Organization Name (eg, company) [Ginzado]:
     Organizational Unit Name (eg, section) [BT]:
     ...

  6. Creating the server key pair (continued)

     ...
     Common Name (eg, fully qualified host name) [ras.my.domain]:
     Email Address [[email protected]]:
     Using configuration from /etc/ssl/vpn/ras.my.domain-ssl.cnf
     Check that the request matches the signature
     Signature ok
     The Subject's Distinguished Name is as follows
     countryName           :PRINTABLE:'JP'
     stateOrProvinceName   :ASN.1 12:'Niigata'
     localityName          :ASN.1 12:'Sanjo'
     organizationName      :ASN.1 12:'Ginzado'
     organizationalUnitName:ASN.1 12:'BT'
     commonName            :ASN.1 12:'ras.my.domain'
     emailAddress          :IA5STRING:'[email protected]'
     Certificate is to be certified until Feb 5 04:51:16 2021 GMT (365 days)
     Write out database with 1 new entries
     Data Base Updated
     ras# ikectl ca vpn certificate ras.my.domain install
     writing RSA key
  7. Configuring OpenIKED

     The file holds the EAP user's password in clear text, hence the chmod 600 before editing it.

     ras# touch /etc/iked.conf
     ras# chmod 600 /etc/iked.conf
     ras# vi /etc/iked.conf
     user "m-asama" "password"
     ikev2 passive esp \
             from 0.0.0.0/0 to 0.0.0.0/0 \
             local 192.168.11.254 peer any \
             srcid ras.my.domain \
             eap "mschap-v2" \
             config address 192.168.11.240/29 \
             config netmask 255.255.255.0 \
             config name-server 192.168.11.1
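The proxy-ARP entries on slide 2 and the `config address` pool on slide 7 have to agree by hand. The following is an added example, not the deck's or OpenIKED's own code: it derives the `arp -s ... pub` lines from the pool and checks the pool against the LAN interface. The addresses and MAC are the ones the slides show; the helper names are mine.

```python
"""
Added example (not the deck's own code): derive the proxy-ARP entries from the
iked.conf address pool and check the pool against the LAN interface.

The slides carve the client pool 192.168.11.240/29 out of the smsc0 LAN
192.168.11.0/24 and publish one 'arp -s ... pub' entry per pool address so
that LAN hosts can reach VPN clients.  Addresses and MAC are the slides';
the helper names are mine.
"""
import ipaddress

# Values from the slides (the MAC is the one 'ifconfig smsc0' printed).
LAN_IFACE = "192.168.11.254/24"
LAN_MAC = "b8:27:eb:b7:4a:f4"
POOL = "192.168.11.240/29"          # iked.conf: config address 192.168.11.240/29


def check_pool(pool_cidr, lan_cidr):
    """Return a list of problems; an empty list means the pool is usable."""
    pool = ipaddress.ip_network(pool_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    problems = []
    if not pool.subnet_of(lan.network):
        problems.append("pool %s is not inside LAN %s" % (pool, lan.network))
    if lan.ip in pool:
        problems.append("pool %s contains the server address %s" % (pool, lan.ip))
    for special in (lan.network.network_address, lan.network.broadcast_address):
        if special in pool:
            problems.append("pool %s contains LAN network/broadcast address %s"
                            % (pool, special))
    return problems


def proxy_arp_commands(pool_cidr, mac):
    """One published ARP entry per pool address.

    Iterate over the pool itself, not pool.hosts(): the /29 is only a range
    handed out by iked (clients receive netmask 255.255.255.0), so its first
    and last addresses (.240 and .247) are ordinary client addresses and need
    entries too, exactly as on slide 2.
    """
    pool = ipaddress.ip_network(pool_cidr)
    return ["arp -s %s %s pub" % (addr, mac) for addr in pool]


if __name__ == "__main__":
    for problem in check_pool(POOL, LAN_IFACE):
        print("WARNING:", problem)
    for line in proxy_arp_commands(POOL, LAN_MAC):
        print(line)
```

Run it after changing the pool and paste the printed lines into the proxy-ARP step; a pool that wanders onto the server's own address or the LAN broadcast address is reported instead of silently producing bad entries.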
  8. [Figure: IKEv2 exchange between Initiator and Responder. Illustration © いらすとや]
     IKE_SA_INIT request  (plaintext): IP | UDP | HDR | SAi | KEi | Ni
     IKE_SA_INIT response (plaintext): IP | UDP | HDR | SAr | KEr | Nr | CERTREQ
       -> key exchange by IKEv2: the exchange that protects IKE_AUTH
     IKE_AUTH request  (ciphertext): IP | UDP | HDR | IDi | CP | TSi | TSr | SAi
     IKE_AUTH response (ciphertext): IP | UDP | HDR | IDr | AUTH | EAP | CERT
       -> with EAP, IKE_AUTH goes back and forth several times; this exchange protects the real traffic
     ESP packets (real traffic): IP | UDP | ESP | Payload
  9. SA (Security Association)
     • In short, the object that represents a "connection".
     • Which encryption algorithm, and what key length.
     • Which integrity algorithm, and what key length.
     • Which pseudorandom function (prf), and what key length.
     • Which Diffie-Hellman group (explained below).
     • A separate SA is set up for each direction.
     • The SA for the IKE exchange itself (IKE SA) is distinct from the SAs for ESP traffic (Child SAs).
     • On the previous slide, SAi carries the IKE SA algorithm proposals offered by the Initiator, and SAr the proposal the Responder selected from them.
  10. Diffie-Hellman key exchange
      • The Diffie-Hellman group used for the key exchange is decided by SAi/SAr in IKE_SA_INIT.
      • For a MODP group, p is the group's fixed large prime (the slide gives it as an explicit expression in powers of two and π, which did not survive extraction) and g its fixed generator.

      Initiator                                      Responder
      generate a random i, 1 < i < p                 generate a random r, 1 < r < p
      send g^i mod p as KEi                          send g^r mod p as KEr
      (g^r mod p)^i mod p = g^(ir) mod p             (g^i mod p)^r mod p = g^(ir) mod p
      is the shared secret                           is the shared secret

      • When p is large, computing g^(ir) mod p from p, g, g^i mod p and g^r mod p is believed to be infeasible (the discrete logarithm problem).
      • There are also groups based on elliptic-curve cryptography.
      Illustration © いらすとや
  11. Generating the IKE SA keys
      Definitions:
        prf(K, S): a function that produces a fixed-length pseudorandom value from K and S.
        prf+(K, S): a function that uses prf to produce more pseudorandom output than a single prf call (a stream of pseudorandom blocks).

      prf+ is defined as:
        prf+ (K,S) = T1 | T2 | T3 | T4 | ...
      where:
        T1 = prf (K, S | 0x01)
        T2 = prf (K, T1 | S | 0x02)
        T3 = prf (K, T2 | S | 0x03)
        T4 = prf (K, T3 | S | 0x04)
        ...
      (quoted from the IKEv2 RFC; the definition is in RFC 7296 section 2.13)

      • Compute g^(ir) with the Diffie-Hellman exchange above and use it as S; use Ni | Nr as K (for the initial IKE SA).
        ↓
      • Compute prf(K, S) = prf(Ni | Nr, g^ir) and call it SKEYSEED.
        ↓
      • Now let S = Ni | Nr | SPIi | SPIr (the SPIs are the identifiers written in HDR).
        ↓
      • Compute prf+(SKEYSEED, S) to obtain a stream of pseudorandom bytes.
        ↓
      • Cut the stream from the front into
          SK_d          (key used to derive the Child SA keys),
          SK_ai, SK_ar  (integrity keys for Initiator / Responder),
          SK_ei, SK_er  (encryption keys for Initiator / Responder),
          SK_pi, SK_pr  (keys used when computing AUTH).
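The two slides above (Diffie-Hellman, then SKEYSEED and the prf+ split) carried through in code, as an added example that is not part of the deck. HMAC-SHA256 stands in for the negotiated prf. Assumptions, all mine: the Diffie-Hellman group is a tiny constructed one so the numbers fit on screen (real IKEv2 negotiates a 2048-bit-or-larger MODP group or an elliptic-curve group); nonces and SPIs are constructed bytes; key lengths are 32 bytes, as for HMAC-SHA2-256 integrity and AES-256 encryption. Function names are mine.

```python
"""
Added example (not the deck's own code): the IKE SA key derivation from the
two slides above, with HMAC-SHA256 as the prf and a toy Diffie-Hellman group.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group -- NOT secure, for illustration only.
P = 2305843009213693951          # 2**61 - 1, a prime; real groups are >= 2048 bits
G = 3
P_BYTES = (P.bit_length() + 7) // 8


def dh_public(x):
    """KEi / KEr: g^x mod p."""
    return pow(G, x, P)


def dh_shared(peer_public, x):
    """(g^y mod p)^x mod p = g^(xy) mod p, the shared secret."""
    return pow(peer_public, x, P)


def prf(k, s):
    """prf(K, S): fixed-length pseudorandom output (here HMAC-SHA256, 32 bytes)."""
    return hmac.new(k, s, hashlib.sha256).digest()


def prf_plus(k, s, length):
    """prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(k, t + s + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_sa_keys(g_ir, ni, nr, spi_i, spi_r, key_len=32):
    """Slide 11 step by step: SKEYSEED, then the seven IKE SA keys."""
    s = g_ir.to_bytes(P_BYTES, "big")           # S = g^ir, fixed-width encoding
    k = ni + nr                                  # K = Ni | Nr  (initial IKE SA)
    skeyseed = prf(k, s)
    s = ni + nr + spi_i + spi_r                  # new S = Ni | Nr | SPIi | SPIr
    prf_len = len(skeyseed)
    # SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr, cut from the front
    lengths = [("SK_d", prf_len), ("SK_ai", key_len), ("SK_ar", key_len),
               ("SK_ei", key_len), ("SK_er", key_len),
               ("SK_pi", prf_len), ("SK_pr", prf_len)]
    stream = prf_plus(skeyseed, s, sum(n for _, n in lengths))
    keys, offset = {}, 0
    for name, n in lengths:
        keys[name] = stream[offset:offset + n]
        offset += n
    return skeyseed, keys


def run_exchange(i, r, ni, nr, spi_i, spi_r):
    """Both sides derive the same key set from their own exponent and the peer's KE."""
    ke_i, ke_r = dh_public(i), dh_public(r)      # carried in IKE_SA_INIT
    init_side = derive_ike_sa_keys(dh_shared(ke_r, i), ni, nr, spi_i, spi_r)
    resp_side = derive_ike_sa_keys(dh_shared(ke_i, r), ni, nr, spi_i, spi_r)
    return init_side, resp_side


if __name__ == "__main__":
    i = secrets.randbelow(P - 2) + 2
    r = secrets.randbelow(P - 2) + 2
    (seed, keys), (_, keys2) = run_exchange(i, r, secrets.token_bytes(32),
                                            secrets.token_bytes(32),
                                            secrets.token_bytes(8),
                                            secrets.token_bytes(8))
    assert keys == keys2
    print("SKEYSEED", seed.hex())
    for name, value in keys.items():
        print(name, value.hex())
```

Note where the nonces enter twice: first as the key of the prf that makes SKEYSEED, then as part of the seed of prf+ together with the SPIs, so two IKE SAs sharing the same Diffie-Hellman secret but different nonces or SPIs still end up with unrelated keys.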
  12. Authentication (EAP case)
      • Authentication of the Initiator as seen by the Responder
        • Uses MSCHAPv2, the same method used by PPP and the like.
        • PPTP, which also uses MSCHAPv2, has known weaknesses, but in IKEv2 the exchange runs inside the IKE SA, which protects it. That protection only holds if the client actually verifies the Responder's certificate; a client that skips the check hands its MSCHAPv2 challenge/response to whoever answers on UDP 500/4500.
        • The Responder sends a challenge; if the Initiator returns the correct response, authentication succeeds.
      • Authentication of the Responder as seen by the Initiator
        • The Responder signs the IKE_SA_INIT contents (and more) with its private key and sends the signature (AUTH) together with its certificate (CERT).
        • The Initiator validates that certificate against the CA's public key and checks the signature with the certificate's key, which authenticates the Responder.
  13. Rekeying SAs
      • Skipped here because it is tedious.
      • Done with the CREATE_CHILD_SA message.
      • Rekeying the IKE SA
        • Not done very often.
        • The existing Child SAs are moved over to the new IKE SA.
      • Rekeying a Child SA
        • Done more often than the IKE SA.
      • That is all it does, but the details are painful (mainly handling packet loss and errors).
      • Either the Initiator or the Responder may start CREATE_CHILD_SA, so the case where both start one at the same time also has to be handled.
  14. TSi/TSr (Traffic Selectors)
      • Specify what a Child SA protects:
        • address ranges
        • port ranges
      • In this example the Responder's configuration sets both TSi and TSr to 0.0.0.0/0, but once the Initiator is authenticated, TSi is narrowed to just the address assigned to that Initiator, as the installed flows show:

      ras# ipsecctl -s flow
      flow esp in from 192.168.11.246 to 0.0.0.0/0 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type use
      flow esp out from 0.0.0.0/0 to 192.168.11.246 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type require
      flow esp out from ::/0 to ::/0 type deny
  15. Beyond ESP
      • This talk only covered ESP, but IPsec also has AH and IPComp.
      • AH does not encrypt; it only guarantees integrity (that the packet was not modified in transit).
      • Long ago ESP only encrypted and gave no integrity guarantee, so when you needed integrity you combined it with AH. Once ESP gained integrity protection, AH was hardly ever used.
      • Security-wise, encryption without an integrity check is a bad idea anyway: ciphertext can be altered without detection and is exposed to padding-oracle style attacks.
      • IPComp compresses the payload.
  16. Beyond tunnel mode
      • This talk only covered tunnel mode, but IPsec also has transport mode.
      • In tunnel mode the IPsec device encapsulates the original IP packet and protects the whole thing; in transport mode only the contents of the communication between the IPsec devices is protected (only what is inside the original IP header).
      • The RFC says something to the effect that transport mode is the principled, end-to-end way, and personally I would rather not get involved with it:
        "This scenario enables the end-to-end security that has been a guiding principle for the Internet since [ARCH-PRINC], [TRANSPARENCY], and a method of limiting the inherent problems with complexity in networks noted by [ARCH-GUIDE-PHIL]"
        (RFC 4301, "Endpoint-to-Endpoint Transport Mode")
  17. Idealism vs. realism
      • "Remote access already has L2TP, so IPsec does not need it" → an address-assignment feature turned out to be nice to have after all.
      • "NAT is evil; AH and ESP are IP protocols in their own right" → too inconvenient; NAT traversal over UDP was added.
      • "Sometimes you want integrity without confidentiality, sometimes confidentiality without integrity, so combine AH and ESP as needed" → in practice only ESP was used, and integrity was added to it afterwards.
      • "The Internet must be end-to-end" → nobody uses transport mode.
      (These are my personal biases.)