Mocana Guide for VPNC IPsec Interoperability

Overview of Mocana NanoSec

NanoSec is Mocana's ultra-optimized, microfootprint IPsec/IKE solution, designed to speed product development while providing best-in-class device security services for resource-constrained environments. It is also surprisingly affordable: the total cost of ownership of NanoSec is usually substantially lower than that of an open source alternative. The latest NanoSec features include NSA Suite B support, RFC 4301 compliance, certificate management client integration, hardware acceleration support, PKCS #8 support, Dead Peer Detection, IKEv2, IPv6, MOBIKE and XAUTH.


Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

The IKE Phase 2 parameters used in Scenario 1 are:

To set up Gateway A for this scenario, use the following steps:


Windows XP Instructions

Note: Mocana Embedded IPsec/IKE is a source-code product that is platform independent. The following instructions apply after the binaries have been built specifically for the Windows platform.
  1. Install Passthru Driver
    - Go to Network Properties, click on Install > Service
    - Click on Have Disk and select %mocanadir%/Driver/netsf.inf and click OK
    - Click Continue until Driver is installed.

    Note: Uninstall any existing Passthru driver before installing this one.

  2. Disable Windows IPsec
    - Go to Control Panel > Administrative Tools > Services
    - Double-click on IPsec Services, and click on Stop.
    - Change Startup type to Disabled so that Windows does not start its own IPsec service automatically.

  3. Decrease MTU Size
    - Go to Start > Run > regedit to go to Registry Editor
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]
    - Double-click on MTU and set it to 1430 (decimal) if the current value is larger than 1430

    Note: The Mocana driver does not yet handle fragmentation. If the Mocana driver is the server, its outbound packets may be dropped when their size exceeds the MTU.

  4. Disable PMTU Discovery
    - Go to Start > Run > regedit to go to Registry Editor
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    - Edit "EnablePMTUDiscovery" and set it to 0. If "EnablePMTUDiscovery" does not exist, create it as a new DWORD and set it to 0

  5. Enable TCP/IP Routing
    - Go to Start > Run > regedit to go to Registry Editor
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    - Double-click on IPEnableRouter and set it to 1
    - Reboot Windows

  6. Make sure Default route 0.0.0.0 is using Gateway A address
    - Open Command Prompt and run route print
    - Make sure there is only one default route (0.0.0.0) and that it uses the Gateway A address, e.g. Network destination 0.0.0.0, Netmask 0.0.0.0, Gateway 14.15.16.17
    - If other 0.0.0.0 routes exist besides the one via 14.15.16.17, delete them, e.g. route delete 0.0.0.0 10.5.6.1

  7. Run Mocana IKE server
    - Open Command Prompt and go to %mocanadir% folder
    - For ikev1 run: ike.exe -p "hr5xb84l6aa9r6" 14.15.16.17
    - For ikev2 run: ike.exe -v 2 -p "hr5xb84l6aa9r6" 14.15.16.17

    Note: Press Ctrl+C to stop ike. The key shown with -p is only an example value: a PSK passed on the command line is visible to other local users in the process list and is kept in the command history, so use your own long, random PSK.

  8. Configure IPsec policy using TestIOCTL
    - Open Command Prompt and go to the %mocanadir% folder
    - Run: TestIOCTL.exe /add t1.conf

    Note: t1.conf contains the IPsec policy. See the TestIOCTL utility section below for more information.

TestIOCTL Utility

# To Add policy, use:
TestIOCTL /add t1.conf

# To display SA information, use:
TestIOCTL /dump

# To display SPD, use:
TestIOCTL /dump spd

# To flush/delete SPD, use:
TestIOCTL /flush spd

# To flush/delete SA, use:
TestIOCTL /flush
  • The t1.conf file contains the IPsec policy, for example:
     { laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec {  encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }
    
    

    IKE New features

    For help, run "ike ?"
    
    ike <option>* <ipaddr>*
      option:
        -c <ipaddr>     initiates connection
        -d [mins]       sets or shows DPD interval (in minutes)
        -p <ascii>  sets pre-shared key
        -v <num>    sets or shows IKE version
    
        -g <dh|0>       sets DH group; 0=default
        -G <dh|0|-1>    sets PFS; 0=no PFS, -1=parent DH group
        -l <secs>   sets IKE_SA lifetime seconds
        -L <secs>   sets IPsec SA lifetime seconds
        -a [eap]    sets EAP authenticator protocol
        -s [eap]    sets EAP supplicant protocol
        -h          displays this help
        -w <secs>   sets socket wait time (in seconds)
    
      dh: { 1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 }
      eap : { aka | leap | md5 | mschapv2 | psk | radius | sim | srp | tls }
    
    

    IPv6 support

    Note: IPv6 support is added in Release 4.2 and later
      2001:2::0/64                                            2001:3::0/64
          |                                                          |
        --|                                                          |--
          |     +-----------+     /-^-^-^-^--\     +-----------+     |
          |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
          |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
        --| 2001:2::1   2001:1::17           2001:1::25  2001:3::1   |--
          |                                                          |
      

    1. Install IPv6 in Windows
         C:\> ipv6 install
      

    2. Add IPv6 global address
         C:\> netsh interface ipv6 add address "Local Area Connection" 2001:1::17
         C:\> netsh interface ipv6 add address "Local Area Connection 2" 2001:2::1
      

    3. Enable IPv6 forwarding
         C:\> netsh interface ipv6 set interface "Local Area Connection" forwarding=enabled advertise=enabled
      

    4. Add routes
         C:\> netsh interface ipv6 add route 2001:1::/64 "Local Area Connection" publish=yes
         C:\> netsh interface ipv6 add route 2001:2::/64 "Local Area Connection 2" publish=yes
         C:\> netsh interface ipv6 add route 2001:3::/64 "Local Area Connection" nexthop=2001:1::25 publish=yes
      

    5. Use Ping6 to ping the other IPv6 gateway address and end point.
         i.e. ping6 2001:1::25
      
      or, if using a link-local address, append %<dest scope id>:
         i.e. ping6 fe80::213:72ff:fec9:6a25%4
      
      Note: If ping6 doesn't work, you might have to reboot the machine to make sure the global address is in effect.

    6. Run Mocana IKE IPv6
         ike.exe -p "hr5xb84l6aa9r6" 2001:1::17
      
      or, if you are using a link-local address, be sure to add the dest scope id:
         i.e. ike.exe -p "hr5xb84l6aa9r6" fe80::213:72ff:fec9:8917%4
      

    7. Edit t1.conf to set IPv6 policies
           i.e. { laddr 2001:2::0/64 raddr 2001:3::0/64} ipsec { encr_algs aes encr_auth_algs sha1 tladdr 2001:1::17 traddr 2001:1::25}
      
    8. Configure IPsec policy using TestIOCTL
           TestIOCTL.exe /add t1.conf
      

    Linux Instructions

    Note: Mocana Embedded IPsec/IKE is a source-code product that is platform independent. The following instructions apply after the binaries have been built specifically for the Linux platform.
    1. Create Mocana devices (Run one time only after bootup/reboot)
      mknod /dev/moc_memdrv c 255 0
      mknod /dev/moc_ipsec c 103 1
      

    2. Setup 2nd interface and route table
      /sbin/ifconfig eth1 <2nd interface ipaddr> netmask 255.255.255.0
      /sbin/route add -net <dest internal network> netmask 255.255.255.0 gw <dest gw ipaddr>
      
      Note: Run /sbin/route to check whether there is more than one default route. If there is, delete the eth1 default route,
      e.g. /sbin/route del default gw gateway1
      

    3. Turn on IP forwarding
      echo "1" > /proc/sys/net/ipv4/ip_forward
      

    4. Install Mocana loadable kernel module
      /sbin/insmod moc_memdrv.ko
      /sbin/insmod moc_ipsec.ko
      

    5. Run Mocana IKE server
      ./ike -p "hr5xb84l6aa9r6" <local gw address> &
      
      Note: For IKEv2, use ./ike -v 2 -p "hr5xb84l6aa9r6" <local gw address> &
      As on Windows, the PSK given with -p is visible in the process list (ps) and in the shell history; the value above is an example only.

    6. Load IPsec policy
      ./loadConfig -f <policy.conf>
      
    Note: The setup scripts below run only steps 2-6. Run step 1 manually.

    Setup script for Gateway A, setup.gatewayA

    /sbin/ifconfig eth1 10.5.6.1 netmask 255.255.255.0
    /sbin/route add -net 172.23.9.0 netmask 255.255.255.0 gw 22.23.24.25
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/insmod moc_memdrv.ko
    /sbin/insmod moc_ipsec.ko
    sleep 3
    ./ike -p "hr5xb84l6aa9r6" 14.15.16.17 &
    ./loadConfig -f policyA.conf
    

    Setup script for Gateway B, setup.gatewayB

    /sbin/ifconfig eth1 172.23.9.1 netmask 255.255.255.0
    /sbin/route add -net 10.5.6.0 netmask 255.255.255.0 gw 14.15.16.17
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/insmod moc_memdrv.ko
    /sbin/insmod moc_ipsec.ko
    sleep 3
    ./ike -p "hr5xb84l6aa9r6" 22.23.24.25 &
    ./loadConfig -f policyB.conf
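The setup scripts above assume that steps 1-3 left the host in the right state (Mocana devices present, a single default route, IP forwarding on). The following preflight script is an added example, not part of the Mocana package: it checks those preconditions before ike and loadConfig are started, so that a missing mknod or a stray second default route is reported instead of showing up later as an IPsec tunnel that never passes traffic. The route-table parsers take their input as text so they can be exercised offline; the sample table is constructed here, and the upstream router address 14.15.16.1 and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not a Mocana tool): preflight checks for a Linux gateway
# before running setup.gatewayA / setup.gatewayB.

# Count default routes in "route -n", "route" or "ip route" output.
# route -n prints the default destination as 0.0.0.0, the others as "default".
count_default_routes() {
    awk '$1 == "0.0.0.0" || $1 == "default" { n++ } END { print n + 0 }'
}

# Print the gateway of every default route found, one per line.
default_gateways() {
    awk '$1 == "0.0.0.0" || $1 == "default" {
            # "route -n": <dest> <gw> ...    "ip route": default via <gw> ...
            if ($2 == "via") print $3; else print $2
         }'
}

# Return 0 when exactly one default route exists and it points at the
# expected upstream gateway; otherwise report what was found and return 1.
check_default_route() {   # $1 = expected gateway, route table on stdin
    expected=$1
    table=$(cat)
    n=$(printf '%s\n' "$table" | count_default_routes)
    gws=$(printf '%s\n' "$table" | default_gateways)
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n default routes (want exactly 1): $gws" >&2
        return 1
    fi
    if [ "$gws" != "$expected" ]; then
        echo "FAIL: default route via $gws, expected $expected" >&2
        return 1
    fi
    return 0
}

# Check the value of /proc/sys/net/ipv4/ip_forward (read from stdin).
check_ip_forward() {
    read -r v
    [ "$v" = "1" ]
}

# Live checks against the running host; needs the modules and devices
# from steps 1 and 4 of the Linux instructions.
preflight() {              # $1 = expected upstream gateway
    rc=0
    route -n | check_default_route "$1" || rc=1
    check_ip_forward < /proc/sys/net/ipv4/ip_forward || { echo "FAIL: ip_forward is 0" >&2; rc=1; }
    for m in moc_memdrv moc_ipsec; do
        lsmod | awk '{print $1}' | grep -qx "$m" || { echo "FAIL: module $m not loaded" >&2; rc=1; }
    done
    for d in /dev/moc_memdrv /dev/moc_ipsec; do
        [ -c "$d" ] || { echo "FAIL: $d missing (step 1, mknod)" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample tables (not captured from a real host). 14.15.16.1 is an
# assumed upstream router on Gateway A's WAN segment.
SAMPLE_ONE_DEFAULT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         14.15.16.1      0.0.0.0         UG    0      0        0 eth0
10.5.6.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.23.9.0      22.23.24.25     255.255.255.0   UG    0      0        0 eth0'

SAMPLE_TWO_DEFAULTS="$SAMPLE_ONE_DEFAULT
0.0.0.0         10.5.6.254      0.0.0.0         UG    0      0        0 eth1"

# Usage on the gateway itself:  sh preflight.sh --live 14.15.16.1
if [ "${1:-}" = "--live" ]; then
    preflight "${2:?upstream gateway address required}"
fi
```

Run it with --live and the upstream router address before invoking the setup script; a non-zero exit means at least one precondition from the numbered steps above is not met.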
    

    To cleanup IKE and IPSEC

     # killall ike
       -> to kill ike process
    
      # rmmod moc_ipsec
        -> to remove ipsec_modules
    
    Note: If ike is running in the foreground, press Ctrl+\ to kill it.
    

    IPv6 support

    Note: IPv6 Linux support was added after Release 5.3.1
      2001:2::0/64                                            2001:3::0/64
          |                                                          |
        --|                                                          |--
          |     +-----------+     /-^-^-^-^--\     +-----------+     |
          |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
          |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
        --| 2001:2::1   2001:1::17           2001:1::25  2001:3::1   |--
          |                                                          |
      

    1. Make sure your Linux system is IPv6 ready
         ls /proc/net/if_inet6
      or
         /sbin/ifconfig
      and it should return inet6 information
         i.e. inet6 addr: fe80::213:72ff:fec9:8917/64 Scope:Link
      

    2. Add IPv6 global address
         /sbin/ip addr add 2001:1::17/64 dev eth0
         /sbin/ip addr add 2001:2::1/64 dev eth1
      

    3. Add proper route and enable ipv6 forwarding
         /sbin/ip -6 route add 2001:3::/64 via 2001:1::25
         echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
      

    4. Use Ping6 to ping the other IPv6 gateway address.
         i.e. ping6 2001:1::25
      
      or, if you are using a link-local address:
         i.e. ping6 fe80::213:72ff:fec9:6a25
      

    5. Run Mocana IKE IPv6
         ./ike -p "hr5xb84l6aa9r6" 2001:1::17 &
      
      or, if you are using a link-local address, be sure to add the dest scope id (the interface index on Linux):
         i.e. ./ike -p "hr5xb84l6aa9r6" fe80::213:72ff:fec9:8917%4 &
      

    6. Edit t1.conf to set IPv6 policies
           i.e. { laddr 2001:2::0/64 raddr 2001:3::0/64 } ipsec { encr_algs aes encr_auth_algs sha1 tladdr 2001:1::17 traddr 2001:1::25}
      
    7. Configure IPsec policy using loadConfig
           ./loadConfig -f t1.conf
      

    IPsec policy files

    Policy format
    =============
    {laddr <local IP address> raddr <dest IP address> ulp [icmp|tcp|udp|any] } ipsec { encr_algs [3des|aes|blowfish|any]
    encr_auth_algs [sha1|md5|any] tladdr <tunnel local address> traddr <tunnel dest address> }
    
    Explanation:
    laddr          : local IP address (host or prefix)
    raddr          : remote IP address (host or prefix)
    ulp            : upper layer protocol
    ipsec          : apply the policy in both directions; use permit/apply instead for a unidirectional policy
    encr_algs      : encryption algorithm (3des and blowfish are legacy choices; prefer aes when both peers support it)
    encr_auth_algs : authentication (integrity) algorithm (md5 is a legacy choice; prefer sha1)
    tladdr         : local gateway IP address (tunnel endpoint)
    traddr         : remote gateway IP address (tunnel endpoint)
    
    policyA.conf
    =============
    {laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }
    
    policyB.conf
    =============
    {laddr 172.23.9.0/24 raddr 10.5.6.0/24 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 22.23.24.25 traddr 14.15.16.17 }
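policyA.conf and policyB.conf must be exact mirrors of each other: the selectors (laddr/raddr) and tunnel endpoints (tladdr/traddr) swap sides, while the algorithms stay the same, and a typo on one side is the usual reason a gateway-to-gateway tunnel negotiates but passes no traffic. The script below is an added example, not a Mocana tool: it generates both lines from one set of Gateway A parameters in the policy format documented above, rejects algorithm names and addresses the format does not allow, and warns about the legacy algorithm choices. It also accepts the IPv6 prefixes used in the IPv6 sections, which goes beyond the IPv4 Scenario 1 files. The function names, the /tmp file and the loose IPv6 syntax check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not a Mocana tool): generate matching policyA.conf and
# policyB.conf entries for a gateway-to-gateway tunnel.

# Algorithm names the policy format above accepts.
ENCR_ALGS="3des aes blowfish any"
AUTH_ALGS="sha1 md5 any"

in_list() {   # $1 = word, $2 = space-separated list
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Loose syntax check: dotted quad with optional /0-32, or an IPv6 literal
# (contains a colon) with optional /0-128. Not a full address validator.
is_addr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F:]*:[0-9a-fA-F:]*(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'
}

# emit_policy LADDR RADDR TLADDR TRADDR ENCR AUTH
# Prints one bidirectional ("ipsec") policy entry.
emit_policy() {
    laddr=$1 raddr=$2 tladdr=$3 traddr=$4 encr=$5 auth=$6
    for a in "$laddr" "$raddr" "$tladdr" "$traddr"; do
        is_addr "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    in_list "$encr" "$ENCR_ALGS" || { echo "bad encr_algs: $encr" >&2; return 1; }
    in_list "$auth" "$AUTH_ALGS" || { echo "bad encr_auth_algs: $auth" >&2; return 1; }
    # Tunnel endpoints are gateway addresses, not prefixes.
    case "$tladdr$traddr" in
        */*) echo "tunnel endpoints must not carry a prefix length" >&2; return 1;;
    esac
    printf '{laddr %s raddr %s } ipsec { encr_algs %s encr_auth_algs %s tladdr %s traddr %s }\n' \
        "$laddr" "$raddr" "$encr" "$auth" "$tladdr" "$traddr"
}

# Given Gateway A's parameters, print A's policy on line 1 and the mirrored
# policy for Gateway B on line 2, so the two files cannot drift apart.
emit_pair() {   # LADDR RADDR TLADDR TRADDR ENCR AUTH
    emit_policy "$1" "$2" "$3" "$4" "$5" "$6" || return 1
    emit_policy "$2" "$1" "$4" "$3" "$5" "$6"
}

# Warn (do not fail) on the legacy algorithms the format still accepts.
legacy_warning() {   # ENCR AUTH
    case "$1" in 3des|blowfish) echo "note: $1 is a legacy cipher; prefer aes when both peers support it";; esac
    case "$2" in md5) echo "note: md5 is a legacy integrity algorithm; prefer sha1";; esac
}

# Usage:  sh genpolicy.sh --write   (Scenario 1 values from this guide)
if [ "${1:-}" = "--write" ]; then
    tmp=/tmp/policies.$$
    emit_pair 10.5.6.0/24 172.23.9.0/24 14.15.16.17 22.23.24.25 3des sha1 > "$tmp" || exit 1
    sed -n 1p "$tmp" > policyA.conf
    sed -n 2p "$tmp" > policyB.conf
    rm -f "$tmp"
    legacy_warning 3des sha1
fi
```

Copy policyA.conf to Gateway A and policyB.conf to Gateway B and load each with ./loadConfig -f as in step 6; loadConfig flushes the existing SA and SPD first, so a corrected pair replaces the old policies cleanly.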
    

    loadConfig application

    loadConfig -f <policy.conf>   loads an IPsec policy. It also flushes the SA and SPD before loading the new policy.
               -F                 flush SA
               -FP                flush SPD
               -d                 display key
               -dP                display policy
    On Linux, loadConfig writes its output to /var/log/messages. Run tail -f /var/log/messages or dmesg to see the output from loadConfig.
    

    Mocana Corporation 350 Sansome Street, Suite 1010, San Francisco, CA 94104. +1.415.617.0055