Mocana Guide for VPNC IPsec Interoperability

Overview of Mocana NanoSec

Mocana delivers an open-standards-based, full-featured, RFC-compliant embedded IPsec and IKE solution that also offers IKEv1, IKEv2, MOBIKE and IPv6. Mocana NanoSec is high-performance, small-footprint software that resides on a device and provides data confidentiality, integrity and authentication between networked peers at the IP layer. Mocana NanoSec is uniquely architected with an asynchronous core to fully leverage hardware acceleration. It is ideally suited to securing voice, video and data networks.


Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

The IKE Phase 2 parameters used in Scenario 1 are:

To set up Gateway A for this scenario, use the following steps:


Windows XP Instructions

Note: Mocana Embedded IPsec/IKE is a source code based product that is platform independent. The following are instructions after the binaries are built specifically for the Windows platform.
  1. Install Passthru Driver
    - Go to Network Properties, click on Install > Service
    - Click on Have Disk and select %mocanadir%/Driver/netsf.inf and click OK
    - Click Continue until Driver is installed.

    Note: Please uninstall any existing Passthru Driver first.

  2. Disable Windows IPsec
    - Go to Control Panel > Administrative Tools > Services
    - Double-click on IPsec Services, and click on Stop.
    - Change Startup type to Disabled so that Windows will not automatically start the Windows IPsec service.

  3. Decrease MTU Size
    - Go to Start > Run > regedit to go to Registry Editor
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]
    - Double-click on MTU and set it to MTU size 1430 in decimal (if default is bigger than 1430)

    Note: The Mocana driver currently does NOT handle fragmentation. If the Mocana driver is the server, its outbound packets may be dropped if the packet size exceeds the MTU size.

  4. Enable TCP/IP Routing
    - Go to Start > Run > regedit to go to Registry Editor
    - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    - Double-click on IPEnableRouter and set it to 1
    - Reboot Windows

  5. Make sure the default route 0.0.0.0 uses Gateway A's address
    - Open Command Prompt and run route print
    - Make sure there is only one default route 0.0.0.0 to Gateway A's address, i.e. Network destination 0.0.0.0, Netmask 0.0.0.0, Gateway 14.15.16.17
    - If other 0.0.0.0 routes exist besides the one using 14.15.16.17, delete the rest, i.e. route delete 0.0.0.0 10.5.6.1

  6. Run Mocana IKE server
    - Open Command Prompt and go to %mocanadir% folder
    - For ikev1 run: ike.exe 14.15.16.17
    - For ikev2 run: ike.exe -v 2 14.15.16.17

    Note: Ctrl+C to kill ike.

  7. Configure IPsec policy using TestIOCTL
    - Open Command Prompt and go to the %mocanadir% folder
    - Run: TestIOCTL.exe /add t1.conf

    Note: t1.conf contains the IPsec policy. Please see the TestIOCTL utility section for more information.

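Why the 1430-byte MTU in step 3 leaves room for the tunnel: an added example (not Mocana code) that computes the outer packet size produced by ESP tunnel mode for the 3des/sha1 policy used in this guide, following RFC 4303 framing with HMAC-*-96 ICVs, and assuming a 1500-byte Ethernet MTU on the WAN side.

```python
# ESP tunnel-mode framing on IPv4 (RFC 4303): outer IP header, SPI+sequence
# number, IV, inner packet, padding to the cipher block, 2-byte trailer, ICV.
OUTER_IPV4_HDR = 20
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
CIPHER_BLOCK = {"3des": 8, "aes": 16, "blowfish": 8}   # CBC block size == IV size
ICV_LEN = {"sha1": 12, "md5": 12}                      # HMAC-*-96 truncated ICV

def esp_tunnel_size(inner_len, encr="3des", auth="sha1"):
    """Length of the outer IPv4 packet after inner_len bytes are ESP-tunneled."""
    block = CIPHER_BLOCK[encr]
    body = inner_len + ESP_TRAILER
    body += -body % block                    # pad up to the next block boundary
    return OUTER_IPV4_HDR + ESP_HDR + block + body + ICV_LEN[auth]

def max_inner_mtu(path_mtu=1500, encr="3des", auth="sha1"):
    """Largest inner MTU whose full-size packets still fit path_mtu once tunneled.
    esp_tunnel_size never decreases with inner_len, so the first fit from the top wins."""
    for mtu in range(path_mtu, 0, -1):
        if esp_tunnel_size(mtu, encr, auth) <= path_mtu:
            return mtu
    raise ValueError("path MTU %d is too small for ESP" % path_mtu)

# With the guide's 3des/sha1 policy an inner MTU of 1430 yields 1480-byte outer
# packets, comfortably under 1500; the exact ceiling is max_inner_mtu() == 1446.
```

Because the driver does not fragment, the inner MTU must satisfy esp_tunnel_size(mtu) <= path MTU for every hop on the WAN side, so a smaller path MTU (PPPoE, for example) calls for an even lower registry value.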
TestIOCTL Utility

# To add policy, use:
TestIOCTL /add t1.conf

# To display SA information, use:
TestIOCTL /dump

# To display SPD, use:
TestIOCTL /dump spd

# To flush/delete SPD, use:
TestIOCTL /flush spd

# To flush/delete SA, use:
TestIOCTL /flush

The t1.conf file contains the IPsec policy:
  { laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }


IKE New features

For help, run "ike ?"

  ike <option>* <ipaddr>*
    option:
      -m [mode]   sets or shows phase 1 exchange mode
      -p <ascii>  sets pre-shared key
      -v <num>    sets or shows IKE version
      -l <secs>   sets IKE_SA lifetime seconds
      -L <secs>   sets IPsec SA lifetime seconds
      -a [eap]    sets EAP authenticator protocol
      -s [eap]    sets EAP supplicant protocol
      -h          displays this help
      -o <file>   sets debug console output
      -w <secs>   sets socket wait time (in seconds)

    mode: { main | aggressive | m | a | M | A }
    eap : { aka | leap | md5 | mschapv2 | psk | radius | sim | srp | tls }


IPv6 support

Note: IPv6 support is added in Release 4.2

  2001:2::0/64                                            2001:3::0/64
      |                                                          |
    --|                                                          |--
      |     +-----------+     /-^-^-^-^--\     +-----------+     |
      |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
      |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
    --| 2001:2::1   2001:1::17           2001:1::25  2001:3::1   |--
      |                                                          |

  1. Install IPv6 in Windows
    C:\> ipv6 install

  2. Add IPv6 global address
    C:\> netsh interface ipv6 add address "Local Area Connection" 2001:1::17
    C:\> netsh interface ipv6 add address "Local Area Connection 2" 2001:2::1

  3. Enable IPv6 forwarding
    C:\> netsh interface ipv6 set interface "Local Area Connection" forwarding=enabled advertise=enabled
    C:\> netsh interface ipv6 set interface "Local Area Connection 2" forwarding=enabled advertise=enabled

  4. Add routes
    C:\> netsh interface ipv6 add route 2001:1::/64 "Local Area Connection" publish=yes
    C:\> netsh interface ipv6 add route 2001:2::/64 "Local Area Connection 2" publish=yes
    C:\> netsh interface ipv6 add route 2001:3::/64 "Local Area Connection" nexthop=2001:1::25 publish=yes

  5. Use ping6 to ping the other IPv6 gateway address and end point.
    i.e. ping6 2001:1::25

    or, if using a link-local address, append %<dest scopeid>:
    i.e. ping6 fe80::213:72ff:fec9:6a25%4

    Note: If ping6 doesn't work, you may have to reboot the machine to make sure the global address is in effect.

  6. Run Mocana IKE IPv6
    ike.exe 2001:1::17

    or, if you are using a link-local address, be sure to add the dest scope id:
    i.e. ike.exe fe80::213:72ff:fec9:8917%4

  7. Edit t1.conf to set IPv6 policies
    i.e. { laddr 2001:2::0/112 raddr 2001:3::0/112 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 2001:1::17 traddr 2001:1::25 }

  8. Configure IPsec policy using TestIOCTL
    TestIOCTL.exe /add t1.conf


Linux Instructions

Note: Mocana Embedded IPsec/IKE is a source code based product that is platform independent. The following are instructions after the binaries are built specifically for the Linux platform.
  1. Create Mocana devices (one time only)
    mknod /dev/moc_memdrv c 250 0
    mknod /dev/moc_ipsec c 103 1

  2. Set up the 2nd interface and route table
    /sbin/ifconfig eth1 <2nd interface ipaddr> netmask 255.255.255.0
    /sbin/route del default gw gateway1
    /sbin/route add -net <dest internal network> netmask 255.255.255.0 gw <dest gw ipaddr>

  3. Turn on IP forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

  4. Install Mocana loadable kernel modules
    /sbin/insmod moc_memdrv.ko
    /sbin/insmod moc_ipsec.ko

  5. Run Mocana IKE server
    ./ike <local gw address> &

    Note: For ikev2, use ./ike -v 2 <local gw address> &

  6. Load IPsec policy
    ./loadConfig -f <policy.conf>

Note: The setup scripts below only run steps 2-6. Please run step 1 manually.

Setup script for Gateway A, setup.gatewayA

  /sbin/ifconfig eth1 10.5.6.1 netmask 255.255.255.0
  /sbin/route del default gw gateway1
  /sbin/route add -net 172.23.9.0 netmask 255.255.255.0 gw 22.23.24.25
  echo "1" > /proc/sys/net/ipv4/ip_forward
  /sbin/insmod moc_memdrv.ko
  /sbin/insmod moc_ipsec.ko
  sleep 3
  ./ike 14.15.16.17 &
  ./loadConfig -f policyA.conf


Setup script for Gateway B, setup.gatewayB

  /sbin/ifconfig eth1 172.23.9.1 netmask 255.255.255.0
  /sbin/route del default gw gateway1
  /sbin/route add -net 10.5.6.0 netmask 255.255.255.0 gw 14.15.16.17
  echo "1" > /proc/sys/net/ipv4/ip_forward
  /sbin/insmod moc_memdrv.ko
  /sbin/insmod moc_ipsec.ko
  sleep 3
  ./ike 22.23.24.25 &
  ./loadConfig -f policyB.conf


IPv6 support

Note: IPv6 support is added in Release 4.2 and only for IKE with PF_KEY2

  2001:2::0/64                                            2001:3::0/64
      |                                                          |
    --|                                                          |--
      |     +-----------+     /-^-^-^-^--\     +-----------+     |
      |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
      |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
    --| 2001:2::1   2001:1::17           2001:1::25  2001:3::1   |--
      |                                                          |

  1. Make sure your Linux system is IPv6 ready
    ls /proc/net/if_inet6
    or
    /sbin/ifconfig
    and it should return inet6 information
    i.e. inet6 addr: fe80::213:72ff:fec9:8917/64 Scope:Link

  2. Add IPv6 global address
    /sbin/ip addr add 2001:1::17/64 dev eth0
    /sbin/ip addr add 2001:2::1/64 dev eth1

  3. Add proper route
    /sbin/ip -6 route add 2001:3::/64 via 2001:1::25

  4. Use ping6 to ping the other IPv6 gateway address.
    i.e. ping6 2001:1::25

    or, if you are using a link-local address, use
    i.e. ping6 fe80::213:72ff:fec9:6a25

  5. Run Mocana IKE IPv6
    ./ike 2001:1::17 &

    or, if you are using a link-local address, be sure to add the dest scope id:
    i.e. ike.exe fe80::213:72ff:fec9:8917%4

  6. Edit t1.conf to set IPv6 policies
    i.e. { laddr 2001:2::0/112 raddr 2001:3::0/112 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 2001:1::17 traddr 2001:1::25 }

  7. Configure IPsec policy using loadConfig
    ./loadConfig -f t1.conf


IPsec policy files

Policy format
=============
{laddr <local IP address> raddr <dest IP address> ulp [icmp|tcp|udp|any] } ipsec { encr_algs [3des|aes|blowfish|any]
encr_auth_algs [sha1|md5|any] tladdr <tunnel local address> traddr <tunnel dest address> }

Explanation:
laddr          : local IP address
raddr          : remote IP address
ulp            : upper layer protocol
ipsec          : policy applies in both directions; use permit/apply for a unidirectional policy
encr_algs      : encryption algorithm
encr_auth_algs : authentication algorithm
tladdr         : local gateway IP address
traddr         : remote gateway IP address

policyA.conf
=============
{laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }

policyB.conf
=============
{laddr 172.23.9.0/24 raddr 10.5.6.0/24 } ipsec { encr_algs 3des encr_auth_algs sha1 tladdr 22.23.24.25 traddr 14.15.16.17 }


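A policy file on one gateway is only useful if the peer's file is its mirror image, as policyA.conf and policyB.conf above are, and a typo in either is easy to miss. The following Python is an added example, not Mocana's code: it parses entries in the policy format described here (and in the t1.conf mention under the TestIOCTL utility), checks the keyword values against the lists in the format description, and reports every field in which gateway B's policy fails to mirror gateway A's. The sample strings are the guide's two policies plus a constructed, mistyped copy of policyB.conf.

```python
import re

# One policy entry, as in this guide's policy files:
#   {laddr A raddr B [ulp P]} ipsec { encr_algs X encr_auth_algs Y tladdr T traddr R }
_ENTRY = re.compile(r"\{(.*?)\}\s*(ipsec|permit|apply)\s*\{(.*?)\}", re.S)
_REQUIRED = ("laddr", "raddr", "encr_algs", "encr_auth_algs", "tladdr", "traddr")
_ALLOWED = {"encr_algs": {"3des", "aes", "blowfish", "any"},
            "encr_auth_algs": {"sha1", "md5", "any"},
            "ulp": {"icmp", "tcp", "udp", "any"}}

def parse_policy(text):
    """Return a list of dicts, one per policy entry found in text."""
    entries = []
    for selector, action, params in _ENTRY.findall(text):
        entry = {"action": action, "ulp": "any"}   # ulp is optional in the format
        for blob in (selector, params):
            toks = blob.split()
            if len(toks) % 2:
                raise ValueError("keyword without value in: %s" % blob.strip())
            entry.update(zip(toks[0::2], toks[1::2]))
        for key in _REQUIRED:
            if key not in entry:
                raise ValueError("policy entry is missing %s" % key)
        for key, allowed in _ALLOWED.items():
            if entry[key] not in allowed:
                raise ValueError("bad %s value: %s" % (key, entry[key]))
        entries.append(entry)
    return entries

def mirror_mismatches(policy_a, policy_b):
    """Fields where gateway B's first entry is not the mirror image of A's:
    selectors and tunnel endpoints swapped, algorithms and ulp identical."""
    a, b = parse_policy(policy_a)[0], parse_policy(policy_b)[0]
    expected = {"laddr": b["raddr"], "raddr": b["laddr"],
                "tladdr": b["traddr"], "traddr": b["tladdr"],
                "encr_algs": b["encr_algs"], "encr_auth_algs": b["encr_auth_algs"],
                "ulp": b["ulp"]}
    return [k for k, v in expected.items() if a[k] != v]

# Constructed samples: the guide's policyA.conf / policyB.conf pair, and a
# mistyped copy of B (wrong auth algorithm) to show the check failing.
POLICY_A = ("{laddr 10.5.6.0/24 raddr 172.23.9.0/24 } ipsec "
            "{ encr_algs 3des encr_auth_algs sha1 tladdr 14.15.16.17 traddr 22.23.24.25 }")
POLICY_B = ("{laddr 172.23.9.0/24 raddr 10.5.6.0/24 } ipsec "
            "{ encr_algs 3des encr_auth_algs sha1 tladdr 22.23.24.25 traddr 14.15.16.17 }")
POLICY_B_BAD = POLICY_B.replace("sha1", "md5")

if __name__ == "__main__":
    print(mirror_mismatches(POLICY_A, POLICY_B))      # []
    print(mirror_mismatches(POLICY_A, POLICY_B_BAD))  # ['encr_auth_algs']
```

The same parser accepts the IPv6 t1.conf entries shown in the IPv6 sections, since addresses are treated as opaque tokens.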
loadConfig application

loadConfig -f <policy.conf>   to load IPsec policy. It also flushes the SA and SPD before loading the new policy.
           -F                 flush SA
           -FP                flush SPD
           -d                 display key
           -dP                display policy
In Linux, loadConfig writes its output to /var/log/message. Run tail -f /var/log/message to see the output from loadConfig -d.


        Mocana Corporation 350 Sansome Street, Suite 1010, San Francisco, CA 94104. +1.415.617.0055