Initial build of the lab with 2*Raspberry Pi 4 and DUALCOMM ETAP-2003
Raspberry Pi Image Buster loaded onto RPI4. In RPI Imager setup Wifi and user account so could SSH from home LAN to RPI’s. Matched hostname to labels printed, node0 and node1.
Configured the ethernet interfaces to static IP’s for a point-to-point link
-172.160.0.1---172.16.0.2
/etc/dhcpcd.conf
interface eth0
static ip_address=172.16.0.1/24
#static routers=8.0.1
static domain_name_servers=8.8.8.8 Rebooted and tested basic IPv4 networking between hosts, i.e. ping 172.16.0.1 from .2
ping -c 1 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=0.931 ms
--- 172.16.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.931/0.931/0.931/0.000 ms
Connected ETAP and confirmed packets passing over TAP device, the device that will perform the packet inspection is yet to be built (awaiting SD card), this will be a Desktop version of Debian/Ubuntu to allow wireshark/GNURadio to be used to communicate with the TAP device and HackRF device.
Installed strongswan and created certificates, first iteration is a host-to-host IPSEC connection using PSK.
apt install strongswan strongswan-pki -y
# Create Root CA
pki --self --ca --lifetime 3652 --in strongswanKey.pem \
--dn "C=GB, O=knipmeyer-it-testlab, CN=TestLab Knipmeyer IT Root CA" \
--outform pem > TestLabCert.pem
# Create Req for host, note the SAN values in the csr
pki --req --type priv --in node0Key.pem \
--dn "C=GB, O=knipmeyer-it-testlab, CN=node0.testlab.knipmeyer-it.ltd" \
--san node0.testlab.knipmeyer-it.ltd --san 172.16.0.0.1 --outform pem > node0Req.pem
# Sign Req for Host
pki --issue --cacert TestLabCert.pem --cakey strongswanKey.pem \
--type pkcs10 --in node0Req.pem --serial 01 --lifetime 1826 \
--outform pem --flag serverAuth > node0Cert.pem
# Put certs in correct place
cp TestLabCert.pem /etc/ipsec.d/cacerts/
cp node0Cert.pem /etc/ipsec.d/certs/
cp node0Key.pem /etc/ipsec.d/private/
# Repeat for node1
pki --gen --type ed25519 --outform pem > node1Key.pem
pki --gen --type rsa --size 3072 > node1Key.der
pki --req --type priv --in node1Key.pem \
--dn "C=GB, O=knipmeyer-it-testlab, CN=node1.testlab.knipmeyer-it.ltd" \
--san node1.testlab.knipmeyer-it.ltd --san 172.16.0.0.2 --outform pem > node1Req.pem
pki --issue --cacert TestLabCert.pem --cakey strongswanKey.pem \
--type pkcs10 --in node1Req.pem --serial 01 --lifetime 1826 \
--outform pem --flag serverAuth > node1Cert.pem
# SCP Node1 Certs (CA, Node1 Key, Node1 Cert)Strongstrong configuration for host-to-host (no network behind, IPSEC over eth0)
config setup
conn node0-node1
authby=secret
auto=route
keyexchange=ike
left=172.16.0.1
right=172.16.0.2
type=transport
esp=aes128gcm16!
# node1
config setup
conn node1-node0
authby=secret
auto=route
keyexchange=ike
left=172.16.0.2
right=172.16.0.1
type=transport
esp=aes128gcm16!
# /etc/ipsec.secrets
172.16.0.1 172.16.0.2 : PSK "simplepassword"
# reboot
rebootUpon reboot the following error –
allocating SPI failed: Operation not supported (95)
unable to get SPI
unable to allocate SPIs from kernelThis is due to 64 bit version of Debian running 32 bit IPSec (Charon) fix from pi forums
#add to /boot/config.txt (both nodes)
#end of file after all other entries is fine
arm_64bit=0
reboot
Monitor ipsec status, notice there is no ipsec0 interface, as eth0 is used to establish the ipsec tunnel
watch ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 6.1.21-v7l+, armv7l):
uptime: 3 hours, since Dec 10 17:33:36 2023
malloc: sbrk 1343488, mmap 0, used 472856, free 870632
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs
8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-defa
ult connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
172.16.0.2
192.168.1.3
Connections:
node1-node0: 172.16.0.2...172.16.0.1 IKEv1/2
node1-node0: local: [172.16.0.2] uses pre-shared key authentication
node1-node0: remote: [172.16.0.1] uses pre-shared key authentication
node1-node0: child: dynamic === dynamic TRANSPORT
Routed Connections:
node1-node0{1}: ROUTED, TRANSPORT, reqid 1
node1-node0{1}: 172.16.0.2/32 === 172.16.0.1/32
Security Associations (1 up, 0 connecting):
node1-node0[5]: ESTABLISHED 29 minutes ago, 172.16.0.2[172.16.0.2]...172.16.0.1[172.16.0.1]
node1-node0[5]: IKEv2 SPIs: 679efab9abc11b8f_i 8250a21f18bbd528_r*, pre-shared key re-authentication in 2 hours
node1-node0[5]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
node1-node0{9}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c2339191_i c8878edc_o
node1-node0{9}: AES_GCM_16_128, 64 bytes_i (1 pkt, 741s ago), 64 bytes_o (1 pkt, 741s ago), rekeying in 16 minutes
node1-node0{9}: 172.16.0.2/32 === 172.16.0.1/32Test traffic is encapsulated
#node1 ping to node0
root@node1:/home/alan# ping -c 3 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.439 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.436 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=0.353 ms
--- 172.16.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2043ms
rtt min/avg/max/mdev = 0.353/0.409/0.439/0.039 ms
# tcpdump node0
tcpdump -i eth0 esp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:51:39.165606 IP node1-eth0 > node0-eth0: ESP(spi=0xc8878edc,seq=0x2), length 100
20:51:39.165798 IP node0-eth0 > node1-eth0: ESP(spi=0xc2339191,seq=0x2), length 100
20:51:40.225107 IP node1-eth0 > node0-eth0: ESP(spi=0xc8878edc,seq=0x3), length 100
20:51:40.225340 IP node0-eth0 > node1-eth0: ESP(spi=0xc2339191,seq=0x3), length 100This completes the initial setup of the lab IPSEC tunnel.