{"id":261,"date":"2023-12-10T20:54:11","date_gmt":"2023-12-10T20:54:11","guid":{"rendered":"https:\/\/www.alanknipmeyer.phd\/?p=261"},"modified":"2023-12-10T20:54:11","modified_gmt":"2023-12-10T20:54:11","slug":"lab-build-10-12-23","status":"publish","type":"post","link":"https:\/\/www.alanknipmeyer.phd\/index.php\/2023\/12\/10\/lab-build-10-12-23\/","title":{"rendered":"Lab build 10\/12\/23"},"content":{"rendered":"\n<p>Initial build of the lab with 2*Raspberry Pi 4 and DUALCOMM ETAP-2003<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"768\" data-id=\"264\" src=\"https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1671-scaled-e1702240170596-1024x768.jpg\" alt=\"\" class=\"wp-image-264\" srcset=\"https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1671-scaled-e1702240170596-1024x768.jpg 1024w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1671-scaled-e1702240170596-300x225.jpg 300w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1671-scaled-e1702240170596-768x576.jpg 768w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1671-scaled-e1702240170596-1536x1152.jpg 1536w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1671-scaled-e1702240170596-2048x1536.jpg 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">ETAP between RPI4<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"768\" data-id=\"263\" src=\"https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1672-1024x768.jpg\" alt=\"\" class=\"wp-image-263\" srcset=\"https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1672-1024x768.jpg 
1024w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1672-300x225.jpg 300w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1672-768x576.jpg 768w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1672-1536x1152.jpg 1536w, https:\/\/www.alanknipmeyer.phd\/wp-content\/uploads\/2023\/12\/IMG_1672-2048x1536.jpg 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">ETAP Status lights<\/figcaption><\/figure>\n<\/figure>\n\n\n\n<p>Raspberry Pi OS (Buster) image loaded onto the RPI4s. In RPI Imager, set up Wifi and a user account so that the RPIs could be reached over SSH from the home LAN. Matched the hostnames to the printed labels, node0 and node1.<\/p>\n\n\n\n<p>Configured the ethernet interfaces with static IPs for a point-to-point link (node0 is 172.16.0.1, node1 is 172.16.0.2):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;node0-eth0&gt;-172.16.0.1---172.16.0.2-&lt;node1-eth0&gt;\n\n# \/etc\/dhcpcd.conf on node0 (node1 uses static ip_address=172.16.0.2\/24)\ninterface eth0\nstatic ip_address=172.16.0.1\/24\n#static routers=8.0.1\nstatic domain_name_servers=8.8.8.8<\/code><\/pre>\n\n\n\n<p>Rebooted and tested basic IPv4 networking between the hosts, i.e. ping one node from the other:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping -c 1 172.16.0.2\nPING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.\n64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=0.931 ms\n\n--- 172.16.0.2 ping statistics ---\n1 packets transmitted, 1 received, 0% packet loss, time 0ms\nrtt min\/avg\/max\/mdev = 0.931\/0.931\/0.931\/0.000 ms\n<\/code><\/pre>\n\n\n\n<p>Connected the ETAP and confirmed packets passing over the TAP device. The device that will perform the packet inspection is yet to be built (awaiting an SD card); it will run a desktop version of Debian\/Ubuntu so that Wireshark and GNU Radio can be used with the TAP device and the HackRF device.<\/p>\n\n\n\n<p>Installed strongSwan and created certificates. The first iteration is a host-to-host IPsec connection using a PSK, so the certificates are not yet used by the connection below.<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>apt install strongswan strongswan-pki -y\n\n# Create Root CA key and self-signed CA cert\npki --gen --type rsa --size 3072 --outform pem > strongswanKey.pem\npki --self --ca --lifetime 3652 --in strongswanKey.pem \\\n           --dn \"C=GB, O=knipmeyer-it-testlab, CN=TestLab Knipmeyer IT Root CA\" \\\n           --outform pem > TestLabCert.pem\n# Create host key and Req for host, note the SAN values in the csr\npki --gen --type ed25519 --outform pem > node0Key.pem\npki --req --type priv --in node0Key.pem \\\n          --dn \"C=GB, O=knipmeyer-it-testlab, CN=node0.testlab.knipmeyer-it.ltd\" \\\n          --san node0.testlab.knipmeyer-it.ltd --san 172.16.0.1 --outform pem > node0Req.pem\n# Sign Req for Host\npki --issue --cacert TestLabCert.pem --cakey strongswanKey.pem \\\n            --type pkcs10 --in node0Req.pem --serial 01 --lifetime 1826 \\\n            --outform pem --flag serverAuth > node0Cert.pem\n# Put certs in correct place\ncp TestLabCert.pem \/etc\/ipsec.d\/cacerts\/\ncp node0Cert.pem \/etc\/ipsec.d\/certs\/\ncp node0Key.pem \/etc\/ipsec.d\/private\/\n# Repeat for node1 (each cert issued by the CA gets its own serial)\npki --gen --type ed25519 --outform pem > node1Key.pem\n# alternative RSA key: pki --gen --type rsa --size 3072 --outform der > node1Key.der\npki --req --type priv --in node1Key.pem \\\n          --dn \"C=GB, O=knipmeyer-it-testlab, CN=node1.testlab.knipmeyer-it.ltd\" \\\n          --san node1.testlab.knipmeyer-it.ltd --san 172.16.0.2 --outform pem > node1Req.pem\npki --issue --cacert TestLabCert.pem --cakey strongswanKey.pem \\\n            --type pkcs10 --in node1Req.pem --serial 02 --lifetime 1826 \\\n            --outform pem --flag serverAuth > node1Cert.pem\n# SCP Node1 Certs (CA, Node1 Key, Node1 Cert) to node1 and place them as above<\/code><\/pre>\n\n\n\n<p>strongSwan configuration for host-to-host transport mode (no network behind either node; IPsec runs directly over eth0):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># node0 \/etc\/ipsec.conf\nconfig setup\nconn node0-node1\n    authby=secret\n    auto=route\n    keyexchange=ike\n    left=172.16.0.1\n    right=172.16.0.2\n    type=transport\n    esp=aes128gcm16!\n# node1 \/etc\/ipsec.conf\nconfig setup\nconn node1-node0\n    authby=secret\n    auto=route\n    keyexchange=ike\n    left=172.16.0.2\n    right=172.16.0.1\n    type=transport\n    esp=aes128gcm16!\n# \/etc\/ipsec.secrets (same on both nodes)\n172.16.0.1 172.16.0.2 : PSK \"simplepassword\"\n# reboot\nreboot<\/code><\/pre>\n\n\n\n
<p>Upon reboot the following error appeared &#8211;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>allocating SPI failed: Operation not supported (95)\nunable to get SPI\nunable to allocate SPIs from kernel<\/code><\/pre>\n\n\n\n<p>This is due to the 64-bit kernel being booted with the 32-bit IPsec daemon (charon); the fix, from the <a href=\"https:\/\/forums.raspberrypi.com\/viewtopic.php?t=344246&#038;start=350\">pi forums<\/a>, is to boot the 32-bit kernel instead:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># add to \/boot\/config.txt (both nodes)\n# end of file after all other entries is fine\narm_64bit=0\nreboot\n<\/code><\/pre>\n\n\n\n<p>Monitor the IPsec status. Note there is no ipsec0 interface: in transport mode the ESP traffic goes directly over eth0.<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code>watch ipsec statusall\nStatus of IKE charon daemon (strongSwan 5.9.1, Linux 6.1.21-v7l+, armv7l):\n  uptime: 3 hours, since Dec 10 17:33:36 2023\n  malloc: sbrk 1343488, mmap 0, used 472856, free 870632\n  worker threads: 11 of 16 idle, 5\/0\/0\/0 working, job queue: 0\/0\/0\/0, scheduled: 4\n  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters\nListening IP addresses:\n  172.16.0.2\n  192.168.1.3\nConnections:\n node1-node0:  172.16.0.2...172.16.0.1  IKEv1\/2\n node1-node0:   local:  [172.16.0.2] uses pre-shared key authentication\n node1-node0:   remote: [172.16.0.1] uses pre-shared key authentication\n node1-node0:   child:  dynamic === dynamic TRANSPORT\nRouted Connections:\n node1-node0{1}:  ROUTED, TRANSPORT, reqid 1\n node1-node0{1}:   172.16.0.2\/32 === 172.16.0.1\/32\nSecurity Associations (1 up, 0 connecting):\n node1-node0[5]: ESTABLISHED 29 minutes ago, 172.16.0.2[172.16.0.2]...172.16.0.1[172.16.0.1]\n node1-node0[5]: IKEv2 SPIs: 679efab9abc11b8f_i 8250a21f18bbd528_r*, pre-shared key re-authentication in 2 hours\n node1-node0[5]: IKE proposal: AES_CBC_128\/HMAC_SHA2_256_128\/PRF_HMAC_SHA2_256\/ECP_256\n node1-node0{9}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c2339191_i c8878edc_o\n node1-node0{9}:  AES_GCM_16_128, 64 bytes_i (1 pkt, 741s ago), 64 bytes_o (1 pkt, 741s ago), rekeying in 16 minutes\n node1-node0{9}:   172.16.0.2\/32 === 172.16.0.1\/32<\/code><\/pre>\n\n\n\n<p>Test that traffic is encapsulated: ping from node1 to node0, and capture ESP on node0.<\/p>\n\n\n\n
<pre class=\"wp-block-code\"><code># node1 ping to node0\nroot@node1:\/home\/alan# ping -c 3 172.16.0.1\nPING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.\n64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.439 ms\n64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.436 ms\n64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=0.353 ms\n\n--- 172.16.0.1 ping statistics ---\n3 packets transmitted, 3 received, 0% packet loss, time 2043ms\nrtt min\/avg\/max\/mdev = 0.353\/0.409\/0.439\/0.039 ms\n# tcpdump node0\ntcpdump -i eth0 esp\ntcpdump: verbose output suppressed, use -v[v]... for full protocol decode\nlistening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n20:51:39.165606 IP node1-eth0 > node0-eth0: ESP(spi=0xc8878edc,seq=0x2), length 100\n20:51:39.165798 IP node0-eth0 > node1-eth0: ESP(spi=0xc2339191,seq=0x2), length 100\n20:51:40.225107 IP node1-eth0 > node0-eth0: ESP(spi=0xc8878edc,seq=0x3), length 100\n20:51:40.225340 IP node0-eth0 > node1-eth0: ESP(spi=0xc2339191,seq=0x3), length 100<\/code><\/pre>\n\n\n\n<p>The ESP SPIs in the capture (0xc8878edc from node1 to node0, 0xc2339191 from node0 to node1) match the ESP SPIs reported by ipsec statusall on node1 (c8878edc_o, c2339191_i), confirming the pings are carried inside the transport-mode SA rather than sent in the clear. This completes the initial setup of the lab IPsec tunnel.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Initial build of the lab with 2*Raspberry Pi 4 and DUALCOMM ETAP-2003 Raspberry Pi OS (Buster) image loaded onto the RPI4s. In RPI Imager, set up Wifi and a user account so that the RPIs could be reached over SSH from the home LAN. Matched the hostnames to the printed labels, node0 and node1. Configured the ethernet interfaces with static IPs for a point-to-point link [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-261","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/posts\/261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/comments?post=261"}],"version-history":[{"count":1,"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/posts\/261\/revisions"}],"predecessor-version":[{"id":265,"href":"htt
ps:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/posts\/261\/revisions\/265"}],"wp:attachment":[{"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/media?parent=261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/categories?post=261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.alanknipmeyer.phd\/index.php\/wp-json\/wp\/v2\/tags?post=261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}