% ----------------------------------------------------------------------
\label{section:IPSECgeneral}

% ciphersuites current 2013-12-09

\subsubsection{Settings}

\paragraph{Assumptions:}
We assume the use of IKE (v1 or v2) and ESP for this document.
\paragraph{Authentication:}
IPSEC authentication should ideally be performed via RSA signatures,
with a key size of 2048 bits or more. Configuring only the trusted CA
that issued the peer certificate provides additional protection
against fake certificates.

If you need to use Pre-Shared Key authentication:

\begin{itemize}
\item Choose a \textbf{random}, \textbf{long enough} PSK (see below)
\item Use a \textbf{separate} PSK for each IPSEC connection
\item Change the PSKs regularly
\end{itemize}

The PSK should not be shorter than the output size of
the hash algorithm used in IKE\footnote{It is used in an HMAC, see
RFC2104~\cite{rfc2104} and the discussion starting
in \url{http://www.vpnc.org/ietf-ipsec/02.ipsec/msg00268.html}.}.

For a key composed of upper- and lowercase letters, numbers, and two
additional symbols\footnote{64 possible values = 6 bits},
table~\ref{tab:IPSEC_psk_len} gives the minimum lengths in characters.
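
The minimum lengths follow from the 6 bits per character stated above. As an added example (not part of the original guide), the following Python code derives them and draws a PSK of at least that length from the operating system's CSPRNG; the use of hyphen and underscore as the two additional symbols and all function names are assumptions.

```python
import math
import secrets
import string
from typing import Optional

# 64-symbol alphabet as described in the text: letters, digits and two
# additional symbols (choosing '-' and '_' is an assumption).
ALPHABET = string.ascii_letters + string.digits + "-_"
BITS_PER_CHAR = 6  # log2(64)

# Output size in bits of the hash used in IKE.
HASH_BITS = {"SHA256": 256, "SHA384": 384, "SHA512": 512}


def min_psk_length(ike_hash: str) -> int:
    """Fewest characters that carry at least the hash output size."""
    return math.ceil(HASH_BITS[ike_hash] / BITS_PER_CHAR)


def generate_psk(ike_hash: str, length: Optional[int] = None) -> str:
    """Return a random PSK; refuse lengths below the minimum for the hash."""
    minimum = min_psk_length(ike_hash)
    if length is None:
        length = minimum
    if length < minimum:
        raise ValueError(f"{ike_hash} needs at least {minimum} characters")
    # secrets.choice draws from the OS CSPRNG, unlike random.choice.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for name in HASH_BITS:
        print(name, min_psk_length(name), generate_psk(name))
```
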
caption={PSK lengths},
label=tab:IPSEC_psk_len,
\FL IKE Hash & PSK length (chars)
\paragraph{Cryptographic Suites:}
IPSEC Cryptographic Suites are pre-defined settings for all the items
of a configuration; they try to provide a balanced security level and
make setting up VPNs easier\footnote{RFC6379~\cite{rfc6379}, RFC4308~\cite{rfc4308}}.

When using any of those suites, make sure to enable ``Perfect Forward
Secrecy'' for Phase 2, as this is not specified in the suites. The
equivalents to the recommended cipher suites in section
\ref{section:recommendedciphers} are shown in
table~\ref{tab:IPSEC_suites}.

caption={IPSEC Cryptographic Suites},
label=tab:IPSEC_suites,
]{>{\raggedright}p{3cm}>{\raggedright}p{3cm}l}{}{
\FL Configuration A & Configuration B & Notes
\texttt{Suite-B-GCM-256} &
\texttt{Suite-B-GCM-128} \newline \texttt{VPN-B} &
All Suite-B variants use NIST elliptic curves
\paragraph{IKE or Phase 1:}

As an alternative to the pre-defined cipher suites, you can define your
own, as described in this and the next section.

IKE or Phase 1 is the mutual authentication and key exchange phase;
table~\ref{tab:IPSEC_ph1_params} shows the parameters.

Use only ``main mode'', as ``aggressive mode'' has known security
vulnerabilities\footnote{\url{http://ikecrack.sourceforge.net/}}.

caption={IPSEC Phase 1 parameters},
label=tab:IPSEC_ph1_params,
\FL & Configuration A & Configuration B
\ML Mode & Main Mode & Main Mode
\NN Encryption & AES-256 & AES, CAMELLIA (-256 or -128)
\NN Hash & SHA2-* & SHA2-*, SHA1
\NN DH Group & Group 14-18 & Group 14-18
%\NN Lifetime & \todo{need recommendations; 1 day seems to be common practice} &
\paragraph{ESP or Phase 2:}
ESP or Phase 2 is where the actual data are protected; recommended
parameters are shown in table~\ref{tab:IPSEC_ph2_params}.

caption={IPSEC Phase 2 parameters},
label=tab:IPSEC_ph2_params,
]{l>{\raggedright}p{4.5cm}>{\raggedright}p{6cm}}{}{%
\FL & Configuration A & Configuration B
\ML Perfect Forward Secrecy & \yes & \yes
\mbox{AES-GCM-16}, \mbox{AES-CTR}, \mbox{AES-CCM-16}, \mbox{AES-256} &%
\mbox{AES-GCM-16}, \mbox{AES-CTR}, \mbox{AES-CCM-16}, \mbox{AES-256}, \mbox{CAMELLIA-256}, \mbox{AES-128}, \mbox{CAMELLIA-128}
\NN Hash & SHA2-* (or none for AEAD) & SHA2-*, SHA1 (or none for AEAD)
\NN DH Group & Same as Phase 1 & Same as Phase 1
%\NN Lifetime & \todo{need recommendations; 1-8 hours is common} &
\subsubsection{References}

\begin{itemize}
\item ``A Cryptographic Evaluation of IPsec'', Niels Ferguson and Bruce
Schneier: \url{https://www.schneier.com/paper-ipsec.pdf}
\end{itemize}

%----------------------------------------------------------------------
\subsection{Check Point FireWall-1}

% Attention, only example...
%Checkpoint firewall is a \gls{firewall} that ....

\subsubsection{Tested with Versions}

\begin{itemize}
\item R77 (should work with any currently supported version)
\end{itemize}

\subsubsection{Settings}
Please see section \ref{section:IPSECgeneral} for guidance on
parameter choice. In this section, we will configure a strong setup
according to ``Configuration A''.

This is based on the concept of a ``VPN Community'', which has all the
settings for the gateways that are included in that community.
Communities can be found in the ``IPSEC VPN'' tab of SmartDashboard.

\begin{figure}
\includegraphics[width=0.592\textwidth]{img/checkpoint_1.png}
\caption{VPN Community encryption properties}
\label{fig:checkpoint_1}
\end{figure}
Either choose one of the encryption suites in the properties dialog
(figure \ref{fig:checkpoint_1}), or proceed to
``Custom Encryption...'', where you can set encryption and hash for
Phase 1 and 2 (figure \ref{fig:checkpoint_2}).

\begin{figure}
\includegraphics[width=0.411\textwidth]{img/checkpoint_2.png}
\caption{Custom Encryption Suite Properties}
\label{fig:checkpoint_2}
\end{figure}

The Diffie-Hellman groups and Perfect Forward Secrecy settings can be
found under ``Advanced Settings'' / ``Advanced VPN Properties''
(figure \ref{fig:checkpoint_3}).

\begin{figure}
\includegraphics[width=0.589\textwidth]{img/checkpoint_3.png}
\caption{Advanced VPN Properties}
\label{fig:checkpoint_3}
\end{figure}

\subsubsection{Additional settings}
For remote Dynamic IP Gateways, the settings are not taken from the
community, but set in the ``Global Properties'' dialog under ``Remote
Access'' / ``VPN Authentication and Encryption''. Via the ``Edit...''
button, you can configure sets of algorithms that all gateways support
(figure \ref{fig:checkpoint_4}).

\begin{figure}
\includegraphics[width=0.474\textwidth]{img/checkpoint_4.png}
\caption{Remote Access Encryption Properties}
\label{fig:checkpoint_4}
\end{figure}

Please note that these settings restrict the available algorithms for
\textbf{all} gateways, and also influence the VPN client connections.

%\subsubsection{Justification for special settings (if needed)}

%\subsubsection{Limitations}

\subsubsection{References}

\begin{itemize}
\item Check Point \href{https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm}{VPN R77 Administration Guide} (may require a UserCenter account to access)
\end{itemize}

%\subsubsection{How to test}

%% cipherstrings current 2013-12-09
% ----------------------------------------------------------------------
\subsubsection{Tested with Versions}

\begin{itemize}
\item OpenVPN 2.3.2 from Debian ``wheezy-backports'' linked against openssl (libssl.so.1.0.0)
\item OpenVPN 2.2.1 from Debian Wheezy linked against openssl
\item OpenVPN 2.3.2 for Windows
\end{itemize}

\subsubsection{Settings}

We describe a configuration with certificate-based authentication; see
below for details on the \verb|easyrsa| tool to help you with that.

OpenVPN uses TLS only for authentication and key exchange. The
bulk traffic is then encrypted and authenticated with the OpenVPN
protocol using those keys.

Note that while the \verb|tls-cipher| option takes a list of ciphers
that is then negotiated as usual with TLS, the \verb|cipher|
and \verb|auth| options both take a single argument that must match on

\paragraph{Server Configuration}

% the cipherlist here is config B without the ECDHE strings, because
% it must fit in 256 bytes...
% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
\configfile{server.conf}{248-250}{Cipher configuration for OpenVPN (Server)}

\paragraph{Client Configuration}
Client and server have to use compatible configurations; otherwise they cannot communicate.
The \verb|cipher| and \verb|auth| directives have to be identical.

% the cipherlist here is config B without the ECDHE strings, because
% it must fit in 256 bytes...
% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
\configfile{client.conf}{44-45,115-121}{Cipher and TLS configuration for OpenVPN (Client)}
\subsubsection{Justification for special settings}
OpenVPN 2.3.1 changed the values that the \verb|tls-cipher| option
expects from OpenSSL cipher names to IANA cipher names. That means from that
version on you will get ``Deprecated TLS cipher name'' warnings for
the configurations above. You cannot use the selection strings from
section \ref{section:recommendedciphers} directly from 2.3.1 on, which
is why we give an explicit cipher list here.

In addition, there is a 256 character limit on configuration file line
lengths; that limits the size of cipher suites, so we dropped all

The configuration shown above is compatible with all tested versions.
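
The constraints described above (identical cipher and auth values on both ends, a negotiated tls-cipher list, and the 256 character line limit) can be checked before deployment. The following Python code is an added example, not part of the original guide; the sample configurations are constructed and the function names are assumptions.

```python
LINE_LIMIT = 256  # line-length limit for configuration files, per the text


def parse_config(text):
    """Return ({directive: argument string}, [numbers of over-long lines])."""
    directives, too_long = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        # Assumption: a line of exactly LINE_LIMIT characters is flagged too.
        if len(raw) >= LINE_LIMIT:
            too_long.append(number)
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        name, _, argument = line.partition(" ")
        directives[name] = argument.strip()
    return directives, too_long


def check_pair(server_text, client_text):
    """List the mismatches that would keep client and server from talking."""
    findings = []
    server, server_long = parse_config(server_text)
    client, client_long = parse_config(client_text)
    for side, numbers in (("server", server_long), ("client", client_long)):
        findings += [f"{side}: line {n} hits the {LINE_LIMIT}-character limit"
                     for n in numbers]
    # cipher and auth take one value each and must be identical on both ends.
    for name in ("cipher", "auth"):
        if server.get(name) != client.get(name):
            findings.append(f"{name}: server={server.get(name)!r} "
                            f"client={client.get(name)!r}")
    # tls-cipher is a negotiated list: one common entry is enough.
    if "tls-cipher" in server and "tls-cipher" in client:
        common = (set(server["tls-cipher"].split(":"))
                  & set(client["tls-cipher"].split(":")))
        if not common:
            findings.append("tls-cipher: no suite in common")
    return findings


# Constructed sample configurations (not the guide's server.conf/client.conf).
SERVER = """# server
tls-cipher DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
cipher AES-256-CBC
auth SHA384
"""
CLIENT_OK = """tls-cipher DHE-RSA-AES256-SHA
cipher AES-256-CBC
auth SHA384
"""
CLIENT_BAD = """tls-cipher DHE-RSA-AES128-SHA
cipher AES-128-CBC
auth SHA384
"""
```
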
\subsubsection{References}

\begin{itemize}
\item OpenVPN Documentation: \emph{Security Overview} \url{https://openvpn.net/index.php/open-source/documentation/security-overview.html}
\end{itemize}

%\subsubsection{How to test}

\subsubsection{Additional settings}

\paragraph{Key renegotiation interval}
The default for renegotiation of encryption keys is one hour
(\verb|reneg-sec 3600|). If you
transfer huge amounts of data over your tunnel, you might consider
configuring a shorter interval, or switching to a byte- or packet-based
interval (\verb|reneg-bytes| or \verb|reneg-pkts|).

\paragraph{Fixing ``easy-rsa''}
When installing an OpenVPN server instance, you are probably using
\emph{easy-rsa} to generate keys and certificates.
The file \verb|vars| in the easyrsa installation directory has a
number of settings that should be changed to secure values:

\configfile{vars}{53-53,56-56,59-59}{Sane default values for OpenVPN (easy-rsa)}

This will enhance the security of the key generation by using RSA keys
with a length of 4096 bits, and set a lifetime of one year for the
server/client certificates and five years for the CA certificate. \textbf{NOTE: 4096 bits is only an example of how to do this with easy-rsa.} See also section \ref{section:keylengths} for a discussion on key lengths.

In addition, edit the \verb|pkitool| script and replace all occurrences
of \verb|sha1| with \verb|sha256|, to sign the certificates with
\subsubsection{Limitations}
Note that the ciphersuites shown by \verb|openvpn --show-tls| are \emph{known}, but not necessarily \emph{supported}\footnote{\url{https://community.openvpn.net/openvpn/ticket/304}}.

Which cipher suite is actually used can be seen in the logs:

\verb|Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA|
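
Because the negotiated suite only shows up in the log, checking it can be automated. The following Python code is an added example, not part of the original guide: it extracts the ``Control Channel'' lines in the format quoted above and flags sessions without ephemeral Diffie-Hellman or with short RSA keys. The thresholds, function names, and all log lines other than the quoted message are assumptions constructed for illustration.

```python
import re

# Format of the "Control Channel" line as quoted in the text.
CONTROL_RE = re.compile(
    r"Control Channel: (?P<protocol>\S+), cipher \S+ (?P<suite>\S+), "
    r"(?P<bits>\d+) bit (?P<keytype>\w+)"
)

# Assumptions for this example: OpenSSL-style suite names, ephemeral
# Diffie-Hellman required, and RSA keys of at least 2048 bits.
FS_PREFIXES = ("DHE-", "ECDHE-")
MIN_RSA_BITS = 2048


def audit_control_channels(lines):
    """Return one dict per negotiated control channel, with any findings."""
    sessions = []
    for line in lines:
        match = CONTROL_RE.search(line)
        if match is None:
            continue  # not a control-channel line
        suite, bits = match["suite"], int(match["bits"])
        issues = []
        if not suite.startswith(FS_PREFIXES):
            issues.append("no forward secrecy")
        if match["keytype"] == "RSA" and bits < MIN_RSA_BITS:
            issues.append(f"{bits} bit RSA key")
        sessions.append({"protocol": match["protocol"], "suite": suite,
                         "issues": issues})
    return sessions


# Constructed log lines; only the first message body is taken from the text.
SAMPLE_LOG = [
    "Mon Dec  9 10:00:01 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 "
    "DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA",
    "Mon Dec  9 10:00:02 2013 Initialization Sequence Completed",
    "Mon Dec  9 10:05:17 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 "
    "AES256-SHA, 1024 bit RSA",
]

if __name__ == "__main__":
    for session in audit_control_channels(SAMPLE_LOG):
        print(session)
```
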
% ----------------------------------------------------------------------
PPTP is considered insecure; Microsoft recommends to ``use a more secure VPN
tunnel''\footnote{\url{http://technet.microsoft.com/en-us/security/advisory/2743314}}.

There is a cloud service that cracks the underlying MS-CHAPv2
authentication protocol for the price of USD~200\footnote{\url{https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/}},
and given the resulting MD4 hash, all PPTP traffic for a user can

% ----------------------------------------------------------------------
\subsection{Cisco ASA}
The following settings reflect our recommendations as closely as possible on the Cisco ASA platform. These are, of course, just settings regarding SSL/TLS (i.e. Cisco AnyConnect) and IPsec. For further security settings regarding this platform, the appropriate Cisco guides should be followed.

\subsubsection{Tested with Versions}

\begin{itemize}
\item 9.1(3) - X-series model
\end{itemize}

\subsubsection{Settings}
\begin{lstlisting}[breaklines]
crypto ipsec ikev2 ipsec-proposal AES-Fallback
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES-GCM-Fallback
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES128-GCM
 protocol esp encryption aes-gcm
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES192-GCM
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-GCM AES192-GCM AES128-GCM AES-GCM-Fallback AES-Fallback
crypto map Outside-DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-DMZ_map interface Outside-DMZ

crypto ikev2 policy 1
 encryption aes-gcm-256
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 4
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 enable Outside-DMZ client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 Outside-DMZ
\end{lstlisting}
\subsubsection{Justification for special settings}
New IPsec policies have been defined which do not make use of ciphers that may be cause for concern. Policies have a ``Fallback'' option to support legacy devices.

3DES has been completely disabled; as a result, Windows XP AnyConnect clients will no longer be able to connect.

The Cisco ASA platform does not currently support RSA keys above 2048 bits.

Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not support configuring SHA256/SHA384/SHA512 or AES-GCM for IKEv2 proposals.
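
A defined proposal only matters if a crypto map offers it. The following Python code is an added example, not part of the original guide: it parses an excerpt of the listing above, reports which IKEv2 IPsec proposals the dynamic map references, and flags integrity algorithms outside the Phase 2 hashes of Configuration A or B. On this excerpt it shows that the proposal with md5 is defined but not offered. Function names are assumptions.

```python
import re

# Phase 2 hashes the guide lists for Configuration A or B, in ASA spelling.
GUIDE_INTEGRITY = {"sha-512", "sha-384", "sha-256", "sha-1"}


def audit_proposals(config):
    """Map each IKEv2 IPsec proposal to its findings."""
    proposals, referenced, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line)
        sub = re.match(r"protocol esp (encryption|integrity) (.+)$", line)
        if start:
            current = proposals.setdefault(
                start.group(1), {"encryption": [], "integrity": []})
        elif sub and current is not None:
            current[sub.group(1)].extend(sub.group(2).split())
        else:
            current = None  # any other command leaves proposal sub-mode
            use = re.search(r" set ikev2 ipsec-proposal (.+)$", line)
            if use:
                referenced.update(use.group(1).split())
    return {
        name: {
            "offered": name in referenced,
            "outside_guide": sorted(set(p["integrity"]) - GUIDE_INTEGRITY),
        }
        for name, p in proposals.items()
    }


def offered_outside_guide(report):
    """Names of proposals that are both offered and use a non-guide hash."""
    return sorted(n for n, r in report.items()
                  if r["offered"] and r["outside_guide"])


# Excerpt of the listing above, used as sample input.
ASA_EXCERPT = """\
crypto ipsec ikev2 ipsec-proposal AES-Fallback
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-GCM AES192-GCM AES128-GCM AES-GCM-Fallback AES-Fallback
"""
```
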
\subsubsection{References}

\begin{itemize}
\item \url{http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html}
\item \url{http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html}
\end{itemize}

% add any further references or best practice documents here

%%\subsubsection{How to test}
% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.

% ----------------------------------------------------------------------
\subsection{Openswan}

\subsubsection{Tested with Version}

\begin{itemize}
\item Openswan 2.6.39 (Gentoo)
\end{itemize}

\subsubsection{Settings}
NB: The available algorithms depend on your kernel configuration (when using protostack=netkey) and/or

To list the supported algorithms, run

\begin{lstlisting}[breaklines]
$ ipsec auto --status | less
\end{lstlisting}

and look for 'algorithm ESP/IKE' at the beginning.
\begin{lstlisting}[breaklines]
# ike format: cipher-hash;dhgroup
# recommended ciphers:
# recommended hashes:
# - sha2_256 with at least 43 byte PSK
# - sha2_512 with at least 86 byte PSK
# recommended dhgroups:
ike=aes-sha2_256;modp2048
# esp format: cipher-hash;dhgroup
# recommended ciphers configuration A:
# - aes_gcm_c-256 = AES_GCM_16
# - aes_ccm_c-256 = AES_CCM_16
# additional ciphers configuration B:
# recommended hashes configuration A:
# - null (only with GCM/CCM ciphers)
# additional hashes configuration B:
# recommended dhgroups: same as above
phase2alg=aes_gcm_c-256-sha2_256;modp2048
\end{lstlisting}
\subsubsection{How to test}
Start the VPN, run

\begin{lstlisting}[breaklines]
$ ipsec auto --status | less
\end{lstlisting}

and look for 'IKE algorithms wanted/found' and 'ESP algorithms wanted/loaded'.

\subsubsection{References}
\todo{more specific References}

\begin{itemize}
\item \url{https://www.openswan.org/}
\end{itemize}
\subsubsection{Tested with Version}

\begin{itemize}
\item tinc 1.0.23 from Gentoo linked against OpenSSL 1.0.1e
\item tinc 1.0.23 from Sabayon linked against OpenSSL 1.0.1e
\end{itemize}

\paragraph*{Defaults}\mbox{}\\
tinc uses 2048 bit RSA keys, Blowfish-CBC, and SHA1 as default settings and suggests the usage of CBC mode ciphers.
Any key length up to 8196 is supported and it does not need to be a power of two. OpenSSL Ciphers and Digests are supported by tinc.

\paragraph*{Settings}\mbox{}\\

\begin{lstlisting}[breaklines]
tincd -n NETNAME -K8196
\end{lstlisting}

Old keys will not be deleted (but disabled); you have to delete them manually. Add the following lines to your tinc.conf on all machines:
\configfile{tinc.conf}{3-4}{Cipher and digest selection in tinc}

\paragraph*{References}\mbox{}\\

\begin{itemize}
\item tincd(8) man page
\item tinc.conf(5) man page
\item \href{http://www.tinc-vpn.org/pipermail/tinc/2014-January/003538.html}{tinc mailinglist}
\end{itemize}
% ----------------------------------------------------------------------
%%\subsection{Juniper VPN}
%%\todo{write this subsubsection. AK: ask Hannes}

% ----------------------------------------------------------------------
%\subsection{L2TP over IPSec}
%\todo{write this subsubsection}

% ----------------------------------------------------------------------
%\todo{write this subsubsection}