How to use the public, private key-pair and certificate?



I can meet lots of SSL certification to protect web server host. I am not the security engineer. Therefore, It is difficult to understand the relationship private-public key pair and the certification. I have recently found the answer from here. Now I will follow these if it works or not. In this post, I will use "openssl" to handle.


1. Install the "openssl" on ubuntu


Basically, this openssl has been installed on ubuntu, therfore, I do not need to install again.


# apt-get install openssl 


2. Generate the private keys


In this post, I create private key of 2048 size with RSA algorithm at first. 


# openssl genrsa -out myprivate.pem 2048

Generating RSA private key, 2048 bit long modulus

......+++

...............................................+++

e is 65537 (0x10001)


# cat myprivate.pem

-----BEGIN RSA PRIVATE KEY-----

something............xxxxxxxxxxxxxxxxxxxxxxxxx

-----END RSA PRIVATE KEY----- 


3. Generate the public keys


With the private key, I can generate the public key with RSA key management command.


# openssl rsa -in myprivate.pem -outform PEM -pubout -out public.pem

writing RSA key


# cat public.pem

-----BEGIN PUBLIC KEY-----

something............xxxxxxxxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----


4. Create a CSR (Certificate Signing Request)


To create a CSR, "req" command is for PKCS#10 X.509 Certificate Signing Request (CSR) Management. CSR should be created with the private key which is created. During creation, some information are required to insert.


# openssl req -new -key myprivate.pem -out mycert.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:KR

State or Province Name (full name) [Some-State]:SEOUL

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:

Email Address []:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


After above status, I will get csr file.


5. Create a Self-signed Certificate 


With the create CSR file and Private key, I can create the Self-signed Certificate (CRT) file, which I can share

# openssl x509 -req -days 365 -in mycert.csr -signkey myprivate.pem -out cert.crt

Signature ok

subject=/C=KR/ST=SEOUL/O=Internet Widgits Pty Ltd

Getting Private key


I create the CRT file with expiration. (-days option define the date to expire). This is important because CRT file can be shared.


6. How to Use these Keys and Certifications


Now, I have four files (Public-Private Key Pairs, CSR and CRT files). At first, I create sample documentation. 


# cat this_sample.txt

Hi, I am doing some test now


Before I encrypt file above. I want to see the command option of "openssl rsautl". In this command, I will use -encrypt and -decrypt options. Please note that -encrypt require "public key" not "private key" and reverse versa. "-pkcs" option is default pandding option.


# openssl rsautl --help

Usage: rsautl [options]

-in file        input file

-out file       output file

-inkey file     input key

-keyform arg    private key format - default PEM

-pubin          input is an RSA public

-certin         input is a certificate carrying an RSA public key

-ssl            use SSL v2 padding

-raw            use no padding

-pkcs           use PKCS#1 v1.5 padding (default)

-oaep           use PKCS#1 OAEP

-sign           sign with private key

-verify         verify with public key

-encrypt        encrypt with public key

-decrypt        decrypt with private key

-hexdump        hex dump output

-engine e       use engine e, possibly a hardware device.

-passin arg    pass phrase source


Now, I encrypt this file with Public key with RSA utility command which are used for signing, verification, encryption and decryption. Please, note "-pubin" option is important factor to encrypt file.


# openssl rsautl -encrypt -inkey public.pem -pubin -in this_sample.txt -out encrypted_sample


Now, I have encrypted file. At this time, I have some question. How can I recover this file. 


# openssl rsautl -decrypt -inkey myprivate.pem -keyform PEM -in encrypted_sample -out decrypted_sample


# cat decrypted_sample

Hi, I am doing some test now


It's works. However, I have something left. What is the CRT file for?. CRT file can be shared. Someone can get the public key from this CRT file.


# openssl x509 -pubkey -in cert.crt -out certpubkey.pem

-----BEGIN PUBLIC KEY-----

something......... xxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----


With this public key, I can send some file with encryption.


7. Encrypt with Private Key and Decrypt with Public Key


So far, I encrypt with Public key and I decrypt with Private key. However, I have question if it is do with reverse. The answer is "yes". However, it is not possible with "openssl" command line. Therefore, I can not handle this anymore at this time in this post.


Reference


[ 1 ] https://security.stackexchange.com/questions/108508/how-do-i-produce-a-ca-signed-public-key

[ 2 ] https://unix.stackexchange.com/questions/296697/how-to-encrypt-a-file-with-private-key

저작자표시 비영리 변경금지

'System Basic Engineering > OpenSource' 카테고리의 다른 글

How to use etcd (multi-machine cluster TLS/SSL security mode) in Ubuntu?  (0) 2018.10.19
How to use etcd (multi-machine cluster basic mode) in Ubuntu?  (0) 2018.10.19
How does create Intermediate certificate with openssl?  (0) 2018.10.19
How to use ECDSA?  (0) 2018.10.18
What to use WMI(Windows Management Instrumentation) from remote Linux server?  (0) 2018.10.01

How to make connection of Strongswan with Azure?


In this post, I will write the way how to create the connection using Strongswan for IPsec connection for Azure VPN connection. In AWS, it is not difficult, because AWS offer the configuration for Strongswan and Openswan. However, Azure does not offer it. Because of I can not know the Peer VPN status. it is not simple. 


1. About test environment.


My test environment is like below.


On-prem Host and VPN server <------> Internet <------> Azure VPN <------> Azure vNet <------> Azure Host


A) On-prem Host and VPN server - 10.0.0.0/8 

B) Azure Host - 172.21.0.0/16


2. Create local network gateway


Local network gateway means the on-premise site. Therefore, I need to insert on-premise network information into these fields.




A) IP address : On-premise VPN Device Public IP address.

B) Address space : On-premise Network range which is used.  


In my case, Address space should be "10.0.0.0/8". After generation, I can modify in the configuration of the resource. If I need to add more network range. I have add in here.




3. Create virtual network gateway


Virtual network gateway means the endpoint of Azure site. I insert the Azure vNet information into here. Before, I create the virtual network gateway. I need to create the "gateway subnet" where VPN instance is located in. In subnet of vNet, I can see the button "Gateway subnet".



Don't worry if I create the gateway subnet or not. If I don't, It will be created automatically. The menu for create virtual network gateway look like below.



A) SKU


SKU

S2S/VNet 

P2S

BW
VpnGw1

Max 30*

Max 128**650Mbps
VpnGw2Max 30*Max 128**1Gbps
VpnGw3Max 30*Max 128**1.25Gbps
BasicMax 10

Max 128

100Mbps

B) Virtual Network : The vNet which I want to connect with on-premise site.

C) Public IP address : Azure VPN Public IP address. (Note, I can not make static IP address


After creation, I can see that virtual network gateway and public IP address are created in my resource group like below.



4. Create connection


Now, I prepare each point for the Azure and On-premise site. I need to connect between them. So I will create connection. During this process, I need to select "local network gateway" and "virtual network gateway" which are created at above.



A) Shared key (PSK) : It is kind of the password. Therefore, I should be secret and shared with peers.


And I can see more detail. Also I can change PSK values




After connection, I can download the configuration file. 

It looks like


tidcne-s2s-connection-1.txt



5. Update the routing table.


Now, I prepared all of infrastructure. However, it is not perfect. Because of I need to control the traffic flow. I hope I remember "I choose Route-based, not Policy-based VPN". I need to update my routing table like below. In my route table, I need to watch the subnet which are associate. In my case, I want to all network to connect with my on-premise. therefore I associated all networks.



In route tap, I add the on-premise network range with "virtual network gateway" as next hop. In my case, 10.0.0.0/8 network should be transfer to the virtual network gateway.




6. Create on-premise VPN server.


From now, I create the on-premise VPN server which are installed with Strongswan. I use "apt-get". 


# apt-get install strongswan


# ipsec version

Linux strongSwan U5.3.5/K4.4.0-134-generic

Institute for Internet Technologies and Applications

University of Applied Sciences Rapperswil, Switzerland

See 'ipsec --copyright' for copyright information.


7. Configure packet forwarding enable.


# vi /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1


# sysctl -p /etc/sysctl.conf

net.ipv4.ip_forward = 1


# cat /proc/sys/net/ipv4/ip_forward

1


8. Configure preshared key (PSK)


This PSK is similar with the password. It should be the same between peers. This information will be inserted into /etc/ipsec.secrets. The string is <leftside IPaddress> <rightside IPaddress> : PSK "xxxxxxxxx"


# vi /etc/ipsec.secrets

1xx.7x.3x.4x 1x.1xx.1xx.7x : PSK "xxxxxx_xxxx"


9. Configure IPsec configuration.


This is the IPsec configuration. I will add some information in /etc/ipsec.conf.


# vi /etc/ipsec.conf

conn azure

        authby=secret

        type=tunnel

        left=147.75.105.103 # My Public IP address

        leftsubnet=0.0.0.0/0 # My IP address space / protected network(s)

        right=52.231.73.164 #Azure Dynamic Gateway

        rightsubnet=172.21.0.0/24,172.21.1.0/24 #Azure Vnet prefixes

        auto=route

        keyexchange=ikev2 # Mandatory for Dynamic / Route-based gateway

        mark=100


There are some important things I need to focus. First, Azure only support ikev2. Second, I can write multiple subnet in left/rightsubnet field because the mode is ikev2. If I want to use ikev1, only first subnet before comma is valid. Third, mark field is necessary when the VPN should have multiple connection. This mark value is used to separate interface 


This is the Sample configuration for IKEv2

config setup

        # strictcrlpolicy=yes

        uniqueids = no


# Add connections here.


# Sample VPN connections

conn Tunnel1

        auto=start

        left=%defaultroute

        leftid=46.101.124.161

        right=52.231.191.30

        type=tunnel

        leftauth=psk

        rightauth=psk

        keyexchange=ikev2

        ike=aes256-sha1-modp1024

        ikelifetime=1h

        esp=aes256gcm128

        lifetime=1h

        keyingtries=%forever

        leftsubnet=0.0.0.0/0

        rightsubnet=0.0.0.0/0

        dpddelay=10s

        dpdtimeout=30s

        dpdaction=restart

        mark=100

Please Look  https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites



10. Create virtual tunnel interface on VPN host.


If I remove "mark" value in /etc/ipsec.conf, All of packet are transferred over encryption by VPN. That is not what I want. I want to specific network traffic can transfer over VPN. This is the reason why I use mark and virtual tunnel interface is necessary. At first I need to merge the routing table because the strongswan create another route table to handle.


# vi /etc/strongswan.d/charon.conf

install_routes=no


I will create "tunnel interface" with "ip link add". Look at the below. I used the name "vti1" as interface name. Please, note that the mark values should be the same.


# sudo ip link add vti1 type vti local 147.75.105.103 remote 52.231.73.164 key 100

sudo ip link set vti1 up mtu 1419

sudo ip route add 172.21.0.0/24 dev vti1

sudo ip route add 172.21.1.0/24 dev vti1

sysctl -w "net.ipv4.conf.vti1.disable_policy=1"


11. Check the IPsec status.


Now, I can do all of things for the IPsec VPN connection. I can check the status for this with "ipsec status" command. 


# ipsec status azure

Routed Connections:

       azure{1}:  ROUTED, TUNNEL, reqid 1

       azure{1}:   0.0.0.0/0 === 172.21.0.0/24 172.21.1.0/24

Security Associations (1 up, 0 connecting):

       azure[1]: ESTABLISHED 76 minutes ago, 147.75.105.103[147.75.105.103]...52.231.73.164[52.231.73.164]

       azure{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4e7887b_i f62d7a96_o

       azure{3}:   0.0.0.0/0 === 172.21.0.0/24 172.21.1.0/24


On the GUI of Azure, I also can check the status for VPN connection.





12. Troubleshooting 


My Azure Host has the IP address with "172.21.1.4". Therefore, I try to ping on on-premise VPN host like below. However, there is no answer.


# ping 172.21.1.4

84 packets transmitted, 0 received, 100% packet loss, time 83664ms


So I dump the packet to analysis this issue. I can see the NONESP and ESP pakcets. Thus, the ICMP is sending to destination. 


# tcpdump -ni bond0 host 52.231.73.164

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on bond0, link-type EN10MB (Ethernet), capture size 262144 bytes

07:30:44.805879 IP xxx.xxx.xxx.xxx.4500 > yy.yyy.yy.yyy.4500: NONESP-encap: isakmp: child_sa  inf2

07:30:44.806508 IP yy.yyy.yy.yyy.4500 > xxx.xxx.xxx.xxx.4500: NONESP-encap: isakmp: child_sa  inf2[IR]

07:30:50.168456 IP xxx.xxx.xxx.xxx > yy.yyy.yy.yyy: ESP(spi=0x60237774,seq=0xc), length 132

07:30:51.176661 IP xxx.xxx.xxx.xxx > yy.yyy.yy.yyy: ESP(spi=0x60237774,seq=0xd), length 132


I will give you answer for this issue. It is happen due to the source IP address. In this case, the ICMP packet will send to destination with interface IP address which is selected by routing table.  I will check my  network security group for Azure. I will add the interface IP address.



Please, note on-premise network range should be added in this network security group. Now I can do ping.


# ping 172.21.1.4

PING 172.21.1.4 (172.21.1.4) 56(84) bytes of data.

64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=42 time=191 ms

64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=42 time=192 ms


However, the IP address which is returned is not private IP address of the Azure host. It will be the Public IP address. Because, the source IP address from on-premise VPN host is the public IP address. So I will do some trick for this. I will use the SNAT like below.


# iptables -t nat -A POSTROUTING -d 172.21.0.0/24 -o vti1 -j SNAT --to-source 10.99.8.131

# iptables -t nat -A POSTROUTING -d 172.21.1.0/24 -o vti1 -j SNAT --to-source 10.99.8.131


Now, I will do ping again.


# ping 172.21.1.4

PING 172.21.1.4 (172.21.1.4) 56(84) bytes of data.

64 bytes from 172.21.1.4: icmp_seq=1 ttl=64 time=192 ms

64 bytes from 172.21.1.4: icmp_seq=2 ttl=64 time=193 ms


So, I have done all of things. I can have IPsec VPN connection between on-premise and Azure.


Reference 


[ 1 ] https://tscr.io/2018/01/03/azure-routed-vpn-with-strongswan-on-linux/

[ 2 ] https://docs.microsoft.com/ko-kr/azure/vpn-gateway/vpn-gateway-about-vpngateways

[ 3 ] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

저작자표시 비영리 변경금지

How to create Spot instance in Packet.net cloud?


I usually use this Packet.net cloud which offers the bare-metal public cloud. It is so much useful. AWS, Azure and GCP also offer public cloud. However, they base on the virtualization environment which make unknown issues. The cost is not cheap due to bare-metal offering. However, I don't worry about this cost, because they have spot instance. Please note, the instance will be removed without alarms and notification. Therefore it is not proper for the production.


1. Create new server.


I create the new server in my projects like below.


 

After "Click" the "New Server" button, I can see the "Deploy On Demand Servers", which insert some information to generate the servers.



2. Configure spot price.


When I deploy with information on the blanked field above figure, I can obtain the normal server which pay the full-cost. However, I do not want this in this post. I can see the "Options" button which is tagged with "SSH & USER DATA" 



After open the category, I can see the "Spot Market Options". When I insert the price which I want to pay, I can get the spot instance. Please note that the current bid is changeable. So I need to look this information more carefully. 


3. Deploy server.


Now, I am ready to deploy the spot instance. It is so simple. Now I can see the my processing status. I can see the "Type" information which is written with "Spot Instance"




4. Troubleshooting.


This is not about the Packet.net. I want to talk about Linux configuration. In my case, I usually use Ubuntu. After login, I can not "apt-get update", because of the repository issue. Most of usually, OS request to IPv4 address. However, IPv6 request is happend sometimes. In this case, I need to change some configuration. I have add single file in "/etc/apt/apt.conf.d/99force-ipv4"


# echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4

Acquire::ForceIPv4 "true";


After then, I can run "apt-get" something. However, if I can "apt-get" something without this above, I do not need this.


Reference 


[ 1 ] https://www.packet.com/

[ 2 ] https://unix.stackexchange.com/questions/9940/convince-apt-get-not-to-use-ipv6-method

저작자표시 비영리 변경금지

+ Recent posts

티스토리툴바