A Working fwknopd installation using a mixture of v1.9 and v2.0

Summary

[+] NOT heavily tested and currently NOT working:
    c++ 2.0 client cannot connect to perl 1.9 server
[+] Tested and currently WORKING:
    perl 1.9 client connecting to perl 1.9 server
    perl 1.9 client connecting to c++ 2.0 server - with SNAT, DNAT and FORCE_NAT all perfect
    c++ 2.0 client connecting to c++ 2.0 server - with SNAT, DNAT and FORCE_NAT all perfect

Links

fwknop homepage - www.cipherdyne.org/fwknop/

Environment

For this test I have used four machines:
1 x client workstation with both fwknop v1.9 and v2.0 installed on it
1 x v2.0 fwknopd server with three network interfaces:
   eth0 connected to the internet with an IP address of 192.168.1.1
   eth1 connected to an internal subnet with an IP address of 192.168.2.1
   eth2 connected to another internal subnet with an IP address of 192.168.3.1
1 x SSH server connected to the fwknopd server's eth1, with an IP address of 192.168.2.2
1 x SSH server connected to the fwknopd server's eth2, with an IP address of 192.168.3.2

FWKNOPD Port Mapping

Port  Protocol  Description
80400 fwknop    Knock Port
80043 ssh       SSH fwknop-server
80044 ssh       SSH server1 – 192.168.2.2 connected via eth1
80045 ssh       SSH server2 – 192.168.3.2 connected via eth2

fwknopd.conf

PCAP_INTF                   eth0;
ENABLE_PCAP_PROMISC         Y;
PCAP_FILTER                 udp port 80400;
ENABLE_SPA_PACKET_AGING     N;
ENABLE_IPT_FORWARDING       Y;
ENABLE_IPT_LOCAL_NAT        Y;
ENABLE_IPT_SNAT             N;
SNAT_TRANSLATE_IP           192.168.1.1;
ENABLE_IPT_OUTPUT           Y;
NOTE: SPA packet aging and SNAT are currently not enabled (ENABLE_SPA_PACKET_AGING N, ENABLE_IPT_SNAT N)

access.conf

SOURCE: ANY;
REQUIRE_USERNAME: fwknop-server;
OPEN_PORTS: tcp/80043;
KEY: password1;
FW_ACCESS_TIMEOUT: 3600;

SOURCE: ANY;
REQUIRE_USERNAME: server1;
OPEN_PORTS: tcp/80044;
KEY: password2;
FORCE_NAT 192.168.2.2 22;
FW_ACCESS_TIMEOUT: 3600;

SOURCE: ANY;
REQUIRE_USERNAME: server2;
OPEN_PORTS: tcp/80045;
KEY: password3;
FORCE_NAT 192.168.3.2 22;
FW_ACCESS_TIMEOUT: 3600;

keyfiles

knockfwknop-server
    <yourdomain.com>:password1
knockserver1
    <yourdomain.com>:password2
knockserver2
    <yourdomain.com>:password3

fwknop client commands

Perl Version 1.9
fwknop -D <yourdomain.com> -A tcp/80043 --Server-port 80400 -s --get-key knockfwknop-server --Spoof-user fwknop-server
ssh <username>@<yourdomain.com> -p80043

fwknop -D <yourdomain.com> -A tcp/80044 --Server-port 80400 -s --get-key knockserver1 --Spoof-user server1
ssh <username>@<yourdomain.com> -p80044

fwknop -D <yourdomain.com> -A tcp/80045 --Server-port 80400 -s --get-key knockserver2 --Spoof-user server2
ssh <username>@<yourdomain.com> -p80045

c++ Version 2.0
fwknop -D <yourdomain.com> -A tcp/80043 -p 80400 -s -U fwknop-server --get-key knockfwknop-server
ssh <username>@<yourdomain.com> -p80043

fwknop -D <yourdomain.com> -A tcp/80044 -p 80400 -s -U server1 --get-key knockserver1
ssh <username>@<yourdomain.com> -p80044

fwknop -D <yourdomain.com> -A tcp/80045 -p 80400 -s -U server2 --get-key knockserver2
ssh <username>@<yourdomain.com> -p80045

resulting daemon.log entries

For port 80043:
fwknopd[19265]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: Added Rule to FWKNOP_INPUT for XXX.XXX.XXX.XXX, tcp/80043 expires at1332245168
fwknopd[19265]: Added OUTPUT Rule to FWKNOP_OUTPUT for XXX.XXX.XXX.XXX, tcp/80043 expires at1332245168

For port 80044:
fwknopd[2504]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[2504]: (stanza #2) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: Added FORWARD Rule to FWKNOP_FORWARD for XXX.XXX.XXX.XXX, tcp/80044 expires at1332216742
fwknopd[2504]: Added DNAT Rule to FWKNOP_PREROUTING for XXX.XXX.XXX.XXX, tcp/80044 expires at1332216742

For port 80045:
fwknopd[19265]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[19265]: (stanza #2) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: (stanza #2) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[19265]: (stanza #3) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: Added FORWARD Rule to FWKNOP_FORWARD for XXX.XXX.XXX.XXX, tcp/80045 expires at1332244853
fwknopd[19265]: Added DNAT Rule to FWKNOP_PREROUTING for XXX.XXX.XXX.XXX, tcp/80045 expires at1332244853
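As an added example (not part of this post or of fwknop itself), a small Python triage script for daemon.log lines in the format above. fwknopd tries the access.conf stanzas in order, so a packet keyed for stanza N legitimately logs N-1 "Error creating fko context" lines before being accepted; what is worth noticing is a packet that no stanza accepts. The sample log is constructed from the entries above plus one made-up packet from 203.0.113.7 (a documentation address) that every stanza rejects, which is what a wrong key, or the untested 2.0-client-to-1.9-server case from the summary, looks like.

```python
import re

# Constructed sample in the daemon.log format quoted above. The third packet
# (from 203.0.113.7, a documentation address) is made up: no stanza decrypts it.
SAMPLE_LOG = """\
fwknopd[19265]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[19265]: Added Rule to FWKNOP_INPUT for XXX.XXX.XXX.XXX, tcp/80043 expires at1332245168
fwknopd[19265]: Added OUTPUT Rule to FWKNOP_OUTPUT for XXX.XXX.XXX.XXX, tcp/80043 expires at1332245168
fwknopd[2504]: (stanza #1) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[2504]: (stanza #2) SPA Packet from IP: XXX.XXX.XXX.XXX received with access source match
fwknopd[2504]: Added FORWARD Rule to FWKNOP_FORWARD for XXX.XXX.XXX.XXX, tcp/80044 expires at1332216742
fwknopd[2504]: Added DNAT Rule to FWKNOP_PREROUTING for XXX.XXX.XXX.XXX, tcp/80044 expires at1332216742
fwknopd[19265]: (stanza #1) SPA Packet from IP: 203.0.113.7 received with access source match
fwknopd[19265]: (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[19265]: (stanza #2) SPA Packet from IP: 203.0.113.7 received with access source match
fwknopd[19265]: (stanza #2) Error creating fko context: Decryption failed or decrypted data is invalid
fwknopd[19265]: (stanza #3) SPA Packet from IP: 203.0.113.7 received with access source match
fwknopd[19265]: (stanza #3) Error creating fko context: Decryption failed or decrypted data is invalid
"""

SPA_RE = re.compile(r"\(stanza #(\d+)\) SPA Packet from IP: (\S+) received")
ERR_RE = re.compile(r"\(stanza #(\d+)\) Error creating fko context")
RULE_RE = re.compile(r"Added (?:\S+ )?Rule to (\S+) for \S+, (\S+) expires at(\d+)")

def summarize(log_text):
    """One record per SPA packet: source IP, the stanza that accepted it (None if
    none did), the stanzas that failed to decrypt it, and the chains that got rules."""
    events, cur = [], None
    for line in log_text.splitlines():
        if m := SPA_RE.search(line):
            if int(m.group(1)) == 1 or cur is None:   # a new packet walk starts at stanza #1
                cur = {"ip": m.group(2), "stanza": None, "failed": [], "chains": [], "port": None}
                events.append(cur)
            cur["stanza"] = int(m.group(1))
        elif (m := ERR_RE.search(line)) and cur:
            cur["failed"].append(int(m.group(1)))
        elif (m := RULE_RE.search(line)) and cur:
            cur["chains"].append(m.group(1))
            cur["port"] = m.group(2)
    for ev in events:
        ev["status"] = "granted" if ev["chains"] else "denied"
        if ev["status"] == "denied":
            ev["stanza"] = None   # walked every stanza without a match
    return events
```

Calling summarize(SAMPLE_LOG) yields three records; a source that repeatedly shows up as "denied" with every stanza in "failed" is the one to investigate, since the expected pattern is at most N-1 failures followed by rule installation.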

resulting iptables created

Chain FWKNOP_FORWARD (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  XXX.XXX.XXX.XXX        192.168.3.2          tcp dpt:22 /* _exp_1332244853 */
ACCEPT     tcp  --  XXX.XXX.XXX.XXX        192.168.2.2          tcp dpt:22 /* _exp_1332244986 */

Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  XXX.XXX.XXX.XXX        0.0.0.0/0            tcp dpt:80043 /* _exp_1332245168 */

Chain FWKNOP_OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            XXX.XXX.XXX.XXX        tcp spt:80043 /* _exp_1332245168 */

And NAT table:

Chain FWKNOP_PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  XXX.XXX.XXX.XXX        0.0.0.0/0            tcp dpt:80045 /* _exp_1332244853 */ to:192.168.3.2:22
DNAT       tcp  --  XXX.XXX.XXX.XXX        0.0.0.0/0            tcp dpt:80044 /* _exp_1332244986 */ to:192.168.2.2:80044
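As an added example (not part of this post or of fwknop itself), a Python checker that reads the FORCE_NAT stanzas from access.conf and the FWKNOP_PREROUTING listing, and confirms the DNAT target fwknopd installed for each knock port is the IP and port the stanza declares. Both inputs are constructed copies of the text above; run on them, it flags the tcp/80044 rule, whose DNAT target in the listing is 192.168.2.2:80044 while the stanza says 192.168.2.2 22.

```python
import re

# Constructed copies of the two FORCE_NAT stanzas and the FWKNOP_PREROUTING
# listing shown above (source address masked as in the post).
ACCESS_CONF = """\
SOURCE: ANY;
REQUIRE_USERNAME: server1;
OPEN_PORTS: tcp/80044;
KEY: password2;
FORCE_NAT 192.168.2.2 22;
FW_ACCESS_TIMEOUT: 3600;

SOURCE: ANY;
REQUIRE_USERNAME: server2;
OPEN_PORTS: tcp/80045;
KEY: password3;
FORCE_NAT 192.168.3.2 22;
FW_ACCESS_TIMEOUT: 3600;
"""
NAT_LISTING = """\
Chain FWKNOP_PREROUTING (1 references)
DNAT       tcp  --  XXX.XXX.XXX.XXX        0.0.0.0/0            tcp dpt:80045 /* _exp_1332244853 */ to:192.168.3.2:22
DNAT       tcp  --  XXX.XXX.XXX.XXX        0.0.0.0/0            tcp dpt:80044 /* _exp_1332244986 */ to:192.168.2.2:80044
"""

# knock port and DNAT target of one iptables -t nat -L line; header lines do not match
DNAT_RE = re.compile(r"^DNAT\s+tcp\b.*\bdpt:(\d+)\b.*\bto:([\d.]+):(\d+)")

def parse_access_conf(text):
    """One dict per blank-line-separated stanza; the colon after a keyword is optional."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        st = {}
        for line in block.splitlines():
            key, _, val = line.strip().rstrip(";").partition(" ")
            st[key.rstrip(":")] = val.strip()
        stanzas.append(st)
    return stanzas

def check_force_nat(access_text, nat_listing):
    """(knock_port, expected_target, installed_target, ok) per FORCE_NAT stanza."""
    installed = {int(m.group(1)): f"{m.group(2)}:{m.group(3)}"
                 for m in map(DNAT_RE.match, nat_listing.splitlines()) if m}
    results = []
    for st in (s for s in parse_access_conf(access_text) if "FORCE_NAT" in s):
        port = int(st["OPEN_PORTS"].split("/")[1])      # OPEN_PORTS: tcp/80044 -> 80044
        expected = ":".join(st["FORCE_NAT"].split())    # "192.168.2.2 22" -> "192.168.2.2:22"
        actual = installed.get(port)                    # None if no DNAT rule is present
        results.append((port, expected, actual, actual == expected))
    return results
```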

notes

Need to lock down the firewall more immediately - probably by doing some more blocking and using the SNAT options.

Now that we're NATted, SSH locks up a bit - to fix it, add the following:
$ cat .ssh/config
Host *
   ServerAliveInterval 240

FORCE_NAT mode: For iptables firewalls, a new FORCE_NAT mode has
been implemented that works as follows: for any valid  SPA packet,
force the requested connection to be NAT'd through to the specified
(usually internal) IP and port value.
This is useful if there are multiple internal systems running a
service such as SSHD, and you want to give transparent access to
only one internal system for each stanza in the access.conf file.
This way, multiple external users can each directly access only one
internal system per SPA key.

conclusions

It seems a powerdown of the entire environment last night was all it took to get this going.
The only two things I would like to do are to re-write the above documentation and pass it on to the fwknop devs as an example installation, and to try to contribute somehow to the development direction of the FORCE_NAT stanza. If the stanza could take a source port, we could add multiple FORCE_NAT statements to each access.conf stanza and thus only require one username/key for each user rather than three. If FORCE_NAT could also accept in and out interfaces, we might be able to segment better - I think :)



On 19/03/2012, at 9:15, Poignant Murf <poignantmurf@gmail.com> wrote:

1st and most importantly, thank you for fwknop, it's ~£{?|£|\ awesome

2nd, confirming that only one FORCE_NAT option is allowed for each access.conf stanza - and since most of my networks are NAT, the possibility of changing the setup in the future to 'FORCE_NAT <source port> <NAT ip address> <NAT port>', which would allow multiple NAT statements per stanza.

3rd is just a query - has anyone had any success using a version 1.9 fwknop client knocking into a version 2 server? I'm keeping defaults on both ATM and the key file across the 1.9 and 2 clients, so the password is not my issue - I figure I need to change something in the .fwknoprc file on the client. The error is 'error creating fko context: decryption failed or decryption data is invalid'. As I still support clients and servers running version 1.9, this would be handy.

Thank you all very much