OpenSLS: Documentation: IPsec Working Configuration for Starters

This document describes setting up two computers to use IPsec in transport mode. It is a quick-start configuration guide. The following example works for all Linux Mandrake distributions from 9.0 to 9.2 (including CS2.1), and should work with other distributions with minor modification.

Test machines in this case are running Mandrake 9.1 (http://www.linux-mandrake.com) and OpenSLS-Current Alpha (http://www.opensls.org)

Requirements:

You must install the freeswan package. Install it with urpmi, which will pull in all the dependencies freeswan requires:

[root@machineA]# urpmi freeswan

PSK (Preshared-Secret) Setup example:

Assume there are two machines, machine A with IP 192.168.0.100 and machine B with IP 192.168.0.101. We want to set up IPsec between the two using a PSK (pre-shared secret). In this example the secret shared by the two machines is 0x123456 (a deliberately short lab value; see the note below). The algorithms used in the example are 3DES for encryption and HMAC-SHA-1 (sha1-96) for integrity.

FreeS/WAN uses /etc/freeswan/ipsec.secrets as one of its configuration files. At the bottom of the file, add the following line (leave the RSA keying entries already present alone for now):

192.168.0.100 192.168.0.101: PSK 0x123456

This secret is all that authenticates the two peers to each other, so ipsec.secrets must be readable by root only (mode 0600), and for anything beyond a lab test the secret should be long and random rather than a short value like 0x123456.

Now edit /etc/freeswan/ipsec.conf and add the following conn section at the bottom of the file, leaving the other configuration options already present in the file alone:

conn test
    auto=start
    left=192.168.0.100
    right=192.168.0.101
    keyexchange=ike
    esp=3des-sha1-96
    keyingtries=5
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=secret
    pfs=yes

Now do the same thing on machine B: add the same ipsec.secrets line and copy the entire conn test section across unchanged. You do not need to swap left and right; pluto works out which side it is by matching the left/right addresses against the machine's own interfaces.

Finally, start the IPsec service. On Machine A execute:

[root@machineA]# service ipsec start

Do the same on Machine B.
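The PSK steps above, with the two things the walkthrough glosses over (a strong secret and a root-only secrets file) done properly. This is an added example written for this page, not FreeS/WAN's own tooling; it takes the secrets file path as an argument so it can be tried against a scratch file before touching the real /etc/freeswan/ipsec.secrets. The 32-byte size and the 128-bit minimum in the lint are this example's choices.

```sh
#!/bin/sh
# Added example (not from the original page or from FreeS/WAN): install a
# random PSK for the two peers in FreeS/WAN's ipsec.secrets format and
# check the result. Usage: ./mkpsk.sh /path/to/ipsec.secrets
set -eu

LEFT=192.168.0.100
RIGHT=192.168.0.101

# 32 random bytes from /dev/urandom as 64 hex digits, in the 0x form that
# ipsec.secrets accepts for a PSK (the page's 0x123456 is the same form).
gen_psk() {
    printf '0x%s' "$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')"
}

# Append "left right: PSK <secret>" to the secrets file. umask 077 means the
# file is never created with wider permissions, even briefly; chmod covers a
# pre-existing file that was too open.
write_psk_entry() {
    file=$1; psk=$2
    ( umask 077; touch "$file" )
    chmod 600 "$file"
    printf '%s %s: PSK %s\n' "$LEFT" "$RIGHT" "$psk" >> "$file"
}

# Lint: the file is mode 0600 and every PSK line is "addr addr: PSK 0x<hex>"
# with at least 32 hex digits (128 bits, this example's minimum).
# Returns 0 on pass, 1 on any failure.
check_secrets() {
    file=$1
    if [ -z "$(find "$file" -perm 600)" ]; then
        echo "BAD: $file is not mode 0600" >&2
        return 1
    fi
    if grep 'PSK' "$file" | grep -Evq '^[0-9.]+ [0-9.]+: PSK 0x[0-9a-fA-F]{32,}$'; then
        echo "BAD: malformed or too-short PSK line in $file" >&2
        return 1
    fi
    return 0
}

# Run it: generate, install, verify. The same line must go into both
# machines' ipsec.secrets, so copy it across over a trusted channel.
if [ -n "${1:-}" ]; then
    psk=$(gen_psk)
    write_psk_entry "$1" "$psk"
    check_secrets "$1" && echo "installed PSK entry in $1"
fi
```

Running check_secrets against a file holding the page's 0x123456 line fails the length check, which is the point: it is fine for watching the handshake in a lab, not for a real link.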

In the syslog on each machine you should see something like:

Jun  4 10:48:20 opensls pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun  4 10:48:20 opensls pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun  4 10:48:20 opensls pluto[3215]: "test" #1: initiating Main Mode
Jun  4 10:48:20 opensls pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.101'
Jun  4 10:48:20 opensls pluto[3215]: "test" #1: ISAKMP SA established
Jun  4 10:48:20 opensls pluto[3215]: "test" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP {using isakmp#1}
Jun  4 10:48:20 opensls pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun  4 10:48:23 opensls pluto[3215]: "test" #3: responding to Main Mode
Jun  4 10:48:24 opensls pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.0.101'
Jun  4 10:48:24 opensls pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun  4 10:48:24 opensls pluto[3215]: "test" #4: responding to Quick Mode
Jun  4 10:48:24 opensls pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}

This indicates that both machines have established an ISAKMP SA and an IPsec SA with each other.

Now test the connection by pinging Machine A from Machine B (i.e. 192.168.0.101 -> 192.168.0.100). On Machine A:

[root@machineA]# tcpdump host 192.168.0.101

On Machine B:

[root@machineB]# ping 192.168.0.100

In the tcpdump output you will see ESP packets, identified by their SPI, instead of the normal ICMP echo request and reply from machine B, somewhat like this (if you see "icmp: echo request" lines between the two hosts, the traffic is not being protected):

10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)

RSA Signature (rsasig) Setup example:

Assume there are two machines, machine A with IP 192.168.0.100 and machine B with IP 192.168.0.101. We want to set up IPsec between the two using RSA signatures (rsasig) for authentication. The algorithms used in the example are 3DES for encryption and HMAC-SHA-1 (sha1-96) for integrity.

Before the two machines can authenticate each other, each needs its own RSA key pair.

To check whether a key is already installed on your system, type:

[root@machineA]# ipsec showhostkey --left
   
The output should look like this (with the key shortened for easy reading):

# RSA 4096 bits   xy.example.org   Fri Jun  4 14:17:10 2004
    leftrsasigkey=0sAQOc4lN5FJ7o………

Depending on the distribution and how it was installed, the RSA key may range from 1024 bits up to 4096 or more.
 
If you don't have a key (the command above prints nothing), generate one with:

[root@machineA]# ipsec newhostkey --output /etc/freeswan/ipsec.secrets

This generates an RSA key of the default length. You can force the key length you want with the --bits option:

[root@machineA]# ipsec newhostkey --output /etc/freeswan/ipsec.secrets --bits 2048

The above example generates a 2048-bit RSA key. The private key lands in ipsec.secrets, which must stay readable by root only.

Make sure both machines show a key when you type

[root@machineA]# ipsec showhostkey --left

Now collect the RSA public keys from both machines and put them into the configuration.

On machine A, type

[root@machineA]# ipsec showhostkey --left

You'll see something like this:

# RSA 4096 bits   xy.example.org   Fri Jun  4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7o………
 
On machine B, type

[root@machineB]# ipsec showhostkey --right

You'll see something like this:

# RSA 4096 bits   xy.example.org   Fri Jun  4 14:17:06 2004
rightrsasigkey=0sAQOc4lN5FK7o………

Now edit /etc/freeswan/ipsec.conf and add the following to the bottom of the file, leaving the other configuration options already present in the file alone. IMPORTANT: both the leftrsasigkey and rightrsasigkey fields are very LONG lines. When a key is copied from one machine to the other it is often wrapped over several lines on the way, so it may arrive looking like this:

leftrsasigkey=0sAQOc4lN5FJ7oISHXCEn4ggjtLxwYV1o5T3gbmQTvzGE5JkFlweRm9qe59pKA8ogmAS1fFV6Fcm
OLaoqsZJIVEgt02EhmlBNABPfxe/qKgd8VVO+gUxKMvLte1uTTpHLIAyai/Cmsdq//Phi0cSDU/c4OUWGAALI2Mr
7ab0IteU8p/Yuj1+bg8DVSVJLFCQA4uz6TXjSH/43v1X7CI+wY7Bf0gvR50RrI8eTjnDrPWCrzg5cycDqLAmlwZkaj
MvijCd80MHAzqpF3mgF0sEDkoIJiimyGVVUo9G0MB7AWYGCMY//OZuyfHYthO3apLRpkAZi+ZP8mrPZgnaHE
T0IB9Ix3im/+7QbuSN7YGo18mmIoVl6F9t2AE7S7pCvLi1+LG7kf8jj5xC1UFt4ZtnJff+repsnxbTNZf0k2rYfst9XjpZa
OY7SgbephxBKpo/enpfFVXOjzVGFaf3230i9/lw6dGCk70VdfUSQrAnftRp46Jn6INEE8xL6FCPAlYymMGvQk+Fq
kLFQQFjvG/Os7EYS2DYzbyq3RWSqQwdUVAM95CHcOu/k6DAZupzpBu2Ar2ePmyaRnuz6QDBmnpp0YIq+Ww
sQi8WPip0HrpyUP4A1RVEIJzIxmVCxLMlR+ntIquHtAHwJmmy2nfMPRVIcXIJTvy5/2Gxxh/a2/tOiHsGPSSw==

Make sure each key ends up on one LONG line, not several, in the conn section:

conn test
    auto=start
    left=192.168.0.100
    leftrsasigkey=0sAQOc4lN5FJ7o………………
    right=192.168.0.101
    rightrsasigkey=0sAQOc4lN5FK7o…………
    keyexchange=ike
    esp=3des-sha1-96
    keyingtries=5
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=rsasig
    pfs=yes

Now do the same thing on machine B: copy the entire conn test section across unchanged. You do not need to swap left and right; pluto works out which side it is by matching the left/right addresses against the machine's own interfaces. Unlike the PSK case, do not copy ipsec.secrets: each machine keeps its own private key there, and only the public keys (the rsasigkey lines) are shared, via ipsec.conf. Get each peer's public key over a channel you trust, e.g. read it off its console, since whatever key you paste here is who you will authenticate.
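The wrapped-key problem the IMPORTANT note above warns about, handled in code. This is an added example for this page, not a FreeS/WAN utility: it rejoins ipsec showhostkey output that arrived wrapped over several lines, checks that each value is "0s" followed only by base64 characters before it goes into ipsec.conf, and emits the conn section. The two key blobs embedded below are constructed for the example and are not real keys; the hostnames in their comment lines are placeholders.

```sh
#!/bin/sh
# Added example (not from the original page or from FreeS/WAN): rebuild the
# leftrsasigkey=/rightrsasigkey= lines from wrapped "ipsec showhostkey"
# output, validate them, and print the conn section for ipsec.conf.
set -eu

# Constructed showhostkey output, wrapped the way a mailer or terminal would
# wrap it. Not real keys.
LEFT_SHOW='# RSA 2048 bits   machinea.example.org   Fri Jun  4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7oISHXCEn4ggjtLxwYV1o5T3gbmQTvzGE5JkFlweRm9qe59pKA8
ogmAS1fFV6FcmOLaoqsZJIVEgt02EhmlBNABPfxe/qKgd8VVO+gUxKMvLte1uTTpHLIAyai/Cms
dq//Phi0cSDU/c4OUWGAALI2Mr7ab0IteU8p/Yuj1+bg8DVSVJLFCQA4uz6TXjSH/43v1X7CI=='

RIGHT_SHOW='# RSA 2048 bits   machineb.example.org   Fri Jun  4 14:17:06 2004
rightrsasigkey=0sAQPf2kLm9ZyQ7wXcR1vB4tN8sHjE3dUaK6oGiF5pV0rM2nS7xT9eC1bW4yZ
qL8kJ3hG6fD5aN0mP2uR9tY7wE4iO1sV3cB6xZ8vQ5nM2kL7jH4gF1dS9aP0oI3uY6tR8eW2qT5yU=='

# join_key NAME TEXT: find the "NAME=" line in TEXT and glue every following
# line onto it until a blank line, a "#" comment or another key line.
# Whitespace (including stray CRs) is removed from the value.
join_key() {
    printf '%s\n' "$2" | awk -v k="$1=" '
        !found && index($0, k) == 1 { found = 1; val = substr($0, length(k) + 1); next }
        found && (/^[ \t]*$/ || /^#/ || /^(left|right)rsasigkey=/) { exit }
        found { val = val $0 }
        END { if (found) { gsub(/[ \t\r]/, "", val); print k val } }'
}

# valid_key LINE: 0 if LINE is "<side>rsasigkey=0s" followed only by base64
# characters and optional padding; anything else (a space left by a paste,
# a missing 0s prefix) is rejected.
valid_key() {
    printf '%s\n' "$1" | grep -Eq '^(left|right)rsasigkey=0s[A-Za-z0-9+/]+={0,2}$'
}

# make_conn LEFTLINE RIGHTLINE: the page's conn section with the two keys
# dropped in. The same text goes into ipsec.conf on both machines; the
# private keys stay in each machine's own ipsec.secrets.
make_conn() {
    cat <<EOF
conn test
    auto=start
    left=192.168.0.100
    $1
    right=192.168.0.101
    $2
    keyexchange=ike
    esp=3des-sha1-96
    keyingtries=5
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=rsasig
    pfs=yes
EOF
}

# Assemble both keys, refuse to emit a conn section with a malformed key.
build_conn() {
    left=$(join_key leftrsasigkey "$LEFT_SHOW")
    right=$(join_key rightrsasigkey "$RIGHT_SHOW")
    valid_key "$left" && valid_key "$right" || { echo "malformed rsasigkey" >&2; return 1; }
    make_conn "$left" "$right"
}

build_conn
```

Anything that comes out of valid_key as a failure is a key that pluto would also refuse or, worse, silently treat as a different key than the peer holds; fix the paste rather than the check.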

Finally, start the IPsec service. On Machine A execute:

[root@machineA]# service ipsec start

Do the same on Machine B.

In the syslog on each machine you should see something like:

Jun  4 10:48:20 opensls pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun  4 10:48:20 opensls pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun  4 10:48:20 opensls pluto[3215]: "test" #1: initiating Main Mode
Jun  4 10:48:20 opensls pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.101'
Jun  4 10:48:20 opensls pluto[3215]: "test" #1: ISAKMP SA established
Jun  4 10:48:20 opensls pluto[3215]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#1}
Jun  4 10:48:20 opensls pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun  4 10:48:23 opensls pluto[3215]: "test" #3: responding to Main Mode
Jun  4 10:48:24 opensls pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.0.101'
Jun  4 10:48:24 opensls pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun  4 10:48:24 opensls pluto[3215]: "test" #4: responding to Quick Mode
Jun  4 10:48:24 opensls pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}

This indicates that both machines have established an ISAKMP SA and an IPsec SA with each other.

Now test the connection by pinging Machine A from Machine B (i.e. 192.168.0.101 -> 192.168.0.100). On Machine A:

[root@machineA]# tcpdump host 192.168.0.101

On Machine B:

[root@machineB]# ping 192.168.0.100

In the tcpdump output you will see ESP packets, identified by their SPI, instead of the normal ICMP echo request and reply from machine B, somewhat like this (if you see "icmp: echo request" lines between the two hosts, the traffic is not being protected):

10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)
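The ping-and-tcpdump test, in both the PSK section and this RSA section, is only convincing if two things hold: nothing between the two peers crosses the wire in the clear, and every ESP packet carries an SPI that pluto actually negotiated (the "{ESP=>0x... <0x...}" pair in the log). This added example, not part of the original page or of FreeS/WAN, checks both against saved syslog and tcpdump output. The log and capture lines embedded below are constructed for the example in the page's formats, with tcpdump's -n style addresses; the capture with an "icmp: echo request" line shows what a failure looks like.

```sh
#!/bin/sh
# Added example (not from the original page or from FreeS/WAN): cross-check
# a tcpdump capture between the two peers against the SAs pluto logged.
set -eu

LEFT=192.168.0.100
RIGHT=192.168.0.101

# Constructed pluto log lines in the page's format (SPIs as in the page).
PLUTO_LOG='Jun  4 10:48:20 opensls pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun  4 10:48:24 opensls pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}'

# Constructed "tcpdump -n host 192.168.0.101" output: what you want to see.
CAPTURE_OK='10:49:53.881975 192.168.0.101 > 192.168.0.100: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 192.168.0.100 > 192.168.0.101: ESP(spi=0x600f581a,seq=0x4)'

# Constructed capture with an echo request in the clear: what you do not.
CAPTURE_LEAK='10:49:53.881975 192.168.0.101 > 192.168.0.100: icmp: echo request (DF)
10:49:53.882221 192.168.0.100 > 192.168.0.101: ESP(spi=0x600f581a,seq=0x4)'

# Both SPIs of every "IPsec SA established {ESP=>out <in}" line, one per line.
established_spis() {
    printf '%s\n' "$1" | awk '/IPsec SA established [{]ESP=>/ {
        sub(/.*[{]ESP=>/, ""); sub(/[}].*/, ""); gsub(/</, "")
        print $1; print $2 }'
}

# SPIs carried by ESP packets in the capture, one per line.
wire_spis() {
    printf '%s\n' "$1" | awk 'match($0, /spi=0x[0-9a-f]+/) {
        print substr($0, RSTART + 4, RLENGTH - 4) }'
}

# Capture lines between the two peers that are not ESP, i.e. cleartext.
cleartext_between() {
    printf '%s\n' "$1" | awk -v a="$LEFT" -v b="$RIGHT" \
        'index($0, a) && index($0, b) && !/ESP[(]spi=/'
}

# verify_capture LOG CAPTURE: 0 if all peer traffic is ESP under an SPI pluto
# negotiated; 1 (with the offending lines on stderr) otherwise.
verify_capture() {
    log=$1; cap=$2; rc=0
    leaks=$(cleartext_between "$cap")
    if [ -n "$leaks" ]; then
        echo "FAIL: cleartext traffic between $LEFT and $RIGHT:" >&2
        printf '%s\n' "$leaks" >&2
        rc=1
    fi
    known=" $(established_spis "$log" | tr '\n' ' ')"
    for spi in $(wire_spis "$cap"); do
        case $known in
            *" $spi "*) ;;
            *) echo "FAIL: ESP with SPI $spi is not in any established SA" >&2; rc=1 ;;
        esac
    done
    return $rc
}

verify_capture "$PLUTO_LOG" "$CAPTURE_OK" && echo "capture OK: all peer traffic is ESP under negotiated SAs"
```

To use it on a live pair, feed verify_capture the pluto lines from syslog and the output of tcpdump -n host <peer> captured on the physical interface; the SPIs must match what the log shows or you are looking at someone else's SA.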

This document was written by Ying-Hung Chen, ying@yingternet.com (http://www.yingternet.com).

Last updated 6-15-2004