OpenSLS:
Documentation: IPsec Working Configuration for Starters
This document describes setting up two computers to use IPsec in transport mode.
It is a quick-start configuration guide. The following example works for all Linux
Mandrake distributions from 9.0 to 9.2 (including CS2.1), and should work with other
distributions with minor modification.
The test machines in this case are running Mandrake 9.1 (http://www.linux-mandrake.com)
and OpenSLS-Current Alpha (http://www.opensls.org).
Requirements:
You must install the freeswan package. Install it using urpmi (urpmi will find all
the dependencies that freeswan requires):
[root@machineA]# urpmi freeswan
PSK (Preshared-Secret)
Setup example:
Assume there are two machines, machine A with IP 192.168.10.100 and machine B with
IP 192.168.10.101. We want to set up IPsec between the two using a PSK
(Preshared-Secret). In this example, the secret shared between the two machines is
0x123456. The algorithms in the following example are 3DES for encryption and SHA-1
for the hash.
Freeswan uses /etc/freeswan/ipsec.secrets as one of its configuration files. At the
bottom of the file, add the following (ignore the rest of the RSA keying stuff for now):
192.168.0.100 192.168.0.101: PSK 0x123456
Now edit /etc/freeswan/ipsec.conf and add the following to the bottom of the file,
ignoring the other configuration options already present in the file:
conn test
    auto=start
    left=192.168.0.100
    right=192.168.0.101
    keyexchange=ike
    esp=3des-sha1-96
    keyingtries=5
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=secret
    pfs=yes
Now you need to do the same thing on machine B. Do exactly the same thing; you don't
need to worry about switching left and right. (Simply copy the entire conn test
section to machine B.)
Finally, you need to start the IPsec session. On Machine A execute:
[root@machineA]# service ipsec start
Do the same on Machine B.
In the syslogs on each machine, you should see something like:
Jun 4 10:48:20 opensls pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun 4 10:48:20 opensls pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: initiating Main Mode
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.100'
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: ISAKMP SA established
Jun 4 10:48:20 opensls pluto[3215]: "test" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP {using isakmp#1}
Jun 4 10:48:20 opensls pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun 4 10:48:23 opensls pluto[3215]: "test" #3: responding to Main Mode
Jun 4 10:48:24 opensls pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.10.11'
Jun 4 10:48:24 opensls pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun 4 10:48:24 opensls pluto[3215]: "test" #4: responding to Quick Mode
Jun 4 10:48:24 opensls pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}
This indicates that both machines have established the connection to one another.
Now you can test the connection. Do so by pinging Machine A from Machine B (i.e.
192.168.0.101->192.168.0.100). On Machine A:
[root@machineA]# tcpdump host 192.168.0.101
On Machine B:
[root@machineB]# ping 192.168.0.100
By watching the tcpdump output, you'll see ESP packets (identified by their SPI)
instead of the normal ping packets from machine B, somewhat like this:
10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)
Rsasig (RSA Signature)
Setup example:
Assume there are two machines, machine A with IP 192.168.10.100 and machine B with
IP 192.168.10.101. We want to set up IPsec between the two using RSA (RSA
Signature) authentication. The algorithms in the following example are 3DES for
encryption and SHA-1 for the hash.
Before both machines can authenticate themselves to each other, each machine must
have its own RSA key.
To check whether or not you have a key installed on your system, type:
[root@machineA]# ipsec showhostkey --left
The output should look like this (with the key shortened for easy reading):
# RSA 4096 bits xy.example.org Fri Jun 4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7o………
Depending on the distribution and installation, the RSA keys may range from 1024 bits up to 4096 bits or higher.
If you don't have a key, or the above command shows nothing, run:
[root@machineA]# ipsec newhostkey --output /etc/freeswan/ipsec.secrets
This will generate an RSA key ranging from 1024 to 4096 bits. You can force it to generate the key length you want using the --bits option:
[root@machineA]# ipsec newhostkey --output /etc/freeswan/ipsec.secrets --bits 2048
The above example will generate a 2048-bit RSA key.
Make sure both machines show some type of key when you type:
[root@machineA]# ipsec showhostkey --left
Now, obtain the RSA public keys from both machines and put them into the configuration.
On machine A, type:
[root@machineA]# ipsec newhostkey --output /etc/freeswan/ipsec.secrets --bits 2048
[root@machineA]# ipsec showhostkey --left
You'll see something like this:
# RSA 4096 bits xy.example.org Fri Jun 4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7o………
On machine B, type:
[root@machineB]# ipsec showhostkey --right
You'll see something like this:
# RSA 4096 bits xy.example.org Fri Jun 4 14:17:6 2004
rightrsasigkey=0sAQOc4lN5FK7o………
Now edit /etc/freeswan/ipsec.conf and add the following to the bottom of the file,
ignoring the other configuration options already present in the file. IMPORTANT:
both the leftrsasigkey and rightrsasigkey fields will be a very LONG line, since
the key itself may be a couple of lines long when printed; for example, it may look
like this:
leftrsasigkey=0sAQOc4lN5FJ7oISHXCEn4ggjtLxwYV1o5T3gbmQTvzGE5JkFlweRm9qe59pKA8ogmAS1fFV6Fcm
Make sure each key is on one LONG line instead of a couple of lines:
conn test
    auto=start
    left=192.168.0.100
    leftrsasigkey=0sAQOc4lN5FJ7o………………
    right=192.168.0.101
    rightrsasigkey=0sAQOc4lN5FK7o…………
    keyexchange=ike
    esp=3des-sha1-96
    keyingtries=5
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=rsasig
    pfs=yes
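As an added example (not part of this guide and not FreeS/WAN's own code), here is a small Python checker for both the PSK and the RSA conn sections above. It parses a conn section and ipsec.secrets and flags the mistakes this guide warns about: a PSK line whose address pair does not match the conn's left/right, a missing rsasigkey, and a key that was wrapped onto several lines. The sample input is constructed from the PSK example; function names are the example's own.

```python
import re

# Constructed sample (the guide's PSK example, not a real deployment): a conn
# section from ipsec.conf and the matching ipsec.secrets line.
IPSEC_CONF = """\
conn test
    left=192.168.0.100
    right=192.168.0.101
    esp=3des-sha1-96
    type=transport
    authby=secret
    pfs=yes
"""
IPSEC_SECRETS = "192.168.0.100 192.168.0.101: PSK 0x123456\n"

def parse_conns(text):
    """{name: {key: value}} per conn; lines without '=' land in '_stray'."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {"_stray": []})
        elif cur is not None and line.strip():
            if "=" in line:
                k, v = line.strip().split("=", 1)
                cur[k] = v
            else:  # e.g. the continuation of an rsasigkey that was wrapped
                cur["_stray"].append(line.strip())
    return conns

def psk_pairs(secrets_text):
    """Set of frozenset({ip1, ip2}) for which ipsec.secrets holds a PSK."""
    pat = re.compile(r"^\s*([\d.]+)\s+([\d.]+)\s*:\s*PSK\s+\S+")
    return {frozenset(m.groups()) for m in map(pat.match, secrets_text.splitlines()) if m}

def check_conn(conn, secrets_text):
    """List of problems; empty means the conn matches the authby= it declares."""
    problems = [f"missing {k}=" for k in ("left", "right", "authby", "esp") if k not in conn]
    if conn["_stray"]:
        problems.append("line(s) without '=': a key was probably wrapped onto several lines")
    authby = conn.get("authby")
    if authby == "secret":
        if frozenset((conn.get("left"), conn.get("right"))) not in psk_pairs(secrets_text):
            problems.append("authby=secret but ipsec.secrets has no PSK for this left/right pair")
    elif authby == "rsasig":
        for side in ("leftrsasigkey", "rightrsasigkey"):
            if not conn.get(side, "").startswith("0s"):
                problems.append(f"{side} is missing or is not a 0s... public key")
    return problems
```

Because the pair is compared as an unordered set, the same ipsec.secrets line passes on both machines, which is why the guide can say left and right need not be swapped. For anything beyond a lab test, use a long random PSK rather than a short value like 0x123456.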
Now you need to do the same thing on machine B. Do exactly the same thing; you don't
need to worry about switching left and right. (Simply copy the entire conn test
section to machine B.)
Finally, you need to start the IPsec session. On Machine A execute:
[root@machineA]# service ipsec start
Do the same on Machine B.
In the syslogs on each machine, you should see something like:
Jun 4 10:48:20 opensls pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun 4 10:48:20 opensls pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: initiating Main Mode
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.100'
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: ISAKMP SA established
Jun 4 10:48:20 opensls pluto[3215]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#1}
Jun 4 10:48:20 opensls pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun 4 10:48:23 opensls pluto[3215]: "test" #3: responding to Main Mode
Jun 4 10:48:24 opensls pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.10.11'
Jun 4 10:48:24 opensls pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun 4 10:48:24 opensls pluto[3215]: "test" #4: responding to Quick Mode
Jun 4 10:48:24 opensls pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}
This indicates that both machines have established the connection to one another.
Now you can test the connection. Do so by pinging Machine A from Machine B (i.e.
192.168.0.101->192.168.0.100). On Machine A:
[root@machineA]# tcpdump host 192.168.0.101
On Machine B:
[root@machineB]# ping 192.168.0.100
By watching the tcpdump output, you'll see ESP packets (identified by their SPI)
instead of the normal ping packets from machine B, somewhat like this:
10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)
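The verification step in both the PSK and the RSA sections relies on reading the pluto syslog and the tcpdump output by eye. As an added example (not part of this guide), the Python below automates that check: it collects the SPIs pluto reported in its "IPsec SA established" lines and then classifies each captured packet as protected (ESP with a negotiated SPI), unknown-spi (ESP with a SPI pluto never reported) or cleartext (non-ESP traffic between the peers, which would mean the tunnel is not actually in use). The sample lines are constructed from the guide's output, with one cleartext ICMP line added; function names are the example's own.

```python
import re

# Constructed sample lines modelled on the pluto syslog and tcpdump output in the
# guide (hostnames and SPIs are the guide's illustrative values, plus one icmp line).
PLUTO_LOG = """\
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: initiating Main Mode
Jun 4 10:48:20 opensls pluto[3215]: "test" #1: ISAKMP SA established
Jun 4 10:48:20 opensls pluto[3215]: "test" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP {using isakmp#1}
Jun 4 10:48:20 opensls pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun 4 10:48:24 opensls pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}
"""
TCPDUMP = """\
10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)
10:49:54.000000 machineB.yingternet.org > machineA.yingternet.org: icmp: echo request
"""

SA_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): .*?IPsec SA established '
                   r'\{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)\}')
PKT_RE = re.compile(r'^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<proto>ESP|icmp)'
                    r'(?:\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\))?')

def negotiated_spis(log_text):
    """Return {spi: (conn, state)} for both SPIs of every IPsec SA that pluto
    reported as established (pluto prints them as {ESP=>spi <spi})."""
    spis = {}
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if m:
            spis[m["out"]] = spis[m["inb"]] = (m["conn"], int(m["state"]))
    return spis

def audit_capture(capture_text, log_text):
    """Classify each captured packet as 'protected' (ESP with a negotiated SPI),
    'unknown-spi' (ESP pluto never reported) or 'cleartext' (non-ESP)."""
    spis = negotiated_spis(log_text)
    verdicts = []
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if m["proto"] != "ESP":
            verdicts.append(("cleartext", m["src"], m["dst"], None))
        elif m["spi"] in spis:
            verdicts.append(("protected", m["src"], m["dst"], m["spi"]))
        else:
            verdicts.append(("unknown-spi", m["src"], m["dst"], m["spi"]))
    return verdicts
```

Run against a real capture, any cleartext verdict between the two peers means the conn did not come up (or came up for the wrong addresses), and an unknown-spi verdict means ESP traffic is present that this host's pluto did not negotiate.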
This document was written by
Ying-Hung Chen ying@yingternet.com
(http://www.yingternet.com).
Last updated 6-15-2004