
Documentation: IPSec Working Configuration for Starters

Author: Ying-Hung Chen

This document describes how to set up two computers to use IPSec in transport mode. It is a quick-start configuration guide. The following example works for all Linux Mandrake distributions from 9.0 to 9.2 (including CS2.1), and should work with other distributions with minor modifications.

Test machines in this case are running Annvix 1.1-RELEASE and Annvix 1.2-RELEASE.

Requirements

You must install the openswan package. Install it using urpmi (urpmi will pull in all the dependencies openswan requires):

[root@machineA]# urpmi openswan

PSK (Preshared-Secret) Setup example

Assume there are two machines, machine A with IP 192.168.10.100 and machine B with IP 192.168.10.101. We want to set up IPsec between the two using a PSK (Preshared-Secret). In this example, the secret shared between the two machines is 0x123456. The following example uses AES for encryption; you can use Triple-DES instead by replacing aes with 3des.

Openswan uses /etc/openswan/ipsec.secrets as one of its configuration files. At the bottom of that file, add the following line (ignore the rest of the RSA keying material for now):

192.168.0.100 192.168.0.101: PSK 0x123456

Now edit /etc/openswan/ipsec.conf and add the following to the bottom of the file, ignoring the other configuration options already present in the file:

conn test
    auto=start
    left=192.168.0.100
    right=192.168.0.101
    keyexchange=ike
    esp=aes
    ike=aes
    keyingtries=0
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=secret

Now do the same on machine B. Use exactly the same section; you do not need to swap left and right. (Simply copy the entire "conn test" section to machine B.)

Finally, you need to start the IPSec session. On Machine A execute:

[root@machineA]# service ipsec start

Do the same on Machine B.

In the syslogs on each machine, you should see something like:

Jun  4 10:48:20 annvix pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun  4 10:48:20 annvix pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun  4 10:48:20 annvix pluto[3215]: "test" #1: initiating Main Mode
Jun  4 10:48:20 annvix pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.100'
Jun  4 10:48:20 annvix pluto[3215]: "test" #1: ISAKMP SA established
Jun  4 10:48:20 annvix pluto[3215]: "test" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP {using isakmp#1}
Jun  4 10:48:20 annvix pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun  4 10:48:23 annvix pluto[3215]: "test" #3: responding to Main Mode
Jun  4 10:48:24 annvix pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.10.11'
Jun  4 10:48:24 annvix pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun  4 10:48:24 annvix pluto[3215]: "test" #4: responding to Quick Mode
Jun  4 10:48:24 annvix pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}

This indicates both machines have established the connection to one another.

Now you can test the connection. Do so by pinging Machine A from Machine B (i.e. 192.168.0.101 -> 192.168.0.100). On Machine A:

[root@machineA]# tcpdump host 192.168.0.101

On Machine B:

[root@machineB]# ping 192.168.0.100

Watching the tcpdump output, you will see ESP packets carrying SPI values instead of the normal ping packets from machine B, something like this:

10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)

Rsasig (RSA Signature) Setup example

Assume there are two machines, machine A with IP 192.168.10.100 and machine B with IP 192.168.10.101. We want to set up IPsec between the two using RSA signatures for authentication. The following example uses AES for encryption; you can use Triple-DES instead by replacing aes with 3des.

Before the two machines can authenticate each other, each machine must have its own RSA key.

To check whether you already have a key installed on your system, type:

# ipsec showhostkey --left

The output should look like this (with the key shortened for easy reading):

# RSA 4096 bits   xy.example.org   Fri Jun  4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7o………

Depending on the distribution and installation, the RSA keys may range from 1024 bits up to 4096 bits or more.

If you do not have a key, or the above command shows nothing, run:

# ipsec newhostkey --output /etc/openswan/ipsec.secrets

This will generate an RSA key of between 1024 and 4096 bits. You can force the key length you want with the "--bits" option:

# ipsec newhostkey --output /etc/openswan/ipsec.secrets --bits 2048

The above example will generate a 2048-bit RSA key.

Make sure both machines show a key when you type

# ipsec showhostkey --left

Now obtain the RSA keys from both machines and put them into the configuration.

On machine A, type

[root@machineA]# ipsec showhostkey --left

you'll see something like this:

# RSA 4096 bits   xy.example.org   Fri Jun  4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7o………

On machine B, type

[root@machineB]# ipsec showhostkey --right

you'll see something like this:

# RSA 4096 bits   xy.example.org   Fri Jun  4 14:17:6 2004
rightrsasigkey=0sAQOc4lN5FK7o………

Now edit /etc/openswan/ipsec.conf and add the following to the bottom of the file, ignoring the other configuration options already present in the file. IMPORTANT: both the leftrsasigkey and rightrsasigkey fields are very LONG lines, since the key itself may span a couple of lines when displayed. For example, it may look like this:

leftrsasigkey=0sAQOc4lN5FJ7oISHXCEn4ggjtLxwYV1o5T3gbmQTvzGE5JkFlweRm9qe59pKA8ogmAS1fFV6FcmOLaoqsZJIVEgt02EhmlBNABPfxe/qKgd8VVO
+gUxKMvLte1uTTpHLIAyai/Cmsdq//Phi0cSDU/c4OUWGAALI2Mr7ab0IteU8p/Yuj1+bg8DVSVJLFCQA4uz6TXjSH/43v1X7CI
+wY7Bf0gvR50RrI8eTjnDrPWCrzg5cycDqLAmlwZkajMvijCd80MHAzqpF3mgF0sEDkoIJiimyGVVUo9G0MB7AWYGCMY//OZuyfHYthO3apLRpkAZi
+ZP8mrPZgnaHET0IB9Ix3im/+7QbuSN7YGo18mmIoVl6F9t2AE7S7pCvLi1
+LG7kf8jj5xC1UFt4ZtnJff+repsnxbTNZf0k2rYfst9XjpZaOY7SgbephxBKpo/enpfFVXOjzVGFaf3230i9/
lw6dGCk70VdfUSQrAnftRp46Jn6INEE8xL6FCPAlYymMGvQk+FqkLFQQFjvG/Os7EYS2DYzbyq3RWSqQwdUVAM95CHcOu/
k6DAZupzpBu2Ar2ePmyaRnuz6QDBmnpp0YIq
+WwsQi8WPip0HrpyUP4A1RVEIJzIxmVCxLMlR
+ntIquHtAHwJmmy2nfMPRVIcXIJTvy5/2Gxxh/a2/tOiHsGPSSw==

Make sure the key is entered as one LONG line rather than several lines.

conn test
    auto=start
    left=192.168.0.100
    right=192.168.0.101
    keyexchange=ike
    esp=aes
    ike=aes
    keyingtries=5
    rekeymargin=4m
    type=transport
    disablearrivalcheck=no
    authby=rsasig
    leftid=@machineA.yingternet.com
    rightid=@machineB.yingternet.com
    leftrsasigkey=0sAQOc4lN5FJ7o………………
    rightrsasigkey=0sAQOc4lN5FK7o…………

Now do the same on machine B. Use exactly the same section; you do not need to swap left and right. (Simply copy the entire "conn test" section to machine B.)
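A quick way to catch the wrapped-key mistake described above before starting pluto is to lint the conn section: every line must be a "conn <name>" header or an indented key=value pair. This shell script is an added example, not part of the Annvix page or of Openswan; the conn section and key material in it are constructed (the key is made up).

```shell
#!/bin/sh
# Added example, not from the Annvix page or from Openswan: catch a
# leftrsasigkey/rightrsasigkey that was pasted into ipsec.conf as several
# wrapped lines, and rejoin it. Openswan reads each key=value on one line, so
# a wrapped key leaves stray lines that are neither "conn <name>" nor key=value.

# Constructed sample conn section whose leftrsasigkey wrapped onto a second
# line; the key material is made up and not a real key.
WRAPPED_CONF='conn test
    auto=start
    left=192.168.0.100
    right=192.168.0.101
    authby=rsasig
    leftrsasigkey=0sAQOc4lN5FJ7oISHXCEn4ggjtLxwYV1o5T3gbmQTvzGE5JkFlweRm9qe5
+gUxKMvLte1uTTpHLIAyai/Cmsdq//Phi0cSDU/c4OUWGAALI2Mr7ab0IteU8p
    rightrsasigkey=0sAQOc4lN5FK7oAAAA'

# Report every line that is not a section header, blank, comment, or an
# indented key=value pair; exit 1 if any such line exists.
lint_conn_keys() {   # stdin = ipsec.conf text
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank line or comment
        /^conn[ \t]+[^ \t]+[ \t]*$/ { next }        # "conn <name>" header
        /^[ \t]+[A-Za-z]+=/ { next }                # indented key=value
        { bad++; printf "line %d is not key=value (wrapped key?): %s\n", NR, $0 }
        END { exit (bad > 0) }'
}

# Rewrite the text so that any line that does not start a new header or
# key=value pair is glued onto the preceding logical line.
join_wrapped_keys() {   # stdin = ipsec.conf text; stdout = rejoined text
    awk '
        function emit() { if (buf != "") print buf; buf = "" }
        /^conn[ \t]/ || /^[ \t]+[A-Za-z]+=/ { emit(); buf = $0; next }   # new logical line
        /^[ \t]*$/ || /^[ \t]*#/ { emit(); print; next }                 # pass through
        { buf = buf $0 }                                                 # continuation
        END { emit() }'
}

# Demonstration: lint the wrapped sample, then lint it again after rejoining.
printf '%s\n' "$WRAPPED_CONF" | lint_conn_keys || echo "wrapped key found"
printf '%s\n' "$WRAPPED_CONF" | join_wrapped_keys | lint_conn_keys && echo "rejoined config is clean"
```

Run the linter against your real /etc/openswan/ipsec.conf before "service ipsec start"; rejoin and re-lint if it reports stray lines.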

Finally, you need to start the IPSec session. On Machine A execute:

[root@machineA]# service ipsec start

Do the same on Machine B.

In the syslogs on each machine, you should see something like:

Jun  4 10:48:20 annvix pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun  4 10:48:20 annvix pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun  4 10:48:20 annvix pluto[3215]: "test" #1: initiating Main Mode
Jun  4 10:48:20 annvix pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.100'
Jun  4 10:48:20 annvix pluto[3215]: "test" #1: ISAKMP SA established
Jun  4 10:48:20 annvix pluto[3215]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#1}
Jun  4 10:48:20 annvix pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun  4 10:48:23 annvix pluto[3215]: "test" #3: responding to Main Mode
Jun  4 10:48:24 annvix pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.10.11'
Jun  4 10:48:24 annvix pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun  4 10:48:24 annvix pluto[3215]: "test" #4: responding to Quick Mode
Jun  4 10:48:24 annvix pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}

This indicates both machines have established the connection to one another.

Now you can test the connection. Do so by pinging Machine A from Machine B (i.e. 192.168.0.101 -> 192.168.0.100). On Machine A:

[root@machineA]# tcpdump host 192.168.0.101

On Machine B:

[root@machineB]# ping 192.168.0.100

Watching the tcpdump output, you will see ESP packets carrying SPI values instead of the normal ping packets from machine B, something like this:

10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)
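The verification step that closes both the PSK and the RSA walkthrough (check the pluto log, then watch tcpdump) can be tied together: the SPI in each ESP packet should be one that pluto reported in an "IPsec SA established" line for the conn. This shell script is an added example, not from the Annvix page or from Openswan; the pluto and tcpdump lines in it are constructed, modelled on the output shown above.

```shell
#!/bin/sh
# Added example, not from the Annvix page or from Openswan: cross-check the
# ESP SPIs seen by tcpdump against the SPIs pluto logged when it established
# the IPsec SAs for conn "test". An SPI pluto never negotiated means that
# traffic is not protected by the SA you just configured.

# Constructed sample input, modelled on the pluto and tcpdump output above.
PLUTO_LOG='Jun  4 10:48:20 annvix pluto[3215]: "test" #1: ISAKMP SA established
Jun  4 10:48:20 annvix pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun  4 10:48:24 annvix pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}'

TCPDUMP_OUT='10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)'

# Print the outbound (=>) and inbound (<) SPI of every "IPsec SA established"
# line for the named conn, one SPI per line, lower-case.
negotiated_spis() {   # $1 = conn name; stdin = syslog lines
    awk -v conn="\"$1\"" '
        index($0, conn) && /IPsec SA established/ &&
        match($0, /ESP=>0x[0-9a-fA-F]+ <0x[0-9a-fA-F]+/) {
            pair = substr($0, RSTART + 5, RLENGTH - 5)   # "0x... <0x..."
            n = split(pair, spi, / </)
            for (i = 1; i <= n; i++) print tolower(spi[i])
        }'
}

# Print the SPI of every ESP packet line in tcpdump output, lower-case.
esp_spis() {   # stdin = tcpdump lines
    sed -n 's/.*ESP(spi=\(0x[0-9a-fA-F]*\),.*/\1/p' | tr 'A-F' 'a-f'
}

# Return 0 when every SPI seen on the wire was negotiated by pluto for the
# given conn, 1 when any SPI is unknown.
check_esp_spis() {   # $1 = conn name; $2 = pluto log text; $3 = tcpdump text
    known=$(printf '%s\n' "$2" | negotiated_spis "$1")
    rc=0
    for spi in $(printf '%s\n' "$3" | esp_spis); do
        if printf '%s\n' "$known" | grep -qxF "$spi"; then
            echo "ok: $spi belongs to conn $1"
        else
            echo "UNKNOWN SPI on the wire: $spi"; rc=1
        fi
    done
    return $rc
}

check_esp_spis test "$PLUTO_LOG" "$TCPDUMP_OUT"
```

On a live system, feed it the pluto lines from your syslog and the output of "tcpdump host <peer>" instead of the constructed samples.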
