From AnnvixDocumentation

IPSec Working Configuration for Starters

Author: Ying-Hung Chen

This document describes setting up two computers to use IPSec in transport mode. It is a quick-start configuration guide. The following example works for all Linux Mandrake distributions from 9.0 to 9.2 (including CS2.1), and should work with other distributions with minor modification. The test machines in this case are running Annvix 1.1-RELEASE and Annvix 1.2-RELEASE.

Requirements

You must install the openswan package. Install it using urpmi (urpmi will find all the dependencies openswan requires):

[root@machineA]# urpmi openswan

PSK (Preshared-Secret) Setup example

Assume there are two machines, machine A with IP 192.168.10.100 and machine B with IP 192.168.10.101. We want to set up IPSec between the two using a PSK (Preshared-Secret). In this example, the secret shared by the two machines is 0x123456. The algorithm in the following example is AES for encryption; you can use Triple-DES by replacing aes with 3des.

Openswan uses /etc/openswan/ipsec.secrets as one of its configuration files. At the bottom of the file, add the following (ignore the rest of the RSA keying stuff for now):

192.168.0.100 192.168.0.101: PSK 0x123456

Now edit /etc/openswan/ipsec.conf and add the following to the bottom of the file, ignoring the other configuration options already present in the file:
conn test
auto=start
left=192.168.0.100
right=192.168.0.101
keyexchange=ike
esp=aes
ike=aes
keyingtries=0
rekeymargin=4m
type=transport
disablearrivalcheck=no
authby=secret
Now you need to do the same thing on machine B. Do exactly the same thing; you don't need to worry about switching left and right (simply copy the entire "conn test" section to machine B).

Finally, you need to start the IPSec session. On machine A execute:

[root@machineA]# service ipsec start

Do the same on machine B. In the syslogs on each machine, you should see something like:
Jun 4 10:48:20 annvix pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun 4 10:48:20 annvix pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: initiating Main Mode
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.100'
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: ISAKMP SA established
Jun 4 10:48:20 annvix pluto[3215]: "test" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP {using isakmp#1}
Jun 4 10:48:20 annvix pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun 4 10:48:23 annvix pluto[3215]: "test" #3: responding to Main Mode
Jun 4 10:48:24 annvix pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.10.11'
Jun 4 10:48:24 annvix pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun 4 10:48:24 annvix pluto[3215]: "test" #4: responding to Quick Mode
Jun 4 10:48:24 annvix pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}
This indicates both machines have established the connection to one another. Now you can test the connection. Do so by pinging machine A from machine B (i.e. 192.168.0.101 -> 192.168.0.100).

On machine A:

[root@machineA]# tcpdump host 192.168.0.101

On machine B:

[root@machineB]# ping 192.168.0.100

By watching the tcpdump output, you'll see ESP packets (identified by their SPI) instead of the normal ping packets from machine B, somewhat like this:

10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)

Rsasig (RSA Signature) Setup example

Assume there are two machines, machine A with IP 192.168.10.100 and machine B with IP 192.168.10.101. We want to set up IPSec between the two using RSA signatures. The algorithm in the following example is AES for encryption; you can use Triple-DES by replacing aes with 3des.

Before the two machines can authenticate each other, each machine needs its own RSA key. To check whether you already have a key installed on your system, type:

# ipsec showhostkey --left

The output should look like this (with the key shortened for easy reading):

# RSA 4096 bits xy.example.org Fri Jun 4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7o………

Depending on the distribution and installation, the RSA keys may range from 1024 bits up to 4096 or higher. If you don't have a key, or the above command shows nothing, run:

# ipsec newhostkey --output /etc/openswan/ipsec.secrets

This will generate an RSA key ranging from 1024 to 4096 bits. You can force it to generate the key length you want using the --bits option:

# ipsec newhostkey --output /etc/openswan/ipsec.secrets --bits 2048

The above example will generate a 2048-bit RSA key. Make sure both machines show some kind of key when you type:

# ipsec showhostkey --left

Now, obtain the RSA keys from both machines and put them into the configuration.
On machine A, type:

[root@machineA]# ipsec showhostkey --left

You'll see something like this:

# RSA 4096 bits xy.example.org Fri Jun 4 14:17:10 2004
leftrsasigkey=0sAQOc4lN5FJ7o………

On machine B, type:

[root@machineB]# ipsec showhostkey --right

You'll see something like this:

# RSA 4096 bits xy.example.org Fri Jun 4 14:17:6 2004
rightrsasigkey=0sAQOc4lN5FK7o………

Now edit /etc/openswan/ipsec.conf and add the following to the bottom of the file, ignoring the other configuration options already present in the file. IMPORTANT: both the leftrsasigkey and rightrsasigkey fields will be a very LONG line, since the key itself may be a couple of lines long when displayed. For example, it may look like this:

leftrsasigkey=0sAQOc4lN5FJ7oISHXCEn4ggjtLxwYV1o5T3gbmQTvzGE5JkFlweRm9qe59pKA8ogmAS1fFV6FcmOLaoqsZJIVEgt02EhmlBNABPfxe/qKgd8VVO +gUxKMvLte1uTTpHLIAyai/Cmsdq//Phi0cSDU/c4OUWGAALI2Mr7ab0IteU8p/Yuj1+bg8DVSVJLFCQA4uz6TXjSH/43v1X7CI +wY7Bf0gvR50RrI8eTjnDrPWCrzg5cycDqLAmlwZkajMvijCd80MHAzqpF3mgF0sEDkoIJiimyGVVUo9G0MB7AWYGCMY//OZuyfHYthO3apLRpkAZi +ZP8mrPZgnaHET0IB9Ix3im/+7QbuSN7YGo18mmIoVl6F9t2AE7S7pCvLi1 +LG7kf8jj5xC1UFt4ZtnJff+repsnxbTNZf0k2rYfst9XjpZaOY7SgbephxBKpo/enpfFVXOjzVGFaf3230i9/ lw6dGCk70VdfUSQrAnftRp46Jn6INEE8xL6FCPAlYymMGvQk+FqkLFQQFjvG/Os7EYS2DYzbyq3RWSqQwdUVAM95CHcOu/ k6DAZupzpBu2Ar2ePmyaRnuz6QDBmnpp0YIq +WwsQi8WPip0HrpyUP4A1RVEIJzIxmVCxLMlR +ntIquHtAHwJmmy2nfMPRVIcXIJTvy5/2Gxxh/a2/tOiHsGPSSw==

Make sure this is one LONG line instead of a couple of lines.
conn test
auto=start
left=192.168.0.100
right=192.168.0.101
keyexchange=ike
esp=aes
ike=aes
keyingtries=5
rekeymargin=4m
type=transport
disablearrivalcheck=no
authby=rsasig
leftid=@machineA.yingternet.com
rightid=@machineB.yingternet.com
leftrsasigkey=0sAQOc4lN5FJ7o………………
rightrsasigkey=0sAQOc4lN5FK7o…………
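As an added example (not part of the original page and not openswan's own code), a small Python helper for the pitfall just described: it rebuilds a leftrsasigkey/rightrsasigkey value that a terminal or editor wrapped across several lines into the single line ipsec.conf needs, checks that it is 0s-prefixed base64 as ipsec showhostkey prints it, and renders the conn section above with the keys on one line each. The key used here is constructed filler, not a real RSA host key.

```python
import base64
import binascii
import re

# Constructed stand-in for a host key: base64 of filler bytes, NOT an RSA public key.
FAKE_KEY = "0s" + base64.b64encode(b"constructed filler, not an RSA key " * 3).decode()
# The same key as a terminal or editor might show it: wrapped onto three lines,
# which is exactly what ipsec.conf must not contain.
WRAPPED_KEY = "leftrsasigkey=" + FAKE_KEY[:40] + "\n" + FAKE_KEY[40:90] + " \n" + FAKE_KEY[90:]


def join_rsasigkey(text):
    """Rebuild a leftrsasigkey/rightrsasigkey value that was wrapped across lines
    into the single line ipsec.conf requires, and check it is 0s-prefixed base64.
    Accepts either the whole 'leftrsasigkey=0s...' line or just the value."""
    value = "".join(text.split())                     # drop every space/newline from wrapping
    value = re.sub(r"^(?:left|right)rsasigkey=", "", value)
    if not value.startswith("0s"):
        raise ValueError("rsasigkey must start with the 0s (base64) prefix")
    try:
        base64.b64decode(value[2:], validate=True)    # rejects stray characters or bad padding
    except binascii.Error as exc:
        raise ValueError("rsasigkey is not valid base64: %s" % exc)
    return value


def render_conn(name, left, right, leftid, rightid, leftkey, rightkey):
    """Emit the RSA-signature conn section from this page with each key on one line."""
    settings = [
        ("auto", "start"), ("left", left), ("right", right), ("keyexchange", "ike"),
        ("esp", "aes"), ("ike", "aes"), ("keyingtries", "5"), ("rekeymargin", "4m"),
        ("type", "transport"), ("disablearrivalcheck", "no"), ("authby", "rsasig"),
        ("leftid", leftid), ("rightid", rightid),
        ("leftrsasigkey", join_rsasigkey(leftkey)),
        ("rightrsasigkey", join_rsasigkey(rightkey)),
    ]
    return "conn %s\n" % name + "".join("\t%s=%s\n" % kv for kv in settings)
```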
Now you need to do the same thing on machine B. Do exactly the same thing; you don't need to worry about switching left and right (simply copy the entire "conn test" section to machine B).

Finally, you need to start the IPSec session. On machine A execute:

[root@machineA]# service ipsec start

Do the same on machine B. In the syslogs on each machine, you should see something like:
Jun 4 10:48:20 annvix pluto[3215]: adding interface ipsec0/eth0 192.168.0.100
Jun 4 10:48:20 annvix pluto[3215]: loading secrets from "/etc/freeswan/ipsec.secrets"
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: initiating Main Mode
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.100'
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: ISAKMP SA established
Jun 4 10:48:20 annvix pluto[3215]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#1}
Jun 4 10:48:20 annvix pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun 4 10:48:23 annvix pluto[3215]: "test" #3: responding to Main Mode
Jun 4 10:48:24 annvix pluto[3215]: "test" #3: Peer ID is ID_IPV4_ADDR: '192.168.10.11'
Jun 4 10:48:24 annvix pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun 4 10:48:24 annvix pluto[3215]: "test" #4: responding to Quick Mode
Jun 4 10:48:24 annvix pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}
This indicates both machines have established the connection to one another. Now you can test the connection. Do so by pinging machine A from machine B (i.e. 192.168.0.101 -> 192.168.0.100).

On machine A:

[root@machineA]# tcpdump host 192.168.0.101

On machine B:

[root@machineB]# ping 192.168.0.100

By watching the tcpdump output, you'll see ESP packets (identified by their SPI) instead of the normal ping packets from machine B, somewhat like this:

10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)
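As an added example (not from the original page and not openswan's own tooling), a Python check for the verification step described in both the PSK and RSA sections: it parses pluto syslog lines for established ISAKMP (Phase 1) and IPsec (Phase 2) SAs, pulls the ESP SPIs out of the "{ESP=>... <...}" field, and confirms that every SPI seen in tcpdump belongs to an SA pluto negotiated. The log and tcpdump lines below are constructed to match the page's samples.

```python
import re

# Constructed sample input, shaped like the pluto syslog and tcpdump output
# shown on this page (not captured from a real machine).
PLUTO_LOG = """\
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: initiating Main Mode
Jun 4 10:48:20 annvix pluto[3215]: "test" #1: ISAKMP SA established
Jun 4 10:48:20 annvix pluto[3215]: "test" #2: sent QI2, IPsec SA established {ESP=>0xaa286b25 <0x600f5819}
Jun 4 10:48:24 annvix pluto[3215]: "test" #3: sent MR3, ISAKMP SA established
Jun 4 10:48:24 annvix pluto[3215]: "test" #4: IPsec SA established {ESP=>0xaa286b26 <0x600f581a}
"""
TCPDUMP = """\
10:49:53.881975 machineB.yingternet.org > machineA.yingternet.org: ESP(spi=0xaa286b26,seq=0x4) (DF)
10:49:53.882221 machineA.yingternet.org > machineB.yingternet.org: ESP(spi=0x600f581a,seq=0x4)
"""

# pluto prints {ESP=>outbound_spi <inbound_spi} when a Phase 2 (IPsec) SA comes up.
SA_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): .*IPsec SA established '
                   r'\{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)\}')
ESP_RE = re.compile(r'ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\)')


def isakmp_established(log, conn="test"):
    """True once pluto reports a Phase 1 (ISAKMP) SA for the connection."""
    return re.search(r'"%s" #\d+: .*ISAKMP SA established' % re.escape(conn), log) is not None


def ipsec_spis(log, conn="test"):
    """Map each pluto state number to the (outbound, inbound) ESP SPIs it negotiated."""
    return {int(m.group("state")): (m.group("out"), m.group("in"))
            for m in SA_RE.finditer(log) if m.group("conn") == conn}


def classify_esp(tcpdump, spis):
    """Pair every ESP packet's SPI with the pluto state that owns it (None = unknown SPI)."""
    owner = {spi: state for state, pair in spis.items() for spi in pair}
    return [(m.group("spi"), owner.get(m.group("spi"))) for m in ESP_RE.finditer(tcpdump)]


def connection_ok(log, tcpdump, conn="test"):
    """Phase 1 and Phase 2 are up and every ESP packet on the wire matches a negotiated SA."""
    spis = ipsec_spis(log, conn)
    packets = classify_esp(tcpdump, spis)
    return (isakmp_established(log, conn) and bool(spis) and bool(packets)
            and all(state is not None for _, state in packets))
```

An ESP packet whose SPI matches no SA in the log (classified as None) means the traffic was not negotiated by this pluto instance and deserves a closer look.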