Thursday, January 21, 2010

Setting up IPsec on CentOS 5.4


Test Environment:
( IPSec VPN1 ( ----- ( IPSec VPN2 (

1. Install:
# yum install openswan*
2. Adjust kernel parameters via sysctl.conf:
Change the relevant kernel parameters so that ipsec verify does not report errors later on.
# vi /etc/sysctl.conf
# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1

# rp_filter is stupid and cannot deal decrypted packets "appearing out of
# nowhere"
net.ipv4.conf.default.rp_filter = 0

# when using 1 interface for two networks, and in some other cases with
# NETKEY, the kernel thinks it can be clever but breaks things.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# sysctl -p
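The sysctl settings above are exactly what ipsec verify checks for (forwarding on, rp_filter and ICMP redirects off). The following script is an added example, not part of the original post or of Openswan: it parses a sysctl.conf-style text, compares it with the values listed in step 2, and reports every key that is missing or wrong. The sample file content is constructed for the example and deliberately leaves rp_filter at 1 and omits one accept_redirects key; proc_value() is an extra helper that reads the running value from /proc/sys on a live box.

```python
"""Audit a sysctl.conf against the settings Openswan's `ipsec verify` expects.

Added example (not from the original post). The required values are the ones
listed in step 2; SAMPLE_CONF is constructed input for demonstration.
"""
import os
import re

# key -> required value, taken from the post's /etc/sysctl.conf excerpt
REQUIRED = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.default.rp_filter": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "0",
    "net.ipv4.conf.default.log_martians": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
}


def parse_sysctl(text):
    """Return {key: value} from sysctl.conf text; later entries override earlier ones.

    Comments (# or ;) and blank lines are skipped; lines that are not key = value
    are ignored, which is what sysctl(8) itself does with them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([\w.\-/]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_sysctl(text, required=REQUIRED):
    """Return {key: (expected, actual_or_None)} for each required key that is missing or wrong."""
    settings = parse_sysctl(text)
    problems = {}
    for key, expected in required.items():
        actual = settings.get(key)
        if actual != expected:
            problems[key] = (expected, actual)
    return problems


def proc_value(key, root="/proc/sys"):
    """Read the *running* value of a sysctl key from /proc/sys; None if the key is absent.

    Useful because sysctl.conf only describes what is applied at boot or by sysctl -p."""
    path = os.path.join(root, key.replace(".", "/"))
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


# Constructed sample: rp_filter left at the CentOS default (1) and one key missing.
SAMPLE_CONF = """\
# sample sysctl.conf (constructed for this example)
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
"""

if __name__ == "__main__":
    for key, (want, got) in sorted(audit_sysctl(SAMPLE_CONF).items()):
        print("%s: expected %s, found %s" % (key, want, got))
```

Run it against the real file with audit_sysctl(open("/etc/sysctl.conf").read()) before running ipsec verify; anything it reports is what verify will flag under the NETKEY and IP forwarding checks.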
3. Copy and edit the example configuration:
# cp /usr/share/doc/openswan-doc*/examples /etc/ipsec.d/hosttohost.conf
# vi /etc/ipsec.d/hosttohost.conf
# sample connections
# This file is RCSID $Id: examples,v 1.5 1999/12/13 02:38:16 henry Exp $

# sample tunnel (manually or automatically keyed)
# Here we just use ESP for both encryption and authentication, which is
# the simplest and often the best method.
conn sample
# left security gateway (public-network address)
# next hop to reach right
# subnet behind left (omit if left end of the tunnel is just the s.g.)
# right s.g., subnet behind it, and next hop to reach left
# (manual) SPI number
# (manual) encryption/authentication algorithm and parameters to it
#espenckey=[192 bits]
#espauthkey=[128 bits]
4. Add the PSK:
# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
 : PSK "1234567890"
 : PSK "1234567890"
5. Edit /etc/ipsec.conf
# vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual: ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
# Enable this if you see "failed to find any available worker"

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

PS. The other VPN gateway is set up in exactly the same way; just swap the left and right entries in /etc/ipsec.d/hosttohost.conf.

6. Start IPsec:
# /etc/init.d/ipsec start
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.18-164.6.1.el5...
ipsec_setup: multiple ip addresses, using on eth0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

7. Run ipsec verify:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.18-164.6.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: [MISSING]
Does the machine have at least one non-private address? [FAILED]

8. Bring up the IPsec tunnel:
# ipsec auto --up sample
104 "sample" #1: STATE_MAIN_I1: initiate
003 "sample" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]
003 "sample" #1: received Vendor ID payload [Dead Peer Detection]
003 "sample" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sample" #1: received Vendor ID payload [CAN-IKEv2]
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
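The transcript above is the most useful thing to keep from a tunnel bring-up: the ISAKMP line records what phase 1 actually negotiated (pre-shared key, aes_128, SHA-1 PRF, modp2048) and the QUICK_I2 line records the phase 2 SPIs and ESP transform, here 3DES with HMAC-MD5. The script below is an added example, not part of the original post or of Openswan: it parses that output, extracts both SA summaries and the NAT-T result, and flags legacy algorithms so that a reviewer sees at a glance that phase 2 in this run ended up on 3DES/MD5 while phase 1 used AES. The sample transcript is the post's own output re-typed as a constructed string; the list of algorithms treated as weak is this example's choice.

```python
"""Parse the `ipsec auto --up <conn>` transcript from step 8 and flag weak algorithms.

Added example, not part of the original post or of Openswan. SAMPLE_OUTPUT is the
post's transcript re-typed as constructed input; WEAK is this example's own list.
"""
import re

# One pluto status line: '<code> "<conn>" #<sa>: <message>'
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Phase 1 summary, e.g. {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
ISAKMP_RE = re.compile(
    r'ISAKMP SA established \{auth=(?P<auth>\S+) cipher=(?P<cipher>\S+) '
    r'prf=(?P<prf>\S+) group=(?P<group>\S+)\}')
# Phase 2 summary, e.g. tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 ...
IPSEC_RE = re.compile(
    r'IPsec SA established (?P<mode>\w+) mode \{ESP=>(?P<spi_out>0x[0-9a-f]+) '
    r'<(?P<spi_in>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+)')
NAT_RE = re.compile(r'NAT-Traversal: Result using [^:]+: (?P<nat>.*)$')

# Substrings that mark an algorithm a reviewer would not accept in a new tunnel
# (example's own list: 3DES and MD5 are legacy, modp768/modp1024 are too small).
WEAK = ("3des", "md5", "modp1024", "modp768")


def weak_markers(name):
    """Return the WEAK markers present in an algorithm name such as '3DES_0-HMAC_MD5'."""
    lowered = name.lower()
    return [w for w in WEAK if w in lowered]


def parse_up_output(text):
    """Summarise a pluto transcript: connection, phase 1/2 parameters, NAT result, warnings."""
    result = {"conn": None, "nat": None, "isakmp": None, "ipsec": None, "warnings": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pluto status line
        result["conn"] = m.group("conn")
        msg = m.group("msg")
        nat = NAT_RE.search(msg)
        if nat:
            result["nat"] = nat.group("nat")
        p1 = ISAKMP_RE.search(msg)
        if p1:
            result["isakmp"] = p1.groupdict()
        p2 = IPSEC_RE.search(msg)
        if p2:
            result["ipsec"] = p2.groupdict()
    # Flag legacy algorithms in whatever was actually negotiated.
    if result["isakmp"]:
        for field in ("cipher", "prf", "group"):
            value = result["isakmp"][field]
            for w in weak_markers(value):
                result["warnings"].append("phase1 %s=%s uses %s" % (field, value, w))
    if result["ipsec"]:
        xfrm = result["ipsec"]["xfrm"]
        for w in weak_markers(xfrm):
            result["warnings"].append("phase2 xfrm=%s uses %s" % (xfrm, w))
    return result


def tunnel_established(summary):
    """True when both the ISAKMP SA and the IPsec SA were reported as established."""
    return summary["isakmp"] is not None and summary["ipsec"] is not None


# The step 8 transcript, re-typed here as constructed sample input.
SAMPLE_OUTPUT = """\
104 "sample" #1: STATE_MAIN_I1: initiate
003 "sample" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]
003 "sample" #1: received Vendor ID payload [Dead Peer Detection]
003 "sample" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sample" #1: received Vendor ID payload [CAN-IKEv2]
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
"""

if __name__ == "__main__":
    summary = parse_up_output(SAMPLE_OUTPUT)
    print("tunnel up:", tunnel_established(summary))
    for warning in summary["warnings"]:
        print("WARNING:", warning)
```

Feed it the saved output of ipsec auto --up (for example via parse_up_output(open("up.log").read())); if tunnel_established() is false, the last status line present tells you which exchange stalled, and any warning means the phase2alg or ike setting in the conn should be tightened before the tunnel goes into service.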
9. Test:
# ping -I -c 10
PING ( from : 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.65 ms
64 bytes from icmp_seq=2 ttl=64 time=0.716 ms
64 bytes from icmp_seq=3 ttl=64 time=1.16 ms
64 bytes from icmp_seq=4 ttl=64 time=1.41 ms
64 bytes from icmp_seq=5 ttl=64 time=1.24 ms
64 bytes from icmp_seq=6 ttl=64 time=1.17 ms
64 bytes from icmp_seq=7 ttl=64 time=1.52 ms
64 bytes from icmp_seq=8 ttl=64 time=0.544 ms
64 bytes from icmp_seq=9 ttl=64 time=0.796 ms
64 bytes from icmp_seq=10 ttl=64 time=1.58 ms
Note that the example configuration files differ slightly between versions.

