Thursday, January 21, 2010

To set up IPSec in CentOS 5.4

This is a very condensed walkthrough of the setup; for more detailed steps and explanations, consult the Openswan website.

Test Environment:
(172.17.1.100) IPSec VPN1 (10.12.95.3) ----- (10.12.95.2) IPSec VPN2 (172.17.2.100)

1. Install:
# yum install openswan*
2. Modify kernel parameters via sysctl.conf:
Adjust the relevant kernel parameters so that running ipsec verify later does not report errors.
# vi /etc/sysctl.conf
*********************************************************************
# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1

# rp_filter is stupid and cannot deal decrypted packets "appearing out of
# nowhere"
net.ipv4.conf.default.rp_filter = 0

# when using 1 interface for two networks, and in some other cases with
# NETKEY, the kernel thinks it can be clever but breaks things.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
*********************************************************************
# sysctl -p
3. Copy and edit the example:
# cp /usr/share/doc/openswan-doc*/examples /etc/ipsec.d/hosttohost.conf
# vi /etc/ipsec.d/hosttohost.conf
*********************************************************************
# sample connections
# This file is RCSID $Id: examples,v 1.5 1999/12/13 02:38:16 henry Exp $

# sample tunnel (manually or automatically keyed)
# Here we just use ESP for both encryption and authentication, which is
# the simplest and often the best method.
conn sample
        # left security gateway (public-network address)
        left=10.12.95.3
        # next hop to reach right
        #leftnexthop=10.44.55.66
        # subnet behind left (omit if left end of the tunnel is just the s.g.)
        leftsubnet=172.17.1.0/24
        # right s.g., subnet behind it, and next hop to reach left
        right=10.12.95.2
        #rightnexthop=10.88.77.66
        rightsubnet=172.17.2.0/24
        # (manual) SPI number
        #spi=0x200
        # (manual) encryption/authentication algorithm and parameters to it
        esp=3des-md5-96
        #espenckey=[192 bits]
        #espauthkey=[128 bits]
        authby=secret
        auto=add
*********************************************************************
4. Add the PSK:
# vi /etc/ipsec.secrets
*********************************************************************
include /etc/ipsec.d/*.secrets
10.12.95.3 10.12.95.2 : PSK "1234567890"
10.12.95.2 10.12.95.3 : PSK "1234567890"
*********************************************************************
5. Edit /etc/ipsec.conf:
# vi /etc/ipsec.conf
*********************************************************************
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
*********************************************************************

PS. The other VPN gateway is set up in exactly the same way; just swap the left and right information in /etc/ipsec.d/hosttohost.conf.
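Steps 3 to 5 copy the example conn and the PSK into place, but ipsec verify (step 7) only checks the kernel and pluto, not what the connection will negotiate. The Python script below is an added example (not from the original post and not part of Openswan) that parses a conn section in the ipsec.conf syntax used above together with the matching ipsec.secrets line and reports what a reviewer would flag: the esp=3des-md5-96 from the sample, a short all-digit PSK such as "1234567890", and a PSK line that does not cover the conn's left/right pair. The hardened conn beside it uses standard Openswan 2.6 keywords (ike=aes256-sha1;modp2048, esp=aes256-sha1, pfs=yes); the WEAK_ALGS set and the MIN_PSK_LEN threshold are this example's own policy choices, not Openswan settings, and both configurations are constructed inputs.

```python
"""Added example: lint an Openswan conn section plus ipsec.secrets.
Handles the subset of ipsec.conf syntax shown in the post, not the full grammar."""
import re

# Constructed from the page's hosttohost.conf (the copied example, indented).
SAMPLE_CONF = """\
# sample tunnel, as on the page
conn sample
        left=10.12.95.3
        leftsubnet=172.17.1.0/24
        right=10.12.95.2
        rightsubnet=172.17.2.0/24
        esp=3des-md5-96
        authby=secret
        auto=add
"""

# Same tunnel with explicit IKE/ESP proposals (Openswan 2.6 keywords).
HARDENED_CONF = """\
conn sample
        left=10.12.95.3
        leftsubnet=172.17.1.0/24
        right=10.12.95.2
        rightsubnet=172.17.2.0/24
        ike=aes256-sha1;modp2048
        esp=aes256-sha1
        pfs=yes
        authby=secret
        auto=add
"""

# Constructed ipsec.secrets contents; the second PSK is a placeholder, not a real key.
SAMPLE_SECRETS = 'include /etc/ipsec.d/*.secrets\n10.12.95.3 10.12.95.2 : PSK "1234567890"\n'
HARDENED_SECRETS = '10.12.95.3 10.12.95.2 : PSK "constructed-example-psk-replace-me-7Qx9"\n'

WEAK_ALGS = {"des", "3des", "md5", "null", "modp768", "modp1024"}  # example policy
MIN_PSK_LEN = 20  # assumption: local policy threshold, not an Openswan setting


def parse_conf(text):
    """Parse sections into {"conn name": {param: value}}.
    Openswan requires parameter lines to be indented; a line starting in
    column 0 opens a new section, so a copied example must keep its indent."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        if current is None:
            raise ValueError("parameter before any section: %r" % line.strip())
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def algorithm_tokens(spec):
    """'3des-md5-96' -> ['3des', 'md5', '96']; also splits ike's ';modp2048'."""
    return [t for t in re.split(r"[-;,]", spec.lower()) if t]


def parse_psks(text):
    """Return [(ids, secret)] for lines shaped like: id id : PSK "secret"."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$', line)
        if m:
            out.append((m.group(1).split(), m.group(2)))
    return out


def lint(conf_text, secrets_text):
    """Return a list of human-readable findings for every conn section."""
    findings = []
    psks = parse_psks(secrets_text)
    for section, p in parse_conf(conf_text).items():
        if not section.startswith("conn "):
            continue
        name = section.split(None, 1)[1]
        for key in ("ike", "esp", "phase2alg"):
            if key in p:
                weak = sorted(set(algorithm_tokens(p[key])) & WEAK_ALGS)
                if weak:
                    findings.append("%s: %s=%s uses weak algorithm(s) %s"
                                    % (name, key, p[key], ",".join(weak)))
        if p.get("authby") == "secret":
            ends = {e for e in (p.get("left"), p.get("right")) if e}
            matches = [secret for ids, secret in psks if set(ids) == ends]
            if not matches:
                findings.append("%s: no PSK line in ipsec.secrets covers %s"
                                % (name, " ".join(sorted(ends))))
            for secret in matches:
                if len(secret) < MIN_PSK_LEN or secret.isdigit():
                    findings.append("%s: PSK is short or digits-only (%d chars); "
                                    "use a long random secret" % (name, len(secret)))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF, SAMPLE_SECRETS):
        print("sample:  ", f)
    print("hardened:", lint(HARDENED_CONF, HARDENED_SECRETS) or "no findings")
```

Run it against the real files with `lint(open("/etc/ipsec.d/hosttohost.conf").read(), open("/etc/ipsec.secrets").read())` on each gateway; because Openswan matches the PSK line by the pair of addresses, the same secrets line serves both ends regardless of which one is left or right.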

6. Start IPsec:
# /etc/init.d/ipsec start
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.18-164.6.1.el5...
ipsec_setup: multiple ip addresses, using 10.12.95.3 on eth0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

7. Run ipsec verify:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.18-164.6.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: centos.example.com [MISSING]
Does the machine have at least one non-private address? [FAILED]

8. Bring up the IPsec tunnel:
# ipsec auto --up sample
104 "sample" #1: STATE_MAIN_I1: initiate
003 "sample" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]
003 "sample" #1: received Vendor ID payload [Dead Peer Detection]
003 "sample" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sample" #1: received Vendor ID payload [CAN-IKEv2]
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
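To confirm from the `ipsec auto --up` output that the tunnel really reached the IPsec SA rather than stalling in a main-mode state, the following Python function is an added example (not part of the original post) that parses pluto's numbered status lines: 1xx codes are state transitions, 2xx codes are IKE notifications such as NO_PROPOSAL_CHOSEN, and 010 lines are retransmissions. It extracts the ISAKMP SA parameters, the ESP SPIs and transform from the final line above, and the NAT-Traversal result, and reports whether STATE_QUICK_I2 was reached. The successful sample is the page's own output; the failing sample with retransmissions is constructed for illustration.

```python
"""Added example (not from the original post): summarise one
`ipsec auto --up <conn>` run from pluto's numbered status lines."""
import re

# The successful run shown on the page, embedded as test input.
SAMPLE_UP_OUTPUT = """\
104 "sample" #1: STATE_MAIN_I1: initiate
003 "sample" #1: received Vendor ID payload [Openswan (this version) 2.6.21 ]
003 "sample" #1: received Vendor ID payload [Dead Peer Detection]
003 "sample" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sample" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sample" #1: received Vendor ID payload [CAN-IKEv2]
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7bd686 <0x193e1d71 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
"""

# Constructed failure case: the peer never answers the first IKE message.
FAILED_UP_OUTPUT = """\
104 "sample" #1: STATE_MAIN_I1: initiate
010 "sample" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "sample" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "sample" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')   # code "conn" #sa: msg
STATE_RE = re.compile(r"^(STATE_\w+):")
KV_RE = re.compile(r"(\w+)=([^\s{}]+)")                     # key=value inside {...}
SPI_RE = re.compile(r"ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)")  # => outbound, < inbound
VID_RE = re.compile(r"received Vendor ID payload \[(.*?)\]")


def parse_up_output(text):
    """Return a dict describing the negotiation and whether the IPsec SA came up."""
    r = {"conn": None, "states": [], "vendor_ids": [], "nat": None,
         "isakmp": None, "ipsec": None, "retransmits": 0,
         "notifications": [], "errors": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, conn, _sa, msg = m.groups()
        r["conn"] = conn
        st = STATE_RE.match(msg)
        if st:
            r["states"].append(st.group(1))
        vid = VID_RE.search(msg)
        if vid:
            r["vendor_ids"].append(vid.group(1).strip())
        if "NAT-Traversal: Result" in msg:
            r["nat"] = msg.rsplit(": ", 1)[1]
        if "ISAKMP SA established" in msg:
            r["isakmp"] = dict(KV_RE.findall(msg[msg.index("{"):]))
        if "IPsec SA established" in msg:
            spi = SPI_RE.search(msg)
            kv = dict(KV_RE.findall(msg[msg.index("{"):]))
            r["ipsec"] = {"mode": "tunnel" if "tunnel mode" in msg else "transport",
                          "spi_out": spi.group(1), "spi_in": spi.group(2),
                          "xfrm": kv.get("xfrm"), "natoa": kv.get("NATOA"),
                          "natd": kv.get("NATD"), "dpd": kv.get("DPD")}
        if int(code) >= 200:            # 2xx = IKE notification from the peer
            r["notifications"].append(msg)
        elif code == "010":             # retransmission of an unanswered message
            r["retransmits"] += 1
        elif "max number of retransmissions" in msg:
            r["errors"].append(msg)
    r["established"] = ("STATE_QUICK_I2" in r["states"] and r["ipsec"] is not None
                        and not r["errors"] and not r["notifications"])
    return r


if __name__ == "__main__":
    for label, out in (("page sample", SAMPLE_UP_OUTPUT), ("constructed failure", FAILED_UP_OUTPUT)):
        s = parse_up_output(out)
        print(label, "established" if s["established"] else "NOT established",
              s["isakmp"], s["ipsec"], "retransmits=%d" % s["retransmits"])
```

Feeding the live command through it, e.g. `parse_up_output(subprocess.check_output(["ipsec", "auto", "--up", "sample"]).decode())`, gives a check that a deployment script can act on, and the xfrm field makes it easy to verify that the peer accepted the transform you configured rather than a fallback.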
9. Test:
# ping 172.17.2.100 -I 172.17.1.100 -c 10
PING 172.17.2.100 (172.17.2.100) from 172.17.1.100 : 56(84) bytes of data.
64 bytes from 172.17.2.100: icmp_seq=1 ttl=64 time=1.65 ms
64 bytes from 172.17.2.100: icmp_seq=2 ttl=64 time=0.716 ms
64 bytes from 172.17.2.100: icmp_seq=3 ttl=64 time=1.16 ms
64 bytes from 172.17.2.100: icmp_seq=4 ttl=64 time=1.41 ms
64 bytes from 172.17.2.100: icmp_seq=5 ttl=64 time=1.24 ms
64 bytes from 172.17.2.100: icmp_seq=6 ttl=64 time=1.17 ms
64 bytes from 172.17.2.100: icmp_seq=7 ttl=64 time=1.52 ms
64 bytes from 172.17.2.100: icmp_seq=8 ttl=64 time=0.544 ms
64 bytes from 172.17.2.100: icmp_seq=9 ttl=64 time=0.796 ms
64 bytes from 172.17.2.100: icmp_seq=10 ttl=64 time=1.58 ms

Note:
The versions used here were:
openswan-doc-2.6.21-5.el5_4.1
openswan-2.6.21-5.el5_4.1
The example configuration file differs slightly between versions, so take note.

1 comment:

FU said...

May I ask which iptables tables and which ports need to be opened so that it won't be blocked?