From various sources on the internet, I was able to set up IPsec on Linux. I have done the following to achieve this:
Pre-requisites:
(Check whether IPsec support is already installed by typing the command setkey and pressing enter. If it works, the system already has IPsec support. If it fails, do the following until section 3.)
1) The kernel must be configured to support IPsec. This can be done as follows.
a) Go to the kernel sources location.
If you do not have the kernel sources, do the following. The installation requires at least a Linux kernel of version 2.5.47 or 2.6.*. The kernel source may be downloaded at http://www.kernel.org/. After downloading, the kernel source package must be extracted, configured and compiled.
cd /usr/local/src
tar xvjf /path-to-source/linux-.tar.bz2
cd linux-
b) make xconfig OR make menuconfig
Select the following
Networking support (NET) [Y/n/?] y
*
* Networking options
*
PF_KEY sockets (NET_KEY) [Y/n/m/?] y
IP: AH transformation (INET_AH) [Y/n/m/?] y
IP: ESP transformation (INET_ESP) [Y/n/m/?] y
IP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y
Cryptographic API (CRYPTO) [Y/n/?] y
HMAC support (CRYPTO_HMAC) [Y/n/?] y
Null algorithms (CRYPTO_NULL) [Y/n/m/?] y
MD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] y
SHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] y
DES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] y
AES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y
c) make bzImage OR make uImage (depending on the output you require; by default for Linux it is make bzImage)
d) make modules
e) make modules_install
f) make install
g) Boot from this built image (please check on the internet about configuring the newly built image to boot; this is out of the scope of this document).
2) Install ipsec-tools on the Linux machine. (Check whether it is already installed by typing setkey and pressing enter. If it works, the support is already there.)
a) Get ipsec-tools from http://ipsec-tools.sourceforge.net/.
b) Then configure and install ipsec-tools using the following:
./configure --with-kernel-headers=/lib/modules/2.6.X/build/include (or give the path where you have the kernel headers installed)
make
make install
Now everything should be ready to set up IPsec. Type setkey and press enter; it should work. If not, there is some problem in the configuration. Make sure setkey and the other binaries such as racoon are in the exported PATH.
SETTING UP IPSEC.
Our assumptions are as follows: we set up IPsec between 2 hosts, 10.0.0.216 (zakir) and 10.0.0.11 (laptop).
3) Manual keying
a) On the host 10.0.0.216, write a script host_216
#!/sbin/setkey -f
flush;
spdflush;
# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec esp/transport//require ah/transport//require;
b) On host 10.0.0.11, write a script host_11
#!/sbin/setkey -f
flush;
spdflush;
# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";
spdadd 10.0.0.11 10.0.0.216 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec esp/transport//require ah/transport//require;
c)
chmod +x host_11 host_216
d) On host 216, run host_216
./host_216
e) On host 11, run host_11
./host_11
f) Run
setkey -D
on both machines to check whether what you have configured is reflected.
g) ping 10.0.0.216 from 10.0.0.11. The hosts should be able to ping each other.
h) Run tcpdump on one machine and ping from the other machine.
tcpdump -i eth0 -n -vvv 'host 10.0.0.11' > capture_11 (on machine 10.0.0.216)
ping 10.0.0.216 (on machine 10.0.0.11)
i) Open capture_11 using vim; you will be able to see the AH and ESP headers with the SPIs you set in the scripts host_11 and host_216. This confirms that IPsec is working. This is still only a starting point.
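As an added example (not from the original tutorial), the Python below generates host_216/host_11 style setkey scripts with random keys of the exact length hmac-md5 and 3des-cbc need, one key per direction and protocol instead of the shared ASCII keys above, and refuses to emit a script if a key length is wrong. The names make_pair, sa_lines, host_script, key_ok and new_key are chosen here; the hosts and SPIs default to the ones used above.

```python
import os

# hmac-md5 takes a 128-bit key and 3des-cbc a 192-bit key; setkey accepts
# keys as 0x-prefixed hex as well as the quoted ASCII strings used above.
KEY_BYTES = {"hmac-md5": 16, "3des-cbc": 24}

def new_key(alg):
    """Fresh random key of exactly the length `alg` needs, as 0x-hex."""
    return "0x" + os.urandom(KEY_BYTES[alg]).hex()

def key_ok(alg, key):
    """True if `key` is 0x-hex of the length setkey will accept for `alg`."""
    body = key[2:]
    return (key.startswith("0x") and len(body) == 2 * KEY_BYTES[alg]
            and all(c in "0123456789abcdefABCDEF" for c in body))

def sa_lines(a, b, spi_ab, spi_ba, keys):
    """'add' lines, identical on both hosts (an SA is keyed by destination
    and SPI). keys holds one key per direction and protocol: ah_ab, ah_ba,
    esp_ab, esp_ba. As on the page, the ESP SA uses the AH SPI + 1."""
    for alg, k in (("hmac-md5", "ah_ab"), ("hmac-md5", "ah_ba"),
                   ("3des-cbc", "esp_ab"), ("3des-cbc", "esp_ba")):
        if not key_ok(alg, keys[k]):
            raise ValueError(f"{k}: wrong key length for {alg}")
    return ["# AH",
            f'add {a} {b} ah {spi_ab} -A hmac-md5 {keys["ah_ab"]};',
            f'add {b} {a} ah {spi_ba} -A hmac-md5 {keys["ah_ba"]};',
            "# ESP",
            f'add {a} {b} esp {spi_ab + 1} -E 3des-cbc {keys["esp_ab"]};',
            f'add {b} {a} esp {spi_ba + 1} -E 3des-cbc {keys["esp_ba"]};']

def host_script(local, peer, sas):
    """setkey script for `local`: shared SAs plus its own SPD, requiring
    ESP and AH in transport mode for traffic to and from `peer`."""
    pol = "esp/transport//require ah/transport//require"
    return "\n".join(["#!/sbin/setkey -f", "flush;", "spdflush;", *sas,
                      f"spdadd {local} {peer} any -P out ipsec {pol};",
                      f"spdadd {peer} {local} any -P in ipsec {pol};"]) + "\n"

def make_pair(a="10.0.0.11", b="10.0.0.216", spi_ab=15700, spi_ba=24500):
    """Scripts for both hosts, laid out like host_11 and host_216 above."""
    keys = {"ah_ab": new_key("hmac-md5"), "ah_ba": new_key("hmac-md5"),
            "esp_ab": new_key("3des-cbc"), "esp_ba": new_key("3des-cbc")}
    sas = sa_lines(a, b, spi_ab, spi_ba, keys)
    return {a: host_script(a, b, sas), b: host_script(b, a, sas)}

if __name__ == "__main__":
    for host, script in make_pair().items():
        print(f"# ---- script for {host} ----\n{script}")
```

Both generated scripts must be installed together, since the keys are fresh on every run; keep the copies readable by root only, as the page does for /etc/racoon.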
4) Automatic keying
In manual keying we hardcoded the AH and ESP keys; now we shall let racoon generate them automatically.
4.1) On both hosts, do the following
a) If there is no /etc/racoon, then
mkdir -p /etc/racoon
b) Write the script /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
lifetime time 2 min; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
4.2) On host 10.0.0.216,
a) Open a file /etc/racoon/psk.txt and type
10.0.0.11 passwd1
b) Write a file host_216_auto
#!/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
esp/transport//require;
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
esp/transport//require;
4.3) On host 10.0.0.11,
a) Open a file /etc/racoon/psk.txt and type
10.0.0.216 passwd1
b) Write a script host_11_auto
#!/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.11 10.0.0.216 any -P out ipsec
esp/transport//require;
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec
esp/transport//require;
4.4)
chmod +x host_11_auto host_216_auto
4.5)
chmod 0600 /etc/racoon/*
Without this it might fail to work.
4.6) Run racoon using the following commands on both hosts
killall racoon
racoon -f /etc/racoon/racoon.conf -F &
4.7) On host 10.0.0.216, run host_216_auto and on host 10.0.0.11, run host_11_auto
4.8) Ping each other. The first ping fails while the IPsec SAs are being established; it works from the second ping onwards.
4.9) These packets can also be captured using tcpdump as explained in Section 3) Manual keying, step h).
5) Automatic keying using X509 certificates
We used a pre-shared secret in automatic keying; now we shall use certificates.
5.1) Generate 4 keys for our hosts (a public and private key pair for each). We shall name our hosts zakir and laptop.
a)
openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout zakir.private \
  -outform PEM -out request.pem
It might ask some questions; you can just press enter if you don't want to answer them (the answers form the certificate's subject DN, which is what the asn1dn identifiers in racoon_cert.conf below refer to).
Repeat this for the other host laptop as well.
b) Create a public certificate by self-signing it
openssl x509 -req -in request.pem -signkey zakir.private -out zakir.public
Repeat this for the other host laptop as well.
5.2) On host 10.0.0.216 ( zakir)
a) Write a script /etc/racoon/racoon_cert.conf
path certificate "/etc/racoon/certs";
remote 10.0.0.11 # "remote" names the peer, so on zakir this is laptop's address
{
exchange_mode aggressive,main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "zakir.public" "zakir.private";
peers_certfile "laptop.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
b) Create a directory /etc/racoon/certs
mkdir /etc/racoon/certs
chmod 0700 /etc/racoon/certs
c) Copy zakir's private key and certificate and laptop's public certificate here
cp zakir.private zakir.public laptop.public /etc/racoon/certs
chmod 0600 /etc/racoon/certs/*
chmod 0600 /etc/racoon/racoon_cert.conf
5.3) On host 10.0.0.11 (host laptop)
a) Write a script /etc/racoon/racoon_cert.conf
path certificate "/etc/racoon/certs";
remote 10.0.0.216 # "remote" names the peer, so on laptop this is zakir's address
{
exchange_mode aggressive,main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "laptop.public" "laptop.private";
peers_certfile "zakir.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
b) Create a directory /etc/racoon/certs
mkdir /etc/racoon/certs
chmod 0700 /etc/racoon/certs
c) Copy laptop's private key and certificate and zakir's public certificate here
cp laptop.private laptop.public zakir.public /etc/racoon/certs
chmod 0600 /etc/racoon/certs/*
chmod 0600 /etc/racoon/racoon_cert.conf
5.4) Run racoon on both hosts
killall racoon
racoon -f /etc/racoon/racoon_cert.conf -F &
5.5) Run the same host scripts that we wrote in Section 4
On host 10.0.0.216 (zakir),
./host_216_auto
On host 10.0.0.11 (laptop),
./host_11_auto
5.6) Ping each other. The first ping fails, but you can see the IPsec handshake messages on the console. Subsequent pings should work correctly. The following are the messages you get on the console:
Apr 4 17:14:58 terrapin racoon: INFO: IPsec-SA request for 192.168.1.169 queued due to no phase1 found.
Apr 4 17:14:58 terrapin racoon: INFO: initiate new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.169[500]
Apr 4 17:14:58 terrapin racoon: INFO: begin Aggressive mode.
Apr 4 17:14:58 terrapin racoon: INFO: received Vendor ID: DPD
Apr 4 17:14:58 terrapin racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 4 17:14:58 terrapin racoon: INFO: ISAKMP-SA established 192.168.1.1[500]-192.168.1.169[500] spi:58c4669f762abf10:60593eb9e3dd7406
Apr 4 17:14:59 terrapin racoon: INFO: initiate new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.169[0]
Apr 4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.169->host1ip; spi=232781799(0xddff7e7)
Apr 4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.1->192.168.1.169 spi=93933800(0x59950e8)
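As an added example, not from the original post, the Python below checks a racoon log like the one above for a complete handshake: phase 1 (ISAKMP-SA established) between the two hosts followed by an ESP/Transport SA in each direction, and it flags aggressive-mode use and the pskey NOTIFY as things to look at. The sample log is constructed from the messages above, rewritten for 10.0.0.216 and 10.0.0.11 with made-up timestamps and SPIs; check_handshake, SAMPLE_LOG and the two regexes are names chosen here.

```python
import re

# Constructed sample modelled on the racoon console output quoted above,
# rewritten for this tutorial's two hosts; timestamps and SPIs are made up.
SAMPLE_LOG = """\
Apr 4 17:14:58 zakir racoon: INFO: IPsec-SA request for 10.0.0.11 queued due to no phase1 found.
Apr 4 17:14:58 zakir racoon: INFO: initiate new phase 1 negotiation: 10.0.0.216[500]<=>10.0.0.11[500]
Apr 4 17:14:58 zakir racoon: INFO: begin Aggressive mode.
Apr 4 17:14:58 zakir racoon: INFO: ISAKMP-SA established 10.0.0.216[500]-10.0.0.11[500] spi:58c4669f762abf10:60593eb9e3dd7406
Apr 4 17:14:59 zakir racoon: INFO: initiate new phase 2 negotiation: 10.0.0.216[0]<=>10.0.0.11[0]
Apr 4 17:14:59 zakir racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.11->10.0.0.216 spi=232781799(0xddff7e7)
Apr 4 17:14:59 zakir racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.216->10.0.0.11 spi=93933800(0x59950e8)
"""

PHASE1 = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\]")
PHASE2 = re.compile(r"IPsec-SA established: (\w+)/(\w+) (\S+)->(\S+) spi=(\d+)")

def check_handshake(log, local, peer, want_mode="Transport"):
    """Walk racoon log lines and report whether phase 1 completed between
    local and peer and phase 2 produced an ESP SA in each direction in the
    mode the SPD asks for. 'warnings' collects things worth a second look."""
    r = {"phase1": False, "sas": {}, "warnings": []}
    for line in log.splitlines():
        m = PHASE1.search(line)
        if m and {m.group(1), m.group(2)} == {local, peer}:
            r["phase1"] = True
        m = PHASE2.search(line)
        if m:
            proto, mode, src, dst, spi = m.groups()
            r["sas"][(src, dst)] = (proto, mode, int(spi))
            if mode != want_mode:
                r["warnings"].append(f"{src}->{dst}: {mode}, expected {want_mode}")
        if "begin Aggressive mode" in line:
            r["warnings"].append("phase 1 ran in aggressive mode; prefer main "
                                 "(list it first in exchange_mode)")
        if "couldn't find the proper pskey" in line:
            r["warnings"].append("PSK lookup by identifier fell back to the "
                                 "peer address; check the psk.txt entry")
    out, back = (local, peer), (peer, local)
    r["complete"] = (r["phase1"] and out in r["sas"] and back in r["sas"]
                     and r["sas"][out][:2] == r["sas"][back][:2] == ("ESP", want_mode))
    return r

if __name__ == "__main__":
    print(check_handshake(SAMPLE_LOG, "10.0.0.216", "10.0.0.11"))
```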