Sunday, February 26, 2012

Linux IPSec VPN SETUP


Linux IPSec VPN SETUP(CentOS)

Once I was required to deploy a VoIP infrastructure where we were required to have a VPN connectivity between its two offices located at London and Berlin. One of the office had CISCO PIX and the other office had nothing but our VoIP server for VPN. So, I had to setup an IPsec tunnel between Linux and CISCO. Here is a how-to for public reading and for future references.


UPDATE: A new scenario for Amazon based Linux VPN Server is published on this link.

NETWORK DESIGN

VPN network overview

IPsec SETUP ON CENTOS
On our CentOS server we require to install openswan application. This application will do the job.

Install OpenSWAN:
[root@localhost ~]#yum upgrade
[root@localhost ~]#yum install openswan ipsec-tool
Use this command to start Openswan at boot time
[root@localhost ~]#chkconfig ipsec on

At this point if all commands are successfully executed we've openswan installed. Now we need to configure it accordingly.

Disable ICMP send/accept redirects
Note: Look at *, this is your NIC name i.e eth0 or eth1 on which we are going to terminate the VPN.

Disable /proc/sys/net/ipv4/conf/*/send_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/send_redirects"

Disable /proc/sys/net/ipv4/conf/*/accept_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/accept_redirects"

Enable IP Forwarding
[root@localhost ~]#nano /etc/sysctl.conf
Set:
net/ipv4/ip_forward = 1
[root@localhost ~]#sysctl -p

Verify ipsec/openswan

Check if IPSec package is happy with your settings. Mine are copied after VPN was established.

[root@localhost ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost.localdomain  [MISSING]
Does the machine have at least one non-private address?     [FAILED]
Ignore Opportunistic Encryption DNS Checks Failures


IPsec CONFIGURATIONS

Now we need to configure our linux-vpn, for this we need to edit the ipsec.conf file.

[root@localhost ~]#nano /etc/ipsec.conf

Insert the following lines in that file accordingly.

config setup
        interfaces=%defaultroute
        klipsdebug=all                 #enable debugging
        plutodebug=all
        protostack=netkey

conn BER-LON-VoIP
        type=tunnel          #tunnel mode ipsec
        left= 213.YX.XY.213     #the IP address of your OpenSWAN endpoint
        leftnexthop=%defaultroute      #default gateway
        leftsubnet=10.100.100.0/24     # network behind your endpoint
        right=  123.XX.YY.123            # Your IP, or %any for a road-warrior setup
        rightnexthop=%defaultroute     #defaultroute for road warrior unknown
        rightsubnet=192.168.150.0/24   #network behind the CISCO
        auth=esp
        esp=3des-sha1           #esp: 3des, hmac: sha1
        keyexchange=ike         #use regular ike
        authby=secret           #pre-shared secret, you can also use rsa nounces
        pfs=no                  #use perfect forward secrecy
        auto=start     #don't initiate tunnel, but allow incoming


CONFIGURE  Pre Shared Key

Syntax of ipsec.secrets
<IP of VPN Server{left}> <IP of CISCO Router{right}> : PSK  "<PreShared Key>"

[root@localhost ~]#nano /etc/ipsec.secrets
213.YX.XY.213 123.XX.YY.123 : PSK "$#@$@%$$FDSF#$@#$@#"


Enabling MASQUERADE NAT on VPN Server(Optional)
This will take all the traffic from interface eth1 and send the traffic out from interface eth2. We required this so that all the traffic that is required to go through VPN uses this server as its gateway.

[root@localhost ~]#iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost ~]#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE


USEFUL IPsec COMMANDS
Check Status of Tunnels :
[root@localhost ~]# ipsec auto –-status

This will show the status of all VPN connections defined in ipsec.conf as well as show the connected/up VPNs.See the end lines corresponding to BER-LON-VoIP


000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute
owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213
esp.140f56a9@10.100.100.6 tun.0@ 213.YX.XY.213 tun.0@10.100.100.6
ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate

NOTE: There are no state lines for the disconnected tunnels.

Start-up a tunnel:
[root@localhost ~]# ipsec auto –up <Connection Name>
This command will start an Ipsec tunnel defined by the name in ipsec.conf
[root@localhost ~]#  ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}
last line (STATE QI2) is important for successful VPN establishment.


Shut-down a specific tunnel:
Similarly to disconnect a tunnel use the following.
[root@localhost ~]# ipsec auto –down <Connection Name>


Restart a specific tunnel
[root@localhost ~]# ipsec auto --down BER-LON-VoIP
[root@localhost ~]# ipsec auto --up BER-LON-VoIP

117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 " BER-LON -VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 " BER-LON -VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}


Restart All Tunnels:
[root@localhost ~]# service ipsec restart




CISCO IPsec VPN SETUP

These commands were issued on the CISCO equipment to setup a tunnel.

#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 6 $#@$@%$$FDSF#$@#$@# address  213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-md5-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN- LON-BER -set
#match address VPN- LON-BER -set



REFERENCES
http://linux.die.net/man/8/ipsec_spi
http://www.daemon.be/maarten/openswanpix.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://www.diverdown.cc/vpn/freeswanciscorouter.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://howtoforums.net/viewtopic.php?t=92
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs

15 comments:

  1. Really nice information, must say that I really appreciate your blogg. I'm working in different VoIP-related projects myself and found your post regarding HA design for a SIP/RTP proxy really helpful.

    May I ask how you create theese smooth network diagrams, any particular application used?

    Best regards
    Tobias Steen

    ReplyDelete
    Replies
    1. Thank you Tobias for your nice comment. I use Microsoft Visio with a specific template found on this link: http://blogs.technet.com/b/seanearp/archive/2010/07/09/free-microsoft-visio-stencils.aspx

      Hope you'll be making these smooth network diagrams soon ;)

      Delete
  2. Hey there, You have done a fantastic job. I will definitely digg it and personally recommend to my friends. I am sure they'll be benefited from this web site. Also visit my web blog ...
    vpn for usa
    uk vpn

    ReplyDelete
  3. Hi Mate, I need some assistance
    We have tplink wireless router which allow vpn tunnel via IPSEC, I have a server in UK which has centos installed.
    I want to create a tunnel between the centos server and tplink but the issue i have is tplink isp only gives dynamic IP where centos server has static IP.
    Can you please guide me how to approach on this i would be deeply indebted ?
    thanks

    ReplyDelete
    Replies
    1. Dear ,

      Although I do wish to help you out but due to my official work demanding more of my time it becomes really hard for me to assist as easily as previously.

      However, I do have an Amazon EC2 Server<==>TPLink router IPSec configurations ready to be put on blog. I hope that would help you sort out your issue.

      In any case do send me private email with a proper visio diagram explaining the situation so that I may suggest you with littel knowledge I have about this.

      Good luck,
      Gohar

      Delete
    2. See this new blog post only for you: http://saevolgo.blogspot.com/2013/07/linux-ipsec-vpn-2-amazon-cloud-sever.html

      Delete
  4. Mate thank you so much for putting that blog out :) Let me send you an email as i do have query about dynamic DNS TPLINK got ISP dynamic Public address. Instead of IP can i use a DNS name to keep the tunnel up from tplink side as IP changes every few days.

    ReplyDelete
    Replies
    1. I suggest you read more about OpenSWAN, yes you can definitely initialize a VPN IPSec peer with one end statuc and other end known by name/DNS only.

      I have not tried that myself so far but I'd recommend use Vyatta as your static VPN/IPSec server and it'll make everything much easier for you.

      Delete
  5. I am unable to find your email can you confirm ?

    ReplyDelete
    Replies
    1. On the right side just below the blog archive listing you may see a LinkedIn button. You can always click there and reach me Or on twitter.

      Delete
  6. I am confused........
    Shouldn't the crypto map match the ACL? So the command:
    #match address VPN- LON-BER -set
    should be:
    #match address VPN- LON-BER
    or am I wrong about that?

    ReplyDelete
    Replies
    1. Give it a go and share the results kindly.

      Delete
    2. actually, when I use the ACL, I see two sessions. It does seem to control the flow, and hence be the proper way.

      Delete
  7. strange, either way seems to be the same

    ReplyDelete
  8. I actually have a better answer: at least as seen from my Cisco 877. It would appeat that using the name of the 'transform set' as the name of 'match address', without explicitly defining that as an acl first, as you have done in this, cuases the router to create a new empty acl with the new name defined in the crpyto map.

    Do you see this behavior?

    ReplyDelete