Linux IPSec VPN SETUP(CentOS)
 |
| VPN network overview |
IPsec SETUP ON CENTOS
On our CentOS server we require to install openswan application. This application will do the job.
Install OpenSWAN:
[root@localhost ~]#yum upgrade[root@localhost ~]#yum install openswan ipsec-tool
Use this command to start Openswan at boot time
[root@localhost ~]#chkconfig ipsec on
At this point if all commands are successfully executed we've openswan installed. Now we need to configure it accordingly.
Disable ICMP send/accept redirects
Note: Look at *, this is your NIC name i.e eth0 or eth1 on which we are going to terminate the VPN.
Disable /proc/sys/net/ipv4/conf/*/send_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/send_redirects"
Disable /proc/sys/net/ipv4/conf/*/accept_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/accept_redirects"
Enable IP Forwarding
[root@localhost ~]#nano /etc/sysctl.conf
Set:
net/ipv4/ip_forward = 1
[root@localhost ~]#sysctl -p
Verify ipsec/openswan
Check if IPSec package is happy with your settings. Mine are copied after VPN was established.
[root@localhost ~]# ipsec verify Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! NETKEY detected, testing for disabled ICMP accept_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects! Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption DNS checks: Looking for TXT in forward dns zone: localhost.localdomain [MISSING] Does the machine have at least one non-private address? [FAILED] Ignore Opportunistic Encryption DNS Checks Failures
IPsec CONFIGURATIONS
Now we need to configure our linux-vpn, for this we need to edit the ipsec.conf file.
config setup
interfaces=%defaultroute
klipsdebug=all #enable debugging
plutodebug=all
protostack=netkey
conn BER-LON-VoIP
type=tunnel #tunnel mode ipsec
left= 213.YX.XY.213 #the IP address of your OpenSWAN endpoint
leftnexthop=%defaultroute #default gateway
leftsubnet=10.100.100.0/24 # network behind your endpoint
right= 123.XX.YY.123 # Your IP, or %any for a road-warrior setup
rightnexthop=%defaultroute #defaultroute for road warrior unknown
rightsubnet=192.168.150.0/24 #network behind the CISCO
auth=esp
esp=3des-sha1 #esp: 3des, hmac: sha1
keyexchange=ike #use regular ike
authby=secret #pre-shared secret, you can also use rsa nounces
pfs=no #use perfect forward secrecy
auto=start #don't initiate tunnel, but allow incoming
CONFIGURE Pre Shared Key
Syntax of ipsec.secrets
<IP of VPN Server{left}> <IP of CISCO Router{right}> : PSK "<PreShared Key>"
[root@localhost ~]#nano /etc/ipsec.secrets
213.YX.XY.213 123.XX.YY.123 : PSK "$#@$@%$$FDSF#$@#$@#"
Enabling MASQUERADE NAT on VPN Server(Optional)
This will take all the traffic from interface eth1 and send the traffic out from interface eth2. We required this so that all the traffic that is required to go through VPN uses this server as its gateway.
[root@localhost ~]#iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost ~]#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
USEFUL IPsec COMMANDS
Check Status of Tunnels :[root@localhost ~]# ipsec auto –-status
This will show the status of all VPN connections defined in ipsec.conf as well as show the connected/up VPNs.See the end lines corresponding to BER-LON-VoIP
000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute
owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213
esp.140f56a9@10.100.100.6 tun.0@ 213.YX.XY.213 tun.0@10.100.100.6
ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate
NOTE: There are no state lines for the disconnected tunnels.
Start-up a tunnel:
[root@localhost ~]# ipsec auto –up <Connection Name>
This command will start an Ipsec tunnel defined by the name in ipsec.conf
[root@localhost ~]# ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}
last line (STATE QI2) is important for successful VPN establishment.
Shut-down a specific tunnel:
Similarly to disconnect a tunnel use the following.
[root@localhost ~]# ipsec auto –down <Connection Name>
Restart a specific tunnel
[root@localhost ~]# ipsec auto --down BER-LON-VoIP
[root@localhost ~]# ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 " BER-LON -VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 " BER-LON -VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}
Restart All Tunnels:
[root@localhost ~]# service ipsec restart
These commands were issued on the CISCO equipment to setup a tunnel.
#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 6 $#@$@%$$FDSF#$@#$@# address 213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-md5-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN- LON-BER -set
#match address VPN- LON-BER -set
REFERENCES
http://linux.die.net/man/8/ipsec_spi
http://www.daemon.be/maarten/openswanpix.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://www.diverdown.cc/vpn/freeswanciscorouter.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://howtoforums.net/viewtopic.php?t=92
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 " BER-LON -VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 " BER-LON -VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}
Restart All Tunnels:
[root@localhost ~]# service ipsec restart
CISCO IPsec VPN SETUP
#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 6 $#@$@%$$FDSF#$@#$@# address 213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-md5-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN- LON-BER -set
#match address VPN- LON-BER -set
REFERENCES
http://linux.die.net/man/8/ipsec_spi
http://www.daemon.be/maarten/openswanpix.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://www.diverdown.cc/vpn/freeswanciscorouter.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://howtoforums.net/viewtopic.php?t=92
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs