Linux IPsec VPN SETUP (CentOS)
IPsec SETUP ON CENTOS
On our CentOS server we need to install the Openswan package; it is the software that does the IPsec work.
Install Openswan:
[root@localhost ~]# yum upgrade
[root@localhost ~]# yum install openswan ipsec-tools
Use this command to start Openswan at boot time
[root@localhost ~]#chkconfig ipsec on
If all of the commands above completed successfully, Openswan is now installed. Next we configure it.
Disable ICMP send/accept redirects
Note: the * in the path is a shell glob that covers every interface entry under /proc/sys/net/ipv4/conf (eth0, eth1, and the all and default entries), so the loops below clear the flag for all of them, including the NIC on which we terminate the VPN. Writing to these files takes effect immediately but does not survive a reboot; add the matching settings to /etc/sysctl.conf as well (the next step edits that file).
Disable /proc/sys/net/ipv4/conf/*/send_redirects
[root@localhost ~]# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
Disable /proc/sys/net/ipv4/conf/*/accept_redirects
[root@localhost ~]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
Enable IP Forwarding
[root@localhost ~]# nano /etc/sysctl.conf
Set:
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
Verify ipsec/openswan
Check whether the IPsec package is happy with your settings. The output below was copied after my VPN was established; once the two ICMP redirect settings above have been applied, those two checks should report [OK] rather than [FAILED].
[root@localhost ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: localhost.localdomain   [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
Ignore the Opportunistic Encryption DNS check failures; they do not affect a site-to-site tunnel.
IPsec CONFIGURATIONS
Now we configure the Linux VPN end by editing /etc/ipsec.conf. The config setup section holds the daemon settings and the conn section defines one site-to-site connection; replace the 213.YX.XY.213 and 123.XX.YY.123 placeholders with your real public addresses.
config setup
        interfaces=%defaultroute
        klipsdebug=all              # enable debugging (set to none once the tunnel works)
        plutodebug=all
        protostack=netkey

conn BER-LON-VoIP
        type=tunnel                 # tunnel mode IPsec
        left=213.YX.XY.213          # the IP address of your Openswan endpoint
        leftnexthop=%defaultroute   # default gateway
        leftsubnet=10.100.100.0/24  # network behind your endpoint
        right=123.XX.YY.123         # the Cisco's IP, or %any for a road-warrior setup
        rightnexthop=%defaultroute  # default route; unknown for a road warrior
        rightsubnet=192.168.150.0/24  # network behind the Cisco
        auth=esp
        esp=3des-sha1               # ESP with 3DES encryption and HMAC-SHA1 integrity
        keyexchange=ike             # use regular IKE
        authby=secret               # pre-shared key; rsasig is the alternative
        pfs=no                      # no perfect forward secrecy (must match the Cisco side)
        auto=start                  # bring the tunnel up when pluto starts
CONFIGURE Pre Shared Key
Syntax of /etc/ipsec.secrets (one line per peer pair; the key is stored in clear, so keep the file readable by root only):
<IP of VPN Server{left}> <IP of CISCO Router{right}> : PSK "<PreShared Key>"
[root@localhost ~]#nano /etc/ipsec.secrets
213.YX.XY.213 123.XX.YY.123 : PSK "$#@$@%$$FDSF#$@#$@#"
Enabling MASQUERADE NAT on the VPN Server (Optional)
These rules forward traffic arriving on interface eth1 and masquerade it behind the address of interface eth2. We need this so that all the traffic that has to go through the VPN can use this server as its gateway. Note that under NETKEY the nat POSTROUTING chain is applied before IPsec encapsulation, so traffic from 10.100.100.0/24 to 192.168.150.0/24 must be excluded from the MASQUERADE rule (an ACCEPT rule ahead of it in the same chain); otherwise its source address is rewritten, it no longer matches leftsubnet, and it leaves in clear instead of through the tunnel.
[root@localhost ~]#iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost ~]#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
USEFUL IPsec COMMANDS
Check the status of tunnels:
[root@localhost ~]# ipsec auto --status
This shows the status of all VPN connections defined in ipsec.conf and which of them are connected/up. See the final lines for BER-LON-VoIP:
000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213 esp.140f56a9@10.100.100.6 tun.0@213.YX.XY.213 tun.0@10.100.100.6 ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
NOTE: #1 is the ISAKMP (IKE phase 1) SA and #2 the IPsec (phase 2) SA. Disconnected tunnels have no state lines at all, so a connection that is missing from this output is down.
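To turn that note into a check that can run from cron or a monitoring agent, here is an added Python 3 example (not part of the original post, and not an Openswan tool) that parses the output of ipsec auto --status. It reports, per connection, whether the ISAKMP SA and the IPsec SA are established, and lists every expected connection that pluto printed no state line for. The sample output is constructed from the three BER-LON-VoIP lines above plus a hypothetical second connection, LON-PAR-Data, that only completed phase 1.

```python
import re

# Constructed sample output in the format of `ipsec auto --status`: the three
# BER-LON-VoIP lines shown above (re-joined onto single lines), plus a
# hypothetical second connection, LON-PAR-Data, that only completed IKE phase 1.
SAMPLE_STATUS = """\
000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213 esp.140f56a9@10.100.100.6 tun.0@213.YX.XY.213 tun.0@10.100.100.6 ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #5: "LON-PAR-Data":500 STATE_MAIN_R3 (ISAKMP SA established); EVENT_SA_REPLACE in 2000s; newest ISAKMP; idle
"""

# A state line looks like: 000 #<sa>: "<conn>"[:port] STATE_xxx (<detail>); ...
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+) \((.*?)\)')

# Final states of IKE phase 1 (main/aggressive mode) and phase 2 (quick mode).
ISAKMP_UP = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_AGGR_I2", "STATE_AGGR_R2"}
IPSEC_UP = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def parse_status(text, expected_conns):
    """Summarise pluto's status output per connection.

    Returns {conn: {"isakmp": bool, "ipsec": bool, "states": [(sa, state), ...]}}.
    Every name in expected_conns is present in the result even if pluto printed
    no state line for it; that is the "no state lines for disconnected tunnels"
    case, and such a connection is reported as down on both phases.
    """
    result = {c: {"isakmp": False, "ipsec": False, "states": []} for c in expected_conns}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # SPI/eroute lines and other status output carry no state
        sa, conn, state, detail = m.groups()
        entry = result.setdefault(conn, {"isakmp": False, "ipsec": False, "states": []})
        entry["states"].append((int(sa), state))
        if state in ISAKMP_UP:
            entry["isakmp"] = True
        if state in IPSEC_UP and "IPsec SA established" in detail:
            entry["ipsec"] = True
    return result


def tunnels_down(status):
    """Names of connections without an established IPsec SA, sorted."""
    return sorted(c for c, s in status.items() if not s["ipsec"])


if __name__ == "__main__":
    # PAR-BER-Mgmt is a constructed name with no output at all: the "missing" case.
    status = parse_status(SAMPLE_STATUS, ["BER-LON-VoIP", "LON-PAR-Data", "PAR-BER-Mgmt"])
    for conn, s in sorted(status.items()):
        print(f"{conn:14} ISAKMP={'up' if s['isakmp'] else 'down':4} IPsec={'up' if s['ipsec'] else 'down'}")
    print("down:", tunnels_down(status))
```

On a live box, feed it the real output (for example subprocess.run(["ipsec", "auto", "--status"], capture_output=True, text=True).stdout) and the list of conn names from ipsec.conf; a non-empty tunnels_down result is the alert condition.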
Start up a tunnel:
[root@localhost ~]# ipsec auto --up <Connection Name>
This command starts the IPsec tunnel defined under that name in ipsec.conf.
[root@localhost ~]# ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
The last line (STATE_QUICK_I2, IPsec SA established) is the one that confirms the VPN came up; it also shows the negotiated SPIs and transform (3DES with HMAC-SHA1 here).
Shut-down a specific tunnel:
Similarly to disconnect a tunnel use the following.
[root@localhost ~]# ipsec auto --down <Connection Name>
Restart a specific tunnel
[root@localhost ~]# ipsec auto --down BER-LON-VoIP
[root@localhost ~]# ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Restart All Tunnels:
[root@localhost ~]# service ipsec restart
These commands were issued on the Cisco equipment to set up the other end of the tunnel. The access list is the mirror image of the Openswan conn (the networks behind the Cisco as source, 10.100.100.0/24 as destination), the crypto map's match address must name that access list, and the transform set must agree with the esp= line in ipsec.conf on both the cipher and the integrity algorithm: the SA established above negotiated 3DES with HMAC-SHA1, so esp-sha-hmac is the Cisco transform that matches esp=3des-sha1, whereas esp-md5-hmac as used below needs esp=3des-md5 on the Linux side.
#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 6 $#@$@%$$FDSF#$@#$@# address 213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-md5-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN-LON-BER-set
#match address VPN-LON-BER
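Because the two ends are configured by hand in two different syntaxes, the mismatches that stop a tunnel from coming up (wrong peer, an ACL that is not the mirror of leftsubnet/rightsubnet, a transform set with a different integrity algorithm, a match address naming an undefined ACL) are easy to miss. The following added Python 3 example, which is not part of the original post or of either vendor's tooling, parses the conn section and the Cisco lines above and reports every such mismatch. The inputs are constructed from the page: the pre-shared key is replaced by a placeholder, the leading # prompt is stripped, and only the Cisco transform names used here are mapped.

```python
import ipaddress

# Constructed inputs: the conn section from the ipsec.conf above and the Cisco
# lines above, embedded as strings. The pre-shared key is a placeholder and the
# leading '#' (the config prompt in the listing) is stripped while parsing.
IPSEC_CONF = """\
conn BER-LON-VoIP
        type=tunnel
        left=213.YX.XY.213
        leftsubnet=10.100.100.0/24
        right=123.XX.YY.123
        rightsubnet=192.168.150.0/24
        auth=esp
        esp=3des-sha1             # 3DES encryption, HMAC-SHA1 integrity
        authby=secret
        pfs=no
        auto=start
"""

CISCO_CONF = """\
#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 6 PSK-PLACEHOLDER address 213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-md5-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN-LON-BER-set
#match address VPN-LON-BER
"""

# Cisco transform names -> Openswan esp= tokens (only the subset used on this page).
ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes"}
AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}


def parse_conn(text):
    """key=value pairs of one conn section, with trailing # comments dropped."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def parse_cisco(text):
    """Collect ACL entries, transform sets, ISAKMP peers and crypto-map settings."""
    cfg = {"acls": {}, "transform_sets": {}, "isakmp_peers": set(), "map": {}}
    acl = None  # ACL currently being filled by permit lines
    for raw in text.splitlines():
        words = raw.lstrip("#").split()
        if not words:
            continue
        if words[:3] == ["ip", "access-list", "extended"]:
            acl = cfg["acls"].setdefault(words[3], [])
        elif words[:2] == ["permit", "ip"] and acl is not None:
            # Cisco wildcard masks are hostmasks, which ipaddress accepts directly.
            acl.append((ipaddress.ip_network(f"{words[2]}/{words[3]}"),
                        ipaddress.ip_network(f"{words[4]}/{words[5]}")))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            acl = None
            cfg["transform_sets"][words[3]] = words[4:]
        elif words[:3] == ["crypto", "isakmp", "key"]:
            acl = None
            cfg["isakmp_peers"].add(words[words.index("address") + 1])
        elif words[:2] == ["crypto", "map"]:
            acl = None
        elif words[:2] == ["set", "peer"]:
            cfg["map"]["peer"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            cfg["map"]["transform_set"] = words[2]
        elif words[:2] == ["match", "address"]:
            cfg["map"]["acl"] = words[2]
    return cfg


def check(conn, cfg):
    """List the mismatches between the conn and the Cisco side (empty = consistent)."""
    problems = []
    m = cfg["map"]
    if m.get("peer") != conn["left"]:
        problems.append(f"crypto map peer {m.get('peer')} is not left={conn['left']}")
    if conn["left"] not in cfg["isakmp_peers"]:
        problems.append(f"no crypto isakmp key for {conn['left']}")
    acl = cfg["acls"].get(m.get("acl"))
    if acl is None:
        problems.append(f"match address {m.get('acl')} names no defined access-list")
        acl = []
    # The Cisco ACL is the mirror image of the conn: its source is rightsubnet.
    want = (ipaddress.ip_network(conn["rightsubnet"]), ipaddress.ip_network(conn["leftsubnet"]))
    if want not in acl:
        problems.append(f"ACL lacks permit {want[0]} -> {want[1]}")
    for src, dst in acl:
        if (src, dst) != want:
            problems.append(f"ACL entry {src} -> {dst} is covered by no conn")
    enc, auth = conn["esp"].split("-")
    ts = cfg["transform_sets"].get(m.get("transform_set"), [])
    cisco_enc = {ENC[t] for t in ts if t in ENC}
    cisco_auth = {AUTH[t] for t in ts if t in AUTH}
    if cisco_enc != {enc.replace("aes128", "aes")} or cisco_auth != {auth}:
        problems.append(f"esp={conn['esp']} does not match transform-set {ts}")
    return problems


if __name__ == "__main__":
    for p in check(parse_conn(IPSEC_CONF), parse_cisco(CISCO_CONF)):
        print("MISMATCH:", p)
```

Run against the page's own configuration it reports two findings: the second permit line (192.168.170.0/24) has no conn covering it on the Openswan side, and esp=3des-sha1 does not match a transform set using esp-md5-hmac. Changing the transform to esp-sha-hmac and dropping or mirroring the extra permit makes the check come back clean, and naming the transform set in match address instead of the ACL is flagged as an undefined access list.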
REFERENCES
http://linux.die.net/man/8/ipsec_spi
http://www.daemon.be/maarten/openswanpix.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://www.diverdown.cc/vpn/freeswanciscorouter.html
http://howtoforums.net/viewtopic.php?t=92
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs
Really nice information, must say that I really appreciate your blog. I'm working in different VoIP-related projects myself and found your post regarding HA design for a SIP/RTP proxy really helpful.
May I ask how you create these smooth network diagrams, any particular application used?
Best regards
Tobias Steen
Thank you Tobias for your nice comment. I use Microsoft Visio with a specific template found on this link: http://blogs.technet.com/b/seanearp/archive/2010/07/09/free-microsoft-visio-stencils.aspx
Hope you'll be making these smooth network diagrams soon ;)
Hi Mate, I need some assistance.
We have a TP-Link wireless router which allows a VPN tunnel via IPsec, and I have a server in the UK which has CentOS installed.
I want to create a tunnel between the CentOS server and the TP-Link, but the issue I have is that the TP-Link's ISP only gives a dynamic IP, whereas the CentOS server has a static IP.
Can you please guide me on how to approach this? I would be deeply indebted.
Thanks
Dear,
Although I do wish to help you out, due to my official work demanding more of my time it becomes really hard for me to assist as easily as previously.
However, I do have Amazon EC2 Server <==> TP-Link router IPsec configurations ready to be put on the blog. I hope that would help you sort out your issue.
In any case do send me a private email with a proper Visio diagram explaining the situation so that I may advise you with the little knowledge I have about this.
Good luck,
Gohar
See this new blog post only for you: http://saevolgo.blogspot.com/2013/07/linux-ipsec-vpn-2-amazon-cloud-sever.html
Mate, thank you so much for putting that blog out :) Let me send you an email as I do have a query about dynamic DNS. The TP-Link got a dynamic public address from the ISP. Instead of an IP, can I use a DNS name to keep the tunnel up from the TP-Link side, as the IP changes every few days?
I suggest you read more about Openswan; yes, you can definitely initialize an IPsec VPN peer with one end static and the other end known by name/DNS only.
I have not tried that myself so far, but I'd recommend using Vyatta as your static VPN/IPsec server and it'll make everything much easier for you.
I am unable to find your email, can you confirm?
On the right side just below the blog archive listing you may see a LinkedIn button. You can always click there and reach me, or on Twitter.
I am confused........
Shouldn't the crypto map match the ACL? So the command:
#match address VPN-LON-BER-set
should be:
#match address VPN-LON-BER
or am I wrong about that?
Give it a go and share the results kindly.
Actually, when I use the ACL, I see two sessions. It does seem to control the flow, and hence be the proper way.
Strange, either way seems to be the same.
I actually have a better answer, at least as seen from my Cisco 877. It would appear that using the name of the 'transform set' as the name of 'match address', without explicitly defining that as an ACL first, as you have done in this, causes the router to create a new empty ACL with the new name defined in the crypto map.
Do you see this behavior?