This tutorial will aid you in creating a simple host to host IPsec tunnel that will provide end to end encryption of traffic between two hosts. This is a basic configuration that uses a RSA key pair to establish ISAKMP Security Association. Traffic will be encrypted using ESP.
Tested on Red Hat Enterprise 5, Red Hat Enterprise 6, and Fedora 17.
Install Openswan
First we need to install openswan:
yum -y install openswan
Let's clean up the installation defaults:
NOTE: Leave passwords blank
rm -r /etc/ipsec.d/*.db; rm -f /etc/ipsec.secrets; certutil -N -d /etc/ipsec.d/
Generate RSA Keys
Now generate RSA keys. This must be done on each host (sometimes takes 4-6 minutes).
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets
Gather Host Keys
Obtain keys from each host and place into a text file. You will need this later.
ON HOST 1 RUN:
ipsec showhostkey --left
ON HOST 2 RUN:
ipsec showhostkey --right
Edit Configuration File
Uncomment the following line in /etc/ipsec.conf file.
Change:
#include /etc/ipsec.d/*.conf
to
include /etc/ipsec.d/*.conf
Create Connection Specific Configuration
Create a connection specific conf file in /etc/ipsec.d/ - For example /etc/ipsec.d/host1-2.conf.
You can use this same file on both hosts, the indentations after the first line are needed.
conn host1-2
left=10.0.0.1
leftrsasigkey=[left host value from step 3]
right=10.0.0.40
rightrsasigkey=[right host value from step 3]
auto=start
authby=rsasig
NOTE: Don’t forget to copy this configuration file to /etc/ipsec.d/ on host2.
Start ipsec Services
Start the ipsec services (pluto) on each host:
service ipsec start
Confirm Connection
Check /var/log/secure and look for and established messages like “IPsec SA established”.
# tail -99 /var/log/secure | grep -i “ipsec sa established”
Aug 7 13:37:06 host2 pluto[25754]: “host1-host2” #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfcfb638f <0x5c787237 dpd="none}<br" natd="none" natoa="none" xfrm="AES_128-HMAC_SHA1">
Aug 7 13:37:13 host2 pluto[25754]: “host1-host2” #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2cb7bd96 <0xd47a1d6c dpd="none}</p" natd="none" natoa="none" xfrm="AES_128-HMAC_SHA1">
...OUTPUT TRUNCATED...
Check the tunnels status via kernel policies:
ip xfrm policy
src 10.0.0.40/32 dst 10.0.0.1/32
dir out priority 2080 ptype main
tmpl src 10.0.0.40 dst 10.0.0.1
proto esp reqid 16385 mode tunnel
src 10.0.0.1/32 dst 10.0.0.40/32
dir fwd priority 2080 ptype main
tmpl src 10.0.0.1 dst 10.0.0.40
proto esp reqid 16385 mode tunnel
src 10.0.0.1/32 dst 10.0.0.40/32
dir in priority 2080 ptype main
tmpl src 10.0.0.1 dst 10.0.0.40
proto esp reqid 16385 mode tunnel
More information can be found with the “service ipsec status” and “ipsec auto --status” commands.
All the posts about openswan miss something ESSENTIAL : Iptables rules... very frustrating.
This comment has been removed by a blog administrator.