Introduction

This document is intended to showcase the overview of configuration and implementation of IPSec in Linux virtual machines. The two types of IPSec configurations are Host-to-Host and Network-toNetwork IPSec configurations. Host-to-host IPSec configuration is to make secure tunnel between two hosts within the network. Network-to-network IPSec configuration is to make secure tunnel between two different entire network. This document is only present the host-to-host IPSec

configurations and its implementations.

Lab Requirements:
Required Virtual Machine Linux Server IPSec Protocols IPSec Tools IPSec Dependencies tools Testing Tools IP Address IP Protocol Used VMware Workstation 9.0 Centos 6.3 Linux Distribution Openswan2.6.24, Racoon Nss-tools (Network Security Services) ppp iptables make gcc gmp-devel Tcpdump, wireshark 192.168.100.0/24 Static

Test Bed Setup:

The above figure shows the test bed setup which is going to be used in the whole tasks. There are two Centos 6.3 servers named as Cryptotest1 and Cryptotest2. Both the servers' eth1 interfaces connected each other by the way both the servers selected same LAN Crypto1 network adaptor in VMware Workstation 9.0 and having same subnet IP addresses. Centos would be also called as guest OS.

Test Bed Installation:

1. First download the VMware Workstations 9.0 from the following link; http://www.vmware.com/uk/support/product-support/fusion/faq/requirements.html and install it onto the Computer PC or Laptop 2. Copy the image of Centos 6.3 and place it into laptop hard drive. Open the VMware, click the create new virtual machine, click next then locate the image of centos 6.3 in laptop hard drive and follow the steps by clocking next. 3. Once new virtual machine created for Centos 6.3 image, follow the same step for another image of centos 6.3 and make sure two Centos 6.3 virtual machines are created in VMware workstation. To check the virtual machines in VMware, expand the My Computer in VMware workstation . 4. Open the both Centos virtual machines, click the "power on this virtual machine" on each Centos. It boots the Centos virtual machines. 5. Once booted, click VM tabs , choose Settings, underneath of Hardware click Network Adaptor, add new segment as LAN Crypt 1 under LAN Segment and choose this as network adaptor segment connection. Follow the same steps for another Centos virtual machine but instead of add new segment, choose LAN Crypt 1 from drop down of LAN Segment. 6. To establish internet connection in easier way, two network adaptor will be used on each centos in this test. The another network adaptor will be used with NAT or Bridged. 7. Change the host name for each machines as Cryptotest1 and Cryptotest2 as seen as in a below picture.

Establishing Internet Connection:

To download required IPSec protocols, IPSec tools and its dependencies guest OS must be connected with internet connection. Before downloading any service from internet, make sure that internet is working by using ping command. in each Centos eth0 is connected with internet and eth1 is connected in same subnet LAN segment. The below screen shot is shown that centos virtual machines are connected with internet and can able to ping without packet loss.

Static IP Configuration:
Before going to start with IPSec configuration, there are few configuration need to be done. LAN segment interfaces at both Centos box' eth1 need to be configured with static IP. Cryptotest1 box's eth1 is assigned with 192.168.10.1 and Cryptotest2 box's eth1 is assigned with 192.168.10.2 and both IP under same subnet ie., 255.255.255.0 or /24. The following figure2.4 and figure 2.5

shows the static IP assigned at both Centos box's eth1 interfaces. BOOTPROTO="none" indicates that it has been assigned with static protocol. IPADDR=192.168.10.1 indicates that IP address has been

assigned manually or statically.

Installation of Dependencies:
To support the IPSec service, there are dependencies must be installed. By using following command dependencies can be installed. This must be done at both centos virtual machines.

Installation of Openswan:
Openswan is a kernel level IPSec implementation available in Centos6.3 Linux distribution and it is also an open source. It implements Internet Key Exchange V1 and V2 as user level daemons[2]. To activate IPSec in Centos 6.3, openswan must be download and installed on Centos6.3 from repository sources. To check openswan rpm package has been installed in centos, use the following command at both Centos virtual machines to find out the installation of openswan package.

If not installed, then use following commands to download it from repository, download it into /root/Downloads directory. It has be done at either centos machines. As this is tar file, first un-tar the file into same location and change the directory to openswan-2.6.31

Once change the directory, use the following commands to install "openswan". "make" tool helps to install the executable file from its directory. Follow the same procedure to install openswan at Cryptotest2 centos virtual machine as well.

After installation of openswan, use the following command to check the status of ipsec at both the

Centos machine. IPSec must be in stopped status, as we just installed it not started. Then openswan Network Security Services tools must be installed in centos. The following command could be used to install openswan nss-tool

Openswan uses nss-tools for Network Security Services which has IPSec cryptographic library and it is compliance with FIPS security compliance. NSS cryptographic library is a user space IKE daemon and used with Pluto for its operation. It won't impact the KLIPS and NETKEY IPSec Kernel operation. It also supports IKEV1, IKEV2 and PSK[3].

Racoon Installation:
Racoon is a Internet Key Exchange Management daemon. It does speak to IKE (ISAKMP/Oakley) key management protocol to establish security associations with other hosts. The Security Policy Database (SPD) in the kernel usually triggers racoon[4]. Firstly, rpm package for IPSec tools must be download from internet repository. Find the below command and repository link to download IPSec tools rpm package. This rpm package contain
.

libraries, daemon and configuration files for building up the IPSec connection in which setkey,

racoon and racoon.conf are available. Then use the above command to install IPSec tools including racoon tools. Before go to configuration part, service status of IPSec and racoon must be checked by using Figure2.11 commands.

Configurations of IPSec:
Openswan has been introduced for IPSec implementation in Redhat 6 version and it does so in Centos6.0 as well. Because of openswan IPSec implementation, network-functions doesn't present IPSEC device by default. So first IPSEC device type must be created in network-functions file. Use the below command to edit the network-functions file to add IPSEC device type at both Centos virtual

machines. Type "i" for vim editing mode and write the highlighted script which is shown in below

figure2.15. Once written the script, press esc and then save the file and exit by entering ":wq" . Then , two new files are "ifcfg-ipsec0" and "keys-ipsec0" must be created under following directory by using touch command. This procedure must be followed at both Centos virtual machines are Cryptotest1 and Cryptotest2.

Till now, all the configuration are similar for both Centos machines. Now can be seen each centos machines will have different configuration. Open the new file of "ifcfg-eth0" in Cryptotest1 and write the script to let Cryptotest1 knows the destinations and type of Internet key Exchange method is going to be used for the IPSec connection establishment with Cryptotest2. The Figure2.18 shows the Crytpotest1's ifcfg-ipsec0 configuration.

The Figure2.19 shows the Cryptotest2's ifcfg-ipsec0 configuration. DST=192.168.10.1 is a destination

IP address which is Cryptotest1 IP address. Type of interface is IPSEC and ONBOOT=yes indicates that while booting Cryptotest2 will be automatically triggered ipsec interface up. IKE_METHOD=PSK indicates that method Internet Key Exchange and it has chosen Pre shared key method[6].

The above figure2.20 shows the pre shared key of Cryptotest1 which must be matched with destination host.

The above figure 2.21 shows the pre shared key of Cryptotest2 and it is using the same key of Cryptotest1. After completing above configurations, racoon configuration file must be edited. Open the racoon configuration file by using below command, .

In racoon configuration file(racoon.conf), write listen script and uncomment the pfs_group 2 as figure2.23 shown. This figure shows Cryptotest1 racoon configuration. "Listen" command will allow

racoon to listen those parameters between {}. The "isakmp" command makes racoon to listen to particular ip address and port. The "isakmp_natt" command does like "isakmp" command but it does allow UDP encapsulated ESP packets for NAT traversal to particular ip address and port. Here it is 192.168.10.1 and port 4500. The below figure2.24 shows the racoon configuration of Cryptotest2.

s In Cryptotest2 racoon configuration is similar to Cryptotest1 racoon configuration except the ip address of isakmp. The configurations of IPSec is completed and now will go for verification.

Keys to Note: After completing the required configurations of IPSec, make sure ipsec0 is up and all services are restarted including network. To restart all services before going into verification, use all the command one by one at both Centos virtual machines. 1. service network restart 2. service ipsec restart 3. service racoon restart 4. ifdown ipsec0 5. ifup ipsec0
7

Once started racoon service, it automatically creates files as /etc/racoon/192.168.10.1.conf at Cryptotest1 and /etc/racoon/192.168.10.2.conf at Cryptotest2. The scripts of the configuration file of Cryptotest1 and Cryptotest2 as shown below;

Testing Tools Installations:

There are two testing tools will be used in this task test, they are tcpdump and wireshark. It is very easy to install both tools. Use following commands to install both tcpdump and wireshark at both

Centos virtual machines.

Verification of IPSec:
To verify the IPSec connection use ping command from one host to another host. During ping process open the tcpdump or wireshark tools to capture the packets and its connections establishment. 8

TCPDUMP Test: For example at Cryptotest1, ping 192.168.10.2

Then open tcpdump in Crytpotest2 to capture ping packets from Cryptotest1. the figure2.27 clearly

shows the packet is between Cryptotest1 and Cryptotest2 authenticated and encapsulated by AH and ESP headers. Now ping 192.168.10.1 from Cryptotest2,

Then open tcpdump at Crytpotest1 to capture ping packets from Cryptotest2. The figure2.20 clearly

shows that packets transmission between Cryptotest2 and Cryptotest1 are authenticated and encapsulated by AH and ESP headers.

Wireshark Test:
Ping 192.168.10.2 from Cryptotest1 and open the Wireshark at Cryptotest2

The figure2.30 shows the wireshark report of Cryptotest2 for ping packets. This figure shows the protocols in frame IP, AH and ESP. It clearly shows that packets are encapsulted by IPSec Protocol. Th figure2.31 highlighed with Authentication header and Encapsulated packet. The squence number of AH header and ESP header are 486 and the total frame 158 byes. AH header value of length is 24 and ESP is 32 bits. Those are security protocols in the frame ensure that the packet are travelled with IPSec protocol .

10

By using setkey command shows the current established IPSec connection between 192.168.10.2

and 192.168.10.1 and it also shows the mode of communications is transport mode for AH and ESP. IPSec protocols hmac-sha1 is used for authentication and 3des-cbc is used for Encapsulation. The command used in figure2.33 also gives the same information about IPSec headers.

The figure2.34 shows the outcome of log message commands "tail -f /var/log/messages". This figure 11

shows how the connections established between 192.168.10.1 and 192.168.10.2, in other words Crytpotest1 and Cryptotes2. There are two phases must be gone through to make IPSec connection between two host. In pahse1, Crytpotest1 is initiating IPSec connection with Cryptotest2 and Cryptotest1 becoming aggressive mode. In phase1, main mode and aggressive mode are existed and in this case Cryptotest1 became aggressive mode, it means it does not protect the identity o the peers. ISAKMP management protocol established the phase1 connections by identifying the keys between two hosts. During the Phase2, the mode of communication between two hosts will be selected. There are transport mode and tunnel mode in IPSec communication, in this case Transport mode will be the part of AH and ESP processes.

12