
Installation Manual

by: Gohar Ahmed

INSTALLATION

Get the latest kernel:

#yum upgrade

Install the tools (the package is named ipsec-tools):

#yum install openswan ipsec-tools

Make Openswan start at boot time:

#chkconfig ipsec on

Disable ICMP send/accept redirects

Note: the * stands for your NIC names (there is one directory per interface, plus "all" and "default"). The glob must stay unquoted so the shell expands it; a quoted "*" is written literally and the echo fails.

Disable /proc/sys/net/ipv4/conf/*/send_redirects:

#for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done

Disable /proc/sys/net/ipv4/conf/*/accept_redirects:

#for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done

Enable IP Forwarding

#nano /etc/sysctl.conf

Set:

net.ipv4.ip_forward = 1

(sysctl also accepts the slash form net/ipv4/ip_forward; run sysctl -p to apply the file without rebooting.)
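The redirect and forwarding settings above are exactly what ipsec verify complains about when they are missing, so here is an added helper script (not part of the original manual) that applies them, checks every interface, and persists them in sysctl.conf. CONF_DIR, the function names and the sysctl.conf handling are this example's own choices, not Openswan's.

```shell
# Added example, not part of the original manual: apply and verify the kernel
# settings that "ipsec verify" checks for the NETKEY stack. CONF_DIR defaults to
# the real /proc path; point it at another directory only to test the logic.
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Write 0 into <key> for every interface directory under CONF_DIR.
# (A quoted glob such as "/proc/.../*/send_redirects" never expands; a loop does.)
disable_redirects() {
    key="$1"
    for f in "$CONF_DIR"/*/"$key"; do
        [ -f "$f" ] || continue
        echo 0 > "$f"
    done
}

# Exit 0 if no interface still has <key> enabled, 1 otherwise (offenders on stderr).
redirects_disabled() {
    key="$1"; rc=0
    for f in "$CONF_DIR"/*/"$key"; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f" >&2; rc=1
        fi
    done
    return $rc
}

# Persist the same settings in sysctl.conf (dotted key form) so they survive a
# reboot; an existing key is rewritten in place instead of being appended twice.
persist_settings() {
    conf="${1:-/etc/sysctl.conf}"
    for kv in net.ipv4.ip_forward=1 \
              net.ipv4.conf.all.send_redirects=0 \
              net.ipv4.conf.default.send_redirects=0 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.default.accept_redirects=0; do
        k="${kv%%=*}"; v="${kv#*=}"
        if grep -q "^$k[[:space:]]*=" "$conf" 2>/dev/null; then
            sed "s|^$k[[:space:]]*=.*|$k = $v|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
        else
            echo "$k = $v" >> "$conf"
        fi
    done
}
```

Run as root: disable_redirects send_redirects; disable_redirects accept_redirects; persist_settings; sysctl -p, then re-run ipsec verify and the two NETKEY redirect checks should report [OK].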

Check whether the IPsec package is happy with your settings. The output below is mine, copied after IPsec was established (the two NETKEY redirect checks still show FAILED there, which is exactly what the commands above fix):

[root@localhost ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: localhost.localdomain   [MISSING]
   Does the machine have at least one non-private address?      [FAILED]

The Opportunistic Encryption DNS check failures can be ignored; they do not affect a statically configured tunnel.

IPSEC CONFIGURATIONS

#nano /etc/ipsec.conf

config setup
        interfaces=%defaultroute
        klipsdebug=all                  #enable debugging (very verbose; turn off once the tunnel works)
        plutodebug=all
        protostack=netkey

conn net2
        type=tunnel                     #tunnel mode ipsec
        left=10.100.100.6               #the IP address of your OpenSWAN endpoint
        leftnexthop=%defaultroute       #default gateway
        leftsubnet=10.100.100.0/24      #network behind your endpoint
        right=119.yy.yXz.134            #the Cisco peer's IP, or %any for a road-warrior setup
        rightnexthop=%defaultroute      #defaultroute for road warrior unknown
        rightsubnet=192.168.150.0/24    #network behind the PIX
        auth=esp
        esp=3des-sha1                   #esp: 3des, hmac: sha1 (must match the Cisco transform set)
        keyexchange=ike                 #use regular ike
        authby=secret                   #pre-shared secret, you can also use RSA keys
        pfs=no                          #perfect forward secrecy disabled; pfs=yes to enable, must match the peer
        auto=start                      #bring the tunnel up when ipsec starts (auto=add would only wait for incoming)

Format of ipsec.secrets:

<IP of VPN Server{left}><SPACE><IP of CISCO Router{right}> : PSK "<PreShared Key>"

#nano /etc/ipsec.secrets

10.100.100.6 119.yy.yXz.134 : PSK "$#@$@%$$FDSF#$@#$@#"

Keep /etc/ipsec.secrets readable by root only (mode 600), since it holds the pre-shared key in clear text.

Enabling NAT-ting on VPN Server

#iptables --append FORWARD --in-interface eth1 -j ACCEPT

#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE

CISCO Configurations

ip access-list extended VPN-LHR-KHI
 permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
 permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
!
crypto isakmp key 6 $#@$@%$$FDSF#$@#$@# address 210.x.yyy.231 no-xauth
!
! the phase-2 transform must match esp=3des-sha1 on the Openswan side
! (esp-3des with esp-md5-hmac would not negotiate against sha1)
crypto ipsec transform-set VPN-LHR-KHI-set esp-3des esp-sha-hmac
!
crypto map i2cPakLhr 13 ipsec-isakmp
 set peer 210.x.yyy.231
 set transform-set VPN-LHR-KHI-set
 match address VPN-LHR-KHI
! match address references the extended access-list defined above, not the transform set

NETWORK DESIGN


IPSec Commands

Restart Service

This command will RESTART ALL tunnels defined in ipsec.conf:

# service ipsec restart

Only used to reload the VPN server from scratch. To be used only in worst cases.

WARNING: DO NOT USE until you know the consequences.

Status Check

# ipsec auto --status

Will show the status of all VPN connections defined in ipsec.conf, including which VPNs are connected/up. See the last lines, which correspond to net2:

000 #2: "net2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net2" esp.3b80b0ab@119.yy.yXz.134 esp.140f56a9@10.100.100.6 tun.0@119.yy.yXz.134 tun.0@10.100.100.6 ref=0 refhim=4294901761
000 #1: "net2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

NOTE: There are no state lines for the disconnected tunnels.
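Because a disconnected tunnel prints no state lines at all, a monitoring check has to distinguish "IPsec SA established", "ISAKMP SA only" and "no state" for a named connection. The following is an added helper (not part of the original manual) that does that classification on ipsec auto --status output; the function name and exit codes are this example's own convention.

```shell
# Added example, not part of the original manual: classify one connection from
# "ipsec auto --status" text read on stdin (pipe the live command in, or a saved
# capture). Useful as a cron or monitoring check for the tunnels above.
#   exit 0 = IPsec SA established (STATE_QUICK_I2), prints seconds until rekey
#   exit 2 = only the ISAKMP SA is up (phase 1 done, phase 2 never completed)
#   exit 1 = no state lines at all (down: disconnected tunnels print none)
tunnel_status() {
    conn="$1"
    status="$(cat)"
    # State lines carry the port:  000 #2: "net2":500 STATE_QUICK_I2 (...)
    # (the esp./tun. line has no :500 and is deliberately excluded)
    lines="$(printf '%s\n' "$status" | grep -F "\"$conn\":500" || true)"
    if printf '%s\n' "$lines" | grep -q 'STATE_QUICK_I2 (sent QI2, IPsec SA established)'; then
        secs="$(printf '%s\n' "$lines" \
            | sed -n 's/.*IPsec SA established); EVENT_SA_REPLACE in \([0-9]*\)s.*/\1/p' \
            | head -n 1)"
        echo "$conn: IPsec SA established, rekey in ${secs}s"
        return 0
    elif printf '%s\n' "$lines" | grep -q 'ISAKMP SA established'; then
        echo "$conn: ISAKMP SA only, IPsec SA missing"
        return 2
    fi
    echo "$conn: no state lines (tunnel down)"
    return 1
}
```

Usage: ipsec auto --status | tunnel_status net2 (exit code 0 means the tunnel is up; anything else is worth an alert).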

Start/up a tunnel

# ipsec auto --up <Connection Name>

This command will start the IPsec tunnel defined by that name in ipsec.conf:

[root@localhost ~]# ipsec auto --up KHI-LHR-VoIP
117 "KHI-LHR-VoIP" #3: STATE_QUICK_I1: initiate
003 "KHI-LHR-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "KHI-LHR-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root@localhost ~]#

The last line (STATE_QUICK_I2, "IPsec SA established") is what confirms successful VPN establishment.

Disconnect/down a tunnel

Similarly, to disconnect a tunnel use the following:

# ipsec auto --down <Connection Name>

Restart only one tunnel

To restart a single tunnel without touching the others, bring it down and up again:

[root@localhost ~]# ipsec auto --down KHI-LHR-VoIP
[root@localhost ~]# ipsec auto --up KHI-LHR-VoIP
117 "KHI-LHR-VoIP" #3: STATE_QUICK_I1: initiate
003 "KHI-LHR-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "KHI-LHR-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root@localhost ~]#