
Installation Manual

by: Gohar Ahmed


INSTALLATION

Get the latest kernel:

# yum upgrade

Install the tools (the RHEL/CentOS package is named ipsec-tools):

# yum install openswan ipsec-tools

Make Openswan start at boot time

#chkconfig ipsec on

Disable ICMP send/accept redirects

Note: the * in the paths below stands for each NIC name (plus the "all" and "default" entries). The glob must not be quoted, otherwise the shell will not expand it, and the value is written with > (not appended with >>).

Disable /proc/sys/net/ipv4/conf/*/send_redirects

# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done

Disable /proc/sys/net/ipv4/conf/*/accept_redirects

# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done

Enable IP Forwarding

#nano /etc/sysctl.conf

Set:
net.ipv4.ip_forward = 1

Then load the file so the setting takes effect without a reboot:

# sysctl -p
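As an added example (not from the original manual), a small POSIX shell script that applies the redirect and forwarding settings from the steps above and verifies them, which is the same check ipsec verify performs for redirects. The BASE directory argument is an assumption added so it can be exercised against a fake /proc tree:

```shell
#!/bin/sh
# Added example (not from the original manual): apply the sysctl settings from
# the steps above and verify them, so "ipsec verify" no longer reports FAILED
# for send_redirects/accept_redirects. BASE defaults to the real /proc tree;
# pass another directory (as the test does) to exercise it safely.

# Write 0 to send/accept_redirects for every entry under conf/ (each NIC,
# plus "all" and "default"), and 1 to ip_forward.
apply_netkey_sysctls() {
    base="${1:-/proc/sys/net/ipv4}"
    for f in "$base"/conf/*/send_redirects "$base"/conf/*/accept_redirects; do
        [ -e "$f" ] && echo 0 > "$f"
    done
    echo 1 > "$base/ip_forward"
}

# Print every knob that is not at the wanted value; return 1 if any is wrong.
verify_netkey_sysctls() {
    base="${1:-/proc/sys/net/ipv4}"
    rc=0
    for f in "$base"/conf/*/send_redirects "$base"/conf/*/accept_redirects; do
        [ -e "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "BAD  $f = $(cat "$f") (want 0)"
            rc=1
        fi
    done
    if [ "$(cat "$base/ip_forward")" != "1" ]; then
        echo "BAD  $base/ip_forward (want 1)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   redirects disabled, forwarding enabled"
    return "$rc"
}

# Persist the settings in sysctl.conf (the manual edits it by hand) so they
# survive a reboot. send_redirects is effectively "all OR per-interface", so
# interfaces created before sysctl.conf is read may still need
# apply_netkey_sysctls run once at boot (e.g. from /etc/rc.local).
persist_netkey_sysctls() {
    conf="${1:-/etc/sysctl.conf}"
    {
        echo "net.ipv4.ip_forward = 1"
        echo "net.ipv4.conf.all.send_redirects = 0"
        echo "net.ipv4.conf.default.send_redirects = 0"
        echo "net.ipv4.conf.all.accept_redirects = 0"
        echo "net.ipv4.conf.default.accept_redirects = 0"
    } >> "$conf"
}
```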

Check whether the IPsec package is happy with your settings. The output below is from my box, captured after IPsec was established.

[root@localhost ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost.localdomain [MISSING]
Does the machine have at least one non-private address? [FAILED]

Ignore the Opportunistic Encryption DNS check failures. The two redirect checks should read [OK] once the sysctl steps above have been applied.

IPSEC CONFIGURATIONS

#nano /etc/ipsec.conf

Parameter lines must be indented; a line that starts in column 0 begins a new section.

config setup
    interfaces=%defaultroute
    klipsdebug=all              # enable debugging (KLIPS only; ignored with protostack=netkey)
    plutodebug=all              # very verbose; turn off once the tunnel works
    protostack=netkey

conn net2
    type=tunnel                 # tunnel mode ipsec
    left=10.100.100.6           # the IP address of your OpenSWAN endpoint
    leftnexthop=%defaultroute   # default gateway
    leftsubnet=10.100.100.0/24  # network behind your endpoint
    right=119.yy.yXz.134        # the Cisco peer IP, or %any for a road-warrior setup
    rightnexthop=%defaultroute  # default route; for a road warrior the next hop is unknown
    rightsubnet=192.168.150.0/24 # network behind the PIX
    auth=esp
    esp=3des-sha1               # esp: 3des, hmac: sha1 (must match the Cisco transform set)
    keyexchange=ike             # use regular ike
    authby=secret               # pre-shared secret; rsasig (RSA signatures) is the alternative
    pfs=no                      # no perfect forward secrecy; the Cisco side must agree
    auto=start                  # bring the tunnel up when ipsec starts (auto=add would only load it and wait for the peer)

Format of ipsec.secrets
<IP of VPN Server{left}><SPACE><IP of CISCO Router{right}> : PSK "<PreShared Key>"

#nano /etc/ipsec.secrets
10.100.100.6 119.yy.yXz.134 : PSK "$#@$@%$$FDSF#$@#$@#"

Keep the file readable by root only:

# chmod 600 /etc/ipsec.secrets

Enabling NAT-ting on VPN Server

# iptables --append FORWARD --in-interface eth1 -j ACCEPT

Traffic that belongs in the tunnel must keep its original source address; once masqueraded it no longer matches leftsubnet/rightsubnet and leaves the box outside the tunnel. Exclude it before the MASQUERADE rule (this exclusion rule is added here, it is not in the original manual):

# iptables --table nat --append POSTROUTING --source 10.100.100.0/24 --destination 192.168.150.0/24 -j ACCEPT

# iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE

CISCO Configurations

ip access-list extended VPN-LHR-KHI
 permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
 ! only 192.168.150.0/24 is configured as rightsubnet on the Openswan side; the entry below needs its own conn there
 permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
! 0 = the key is typed in clear text (6 denotes an already type-6-encrypted string)
crypto isakmp key 0 $#@$@%$$FDSF#$@#$@# address 210.x.yyy.231 no-xauth
! esp-sha-hmac: the hash must match esp=3des-sha1 on the Openswan side
crypto ipsec transform-set VPN-LHR-KHI-set esp-3des esp-sha-hmac
crypto map i2cPakLhr 13 ipsec-isakmp
 set peer 210.x.yyy.231
 set transform-set VPN-LHR-KHI-set
 ! match address names the access list, not the transform set
 match address VPN-LHR-KHI
! the map still has to be applied with "crypto map i2cPakLhr" under the outside interface (interface name not given here)

NETWORK DESIGN

(network diagram not reproduced in this text copy)

IPSec Commands

Restart Service

This command will RESTART ALL tunnels defined in ipsec.conf:

# service ipsec restart

Only used to reload the VPN server from scratch; to be used only in the worst cases.

WARNING: DO NOT USE until you know the consequences (every tunnel on the server drops and has to renegotiate).


Status Check

# ipsec auto --status

Shows the status of all VPN connections defined in ipsec.conf, including which ones are connected/up. See the last lines, which correspond to net2:

000 #2: "net2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net2" esp.3b80b0ab@119.yy.yXz.134 esp.140f56a9@10.100.100.6 tun.0@119.yy.yXz.134 tun.0@10.100.100.6 ref=0 refhim=4294901761
000 #1: "net2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

NOTE: There are no state lines for the disconnected tunnels.
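As an added example (not part of the original manual), a shell check that applies the observation above to ipsec auto --status output and reports each configured connection as UP, PHASE1_ONLY or DOWN, suitable for a cron job or monitoring probe. The function names, and the net3 and net4 connections in the sample, are constructed:

```shell
#!/bin/sh
# Added example (not part of the original manual): classify tunnels from
# "ipsec auto --status" output so a cron job or monitoring check can alert
# when a VPN drops. It relies on what the manual shows: an established tunnel
# has a STATE_QUICK_I2/R2 line, a tunnel with only phase 1 done has a
# STATE_MAIN_I4/R3 line, and a disconnected tunnel has no state lines at all.

# Usage: tunnel_state <conn-name> < status-output
# Prints UP, PHASE1_ONLY or DOWN; exit status is 0 only for UP.
tunnel_state() {
    awk -v conn="$1" '
        $0 ~ "\"" conn "\"" && /STATE_QUICK_(I2|R2)/ { p2 = 1 }
        $0 ~ "\"" conn "\"" && /STATE_MAIN_(I4|R3)/  { p1 = 1 }
        END {
            if (p2)      { print "UP";          exit 0 }
            else if (p1) { print "PHASE1_ONLY"; exit 1 }
            else         { print "DOWN";        exit 1 }
        }'
}

# Constructed sample modelled on the net2 lines in the manual (real output
# keeps each state on one line). net3 has an ISAKMP SA but no IPsec SA;
# net4 is configured but has no state lines, i.e. it is down.
sample_status() {
    cat <<'EOF'
000 #2: "net2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net2" esp.3b80b0ab@119.yy.yXz.134 esp.140f56a9@10.100.100.6 tun.0@119.yy.yXz.134 tun.0@10.100.100.6 ref=0 refhim=4294901761
000 #1: "net2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "net3":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1200s; newest ISAKMP; idle; import:admin initiate
EOF
}

# Usage: check_tunnels <status-file> <conn-name>...
# Prints one line per connection; returns the number that are not UP.
check_tunnels() {
    file="$1"; shift
    failed=0
    for c in "$@"; do
        st=$(tunnel_state "$c" < "$file") || failed=$((failed + 1))
        echo "$c: $st"
    done
    return "$failed"
}
```

Because the conn sets no dpddelay/dpdtimeout (the --up output later on shows DPD=none), a peer that silently disappears still reports UP here until the SA lifetime expires; pairing the check with a ping across the tunnel catches that case.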

Start/up a tunnel

# ipsec auto --up <Connection Name>

This command will start the IPsec tunnel defined under that name in ipsec.conf:

[root@localhost ~]# ipsec auto --up KHI-LHR-VoIP
117 "KHI-LHR-VoIP" #3: STATE_QUICK_I1: initiate
003 "KHI-LHR-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "KHI-LHR-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root@localhost ~]#

The last line (STATE_QUICK_I2, "IPsec SA established") is what indicates a successful VPN establishment.

Disconnect/down a tunnel

Similarly, to disconnect a tunnel use the following:

# ipsec auto --down <Connection Name>

Restart only one tunnel

[root@localhost ~]# ipsec auto --down KHI-LHR-VoIP
[root@localhost ~]# ipsec auto --up KHI-LHR-VoIP
117 "KHI-LHR-VoIP" #3: STATE_QUICK_I1: initiate
003 "KHI-LHR-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "KHI-LHR-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root@localhost ~]#

THE END
