Linux and Unix Users Group at Virginia Tech Wiki β

IPsec

3,760 bytes added, 21:02, 3 January 2019
Undo revision 3696 by [[Special:Contributions/imported>Pew|imported>Pew]] ([[User talk:imported>Pew|talk]])
''This page provides an overview of IPsec in general. For information on the vtluug IPsec tunnel, see [[Infrastructure:IPsec]].''
 
'''IPsec''' is a method of running an encrypted overlay network, so that traffic originating
from an unencrypted and/or untrusted network, such as a coffee shop's open WAP, is protected. It is one of
a number of protocols that can be used for this purpose. L2TP/IPsec is one of the most common, although OpenVPN and IKEv2
are also viable, faster, and arguably more secure. The latter is supported by openiked, developed by
the [[OpenBSD]] project. Most of this article assumes the use of IPsec with IKEv1.
 
==Network-to-Network==
For purposes of this tutorial, we are setting up two endpoints, '''vpn1''' and '''vpn2''', both using IPv6 with the subnets '''2001:db8:1::/64''' and '''2001:db8:2::/64''', respectively.
===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.28 on Debian Squeeze (updated on 2012-02-25) and with OpenSWAN 2.6.41 on Arch Linux (updated on 2014-09-12).
* Generate a new host key on both endpoints:
* Configure '''/etc/ipsec.conf''' on '''vpn1''':
<pre># the conn name is arbitrary; the same name is used on both endpoints
conn vpn1-vpn2
    connaddrfamily=ipv6
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    sha2_truncbug=yes
    left=vpn1.example.com
    leftid=@vpn1.example.com
    leftsubnet=2001:db8:1::/64
    leftrsasigkey=0s...
    right=vpn2.example.com
    rightid=@vpn2.example.com
    rightsubnet=2001:db8:2::/64
    rightrsasigkey=0s...
    forceencaps=yes
    auto=start</pre>
Make sure to change '''leftrsasigkey''' to the public key of the RSA key generated by the above command; it can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA public key generated by the same command on the other endpoint, which is found in the same location there.
* Configure '''/etc/ipsec.conf''' on '''vpn2''' (the same conn with the sides swapped):
<pre>conn vpn1-vpn2
    connaddrfamily=ipv6
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    sha2_truncbug=yes
    left=vpn2.example.com
    leftid=@vpn2.example.com
    leftsubnet=2001:db8:2::/64
    leftrsasigkey=0s...
    right=vpn1.example.com
    rightid=@vpn1.example.com
    rightsubnet=2001:db8:1::/64
    rightrsasigkey=0s...
    forceencaps=yes
    auto=start</pre>
Again, change '''leftrsasigkey''' to the public key of the RSA key generated by the above command on this endpoint (found in '''/etc/ipsec.secrets'''), and '''rightrsasigkey''' to the RSA public key generated on the other endpoint, found in the same location there.
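A consistency check for the two conn blocks above, as an added example that is not code from the wiki page or from Openswan: it parses each endpoint's key=value lines and reports the mistakes the notes warn about (a right* value on vpn1 that is not vpn2's left* value, differing proposals, a 0s... key placeholder that was never replaced, and a duplicated key such as two ike= lines). The sample conn blocks and their 0sFAKE... keys are constructed.

```python
"""Cross-check the ipsec.conf conn blocks of two tunnel endpoints (added example,
not code from the wiki page): vpn1's right* values must equal vpn2's left* values,
both must propose the same ike/phase2alg, and no 0s... placeholder may survive."""
import re

MIRROR = ("id", "subnet", "rsasigkey")       # left<->right fields to compare
PLACEHOLDER = re.compile(r"^0s(\.\.\.)?$")   # an unreplaced 0s... from the page

def parse_conn(text):
    """key=value lines of one conn block -> dict; a duplicated key errors."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        if key.strip() in conf:
            raise ValueError(f"duplicate key: {key.strip()}")
        conf[key.strip()] = value.strip()
    return conf

def check_pair(a, b):
    """Problems found when conn a (endpoint A) and conn b (endpoint B) are
    meant to describe the same tunnel; an empty list means they agree."""
    problems = []
    for suffix in MIRROR:
        left, right = "left" + suffix, "right" + suffix
        if a.get(right) != b.get(left):
            problems.append(f"{right}@A != {left}@B")
        if a.get(left) != b.get(right):
            problems.append(f"{left}@A != {right}@B")
    for key in ("ike", "phase2alg"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs between endpoints")
    for side, conf in (("A", a), ("B", b)):
        for key in ("leftrsasigkey", "rightrsasigkey"):
            if PLACEHOLDER.match(conf.get(key, "")):
                problems.append(f"{key}@{side} is still a placeholder")
        if "sha1" in conf.get("ike", "") + conf.get("phase2alg", ""):
            problems.append(f"{side} still proposes SHA-1 integrity")
    return problems

# Constructed sample: vpn2's conn still has the 0s... placeholder for vpn1's key.
VPN1 = ("conn vpn\n ike=aes256-sha2_256;modp2048\n phase2alg=aes256-sha2_256;modp2048\n"
        " leftid=@vpn1.example.com\n leftsubnet=2001:db8:1::/64\n leftrsasigkey=0sFAKEvpn1\n"
        " rightid=@vpn2.example.com\n rightsubnet=2001:db8:2::/64\n rightrsasigkey=0sFAKEvpn2\n")
VPN2 = ("conn vpn\n ike=aes256-sha2_256;modp2048\n phase2alg=aes256-sha2_256;modp2048\n"
        " leftid=@vpn2.example.com\n leftsubnet=2001:db8:2::/64\n leftrsasigkey=0sFAKEvpn2\n"
        " rightid=@vpn1.example.com\n rightsubnet=2001:db8:1::/64\n rightrsasigkey=0s...\n")
```

Running check_pair(parse_conn(VPN1), parse_conn(VPN2)) reports the key mismatch and the leftover placeholder on vpn2; once the placeholder is replaced with vpn1's key the list is empty.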
==Roadwarrior==
===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.37 on Arch Linux (updated on 2012-06-27) and with OpenSWAN 2.6.41 on Arch Linux (updated on 2014-09-12).
* Generate a new host key on both endpoints:
* Configure '''/etc/ipsec.conf''' on '''vpn1''' (the fixed endpoint; '''right=%any''' accepts the roadwarrior from any address):
<pre>conn roadwarrior
    connaddrfamily=ipv6
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    sha2_truncbug=yes
    left=vpn1.example.com
    leftid=@vpn1.example.com
    leftsubnet=2001:db8:1::/64
    leftrsasigkey=0s...
    right=%any
    rightid=@vpn2.example.com
    rightsubnet=2001:db8:2::/64
    rightrsasigkey=0s...
    forceencaps=yes
    auto=start</pre>
Make sure to change '''leftrsasigkey''' to the public key of the RSA key generated by the above command; it can be found in '''/etc/ipsec.secrets'''. Replace '''rightrsasigkey''' with the RSA public key generated by the same command on the other endpoint, which is found in the same location there.
* Configure '''/etc/ipsec.conf''' on '''vpn2''' (the roadwarrior; '''left=%defaultroute''' picks up whatever address it currently has):
<pre>conn roadwarrior
    connaddrfamily=ipv6
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    sha2_truncbug=yes
    left=%defaultroute
    leftid=@vpn2.example.com
    leftsourceip=2001:db8:2::1
    leftrsasigkey=0s...
    right=vpn1.example.com
    rightid=@vpn1.example.com
    rightsubnet=2001:db8:1::/64
    rightrsasigkey=0s...
    forceencaps=yes
    auto=start</pre>
Again, change '''leftrsasigkey''' to the public key of the RSA key generated by the above command on this endpoint (found in '''/etc/ipsec.secrets'''), and '''rightrsasigkey''' to the RSA public key generated on the other endpoint, found in the same location there.
===Linux with OpenSWAN (laptop) to OpenBSD (router)===
* Configure '''/etc/ipsec.conf''' on '''home.example.org''' (the OpenBSD router):
<pre>ike esp from 2001:420:1:9A8::/64 to fd20:50::1/128 \
        peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid home.example.org tag ipsec-vpn1</pre>

* Configure '''/etc/ipsec.conf''' on '''laptop.example.org''':
<pre>conn home
    connaddrfamily=ipv6
    type=tunnel
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    sha2_truncbug=yes
    left=%defaultroute
    leftid=@laptop.example.org
    leftsourceip=fd20:50::1
    leftrsasigkey=<laptop_pubkey>    # from /etc/ipsec.secrets on laptop.example.org
    right=home.example.org
    rightid=@home.example.org
    rightsubnet=2001:420:1:9A8::/64
    rightrsasigkey=<server_pubkey>   # converted later from the key on home.example.org
    forceencaps=yes
    auto=start</pre>
Then, on '''laptop.example.org''', restart openswan (generally under the rc script name ipsec) in whatever manner is prescribed by your favorite distro.
 
===Linux with strongSwan (laptop) to OpenBSD (router)===
Tested on [[OpenBSD]] 5.5 and [[Arch Linux]] (updated on 2014-10-05).
 
Assume your router has the hostname home.example.org and you want to route the IPv6 subnet 2001:db8:1::/64 from your laptop, laptop.example.org. Note that DNS entries are not required for either of these. We will be using IKEv1 for key exchange, as IKEv2 support on OpenBSD was not complete at the time of writing.
 
* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as changing the following in your '''/etc/rc.conf''':
<pre>isakmpd_flags="-K"
ipsec=YES</pre>
 
* Configure '''/etc/ipsec.conf''' on '''home.example.org''':
<pre>ike passive esp from 2001:db8:1::/64 to any \
        peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid home.example.org tag ipsec-vpn1</pre>
 
* Generate a new host key on '''laptop.example.org''':
<pre>sudo openssl genrsa -out /etc/ipsec.d/private/laptop.example.org.pem 4096</pre>
 
* Add the file name of the private key you generated (relative to /etc/ipsec.d/private) to /etc/ipsec.secrets:
<pre>: RSA laptop.example.org.pem</pre>
 
* Extract the corresponding public key for your private key:
<pre>sudo openssl rsa -in /etc/ipsec.d/private/laptop.example.org.pem -pubout -out /etc/ipsec.d/certs/laptop.example.org.pem</pre>
 
* Configure '''/etc/ipsec.conf''' on '''laptop.example.org''':
<pre>config setup

conn home
    keyexchange=ikev1
    authby=pubkey
    connaddrfamily=ipv6
    type=tunnel
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    left=%defaultroute
    leftid=@laptop.example.org
    leftsubnet=fdf0:f00::1/128
    leftrsasigkey=laptop.example.org.pem
    # if you don't have home.example.org in DNS or don't want strongswan to do a DNS lookup when it starts, hardcode the right IP
    right=home.example.org
    rightid=@home.example.org
    rightsubnet=2001:db8:1::/64
    rightrsasigkey=home.example.org.pem
    auto=add</pre>
Note that leftsubnet should be the IPv6 source address you want to use (a /128). You will need to configure this address on your interface manually, and add a route for traffic to rightsubnet if one does not exist already.
 
* Copy /etc/ipsec.d/certs/laptop.example.org.pem (the public key extracted above) from '''laptop.example.org''' and place it at /etc/isakmpd/pubkeys/fqdn/laptop.example.org on '''home.example.org'''; isakmpd looks the peer's public key up by the FQDN it presents as its ID.
 
* Download the /etc/isakmpd/local.pub file from '''home.example.org''' and place it at /etc/ipsec.d/certs/home.example.org.pem on '''laptop.example.org'''.
 
* After you make the necessary changes, starting IPsec is simply a matter of running the following command on '''home.example.org''':
<pre>sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf</pre>
 
and on '''laptop.example.org''', restart strongswan:
<pre>sudo systemctl restart strongswan.service</pre>
== External links ==
[[Category:Howtos]]
[[Category:Software]]