Linux and Unix Users Group at Virginia Tech Wiki

IPsec

9,856 bytes added, 02:50, 4 September 2014
==Network-to-Network==
For the purposes of this tutorial we are setting up two endpoints, '''vpn1''' and '''vpn2''', both using IPv6 with the subnets '''2001:db8:1::/64''' and '''2001:db8:2::/64''', respectively.

===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.28 on Debian Squeeze (updated on 2012-02-25).

* Generate a new host key on both endpoints:
<pre>sudo ipsec newhostkey --output /etc/ipsec.secrets</pre>
This writes the RSA ''private'' key into '''/etc/ipsec.secrets''', so keep that file readable by root only. The public half is the '''#pubkey=0s...''' comment line in the same file, and that line is the only part that should ever leave the machine (<code>ipsec showhostkey --left</code> or <code>--right</code> prints it ready to paste into ipsec.conf).
* Configure '''/etc/ipsec.conf''' on '''vpn1''':
<pre>
config setup
    protostack=netkey
    nat_traversal=off

conn vpn2
    authby=rsasig
    connaddrfamily=ipv6
    type=tunnel
    left=vpn1.example.com
    leftid=@vpn1.example.com
    leftsubnet=2001:db8:1::/64
    leftrsasigkey=0s...
    right=vpn2.example.com
    rightid=@vpn2.example.com
    rightsubnet=2001:db8:2::/64
    rightrsasigkey=0s...
    ike=aes256-sha1-modp2048
    forceencaps=yes
    auto=start
</pre>
Replace '''leftrsasigkey''' with the public key generated by the command above on '''vpn1''' (the '''#pubkey=''' line in '''/etc/ipsec.secrets''') and '''rightrsasigkey''' with the public key generated on '''vpn2''', found in the same place there.
* Configure '''/etc/ipsec.conf''' on '''vpn2''' as the mirror image:
<pre>
config setup
    protostack=netkey
    nat_traversal=off

conn vpn1
    authby=rsasig
    connaddrfamily=ipv6
    type=tunnel
    left=vpn2.example.com
    leftid=@vpn2.example.com
    leftsubnet=2001:db8:2::/64
    leftrsasigkey=0s...
    right=vpn1.example.com
    rightid=@vpn1.example.com
    rightsubnet=2001:db8:1::/64
    rightrsasigkey=0s...
    ike=aes256-sha1-modp2048
    forceencaps=yes
    auto=start
</pre>
Again, '''leftrsasigkey''' is this host's own public key from '''/etc/ipsec.secrets''' and '''rightrsasigkey''' is the public key of the other endpoint.
* After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two; <code>ipsec auto --status</code> shows whether the connection is up.

Two things worth knowing about this configuration: '''forceencaps=yes''' asks for UDP encapsulation of ESP (RFC 3948) even when no NAT is detected, which only works together with '''nat_traversal=yes''', so with NAT traversal off as above the line does nothing; either enable NAT traversal or drop it. And the '''ike=''' line uses SHA-1 for IKE integrity, while the OpenBSD configuration below uses HMAC-SHA2-256. Both sides of a tunnel must offer a common proposal, which is why the mixed Linux/OpenBSD setup at the end of this page drops the OpenBSD side to hmac-sha1.

===OpenBSD===
Tested on [[OpenBSD]] 5.0 (updated on 2012-02-25).

* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as adding the following to '''/etc/rc.conf.local''' (the file rc.conf(8) reserves for local overrides of '''/etc/rc.conf'''):
<pre>isakmpd_flags="-K"
ipsec=YES</pre>
The '''-K''' flag tells isakmpd not to require KeyNote policy files, so the flows in '''/etc/ipsec.conf''' alone decide which SAs are acceptable.
* Configure '''/etc/ipsec.conf''' on '''vpn1''':
<pre>
ike esp from 2001:db8:1::/64 to 2001:db8:2::/64 \
    peer vpn2.example.com \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    srcid vpn1.example.com tag ipsec-vpn1
</pre>
* Configure '''/etc/ipsec.conf''' on '''vpn2''':
<pre>
ike esp from 2001:db8:2::/64 to 2001:db8:1::/64 \
    peer vpn1.example.com \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    srcid vpn2.example.com tag ipsec-vpn1
</pre>
The '''tag''' keyword attaches a pf(4) tag to packets matching the flow, so you can write firewall rules that only match traffic that actually came through the tunnel.
* We will be using RSA public key authentication here, similar to what is commonly done with SSH. When you installed OpenBSD, the file '''/etc/isakmpd/local.pub''' was generated (its private counterpart is '''/etc/isakmpd/private/local.key''' and must stay there). Each endpoint needs the other's public key: copy '''/etc/isakmpd/local.pub''' from '''vpn1''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on '''vpn2''', then do the same in reverse so that '''vpn1''' ends up with '''/etc/isakmpd/pubkeys/fqdn/vpn2.example.com'''. The file name must match the peer's '''srcid''' exactly, because that is how isakmpd looks the key up.
* After you make the necessary changes, starting IPsec is simply a matter of running the following on each endpoint:
<pre>sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf</pre>
The rc.conf changes above ensure that your IPsec tunnels are re-established on boot. <code>ipsecctl -n -f /etc/ipsec.conf</code> parses the file without loading it, and <code>ipsecctl -s all</code> shows the flows and SAs once the tunnel is up.

==Roadwarrior==
===Linux with OpenSWAN===
Tested with OpenSWAN 2.6.37 on Arch Linux (updated on 2012-06-27).

* Generate a new host key on both endpoints:
<pre>sudo ipsec newhostkey --output /etc/ipsec.secrets</pre>
* Configure '''/etc/ipsec.conf''' on your VPN server:
<pre>
config setup
    protostack=netkey
    nat_traversal=on

conn myvpn
    authby=rsasig
    connaddrfamily=ipv6
    type=tunnel
    left=vpn1.example.com
    leftid=@vpn1.example.com
    leftsubnet=2001:db8:1::/64
    leftrsasigkey=0s...
    right=%any
    rightid=@vpn2.example.com
    rightsubnet=2001:db8:2::/64
    rightrsasigkey=0s...
    ike=aes256-sha1-modp2048
    forceencaps=yes
    auto=start
</pre>
'''right=%any''' lets the client connect from whatever address it currently has; the client is then recognised by its '''rightid''' and the RSA key listed in '''rightrsasigkey''', so that key is what actually authenticates it. As before, '''leftrsasigkey''' is the server's own public key from '''/etc/ipsec.secrets''' and '''rightrsasigkey''' is the client's.
* Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN:
<pre>
config setup
    protostack=netkey
    nat_traversal=on

conn vpn1
    authby=rsasig
    connaddrfamily=ipv6
    type=tunnel
    left=%defaultroute
    leftid=@vpn2.example.com
    leftsubnet=2001:db8:2::1/128
    leftsourceip=2001:db8:2::1
    leftrsasigkey=0s...
    right=vpn1.example.com
    rightid=@vpn1.example.com
    rightsubnet=2001:db8:1::/64
    rightrsasigkey=0s...
    ike=aes256-sha1-modp2048
    forceencaps=yes
    auto=start
</pre>
Here '''leftrsasigkey''' is the client's own public key and '''rightrsasigkey''' the server's. Check that the subnets on the two sides describe the same traffic: the client proposes the single address '''2001:db8:2::1/128''' while the server's '''rightsubnet''' above covers the whole '''2001:db8:2::/64'''; Pluto rejects a quick-mode proposal whose selectors do not match a known conn, so if the client is a single host, use the same /128 in the server's '''rightsubnet''' (the OpenBSD road warrior example below does exactly that).
* After configuring OpenSWAN, restart the daemon on each endpoint and your tunnels should be established after a minute or two.

===OpenBSD===
Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27).

* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as adding the following to '''/etc/rc.conf.local''':
<pre>isakmpd_flags="-K"
ipsec=YES</pre>
* Configure '''/etc/ipsec.conf''' on your VPN server:
<pre>
ike esp from 2001:db8:1::/64 to 2001:db8:2::1 \
    peer any \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    srcid vpn1.example.com tag ipsec-vpn1
</pre>
* Configure '''/etc/ipsec.conf''' on the machine that will connect to your VPN:
<pre>
ike esp from 2001:db8:2::1 to 2001:db8:1::/64 \
    peer vpn1.example.com \
    main auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    srcid vpn2.example.com tag ipsec-vpn1
</pre>
* Authentication is by RSA public key, exactly as in the network-to-network setup above: copy '''/etc/isakmpd/local.pub''' from the client to '''/etc/isakmpd/pubkeys/fqdn/vpn2.example.com''' on the server, and the server's '''/etc/isakmpd/local.pub''' to '''/etc/isakmpd/pubkeys/fqdn/vpn1.example.com''' on the client. With '''peer any''' on the server, this key lookup by '''srcid''' is the only thing that identifies the client, so do not leave stray files in the pubkeys directory.
* After you make the necessary changes, start IPsec on each endpoint:
<pre>sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf</pre>
The rc.conf changes above ensure that your IPsec tunnels are re-established on boot.

===Linux with OpenSWAN (laptop) to OpenBSD (router)===
Tested on [[OpenBSD]] 5.1 (updated on 2012-06-27).

Assume the router has an IPv4-only hostname of '''home.example.org''' and you want to route the IPv6 subnet '''2001:420:1:9A8::/64''' through it. Assume the laptop is called '''laptop.example.org''' (this does not have to be an actual DNS entry; it is only used as the IKE identity) and will route the unique local (RFC 4193) address '''fd20:50::1/128''', which is a "subnet" of exactly one address.

* Setting up IPsec on OpenBSD is a fairly straightforward task due to improvements in recent releases. Enabling it is as simple as adding the following to '''/etc/rc.conf.local''':
<pre>isakmpd_flags="-K"
ipsec=YES</pre>
* Configure '''/etc/ipsec.conf''' on '''home.example.org'''. Note that the hash is '''hmac-sha1''' here rather than hmac-sha2-256, to match the '''ike=aes256-sha1-modp2048''' line on the OpenSWAN side:
<pre>
ike esp from 2001:420:1:9A8::/64 to fd20:50::1/128 \
    peer any \
    main auth hmac-sha1 enc aes-256 group modp2048 \
    quick auth hmac-sha1 enc aes-256 group modp2048 \
    srcid home.example.org tag ipsec-vpn1
</pre>
* Generate a new host key on '''laptop.example.org''':
<pre>sudo ipsec newhostkey --output /etc/ipsec.secrets</pre>
* Configure '''/etc/ipsec.conf''' on '''laptop.example.org''':
<pre>
config setup
    protostack=netkey
    nat_traversal=off

conn vpn2
    authby=rsasig
    connaddrfamily=ipv6
    type=tunnel
    left=%defaultroute
    leftid=@laptop.example.org
    leftsubnet=fd20:50::1/128
    leftsourceip=fd20:50::1
    # from /etc/ipsec.secrets on laptop.example.org
    leftrsasigkey=<laptop_pubkey>
    right=home.example.org
    rightid=@home.example.org
    rightsubnet=2001:420:1:9A8::/64
    # converted later from the key on home.example.org
    rightrsasigkey=<server_pubkey>
    ike=aes256-sha1-modp2048
    forceencaps=yes
    auto=start
</pre>
The trickiest part (and it is not actually ''that'' tricky) is converting the public key on Linux to the format OpenBSD uses, and vice versa. OpenSWAN stores a public key as a base64 blob with a '''0s''' prefix in the RFC 2537 format (one length byte, the exponent, then the modulus), while isakmpd's '''/etc/isakmpd/local.pub''' is a PEM-encoded SubjectPublicKeyInfo, the same thing <code>openssl rsa -pubout</code> writes. There is a handy perl script [http://pastebin.com/THUf4Dsg here] that takes a Linux or OpenBSD formatted pubkey on stdin and outputs the OpenBSD or Linux formatted pubkey. On OpenBSD the pubkey is found in '''/etc/isakmpd/local.pub''' and on Linux it is in '''/etc/ipsec.secrets''', where it appears as a comment line:
<pre>#pubkey=0s...</pre>
* To convert the Linux key to OpenBSD format, run
<pre>echo ": PUB 0s..." | ./ipsec.pl</pre>
where '''0s...''' is your full public key.
* For the OpenBSD key, pipe in local.pub:
<pre>cat local.pub | ./ipsec.pl</pre>
* Put the converted OpenBSD key into '''/etc/ipsec.conf''' on '''laptop.example.org''' as the '''rightrsasigkey=<server_pubkey>''' value, and put the converted Linux key into '''/etc/isakmpd/pubkeys/fqdn/laptop.example.org''' on '''home.example.org''' (the file name must match the laptop's '''leftid''').
* After you make the necessary changes, starting IPsec is simply a matter of running the following on '''home.example.org''':
<pre>sudo /etc/rc.d/isakmpd start
sudo ipsecctl -f /etc/ipsec.conf</pre>
and on '''laptop.example.org''' restarting OpenSWAN (the rc script is generally called '''ipsec''') in whatever manner your distribution prescribes.
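The perl script linked above is the page's own tool; what follows is an added example, not code from this page or from either project, showing the same conversion in dependency-free Python 3 so the two formats are explicit. It decodes the OpenSWAN '''0s''' value (RFC 2537/3110 key material) and the PEM SubjectPublicKeyInfo that isakmpd writes to local.pub with a minimal DER codec, in both directions, and auto-detects which one it was given. It assumes the PEM holds an rsaEncryption key (which is what isakmpd generates) and accepts the bare '''0s...''' value or the whole '''#pubkey=0s...''' line rather than the ''': PUB''' form the perl script wants. SAMPLE_N is a constructed 2048-bit number for the demonstration, not a real modulus.

```python
#!/usr/bin/env python3
"""Convert an RSA public key between the OpenSWAN "0s..." form and the PEM
form isakmpd uses. Added example; not from the wiki page or either project.

OpenSWAN (leftrsasigkey=, #pubkey=): "0s" + base64(RFC 2537/3110 material:
    1-byte exponent length, exponent, modulus; a 0x00 length byte followed
    by a 2-byte length is used for exponents longer than 255 bytes).
isakmpd (/etc/isakmpd/local.pub): PEM "PUBLIC KEY" block holding a DER
    SubjectPublicKeyInfo { rsaEncryption, BIT STRING { SEQUENCE { n, e } } }.
"""
import base64
import sys

# DER body of AlgorithmIdentifier { rsaEncryption OID, NULL }
RSA_ALGID_BODY = bytes.fromhex("06092a864886f70d0101010500")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)


def _der_read(buf, pos):
    """Return (tag, body, position after the element) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:            # long form: low 7 bits give the length-of-length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def rfc3110_to_numbers(key0s):
    """'0s...' -> (n, e)."""
    if not key0s.startswith("0s"):
        raise ValueError("expected an OpenSWAN key with the 0s prefix")
    raw = base64.b64decode(key0s[2:])
    elen, pos = raw[0], 1
    if elen == 0:
        elen, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    return n, e


def numbers_to_rfc3110(n, e):
    """(n, e) -> '0s...'."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode()


def pem_to_numbers(pem):
    """PEM SubjectPublicKeyInfo -> (n, e); rejects anything but rsaEncryption."""
    b64 = "".join(line.strip() for line in pem.splitlines()
                  if not line.strip().startswith("-----"))
    _, spki, _ = _der_read(base64.b64decode(b64), 0)
    tag, algid, pos = _der_read(spki, 0)
    if tag != 0x30 or algid != RSA_ALGID_BODY:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bits, _ = _der_read(spki, pos)
    _, rsapub, _ = _der_read(bits, 1)      # bits[0] is the unused-bits octet
    _, nb, pos = _der_read(rsapub, 0)
    _, eb, _ = _der_read(rsapub, pos)
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")


def numbers_to_pem(n, e):
    """(n, e) -> PEM SubjectPublicKeyInfo as isakmpd expects in pubkeys/fqdn/."""
    rsapub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    spki = _der_tlv(0x30, _der_tlv(0x30, RSA_ALGID_BODY)
                    + _der_tlv(0x03, b"\x00" + rsapub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


def convert(text):
    """Detect the input format and return the other one.
    Accepts a PEM block, a bare '0s...' value, or the '#pubkey=0s...' line."""
    text = text.strip()
    if text.startswith("-----BEGIN"):
        return numbers_to_rfc3110(*pem_to_numbers(text))
    if text.startswith("#pubkey="):
        text = text[len("#pubkey="):]
    return numbers_to_pem(*rfc3110_to_numbers(text))


# Constructed 2048-bit value for the demonstration; NOT a real RSA modulus.
SAMPLE_N = (1 << 2047) | (0xC0FFEE << 8) | 1
SAMPLE_E = 65537
SAMPLE_0S = numbers_to_rfc3110(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    # ./ipsec_keyconv.py < /etc/isakmpd/local.pub    or    echo 0s... | ./ipsec_keyconv.py
    print(convert(sys.stdin.read()).rstrip("\n"))
```

Run it with the file or value on stdin: feeding local.pub yields the '''0s...''' string to paste into '''rightrsasigkey''' on the laptop, and feeding the '''#pubkey=''' line from the laptop's ipsec.secrets yields the PEM block to save as '''/etc/isakmpd/pubkeys/fqdn/laptop.example.org''' on the router. Because the conversion is purely structural, a key converted one way and back must come out byte for byte identical; a mismatch means one side was pasted incompletely.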
== External links ==