widgeo.net

Saturday, 31 August 2013

Configuring a Linux-based VPN using Openswan

Introduction:
The intent of this article is to walk through the installation, configuration, and general debugging of Openswan-based IPsec tunnels.
Linux and Openswan versions used:
Linux Version: Linux TC3 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

Openswan Version: openswan.x86_64 0:2.6.32-3.el5
Installation & Initial Configuration:
We install using yum:
yum install openswan nss-tools
The ipsec.conf file:
There are two main sections in the ipsec configuration file: the configuration setup section and the connection section.
Configuration Setup:
The configuration setup section begins with the keyword
config setup
The configuration file would look like:
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0

The 'virtual_private' option declares which subnets should be allowed through the tunnel and which should be excluded. Typically, you'll wish to exclude any networks that overlap with your private LAN.
If either end of the tunnel is behind NAT, it may be necessary to add the nat_traversal workaround to the config setup section.
Connection Setup:
The connection configuration section begins with the 'conn' keyword followed by an arbitrary connection label.
Important info about /etc/ipsec.conf file:
BE SURE TO MAINTAIN THE INDENTATION BEFORE EACH PARAMETER.
THE CORRECT ARRANGEMENT IS:

conn net-to-net
     left=x.x.x.x
     leftsubnet=y.y.y.y/24

Do not use:
conn net-to-net
left=x.x.x.x
leftsubnet=y.y.y.y/24

An example configuration might look like:
conn net-to-net
    authby=secret                # Key exchange method
    left=10.2.50.31              # Public Internet IP address of the LEFT VPN device.
    leftsubnet=10.2.40.0/24      # Subnet protected by the LEFT VPN device
    leftnexthop=10.2.50.23       # correct in many situations
    right=10.2.50.23             # Public Internet IP address of the RIGHT VPN device.
    rightsubnet=10.2.60.0/24     # Subnet protected by the RIGHT VPN device
    rightnexthop=10.2.50.31      # correct in many situations
    ike=aes128-sha1;modp1024
    ikelifetime=86400s
    salifetime=3600s
    #phase2=esp
    #phase2alg=aes128-sha1;modp1024
    esp=aes128-sha1
    aggrmode=yes
    pfs=no
    auto=start                   # authorizes and starts this connection
                                 # on booting

Note: If your VPN subsection in the /etc/ipsec.conf file contains the line auto=add, then IPsec only authorizes but doesn't establish the connection at startup. You'll have to use the ipsec auto --up <vpn-name> command to start it manually. You must change this to auto=start for Openswan to start the VPN automatically when IPsec restarts or when the system reboots.
As we are using authby=secret, we need to specify the pre-shared key in /etc/ipsec.secrets:
[root@TC3 ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.2.50.23 10.2.50.31 :      PSK "linux@123"

This completes the Openswan configuration.
Initialize the new tunnel:
To initialize the new tunnel, use the ipsec command to bring up the connection net-to-net:
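Before restarting ipsec, it is worth checking the two files against the rules above: every parameter must be indented under its 'config setup' or 'conn' header, and the PSK line in ipsec.secrets must name both tunnel endpoints. The following checker is an added example, not part of the original article or of Openswan; it uses constructed copies of the config and secrets shown above (with a placeholder PSK) and treats a '%any' index as a simplified wildcard.

```python
import re

# Constructed sample ipsec.conf in the indented layout the article requires.
IPSEC_CONF = """\
config setup
    protostack=netkey
conn net-to-net
    authby=secret                # Key exchange method
    left=10.2.50.31
    leftsubnet=10.2.40.0/24
    right=10.2.50.23
    rightsubnet=10.2.60.0/24
    auto=start
"""
# Constructed ipsec.secrets content; the PSK value is a placeholder.
IPSEC_SECRETS = 'include /etc/ipsec.d/*.secrets\n10.2.50.23 10.2.50.31 :      PSK "PLACEHOLDER"\n'

def parse_conf(text):
    """Return ({section: {key: value}}, problems). Section headers sit in
    column 0; every parameter must be indented, as the article stresses."""
    sections, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # strip comment, keep indent
        if not line.strip():
            continue
        if not line[0].isspace():                 # column 0: must be a header
            m = re.match(r"(config setup|conn\s+(\S+))$", line)
            if m:
                current = "setup" if m.group(2) is None else m.group(2)
                sections[current] = {}
            else:
                problems.append(f"line {n}: '{line}' not indented under a section")
        elif current is None or "=" not in line:
            problems.append(f"line {n}: unexpected '{line.strip()}'")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections, problems

def parse_secrets(text):
    """Return the index list (IPs or %any) of every ': PSK "..."' line."""
    return [m.group(1).split() for m in
            (re.match(r'\s*([^:#]*?)\s*:\s*PSK\s+"', ln) for ln in text.splitlines()) if m]

def psk_covered(conn, entries):
    """True if some PSK line names both tunnel endpoints (or uses %any)."""
    need = {conn.get("left"), conn.get("right")}
    return any("%any" in e or need <= set(e) for e in entries)
```

Run parse_conf on the unindented "Do not use" form from above and each flat key=value line is reported as a problem instead of being silently attached to the conn.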

[root@TC3 ~]#sudo ipsec auto --up net-to-net
000 initiating all conns with alias= net-to-net
003 " net-to-net/0x1": pluto_do_crypto: helper (-1) is  exiting
117 " net-to-net/0x1" #23: STATE_QUICK_I1: initiate
004 "  net-to-net/0x1" #23: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x01382128 <0x0ea00a58 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
The "IPsec SA established" message signifies that the IPsec tunnel to the Checkpoint peer is UP.
You can also verify with setkey -D:

[root@TC3 ~]# setkey -D
10.2.50.31 10.2.50.23
        esp mode=tunnel spi=95165114(0x05ac1aba) reqid=16385(0x00004001)
        E: aes-cbc  7e9669e8 377bc3e5 ebaac089 cbee9a5c
        A: hmac-sha1  f9ff112a 35b44ed5 29244bdc 243e23c9 28ed3547
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Sep 25 12:03:57 2012   current: Sep 25 12:06:59 2012
        diff: 182(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=5890 refcnt=0
10.2.50.23 10.2.50.31
        esp mode=tunnel spi=858388882(0x3329f992) reqid=16385(0x00004001)
        E: aes-cbc  7d9407e2 2d13dfc5 e63a49f5 5ebcd9d2
        A: hmac-sha1  c3ed653d a87b3610 247fbd83 1ad884fd 97ff921d
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Sep 25 12:03:57 2012   current: Sep 25 12:06:59 2012
        diff: 182(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=5890 refcnt=0
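A tunnel is only usable when a mature ESP SA exists in both directions, and the byte counters show whether any traffic has actually crossed it. The parser below is an added example, not part of the original article or of Openswan; it reads a constructed sample trimmed from the setkey -D output above (key bytes omitted) and assumes the two-address "src dst" header format shown there.

```python
import re

# Constructed sample, trimmed from the setkey -D output above; key bytes omitted.
SETKEY_OUTPUT = """\
10.2.50.31 10.2.50.23
        esp mode=tunnel spi=95165114(0x05ac1aba) reqid=16385(0x00004001)
        E: aes-cbc  (key bytes omitted)
        A: hmac-sha1  (key bytes omitted)
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
10.2.50.23 10.2.50.31
        esp mode=tunnel spi=858388882(0x3329f992) reqid=16385(0x00004001)
        E: aes-cbc  (key bytes omitted)
        A: hmac-sha1  (key bytes omitted)
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
"""

def parse_setkey(text):
    """Return one dict per SA: src, dst, mode, spi, enc, auth, state, bytes."""
    sas, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():        # "src dst" starts a new SA
            src, dst = line.split()
            cur = {"src": src, "dst": dst}
            sas.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if m := re.match(r"esp mode=(\w+)\s+spi=(\d+)", s):
            cur["mode"] = m.group(1)
            cur["spi"] = int(m.group(2))
        elif s.startswith("E: "):
            cur["enc"] = s.split()[1]
        elif s.startswith("A: "):
            cur["auth"] = s.split()[1]
        elif m := re.search(r"\bstate=(\w+)", s):
            cur["state"] = m.group(1)
        elif m := re.match(r"current:\s*(\d+)\(bytes\)", s):   # traffic counter
            cur["bytes"] = int(m.group(1))
    return sas

def tunnel_up(sas, left, right):
    """True when a mature tunnel-mode SA exists in both directions."""
    def ok(src, dst):
        return any(sa["src"] == src and sa["dst"] == dst and sa.get("mode") == "tunnel"
                   and sa.get("state") == "mature" for sa in sas)
    return ok(left, right) and ok(right, left)
```

Both SAs above are mature but carry 0 bytes, so the tunnel is established yet nothing has traversed it; a non-zero counter after a ping across the subnets is the confirmation that traffic is really flowing.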

Note:
  • You can see the logs under /var/log/secure
  • Remember to restart the ipsec process every time you make a change to the ipsec.conf file for the changes to take effect on the running process.
[root@TC3]# service ipsec start
[root@TC3]# service ipsec stop
[root@TC3]# service ipsec restart