Sunday, June 8, 2014

IPSEC Tunnel creation for LINUX using OPENSWAN package


Install Openswan

sudo apt-get install openswan (or install directly from the openswan package file supplied)

Disable ICMP send/accept redirects
Note: the * in the paths below stands for the interface directory, i.e. eth0 or eth1, including the one on which the VPN will terminate. ipsec verify checks every interface, so the loops below set all of them. The glob must stay unquoted: a quoted "*" is passed to the shell literally and nothing is written.

Disable /proc/sys/net/ipv4/conf/*/send_redirects

[root@localhost ~]# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done

Disable /proc/sys/net/ipv4/conf/*/accept_redirects

[root@localhost ~]# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
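As an added example that is not part of the original post, the following script applies the redirect settings to every interface with a properly expanded glob and then re-checks them the same way ipsec verify does. The directory root is an assumed parameter so the functions can be tried against a scratch copy; on a real host it defaults to /proc/sys/net/ipv4/conf and writing there needs root.

```shell
#!/bin/sh
# Added example (not from the original post): disable ICMP redirects under
# every interface directory and re-check them the way `ipsec verify` does.
# The directory root is a parameter (an assumption added here) so the
# functions can be exercised against a constructed tree; the real path is
# /proc/sys/net/ipv4/conf and writing to it requires root.

# Write 0 to send_redirects and accept_redirects for every interface.
# Usage: disable_redirects [conf_root]
disable_redirects() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        # the unquoted glob expands here; if it matched nothing, skip the literal
        [ -e "$f" ] || continue
        echo 0 > "$f" || return 1
    done
    return 0
}

# List every interface file that still reads 1; return 1 if any is found,
# which mirrors the [FAILED] lines ipsec verify prints for redirects.
# Usage: check_redirects [conf_root]
check_redirects() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -e "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use on a real host (as root):
#   . ./redirects.sh && disable_redirects && check_redirects && echo "redirects disabled"
```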

Enable IP Forwarding
[root@localhost ~]#gedit /etc/sysctl.conf
Set: net/ipv4/ip_forward = 1

[root@localhost ~]#sysctl -p

Verify ipsec/openswan

Check if IPSec package is happy with your settings. Mine are copied after VPN was established.
[root@localhost ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost.localdomain  [MISSING]
Does the machine have at least one non-private address?     [FAILED]
The Opportunistic Encryption DNS check failures can be ignored.

IPsec CONFIGURATIONS

Now configure the Linux VPN by editing the ipsec.conf file.

[root@localhost ~]#gedit /etc/ipsec.conf

Insert the following lines in that file accordingly. The parameters under conn must be indented: Openswan treats any line that starts in column 0 as a new section header, so an unindented block will not load.

config setup

conn connection
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    ike=aes256-sha1;modp1024!
    phase2alg=aes256-sha1;modp1024
    aggrmode=no
    left=172.31.132.55
    right=172.31.132.59
    leftsubnet=172.31.128.0/17
    rightsubnet=172.31.128.0/17

CONFIGURE Pre-Shared Key

Add the following line to /etc/ipsec.secrets. The second address 0.0.0.0 matches any peer; the same PSK must be configured on the other end.

172.31.132.55 0.0.0.0: PSK "abcd1234"

Check the status of the tunnel:

[root@localhost ~]# ipsec auto --status

Start up the tunnel:

[root@localhost ~]# ipsec auto --up connection
