IPSecHowTo

Revision 1 as of 2005-05-28 20:51:31


[mailto:matt@mattcaron.net Matthew Caron]

This HowTo is primarily taken from [http://www.ipsec-howto.org/x282.html IPSec - Linux Kernel 2.6 using KAME-tools], which covers the native IPSec stack in the 2.6 kernel series.

This covers using manually-keyed connections, and is geared toward very small or primarily star topology networks (an NIS server and all its clients, for example). Larger networks (if all the NIS clients want to talk to each other in an encrypted fashion) would benefit from the use of an automated keying agent, such as racoon. Discussion of such agents is outside the scope of this draft of this document (maybe later).

1. Install the tools

sudo apt-get install ipsec-tools

2. Create an /etc/ipsec.conf file. This file should be of the general form:

# Configuration for 192.168.1.100

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;

It is important to understand this, so let me break it down:

# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
        0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
        0x96358c90783bbfa3d7b196ceabe0536b;

This section lists the 128 bit keys for the 192.168.2.100 and 192.168.1.100 connection. Each IP pair has 2 keys - one for each direction (in and out). Each pair of machines needs to know this information. So, this means that, for each pair of IPs, you need to generate a new key (hence why this works for small networks, but anything major probably wants a daemon to handle this. Maybe if I feel ambitious, I'll set mine up to use it and update this with that info).

Also, note the number right after the 'ah' for each of these keys. This number needs to be unique for each 'add' statement. These keys are generated as follows:

dd if=/dev/random count=16 bs=1| xxd -ps

Don't forget to add the 0x in front of it.

Similarly, this section:

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
        0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
        0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

This works just like the AH keys, except that they are longer. Again, the number after 'esp' must be unique. These keys are generated as follows:

dd if=/dev/random count=24 bs=1| xxd -ps

Again, don't forget to add the 0x in front of it.
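A check for the two rules just stated (every 'add' statement gets its own number, and each key is 0x-prefixed hex of the right length), as an added example that is not part of the original HowTo. The function names and the sample file with its dummy keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the "add" statements of a setkey file.

# sample_conf: constructed input with three deliberate mistakes (dummy keys).
sample_conf() {
    cat <<'EOF'
# constructed sample, not real keys
add 10.0.0.1 10.0.0.2 ah 0x200 -A hmac-md5
        0x00112233445566778899aabbccddeeff;
add 10.0.0.2 10.0.0.1 ah 0x200 -A hmac-md5
        0xffeeddccbbaa99887766554433221100;
add 10.0.0.1 10.0.0.2 esp 0x201 -E 3des-cbc
        0x00112233445566778899aabbccddeeff;
add 10.0.0.2 10.0.0.1 esp 0x301 -E 3des-cbc
        00112233445566778899aabbccddeeff0011223344556677;
EOF
}

# check_sas: read a setkey file on stdin, print one line per problem and
# return non-zero if any problem was found. Comments are stripped and the
# input is re-split on ";" so that a two-line statement becomes one record.
check_sas() {
    sed 's/#.*//' | tr '\n' ' ' | tr ';' '\n' | awk '
        # expected number of hex digits: 16 bytes and 24 bytes
        BEGIN { hexlen["hmac-md5"] = 32; hexlen["3des-cbc"] = 48 }
        $1 != "add" { next }
        {   # fields: add SRC DST PROTO NUMBER -A|-E ALGO KEY
            num = $5; algo = $7; key = $8; n = length(key) - 2
            if (num in seen) {
                print "duplicate number " num " (" $2 " -> " $3 ")"; bad = 1
            }
            seen[num] = 1
            if (key !~ /^0x[0-9a-fA-F]+$/) {
                print "key for " num " is not 0x-prefixed hex"; bad = 1
            } else if ((algo in hexlen) && n != hexlen[algo]) {
                print "key for " num " has " n " hex digits, " algo " needs " hexlen[algo]
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Stand-alone use: sh this-file /etc/ipsec.conf
if [ "$#" -eq 1 ]; then check_sas < "$1"; fi
```

Running `sample_conf | check_sas` reports the repeated 0x200, the 3des-cbc key that is only 16 bytes long, and the key missing its 0x prefix.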

So, these top two sections should list keys for all the IP addresses that the machine cares about. These sections do not change when moving the file amongst machines on either side of a connection. That brings us to the next section:

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;

This sets up the policies for in and out communications. So, the above version will work for 192.168.1.100, because all outgoing communication to 192.168.2.100 and all incoming communication from 192.168.2.100 will be encrypted. To use this on the other machine (192.168.2.100), flip the in and out directives, as follows:

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;

Okay, do both sides of the connection have an ipsec.conf? Everyone set? Good, now it gets easy.
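The file layout described above, generated for both ends of a pair, as an added example rather than the author's own tooling. The function names and output file names are assumptions; it reads /dev/urandom and uses od instead of xxd so that it runs unattended, and it discards dd's stderr so that only the key is captured.

```shell
#!/bin/sh
# Added example: write ipsec.conf candidates for both ends of one manually
# keyed pair. Output file names are an assumption of this sketch.

# hexkey N: N random bytes as one 0x-prefixed hex string. dd reports its
# transfer statistics on stderr; sending them to /dev/null keeps them out.
hexkey() {
    printf '0x%s\n' "$(dd if=/dev/urandom bs=1 count="$1" 2>/dev/null |
        od -An -v -tx1 | tr -d ' \n')"
}

# gen_sas A B: the four SAs, identical on both hosts. The numbers and
# algorithms are the ones used in the page's sample file.
gen_sas() {
    printf 'add %s %s ah 0x200 -A hmac-md5\n        %s;\n' "$1" "$2" "$(hexkey 16)"
    printf 'add %s %s ah 0x300 -A hmac-md5\n        %s;\n' "$2" "$1" "$(hexkey 16)"
    printf 'add %s %s esp 0x201 -E 3des-cbc\n        %s;\n' "$1" "$2" "$(hexkey 24)"
    printf 'add %s %s esp 0x301 -E 3des-cbc\n        %s;\n' "$2" "$1" "$(hexkey 24)"
}

# gen_policies LOCAL REMOTE: SPD entries as seen from LOCAL
# (traffic to REMOTE is "out", traffic from REMOTE is "in").
gen_policies() {
    printf 'spdadd %s %s any -P out ipsec\n' "$1" "$2"
    printf '           esp/transport//require\n           ah/transport//require;\n\n'
    printf 'spdadd %s %s any -P in ipsec\n' "$2" "$1"
    printf '           esp/transport//require\n           ah/transport//require;\n'
}

# gen_pair A B DIR: write DIR/ipsec.conf.A and DIR/ipsec.conf.B, readable
# by the owner only. Runs in a subshell so the umask change stays local.
gen_pair() (
    umask 077
    a=$1 b=$2 dir=$3
    sas=$(gen_sas "$a" "$b")    # generated once, shared by both files
    write_conf() {
        { printf '# Configuration for %s\nflush;\nspdflush;\n\n%s\n\n' "$1" "$sas"
          gen_policies "$1" "$2"; } > "$dir/ipsec.conf.$1"
    }
    write_conf "$a" "$b"
    write_conf "$b" "$a"
)

# Stand-alone use: sh this-file 192.168.1.100 192.168.2.100 /some/dir
if [ "$#" -eq 3 ]; then gen_pair "$@"; fi
```

Each generated file holds the keys for both directions, so move it to /etc/ipsec.conf on the matching host over a channel you trust.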

2. Get [http://www.mattcaron.net/linux/scripts/ipsec my ipsec startup script]. It shouldn't suck too badly. I've filed [https://bugzilla.ubuntu.com/show_bug.cgi?id=7491 a bug] about adding it to the main package. Anyway, put it into /etc/init.d/. It is reproduced below if you don't feel like downloading random bits:

#!/bin/sh
#
# start/stop ipsec stuff

test -f /usr/sbin/setkey || exit 0
test -f /etc/ipsec.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_begin_msg "Loading ipsec policy entries..."
        /usr/sbin/setkey -f /etc/ipsec.conf
        log_end_msg $?
        ;;
    stop)
        log_begin_msg "Flushing ipsec policy entries..."
        /usr/sbin/setkey -F
        /usr/sbin/setkey -FP
        log_end_msg $?
        ;;
    force-reload)
        $0 restart
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        log_success_msg "Usage: /etc/init.d/ipsec {start|stop|force-reload|restart}"
        exit 1
        ;;
esac

exit 0

3. Okay, now it needs to be added to the default runlevel, and it wants to start after networking.

update-rc.d ipsec start 41 S .

4. Starting it wouldn't hurt either (make sure to do this on both sides of the connection before trying to have them talk to each other).

/etc/init.d/ipsec start

From MatthewCaron Mon May 23 13:16:20 +0100 2005
From: Matthew Caron
Date: Mon, 23 May 2005 13:16:20 +0100
Subject: Re: Tony's Changes
Message-ID: <20050523131620+0100@https://www.ubuntulinux.org>

Tony,

I tried to email you, but you didn't use a valid email address when you made the changes. Your change of:

dd if=/dev/random count=16 bs=1| (echo -n '0x' ; xxd -ps)

doesn't always work. It's a race condition where the output depends on whether the stdout gets interleaved with the stderr or not, as in:

0x16+0 records in
16+0 records out
16 bytes transferred in 0.000589 seconds (27160 bytes/sec)
f25e8aee0c949b5a909cc986f5888e81