Putorius

Creating IPsec Tunnel Between Two Hosts using openswan

This tutorial walks through creating a simple host-to-host IPsec tunnel that provides end-to-end encryption of traffic between two hosts. It is a basic configuration that uses an RSA key pair on each host to authenticate the ISAKMP (IKE) Security Association; the traffic itself is then encrypted with ESP.

Tested on Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Fedora 17.

Install Openswan

First we need to install openswan:

yum -y install openswan

Next, clean up the installation defaults: remove the stock NSS database files and secrets file, then create a fresh NSS database for openswan.
NOTE: certutil -N prompts for a password for the new database. Leave it blank (just press Enter at each prompt).

rm -r /etc/ipsec.d/*.db; rm -f /etc/ipsec.secrets; certutil -N -d /etc/ipsec.d/

Generate RSA Keys

Now generate an RSA host key. This must be done on each host, and it can take 4-6 minutes. The private key is written to /etc/ipsec.secrets, so keep that file readable by root only.

ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets

Gather Host Keys

Obtain the public key from each host and save both values in a text file. You will need them when writing the connection configuration.

ON HOST 1 RUN:

ipsec showhostkey --left

ON HOST 2 RUN:

ipsec showhostkey --right

Edit Configuration File

Uncomment the following line in /etc/ipsec.conf so that the per-connection files in /etc/ipsec.d/ are read.

Change:

#include /etc/ipsec.d/*.conf

to

include /etc/ipsec.d/*.conf

Create Connection Specific Configuration

Create a connection-specific conf file in /etc/ipsec.d/, for example /etc/ipsec.d/host1-2.conf.
The same file is used unchanged on both hosts. The indentation of every line after the first is required.

conn host1-2
    left=10.0.0.1
    leftrsasigkey=[leftrsasigkey value from host1, gathered above]
    right=10.0.0.40
    rightrsasigkey=[rightrsasigkey value from host2, gathered above]
    auto=start
    authby=rsasig

NOTE: Don’t forget to copy this configuration file to /etc/ipsec.d/ on host2.
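The key values are long and are the part most often mangled when pasted by hand. The script below is an added example, not code from the original post or from the openswan project: it assembles the conn block from the two "ipsec showhostkey" outputs and refuses to emit a file if either key is missing or does not look like an openswan key. It assumes that showhostkey prints the key as a "leftrsasigkey=" / "rightrsasigkey=" line (the comment line before it is ignored); the two outputs embedded here are constructed placeholders standing in for the real command output, and the key strings are not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/ipsec.d/host1-2.conf
# from the output of "ipsec showhostkey --left" on host1 and
# "ipsec showhostkey --right" on host2. On a real host, replace the
# constructed samples below with the real command output.

# Print the value of the "<side>rsasigkey=" line from showhostkey output on
# stdin (leading whitespace is tolerated). Prints nothing if the line is absent.
extract_rsasigkey() {
    side="$1"
    sed -n "s/^[[:space:]]*${side}rsasigkey=//p" | head -n 1
}

# Fail unless the key is non-empty and starts with "0s", the prefix openswan
# puts on its base64 RSA keys. This catches an empty paste or a pasted
# comment line before it ever reaches pluto.
valid_key() {
    case "$1" in
        0s?*) return 0 ;;
        *)    return 1 ;;
    esac
}

# make_conn NAME LEFT_IP LEFT_KEY RIGHT_IP RIGHT_KEY: print the conn block
# from the tutorial, with the required four-space indentation.
make_conn() {
    name="$1"; left="$2"; leftkey="$3"; right="$4"; rightkey="$5"
    if ! valid_key "$leftkey" || ! valid_key "$rightkey"; then
        echo "make_conn: missing or malformed rsasigkey, refusing to write conn" >&2
        return 1
    fi
    printf 'conn %s\n' "$name"
    printf '    left=%s\n' "$left"
    printf '    leftrsasigkey=%s\n' "$leftkey"
    printf '    right=%s\n' "$right"
    printf '    rightrsasigkey=%s\n' "$rightkey"
    printf '    auto=start\n'
    printf '    authby=rsasig\n'
}

# Constructed stand-ins for the showhostkey output on each host (placeholder
# keys, not real ones). The real output is a comment line followed by the key.
HOST1_SHOWHOSTKEY='    # RSA 2192 bits   host1   Tue Aug  7 13:20:11 2012
    leftrsasigkey=0sAQOhost1exampleKEY'
HOST2_SHOWHOSTKEY='    # RSA 2192 bits   host2   Tue Aug  7 13:21:45 2012
    rightrsasigkey=0sAQOhost2exampleKEY'

LEFTKEY=$(printf '%s\n' "$HOST1_SHOWHOSTKEY" | extract_rsasigkey left)
RIGHTKEY=$(printf '%s\n' "$HOST2_SHOWHOSTKEY" | extract_rsasigkey right)

# Prints the conn block; redirect it to /etc/ipsec.d/host1-2.conf on both hosts.
make_conn host1-2 10.0.0.1 "$LEFTKEY" 10.0.0.40 "$RIGHTKEY"
```

Run it once, redirect the output to /etc/ipsec.d/host1-2.conf, and copy that file to the other host unchanged; because both hosts read the same left/right values, the file does not need editing on either side.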

Start ipsec Services

Start the ipsec services (pluto) on each host:

service ipsec start

Confirm Connection

Check /var/log/secure on either host for messages containing "IPsec SA established" (the quoted name in each line is the conn name from your configuration file):

# tail -99 /var/log/secure | grep -i "ipsec sa established"
Aug  7 13:37:06 host2 pluto[25754]: "host1-host2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfcfb638f <0x5c787237 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug  7 13:37:13 host2 pluto[25754]: "host1-host2" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2cb7bd96 <0xd47a1d6c xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
...OUTPUT TRUNCATED...

Check the tunnel's status via the kernel's IPsec policies. There should be an ESP tunnel-mode policy for the pair in all three directions (out, fwd, in):

ip xfrm policy

src 10.0.0.40/32 dst 10.0.0.1/32 
    dir out priority 2080 ptype main 
    tmpl src 10.0.0.40 dst 10.0.0.1
        proto esp reqid 16385 mode tunnel
src 10.0.0.1/32 dst 10.0.0.40/32 
    dir fwd priority 2080 ptype main 
    tmpl src 10.0.0.1 dst 10.0.0.40
        proto esp reqid 16385 mode tunnel
src 10.0.0.1/32 dst 10.0.0.40/32 
    dir in priority 2080 ptype main 
    tmpl src 10.0.0.1 dst 10.0.0.40
        proto esp reqid 16385 mode tunnel

More information can be found with the "service ipsec status" and "ipsec auto --status" commands.
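Both checks above are easy to script so they can be run after every restart. The following is an added example, not code from the original post or from openswan: it counts the "IPsec SA established" lines for a given conn name in log text, and it parses "ip xfrm policy" output to confirm that the out, fwd and in ESP tunnel-mode policies for the host pair are all installed, naming any that are missing. The log lines and policy dump embedded here are constructed samples modelled on the output shown above (conn name host1-2, host2 at 10.0.0.40, host1 at 10.0.0.1); on a real host pipe in /var/log/secure and the live "ip xfrm policy" output instead.

```shell
#!/bin/sh
# Added example (not from the original post): post-start checks for the
# host-to-host tunnel. (1) Did pluto log "IPsec SA established" for our conn?
# (2) Does the kernel hold ESP tunnel-mode policies in all three directions?
# The samples below are constructed; feed in real data on a real host.

# Count "IPsec SA established" lines for conn $1 in log text read from stdin.
# grep -c still prints 0 when nothing matches; "|| true" keeps that zero
# count from being treated as a failure under "set -e".
count_sa_established() {
    grep -c "\"$1\" #[0-9]*: .*IPsec SA established" || true
}

# Collapse each multi-line "ip xfrm policy" record (a line starting with
# "src " plus its indented continuation lines) into one line per policy so
# that a single regular expression can match it.
flatten_policies() {
    awk '/^src /{ if (rec != "") print rec; rec = $0; next }
         { rec = rec " " $0 }
         END { if (rec != "") print rec }'
}

# has_policy FLAT SRC DST DIR: succeed if the flattened records in FLAT contain
# an ESP tunnel-mode policy from SRC/32 to DST/32 in direction DIR.
has_policy() {
    s=$(printf '%s' "$2" | sed 's/\./\\./g')
    d=$(printf '%s' "$3" | sed 's/\./\\./g')
    printf '%s\n' "$1" |
        grep -Eq "^src ${s}/32 dst ${d}/32 .*dir $4 .*tmpl src ${s} dst ${d} .*proto esp .*mode tunnel"
}

# check_xfrm_policy LOCAL PEER: read "ip xfrm policy" output from stdin and
# require the out policy (LOCAL -> PEER) plus the fwd and in policies
# (PEER -> LOCAL). Returns 1 and lists the missing directions otherwise.
check_xfrm_policy() {
    flat=$(flatten_policies)
    missing=""
    has_policy "$flat" "$1" "$2" out || missing="$missing out"
    has_policy "$flat" "$2" "$1" fwd || missing="$missing fwd"
    has_policy "$flat" "$2" "$1" in  || missing="$missing in"
    if [ -n "$missing" ]; then
        echo "missing ESP tunnel policies for $1 <-> $2:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of /var/log/secure on host2 (one unrelated line included).
SAMPLE_SECURE='Aug  7 13:37:06 host2 pluto[25754]: "host1-2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfcfb638f <0x5c787237 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug  7 13:37:13 host2 pluto[25754]: "host1-2" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2cb7bd96 <0xd47a1d6c xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug  7 13:37:20 host2 sshd[25800]: Accepted publickey for admin from 10.0.0.1 port 51234 ssh2'

# Constructed sample of "ip xfrm policy" on host2 (10.0.0.40), peer 10.0.0.1.
SAMPLE_XFRM='src 10.0.0.40/32 dst 10.0.0.1/32
    dir out priority 2080 ptype main
    tmpl src 10.0.0.40 dst 10.0.0.1
        proto esp reqid 16385 mode tunnel
src 10.0.0.1/32 dst 10.0.0.40/32
    dir fwd priority 2080 ptype main
    tmpl src 10.0.0.1 dst 10.0.0.40
        proto esp reqid 16385 mode tunnel
src 10.0.0.1/32 dst 10.0.0.40/32
    dir in priority 2080 ptype main
    tmpl src 10.0.0.1 dst 10.0.0.40
        proto esp reqid 16385 mode tunnel'

# Constructed failure case: the same dump with the "in" policy absent, i.e.
# only the outbound half of the tunnel is installed.
SAMPLE_XFRM_NO_IN=$(printf '%s\n' "$SAMPLE_XFRM" | head -n 8)

# Stand-alone run against the samples.
n=$(printf '%s\n' "$SAMPLE_SECURE" | count_sa_established host1-2)
echo "IPsec SA established lines for conn host1-2: $n"
if printf '%s\n' "$SAMPLE_XFRM" | check_xfrm_policy 10.0.0.40 10.0.0.1; then
    echo "kernel policies present for out, fwd and in"
fi
```

The direction check matters: a policy dump that shows only the "out" entry means the local host will encrypt, but nothing tells the kernel to require ESP on traffic arriving from the peer, so cleartext from that side would still be accepted.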
