Continued from IPSec Linux & Solaris...
A working IPSec configuration between Solaris 9 and Fedora.
Solaris machine: 172.50.20.100 (bge0), tunnel IP 198.168.1.100 (tun0)
Linux machine:   172.50.20.200 (eth0), tunnel IP 198.168.1.200 (tun0)
As I've already mentioned, keying can be done manually or automatically. Here we will use automatic keying, i.e. with the help of the IKE daemons.
Linux Configuration
ipsec-tools needs to be downloaded and installed.
IPSec Installation
Installing ipsec-tools is fairly simple, just like installing any other application. You need to be root to install it, or make sure your admin has given you sudo privileges.
Here, I will provide some info on installing ipsec-tools on Fedora 16.
The command is of course "yum install ipsec-tools" on Fedora, "apt-get install ipsec-tools" on Ubuntu, etc.
Code:
root > yum install ipsec-tools
Loaded plugins: langpacks, presto, refresh-packagekit
fedora/group_gz | 431 kB 00:01
fedora-cinnamon | 2.9 kB 00:00
updates/metalink | 3.3 kB 00:00
updates | 4.5 kB 00:00
updates/primary_db | 4.0 MB 00:59
updates/group_gz | 431 kB 00:08
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipsec-tools.i686 0:0.8.0-2.fc16 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================
Installing:
ipsec-tools i686 0.8.0-2.fc16 fedora 364 k
Transaction Summary
===========================================================================================================================================
Install 1 Package
Total download size: 364 k
Installed size: 364 k
Is this ok [y/N]: y
Downloading Packages:
ipsec-tools-0.8.0-2.fc16.i686.rpm | 364 kB 00:01
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : ipsec-tools-0.8.0-2.fc16.i686 1/1
Installed:
ipsec-tools.i686 0:0.8.0-2.fc16
Complete!
root >
Just verify that you have all of these on your machine:
Code:
root > which racoon
/usr/sbin/racoon
root > which setkey
/sbin/setkey
root > ls -lrtd /etc/racoon/
drwxr-xr-x. 4 root root 4096 Feb 26 13:22 /etc/racoon/
Note: older versions of ipsec-tools use the /etc/ipsec-tools folder instead of /etc/racoon. It doesn't really matter!
On Linux, all the configuration lives in the /etc/racoon folder.
We will do 2 levels of configuration:
1. Setting up racoon
2. Setting up the policies
Racoon Configuration
We will need to add/modify the /etc/racoon/racoon.conf file, which is read by the racoon daemon, to suit our requirements.
/etc/racoon/racoon.conf
Code:
# Racoon will use this file for pre_shared_key authentication
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE SA) settings for the Solaris peer
remote 172.50.20.100 {
    exchange_mode main;
    lifetime time 360 min;
    nonce_size 20;
    proposal {
        dh_group 5;
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
    }
}

# Phase 2 (IPsec SA) settings
#sainfo any
sainfo address 198.168.1.100 any address 198.168.1.200 any
{
    pfs_group 5;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
As you can see, the pre-shared key is stored in /etc/racoon/psk.txt:
/etc/racoon/psk.txt
Code:
172.50.20.100 0x1234567890
That completes phase 1.
Let us set up some policies here and then go to the Solaris box.
Policies
Now we set up the required policies that the traffic needs to match. The command used is "setkey". Let us put all the configuration in /etc/racoon/setkey.conf
/etc/racoon/setkey.conf
Code:
spdadd 172.50.20.200 172.50.20.100 any -P out ipsec
esp/tunnel/198.168.1.200-198.168.1.100/require;
spdadd 172.50.20.100 172.50.20.200 any -P in ipsec
esp/tunnel/198.168.1.100-198.168.1.200/require;
Use the setkey command to load the policies as shown.
Code:
root > setkey -f /etc/racoon/setkey.conf
Verify that your policies are properly loaded using the -PD option.
Code:
root > setkey -PD
172.50.20.100[any] 172.50.20.200[any] 255
        fwd prio def ipsec
        esp/tunnel/198.168.1.100-198.168.1.200/require
        created: Feb 26 17:26:14 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=18 seq=1 pid=9246
        refcnt=1
172.50.20.100[any] 172.50.20.200[any] 255
        in prio def ipsec
        esp/tunnel/198.168.1.100-198.168.1.200/require
        created: Feb 26 17:26:14 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=8 seq=2 pid=9246
        refcnt=1
172.50.20.200[any] 172.50.20.100[any] 255
        out prio def ipsec
        esp/tunnel/198.168.1.200-198.168.1.100/require
        created: Feb 26 17:26:14 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1 seq=0 pid=9246
        refcnt=1
As you can see, the kernel adds a default forward policy. In older versions we had to add it manually.
There is a lot more information I want to add about the setkey command, the parameters in the racoon configuration, the algorithms used, etc. Maybe in another post!
Before going to the Solaris box, let us start the racoon daemon.
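As an added check (my own script, not part of the original post), here is a small POSIX shell script that parses the output of "setkey -PD" and confirms that both the "in" and the "out" ESP tunnel policies between the two tunnel endpoints are loaded; the sample output embedded in it is constructed from the listing above, and the two arguments are assumed to be the local and remote tunnel IPs.

```shell
#!/bin/sh
# Added example (not from the original post): check that `setkey -PD` shows
# both an 'in' and an 'out' ESP tunnel policy between two tunnel endpoints.
# Live use on the Linux box: setkey -PD | check_spd 198.168.1.200 198.168.1.100

# Reduce setkey -PD text on stdin to one line per policy:
#   "<dir> <src> <dst> <tunnel-src>-<tunnel-dst>"
spd_entries() {
    awk '
        # selector line: "SRC[any] DST[any] 255"
        /^[0-9.]+\[.*\] [0-9.]+\[.*\]/ {
            src = $1; dst = $2
            sub(/\[.*/, "", src); sub(/\[.*/, "", dst)
            next
        }
        # direction line: "in|out|fwd prio def ipsec"
        /^[[:space:]]*(in|out|fwd) / { dir = $1; next }
        # template line: "esp/tunnel/A-B/require"
        /^[[:space:]]*esp\/tunnel\// { split($0, f, "/"); print dir, src, dst, f[3] }
    '
}

# check_spd LOCAL_TUN REMOTE_TUN   (reads setkey -PD text on stdin)
# Succeeds only if an 'out' policy tunnels LOCAL->REMOTE and an 'in' policy
# tunnels REMOTE->LOCAL; a missing direction means traffic that way is not
# protected at all, which is easy to miss when a ping still "works".
check_spd() {
    entries=$(spd_entries)
    printf '%s\n' "$entries" | grep -q "^out .* $1-$2\$" || return 1
    printf '%s\n' "$entries" | grep -q "^in .* $2-$1\$"  || return 1
    return 0
}

# Constructed sample, taken from the listing the post shows for the Linux box.
SAMPLE_SPD='172.50.20.100[any] 172.50.20.200[any] 255
        fwd prio def ipsec
        esp/tunnel/198.168.1.100-198.168.1.200/require
        created: Feb 26 17:26:14 2012  lastused:
172.50.20.100[any] 172.50.20.200[any] 255
        in prio def ipsec
        esp/tunnel/198.168.1.100-198.168.1.200/require
172.50.20.200[any] 172.50.20.100[any] 255
        out prio def ipsec
        esp/tunnel/198.168.1.200-198.168.1.100/require'

if printf '%s\n' "$SAMPLE_SPD" | check_spd 198.168.1.200 198.168.1.100; then
    echo "SPD OK: in and out tunnel policies are loaded"
else
    echo "SPD PROBLEM: an in or out tunnel policy is missing" >&2
fi
```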
Code:
root > /etc/init.d/racoon start
Starting racoon (via systemctl): [ OK ]
Just confirm it using pgrep:
Code:
root > pgrep racoon
9278
So far everything looks fine! Let us move on to the Solaris box.
Solaris
In Solaris, the IKE daemon (in.iked) does what racoon does on Linux, and ipseckey and ipsecconf do what setkey does.
So, like racoon.conf, here we have the IKE configuration, which lives at
/etc/inet/ike/config
Code:
# Phase 1
p1_lifetime_secs 21600
p1_nonce_len 20
p1_xform {
    auth_method preshared
    oakley_group 5
    auth_alg md5
    encr_alg 3des
}
# Phase 2
p2_pfs 5
{
    label "172.50.20.100 - 172.50.20.200"
    local_id_type IP
    local_addr 172.50.20.100
    remote_addr 172.50.20.200
}
The pre-shared key needs to be added to /etc/inet/secret/ike.preshared
/etc/inet/secret/ike.preshared
Code:
172.50.20.200 1234567890
Now we need to set up the policy like we did on Linux. Let us put the policy in /etc/inet/ike/ipsecconf.conf
/etc/inet/ike/ipsecconf.conf
Code:
{
    tunnel tun0
    negotiate tunnel
    laddr 198.168.1.100/32
    raddr 198.168.1.200/32
    dir out
} ipsec {
    encr_algs aes-cbc(128..256)
    encr_auth_algs hmac-md5(128)
    sa shared
}
Unlike the Linux policy, we need only one here, basically because Solaris supports "both" as a direction.
Load the policy using the following command:
Code:
root > ipsecconf -f /etc/inet/ike/ipsecconf.conf
Verify that your policies are properly loaded:
Code:
root > ipsecconf -ln
#INDEX tun0,1
{ tunnel tun0 negotiate tunnel laddr 198.168.1.100/32 raddr 198.168.1.200/32 dir out } ipsec { encr_algs aes-cbc(128..256) encr_auth_algs hmac-md5(128) sa shared }
Now start the ike daemon and verify it.
Code:
root > /usr/lib/inet/in.iked
Try pinging the tunnel addresses from either box.
Use the command "setkey -D" to see whether the security associations have been created on the Linux box, and "ipseckey dump" on the Solaris box.
Will add more information later!
Have a good day!
You posted this so recently... why Sol 9?? I'm trying to get this to work, and just can't.. this is too outdated
Yeah, it is kind of old. I posted it at the time I was working on this for a porting project.
Nice, but you forgot the building of the tunnels for both machines with ipconfig.
Oops, I will add that as well. Thanks.