Configuring IPsec
To make it easier to maintain, you can use include statements in the configuration files, which may contain wildcards. This can help you organize your VPN connections, for instance by grouping them in directories per region:
include /etc/ipsec.d/canada/*.conf include /etc/ipsec.d/netherlands/*.conf include /etc/ipsec.d/ussa/*.conf
Host-to-Host Tunnel
Now let us make an example ipsec.conf configuration for a VPN tunnel from East to West. This ipsec.conf configuration file needs to be created on both ends.
version 2
config setup interfaces=%defaultroute
#klipsdebug=all
#plutodebug=control
conn %default authby=rsasig
conn west-east left=193.110.157.131 right=205.150.200.209 type=tunnel
leftrsasigkey=0sAQOkF1Ggd4iFfI2nQxJYbN9HGD...
rightrsasigkey=0sAQPEAl+N52EIRrIAA5cxl8U...
auto=start
And that is all you need to define an IPsec tunnel with Openswan. It can't be easier! Though most options should be self explanatory, let's review all of them so we will fully understand their usage.
Left and Right
Most network administrators are used to the concepts of source and destination addresses, and they expect an IPsec configuration to have a source and a destination. But this doesn't really apply to IPsec, bearing in mind that an IPsec connection actually contains two halves, one for incoming and one for outgoing packets. It would be confusing, and not to mention extremely annoying, if after transferring a file to the other IPsec endpoint you had to then swap source and destination parameters. And the terms client and server won't help either, since IPsec really is a peer-to-peer protocol. Not all IPsec peers are either clearly the client or the server. They could even be considered a client for one tunnel, and a server for another.
For these reasons, the concepts of left and right are used. These terms are dependent on your point of view (look in a mirror, or teach in front of a group of people to see how left and right can become exchanged). So the choice of which end to call left or right is completely up to you. You might look at your draft network sketch and call the one you drew on the left "left".
The good thing is that when Openswan loads a new connection, it will look at both left and right entries, and it will try to figure out which end it is. It does so by comparing the specified IP address (or resolved hostnames) to the list of currently active IP addresses on the host. In our
82
Chapter 4
example, West will figure out it is left because it can see that its network configuration has the IP address 193.110.157.89, which matches the left= option. East will figure out it is right, because the right= option matches one of its IP addresses. If Openswan cannot determine whether it is left or right, the connection will fail to load, and a warning will be logged.
Because of Openswan's automatic left/right detection, simple connection definitions can be used on both IPsec endpoints without editing them. The exception is when you are using roadwarrior connections.
The type Options
The type= option sets the IPsec mode to use. When left out, it defaults to tunnel mode, which should be correct for most cases, with the exception of Microsoft L2TP connections.
IPsec mode |
Description |
|
|
type=tunnel (default) |
Use tunnel modes |
type=transport |
Use transport modes |
type=passthrough |
Do not process packets, just pass them through to the kernel |
|
|
The auto Option
The auto=start option tells Openswan to immediately start this connection on startup. The auto option can have the following values:
Start-up option |
Description |
|
|
auto=start |
Load, route, and initiate the connection |
auto=add |
Load the connection and respond to an incoming request |
auto=ignore (default) |
Ignore this connection completely |
auto=manual |
This connection will be keyed manually (not recommended) |
auto=route |
Load and route the connection (used for special routing cases) |
|
|
The first two are the most common. auto=start is used for static IPsec tunnels, whereas auto=add is used mostly when the connection defined cannot initiate, but only respond. This is for instance the case with roadwarriors, where the server end does not know where or when the roadwarrior will appear, because it is a roaming user that pops in at various dynamic ISP-dependent IP addresses assigned through DHCP.
83
Configuring IPsec
The rsasigkey Options
The last remaining question in our example is that of where the RSA key entries come from. These entries correspond to the public RSA keys of the RSA key-pairs that were generated when we first started Openswan. It is unique for every host.
Both these private and public RSA keys are stored in ipsec.secrets; you could cut and paste the public key from there, but it is usually easier to use the following command, which will do the formatting for you. For example, to create a leftrsasig= statement on West, we simply run the following command on West:
#ipsec showhostkey --left
#RSA 2192 bits west.testbed.xelerance.net Sun Jan 5 16:21:41 2005
leftrsasigkey=0sAQPEAl+N52EIRrIAA5cxl8UanVSr2mCVPWmzgLK62G1jeKrZ6OxM9kdY1jm
9Fv/7HOmLWzYJZSYdPnh9DIHY15ipfZkXDapewaFvSH0yX3V7GUrVF9N8dZSAkPg/nOc+A
VjJfWHHxT4/e4AA6syOYFGQCyRt4BXZ5xY0U/10QRL/Ra2xtF4aV1GdNCfcFT4/VeUbrfMB0e
RI++hTUx4MriX2zO5VwRxRSoMpMcSqv7QbICiKw+gRu/63HroR0n1Wmp8VQzWd3SMpUCw
QhoBSkeP5Ib8jXg+sNrb7LDC7fSNHbAzgg8vGSwcotBisUiES/8JXkI9PQAPrRaxrY2fP8sWky0 tsySlJytweSWLdfjPwcoOZ
The first # line is a comment, which you can also keep in your connection definition if you like. Be careful when copying and pasting such a line from one window to another. It is one big line and some desktop environments, or email programs, may automatically wrap this line for you.
You must not break up the line!
Note that in the rest of this chapter, to save space and improve clarity, we won't show these long rsasigkey= lines in full, and they will instead appear thus:
leftrsasigkey=0sAQPEAl+N52EIRrIAA5cxl8UanV.....
When you see such a line, be aware that you should put in your key, which might be several lines long.
Bringing Up the IPsec Tunnels
Once we have copied our ipsec.conf file from West to East, and restarted Openswan on both ends, we will see something in the logs that looks like this:
Sep 15 20:05:05 west pluto[20362]: "west-east" #365: initiating Main Mode Sep 15 20:05:05 west pluto[20362]: "west-east" #365: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 15 20:05:05 west pluto[20362]: "west-east" #365: I did not send a certificate because I do not have one.
Sep 15 20:05:06 west pluto[20362]: "west-east" #365: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 15 20:05:06 west pluto[20362]: "west-east" #365: Peer ID is ID_IPV4_ADDR: '205.150.200.209'
Sep 15 20:05:06 west pluto[20362]: "west-east" #365: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 15 20:05:06 west pluto[20362]: "west-east" #365: ISAKMP SA established Sep 15 20:05:06 west pluto[20362]: "west-east" #366: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#365}
Sep 15 20:05:06 west pluto[20362]: "west-east" #366: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 15 20:05:06 west pluto[20362]: "west-east" #366: sent QI2, IPsec SA established {ESP=>0xe5f72aaa <0xc51033f4}
84
Chapter 4
In the last line, you'll note the message IPsec SA established, meaning we've successfully set up an IPsec VPN tunnel between West and East. The ESP in curly braces tells us that we are using Encapsulated Secure Payload, which means tunnel mode with full encryption, commonly called VPN.
The log file locations differ from distribution to distribution. Red Hat and Fedora Core log this information in /var/log/secure, while Debian logs it in /var/log/auth.log. If in doubt, check /etc/syslog.conf and look where the authpriv.* priority is logged to.
Listing IPsec Connections
The eroutes are the kernel's internal encrypted routes and reflect the internal SPD policies. It is easy to think of eroutes as encryption routes—all active IPsec connections correspond with one eroute entry. Since the eroutes are displayed as one line per IPsec connection, they provide a condensed and clear view of the IPsec connections for a machine.
# ipsec eroute
5 193.110.157.131/32 -> 205.150.200.209/32 => tun0x109a@205.150.200.209
The eroute output tells us that five packets have been sent or received over the IPsec tunnel between our local machine (West, 193.110.157.131) and the remote endpoint (East, 205.150.200.209), and that the tunnel policy says that only packets between 193.110.157.131 and 205.150.200.209 are allowed to be sent through this tunnel.
If you need more details on the connections, use the following command:
# ipsec auto --status
This will produce an enormous amount of output, but it will contain all the details you might want to know. When using NETKEY, you can also use setkey -D and setkey -P -D directly, which also give a few screens of information.
Testing the IPsec Tunnel
To actually confirm your VPN connection works, you can run a traceroute. Running one on West to East will show us:
# traceroute 205.150.200.209
traceroute to east.testbed.xelerance.net (205.150.200.209) from 193.110.157.131, 30 hops max, 38 byte packets
1 east.testbed.xelerance.net (205.150.200.209) 136.378 ms 137.755 ms 136.478 ms
West is in Canada, and East is in Amsterdam, but instead of the many hops across the Atlantic such a packet would travel without IPsec, we now see it travels only one hop, since the packet is traveling through the tunnel. Note that the hop takes about 136ms, which is roughly the time it takes to cross the Atlantic.
You can run tcpdump to check that traffic actually got encrypted. First, let us show an example using KLIPS, which is the easiest to read because it separates traffic on the physical and virtual interfaces:
# tcpdump -n -i eth0
20:20:50.322743 193.110.157.131 > 205.150.200.209: ESP(spi=0xe5f72aaa,seq=0x19) 20:20:50.370512 205.150.200.209 > 193.110.157.131: ESP(spi=0xc51033f4,seq=0x19)
85