Sunday, February 26, 2012

Linux IPSec VPN SETUP


Linux IPSec VPN SETUP(CentOS)

Once I was required to deploy a VoIP infrastructure where we were required to have a VPN connectivity between its two offices located at London and Berlin. One of the office had CISCO PIX and the other office had nothing but our VoIP server for VPN. So, I had to setup an IPsec tunnel between Linux and CISCO. Here is a how-to for public reading and for future references.


UPDATE: A new scenario for Amazon based Linux VPN Server is published on this link.

NETWORK DESIGN

VPN network overview

IPsec SETUP ON CENTOS
On our CentOS server we require to install openswan application. This application will do the job.

Install OpenSWAN:
[root@localhost ~]#yum upgrade
[root@localhost ~]#yum install openswan ipsec-tool
Use this command to start Openswan at boot time
[root@localhost ~]#chkconfig ipsec on

At this point if all commands are successfully executed we've openswan installed. Now we need to configure it accordingly.

Disable ICMP send/accept redirects
Note: Look at *, this is your NIC name i.e eth0 or eth1 on which we are going to terminate the VPN.

Disable /proc/sys/net/ipv4/conf/*/send_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/send_redirects"

Disable /proc/sys/net/ipv4/conf/*/accept_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/accept_redirects"

Enable IP Forwarding
[root@localhost ~]#nano /etc/sysctl.conf
Set:
net/ipv4/ip_forward = 1
[root@localhost ~]#sysctl -p

Verify ipsec/openswan

Check if IPSec package is happy with your settings. Mine are copied after VPN was established.

[root@localhost ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost.localdomain  [MISSING]
Does the machine have at least one non-private address?     [FAILED]
Ignore Opportunistic Encryption DNS Checks Failures


IPsec CONFIGURATIONS

Now we need to configure our linux-vpn, for this we need to edit the ipsec.conf file.

[root@localhost ~]#nano /etc/ipsec.conf

Insert the following lines in that file accordingly.

config setup
        interfaces=%defaultroute
        klipsdebug=all                 #enable debugging
        plutodebug=all
        protostack=netkey

conn BER-LON-VoIP
        type=tunnel          #tunnel mode ipsec
        left= 213.YX.XY.213     #the IP address of your OpenSWAN endpoint
        leftnexthop=%defaultroute      #default gateway
        leftsubnet=10.100.100.0/24     # network behind your endpoint
        right=  123.XX.YY.123            # Your IP, or %any for a road-warrior setup
        rightnexthop=%defaultroute     #defaultroute for road warrior unknown
        rightsubnet=192.168.150.0/24   #network behind the CISCO
        auth=esp
        esp=3des-sha1           #esp: 3des, hmac: sha1
        keyexchange=ike         #use regular ike
        authby=secret           #pre-shared secret, you can also use rsa nounces
        pfs=no                  #use perfect forward secrecy
        auto=start     #don't initiate tunnel, but allow incoming


CONFIGURE  Pre Shared Key

Syntax of ipsec.secrets
<IP of VPN Server{left}> <IP of CISCO Router{right}> : PSK  "<PreShared Key>"

[root@localhost ~]#nano /etc/ipsec.secrets
213.YX.XY.213 123.XX.YY.123 : PSK "$#@$@%$$FDSF#$@#$@#"


Enabling MASQUERADE NAT on VPN Server(Optional)
This will take all the traffic from interface eth1 and send the traffic out from interface eth2. We required this so that all the traffic that is required to go through VPN uses this server as its gateway.

[root@localhost ~]#iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost ~]#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE


USEFUL IPsec COMMANDS
Check Status of Tunnels :
[root@localhost ~]# ipsec auto –-status

This will show the status of all VPN connections defined in ipsec.conf as well as show the connected/up VPNs.See the end lines corresponding to BER-LON-VoIP


000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute
owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213
esp.140f56a9@10.100.100.6 tun.0@ 213.YX.XY.213 tun.0@10.100.100.6
ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate

NOTE: There are no state lines for the disconnected tunnels.

Start-up a tunnel:
[root@localhost ~]# ipsec auto –up <Connection Name>
This command will start an Ipsec tunnel defined by the name in ipsec.conf
[root@localhost ~]#  ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}
last line (STATE QI2) is important for successful VPN establishment.


Shut-down a specific tunnel:
Similarly to disconnect a tunnel use the following.
[root@localhost ~]# ipsec auto –down <Connection Name>


Restart a specific tunnel
[root@localhost ~]# ipsec auto --down BER-LON-VoIP
[root@localhost ~]# ipsec auto --up BER-LON-VoIP

117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 " BER-LON -VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 " BER-LON -VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}


Restart All Tunnels:
[root@localhost ~]# service ipsec restart




CISCO IPsec VPN SETUP

These commands were issued on the CISCO equipment to setup a tunnel.

#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 6 $#@$@%$$FDSF#$@#$@# address  213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-md5-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN- LON-BER -set
#match address VPN- LON-BER -set



REFERENCES
http://linux.die.net/man/8/ipsec_spi
http://www.daemon.be/maarten/openswanpix.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://www.diverdown.cc/vpn/freeswanciscorouter.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://howtoforums.net/viewtopic.php?t=92
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs