Gregory Hildstrom




Openswan


Creating a host-to-host encrypted IPSec tunnel


I found the online documentation and the man pages to be of little help when I first set out to do this. I could not seem to find this example anywhere, so hopefully this will help someone. My systems were running Red Hat Enterprise Linux 5 (RHEL5), Openswan 2.4.9, and the stock kernel.

Below is my /etc/ipsec.conf file. I added one line to the config setup section, interfaces=...; this line associates an IPSec virtual network interface (ipsec0) with a real network interface (eth0). I added a connection called testconnection. This file is nearly identical on each machine. Left specifies the local IP address and right specifies the remote IP address. Authby=secret specifies that authentication uses a shared secret key, not PKI certificates, raw public keys, or any other method. Auto=add specifies that this connection must be started manually and that it will not start automatically when the ipsec service starts. Ike and esp are set to aes so that both the IKE key exchange and the ESP data path use AES (Rijndael) encryption, which is much faster than 3DES and still secure. The IP addresses are reversed on each host.
##########################################################
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg: plutodebug="control parsing"
	#
	# ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	#
	# enable this if you see "failed to find any available worker"
	nhelpers=0
	interfaces="ipsec0=eth0"

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn testconnection
	left=192.168.2.151
	right=192.168.2.2
	authby=secret
	auto=add
	ike=aes
	esp=aes
##########################################################

The /etc/ipsec.secrets file specifies the encryption keys and other security information. Mine is just a single line set up for a pre-shared-key (PSK) or secret key. The IP addresses must be switched on each host. Obviously, you should change the text "secretkey" to your own strong shared secret key.
192.168.2.151 192.168.2.2 : PSK "secretkey"

The ipsec service must be started on each host using the command: service ipsec start or /etc/init.d/ipsec start. The connection can be activated from either side using the command: ipsec auto --up testconnection.

You should definitely make sure the session is actually encrypted before doing anything sensitive. Start with the connection disabled: ipsec auto --down testconnection. On one host, open two terminal windows. Run tcpdump in one of them. Ping the remote host in the other. The packets should be labeled as ICMP packets. Bring the ipsec connection back up: ipsec auto --up testconnection. Restart tcpdump. Ping the remote host again. The packets should be labeled as ESP packets this time, which means the traffic is encrypted.
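The same ESP-versus-cleartext comparison can be automated over tcpdump's text output. The script below is an added example written for this page, not code from the original tutorial or from Openswan; it assumes the left/right addresses from the ipsec.conf above, a capture taken on the physical interface (for example tcpdump -n -i eth0 host 192.168.2.2), and uses constructed sample capture lines in place of a real capture.

```python
import re
# Peer addresses from the page's ipsec.conf (left/right).
LEFT, RIGHT = "192.168.2.151", "192.168.2.2"
# "host[.port] > host[.port]: rest" prefix of a tcpdump line; without -n the
# port is a service name such as ".isakmp", so accept words as well as digits.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>[\w-]+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>[\w-]+))?: (?P<rest>.*)$")
IKE_PORTS = {"500", "4500", "isakmp", "ipsec-nat-t"}  # key exchange is expected in the clear

def classify(line):
    """Return (src, dst, kind) for a tcpdump IP line, or None for non-IP lines such as ARP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m.group("rest").startswith("ESP("):
        kind = "esp"
    elif m.group("dport") in IKE_PORTS:
        kind = "ike"
    else:
        kind = "clear"
    return m.group("src"), m.group("dst"), kind

def peer_packets(lines, left=LEFT, right=RIGHT):
    """Yield (line, kind) for every packet exchanged directly between the two peers."""
    for line in lines:
        parsed = classify(line)
        if parsed and {parsed[0], parsed[1]} == {left, right}:
            yield line, parsed[2]

def find_leaks(lines, left=LEFT, right=RIGHT):
    """Lines carrying unencrypted (non-ESP, non-IKE) traffic between the two peers."""
    return [line for line, kind in peer_packets(lines, left, right) if kind == "clear"]

def tunnel_verified(lines, left=LEFT, right=RIGHT):
    """True only if ESP was seen between the peers and nothing else went in the clear."""
    kinds = [kind for _, kind in peer_packets(lines, left, right)]
    return "esp" in kinds and "clear" not in kinds

# Constructed sample captures (not real traffic) for the two checks the page describes.
TUNNEL_DOWN = [  # ping with the connection down: ICMP is visible in the clear
    "12:00:01.000100 IP 192.168.2.151 > 192.168.2.2: ICMP echo request, id 4321, seq 1, length 64",
    "12:00:01.000300 IP 192.168.2.2 > 192.168.2.151: ICMP echo reply, id 4321, seq 1, length 64"]
TUNNEL_UP = [  # after ipsec auto --up: IKE in the clear, then only ESP between the peers
    "12:00:10.000100 IP 192.168.2.151.500 > 192.168.2.2.500: isakmp: phase 1 I ident",
    "12:00:10.000400 IP 192.168.2.2.500 > 192.168.2.151.500: isakmp: phase 1 R ident",
    "12:00:11.000100 IP 192.168.2.151 > 192.168.2.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 116",
    "12:00:11.000300 IP 192.168.2.2 > 192.168.2.151: ESP(spi=0x4e5f6071,seq=0x1), length 116",
    "12:00:12.000000 IP 192.168.2.151.34567 > 192.168.2.9.80: Flags [S], seq 1, win 5840, length 0"]
```

Traffic to a third host (the last TUNNEL_UP line) is ignored because the page's connection only covers the two peers; any clear line that find_leaks returns for the peer pair means that traffic bypassed the tunnel.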

All types of packets on all ports will be encrypted between the two hosts when the connection is active.