This document discusses configuring a network-to-network IPsec VPN connection between two remote networks. It involves setting up IPsec routers on each network that will transparently encrypt and route traffic between the networks. Key steps include configuring the externally accessible IP addresses and interfaces of each router, the internal network ranges, and a pre-shared authentication key. Proper configuration of files such as ifcfg, racoon.conf, and keys-ipsecX are also required on both routers to establish the encrypted VPN tunnel.
CentOS Enterprise Linux Security Guide - IPsec Network-to-Network c... http://www.linuxtopia.org/online_books/centos_linux_guides/centos_li...

NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes, CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.

Red Hat Enterprise Linux 4: Security Guide
Chapter 6. Virtual Private Networks

6.5. IPsec Network-to-Network configuration

IPsec can also be configured to connect an entire network (such as a LAN or WAN) to a remote network by way of a network-to-network connection. A network-to-network connection requires the setup of IPsec routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN. Figure 6-1 shows a network-to-network IPsec tunneled connection.
Figure 6-1. A Network-to-network IPsec tunneled connection

This diagram shows two separate LANs separated by the Internet. These LANs use IPsec routers to authenticate and initiate a connection using a secure tunnel through the Internet. Packets that are intercepted in transit would require brute-force decryption in order to crack the cipher protecting the packets between these LANs. The process of communicating from one node on the 192.168.1.0/24 IP range to another on 192.168.2.0/24 is completely transparent to the nodes, as the processing, encryption/decryption, and routing of the IPsec packets are completely handled by the IPsec router.

The information needed for a network-to-network connection includes:

The externally-accessible IP addresses of the dedicated IPsec routers

The network address ranges of the LAN/WAN served by the IPsec routers (such as 192.168.0.0/24 or 10.0.1.0/24)

The IP addresses of the gateway devices that route the data from the network nodes to the Internet

A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0)

A fixed encryption key or one automatically generated by racoon

A pre-shared authentication key that initiates the connection and exchanges encryption keys during the session

For example, suppose LAN A (lana.example.com) and LAN B (lanb.example.com) want to connect to each other through an IPsec tunnel. The network address for LAN A is in the 192.168.1.0/24 range, while LAN B uses the 192.168.2.0/24 range. The gateway IP address is 192.168.1.254 for LAN A and 192.168.2.254 for LAN B. The IPsec routers are separate from each LAN gateway and use two network devices: eth0 is assigned to an externally-accessible static IP address which accesses the Internet, while eth1 acts as a routing point to process and transmit LAN packets from one network node to the remote network nodes.

The IPsec connection between each network uses a pre-shared key with the value of r3dh4tl1nux, and the administrators of A and B agree to let racoon automatically generate and share an authentication key between each IPsec router. The administrator of LAN A decides to name the IPsec connection ipsec0, while the administrator of LAN B names the IPsec connection ipsec1.

The following example shows the contents of the ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec1, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec1.

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.1.254
DSTGW=192.168.2.254
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X

The connection is set to initiate upon boot-up (ONBOOT=yes) and uses the pre-shared key method of authentication (IKE_METHOD=PSK). The administrator for LAN A enters the destination gateway, which is the gateway for LAN B (DSTGW=192.168.2.254), as well as the source gateway, which is the gateway IP address for LAN A (SRCGW=192.168.1.254). The administrator then enters the destination network, which is the network range for LAN B (DSTNET=192.168.2.0/24), as well as the source network (SRCNET=192.168.1.0/24). Finally, the administrator enters the destination IP address, which is the externally-accessible IP address for LAN B (X.X.X.X).

The following example is the content of the pre-shared key file called /etc/sysconfig/network-scripts/keys-ipsecX (where X is 0 for LAN A and 1 for LAN B) that both networks use to authenticate each other. The contents of this file should be identical and only the root user should be able to read or write this file.

IKE_PSK=r3dh4tl1nux

2 of 3 12/1/2008 11:32 PM

Important

To change the keys-ipsecX file so that only the root user can read or edit the file, perform the following command after creating the file:

chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1

To change the authentication key at any time, edit the keys-ipsecX file on both IPsec routers. Both keys must be identical for proper
connectivity.
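The ifcfg and keys steps above can be scripted and checked rather than done by hand. The following shell helper is an added example, not code from the guide or from the Red Hat/CentOS initscripts: it writes ifcfg-NAME and keys-NAME for one router using the fields the guide lists, creates the key file with mode 0600 from the first write, verifies both files, and compares the IKE_PSK line of two key files so the copies from both routers can be checked side by side. The SYSCONFIG_DIR variable, the function names and the scratch-directory dry-run are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the guide: write and verify the per-router files the
# guide describes (ifcfg-NAME and keys-NAME). SYSCONFIG_DIR defaults to the real
# location; export it as a scratch directory to dry-run without touching /etc.
SYSCONFIG_DIR="${SYSCONFIG_DIR:-/etc/sysconfig/network-scripts}"

# write_ipsec_ifcfg NAME SRCGW DSTGW SRCNET DSTNET DST
# Writes ifcfg-NAME with the same keys as the guide's LAN A example.
write_ipsec_ifcfg() {
    name="$1"; srcgw="$2"; dstgw="$3"; srcnet="$4"; dstnet="$5"; dst="$6"
    cat > "$SYSCONFIG_DIR/ifcfg-$name" <<EOF
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=$srcgw
DSTGW=$dstgw
SRCNET=$srcnet
DSTNET=$dstnet
DST=$dst
EOF
}

# write_ipsec_psk NAME PSK
# Creates keys-NAME under umask 077 so the secret is 0600 from the first write,
# then applies the guide's chmod 600 in case the file already existed.
write_ipsec_psk() {
    name="$1"; psk="$2"
    ( umask 077; printf 'IKE_PSK=%s\n' "$psk" > "$SYSCONFIG_DIR/keys-$name" )
    chmod 600 "$SYSCONFIG_DIR/keys-$name"
}

# check_ipsec_ifcfg NAME
# Succeeds only when ifcfg-NAME exists and carries every field the guide lists.
check_ipsec_ifcfg() {
    f="$SYSCONFIG_DIR/ifcfg-$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    for key in TYPE ONBOOT IKE_METHOD SRCGW DSTGW SRCNET DSTNET DST; do
        grep -q "^$key=." "$f" || { echo "$f: missing or empty $key" >&2; return 1; }
    done
    grep -q '^TYPE=IPSEC$' "$f" || { echo "$f: TYPE is not IPSEC" >&2; return 1; }
}

# check_ipsec_psk_perms NAME
# Succeeds only when keys-NAME exists with mode 0600 (GNU stat, BSD stat fallback).
check_ipsec_psk_perms() {
    f="$SYSCONFIG_DIR/keys-$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
}

# psk_files_match FILE_A FILE_B
# True when both key files carry the same, non-empty IKE_PSK line; use it on the
# copies from both routers before bringing the tunnel up.
psk_files_match() {
    a=$(grep '^IKE_PSK=' "$1" || true)
    b=$(grep '^IKE_PSK=' "$2" || true)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Running it with SYSCONFIG_DIR pointed at a temporary directory lets you review the generated files before copying them into /etc/sysconfig/network-scripts on the router; the umask in write_ipsec_psk matters because a chmod applied after the fact leaves a window in which the key was world-readable.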

The following example is the contents of the /etc/racoon/racoon.conf configuration file for the IPsec connection. Note that the include statement at the bottom of the file is automatically generated and only appears if the IPsec tunnel is running.

# Racoon IKE daemon configuration file.

# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf";

The following is the specific configuration for the connection to the remote network. The file is named X.X.X.X.conf (replace X.X.X.X with the IP address of the remote IPsec router). Note that this file is automatically generated once the IPsec tunnel is activated and should not be edited directly.

;
remote X.X.X.X
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}

Prior to starting the IPsec connection, IP forwarding should be enabled in the kernel. As root at a shell prompt, enable IP forwarding:

1. Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.

2. Execute the following command to enable the change:

sysctl -p /etc/sysctl.conf

To start the IPsec connection, either reboot the IPsec routers or execute the following command as root on each router:

/sbin/ifup ipsec0

The connections are activated, and both LAN A and B are able to communicate with each other. The routes are created automatically via the initialization script called by running ifup on the IPsec connection. To show a list of routes for the network, run the following command:

/sbin/ip route list

To test the IPsec connection, run the tcpdump utility on the externally-routable device (eth0 in this example) to view the network packets transferred between the hosts (or networks) and verify that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, type the following:

tcpdump -n -i eth0 host lana.example.com

The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example (back slashes denote continuation of one line):

12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \
lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \
(ipip-proto-4)
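The tcpdump check above can be turned into a small detection script instead of reading the capture by eye. The following is an added example, not part of the guide: it reads tcpdump output on stdin and flags any packet between the two IPsec routers that is carried neither inside AH/ESP nor in IKE (isakmp, which racoon exchanges in the clear while negotiating the security association). The function names and the sample capture, which combines the guide's own AH/ESP record with a constructed IKE line and a constructed cleartext ICMP echo, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the guide: classify tcpdump output from the external
# interface (eth0) and flag any packet between the two IPsec routers that is
# not AH/ESP and not IKE. A "plaintext" hit means that flow is leaving the
# router unprotected, for instance because the tunnel is not (yet) up.
#
# Usage on a router (with -n, pass addresses instead of names; the check only
# requires both endpoints to appear on the line):
#   tcpdump -n -i eth0 host lana.example.com | check_tunnel_traffic lana.example.com lanb.example.com

# check_tunnel_traffic HOST_A HOST_B   -- reads tcpdump lines on stdin.
# Prints "plaintext: <line>" for each unprotected packet and a one-line summary
# on stderr. Exit status: 0 when every inter-router packet was AH/ESP or IKE,
# 1 otherwise.
check_tunnel_traffic() {
    awk -v a="$1" -v b="$2" '
        # Only lines mentioning both routers matter. Continuation lines of a
        # multi-line AH/ESP record start with whitespace but still carry both
        # names, so they are classified as well.
        index($0, a) && index($0, b) {
            if ($0 ~ /AH\(spi=/ || $0 ~ /ESP\(spi=/) { secured++; next }
            if ($0 ~ /isakmp/)                        { ike++;     next }
            print "plaintext: " $0
            bad++
        }
        END {
            printf "ipsec=%d ike=%d plaintext=%d\n", secured, ike, bad > "/dev/stderr"
            exit (bad > 0)
        }'
}

# sample_capture -- constructed tcpdump lines for offline testing: one IKE
# exchange, the AH/ESP record shown in the guide, and one ICMP echo in the clear.
sample_capture() {
    cat <<'EOF'
12:24:25.900000 lanb.example.com.isakmp > lana.example.com.isakmp: isakmp: phase 1 I agg
12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \
    lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) (ipip-proto-4)
12:24:30.000000 lanb.example.com > lana.example.com: icmp: echo request
EOF
}
```

On the sample capture the script reports ipsec=2 ike=1 plaintext=1 and exits non-zero because of the cleartext echo request; on a healthy tunnel only IKE and AH/ESP lines appear between the router addresses and the exit status is 0, which makes the function usable as a periodic health check.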

Published under the terms of the GNU General Public License Design by Int
