Configuring Linux VPNs using OpenSwan

The intent of this article is to walk through the installation, configuration, and general debugging of OpenSwan based IPSec Tunnels.

Linux and Open Swan Versions used:
Linux Version: Linux TC3 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
Open Swan Version: openswan.x86_64 0:2.6.32-3.el5

Installation & Initial Configuration:
1. Install the packages with yum:

yum install openswan nss-tools

2. The ipsec.conf file:
There are two main sections to the ipsec configuration file: the configuration setup section and the connection section.

Configuration Setup:
The configuration setup section begins with the config setup keyword; the parameters that follow it are indented beneath it. The section would look like

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0

The 'virtual_private' option declares which subnets should be allowed through the tunnel and which should be excluded. Typically, you'll wish to exclude any networks that overlap with your private LAN. If either end of the tunnel is behind NAT, it may be necessary to add the nat_traversal workaround to the config setup section.

Connection Setup:


The connection configuration section begins with the declaration of the ‘conn’ keyword followed by an arbitrary connection label.

Important info about the /etc/ipsec.conf file:
BE SURE TO MAINTAIN THE INDENTATION BEFORE EACH PARAMETER. THE CORRECT ARRANGEMENT IS:

conn net-to-net
    left=x.x.x.x
    leftsubnet=y.y.y.y/24

Do not use

conn net-to-net
left=x.x.x.x
leftsubnet=y.y.y.y/24

An example configuration might look like:

conn net-to-net
    authby=secret                # Key exchange method
    left=10.2.50.31              # Public Internet IP address of the LEFT VPN device.
    leftsubnet=10.2.40.0/24      # Subnet protected by the LEFT VPN device
    leftnexthop=10.2.50.23       # correct in many situations
    right=10.2.50.23             # Public Internet IP address of the RIGHT VPN device.
    rightsubnet=10.2.60.0/24     # Subnet protected by the RIGHT VPN device
    rightnexthop=10.2.50.31      # correct in many situations
    ike=aes128-sha1;modp1024
    ikelifetime=86400s
    salifetime=3600s
    #phase2=esp
    #phase2alg=aes128-sha1;modp1024
    esp=aes128-sha1
    aggrmode=yes
    pfs=no
    auto=start                   # authorizes and starts this connection on booting


Note: If your VPN subsection in the /etc/ipsec.conf file contains the line auto=add, then IPsec only authorizes the connection at startup but does not establish it. You'll have to use the ipsec auto --up command to start it manually. Change this to auto=start for Openswan to start the VPN automatically when IPsec restarts or when the system reboots.

As the authentication type is secret (authby=secret), we need to specify the pre-shared key in ipsec.secrets:

[root@TC3 ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.2.50.23 10.2.50.31 : PSK "linux@123"

This completes the OpenSwan configuration.
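As an added check on the two files just written (example code, not from the article or the Openswan project), the following script parses an ipsec.conf in the layout shown above together with an ipsec.secrets file: it reports parameters that are not indented under their section, flags auto=add (the tunnel would not come up on its own), confirms that a PSK line exists for the left/right address pair, and notes aggressive mode combined with a pre-shared key. The sample inputs are constructed copies of the article's configuration; the parser assumes only the simple layout used here (section headers at column 0, one key=value per indented line, two addresses per PSK line) and does not follow include lines.

```python
"""Sanity-check an Openswan ipsec.conf conn section and its ipsec.secrets entry.

Added example, not code from the original article or the Openswan project.
It parses only the layout the article shows ('config setup' and 'conn <name>'
headers at column 0, parameters indented beneath them, '#' comments) and a
two-address PSK line. Sample inputs are constructed.
"""
import re

# Constructed sample ipsec.conf using the article's addresses, with
# auto=add left in so the checker has something to report.
SAMPLE_IPSEC_CONF = """\
# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    oe=off
    nhelpers=0

conn net-to-net
    authby=secret        # Key exchange method
    left=10.2.50.31
    leftsubnet=10.2.40.0/24
    right=10.2.50.23
    rightsubnet=10.2.60.0/24
    ike=aes128-sha1;modp1024
    esp=aes128-sha1
    aggrmode=yes
    pfs=no
    auto=add
"""

# Constructed sample ipsec.secrets in the article's format.
SAMPLE_SECRETS = """\
include /etc/ipsec.d/*.secrets
10.2.50.23 10.2.50.31 : PSK "linux@123"
"""

PSK_LINE = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')


def parse_ipsec_conf(text):
    """Return ({'setup': {...}, 'conns': {name: {...}}}, problems)."""
    sections = {"setup": {}, "conns": {}}
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        stripped = line.strip()
        if line[0] not in " \t":               # column 0: must be a section header
            if stripped == "config setup":
                current = sections["setup"]
            elif stripped.startswith("conn "):
                current = sections["conns"].setdefault(stripped.split(None, 1)[1], {})
            elif stripped.startswith("include "):
                continue                       # included files are not followed here
            elif "=" in stripped:
                # The article's warning: parameters must be indented under their section.
                problems.append(f"line {lineno}: parameter '{stripped}' is not indented under a section")
            else:
                problems.append(f"line {lineno}: unrecognised line '{stripped}'")
            continue
        if current is None or "=" not in stripped:
            problems.append(f"line {lineno}: '{stripped}' is not a key=value inside a section")
            continue
        key, _, value = stripped.partition("=")
        current[key.strip()] = value.strip()
    return sections, problems


def psk_entry_exists(secrets_text, left, right):
    """True when a PSK line names both peer addresses, in either order."""
    for raw in secrets_text.splitlines():
        m = PSK_LINE.match(raw)
        if m and {m.group(1), m.group(2)} == {left, right}:
            return True
    return False


def check_conn(name, conn, secrets_text):
    """Findings for one conn: missing essentials, auto=add, PSK lookup, aggressive mode."""
    findings = []
    for required in ("left", "right", "authby"):
        if required not in conn:
            findings.append(f"{name}: missing {required}=")
    if conn.get("auto") == "add":
        findings.append(f"{name}: auto=add only authorizes the tunnel; "
                        f"use auto=start or run 'ipsec auto --up {name}'")
    if conn.get("authby") == "secret":
        if "left" in conn and "right" in conn and \
                not psk_entry_exists(secrets_text, conn["left"], conn["right"]):
            findings.append(f"{name}: no PSK line for {conn['left']} and {conn['right']} in ipsec.secrets")
        if conn.get("aggrmode") == "yes":
            findings.append(f"{name}: aggrmode=yes with a pre-shared key; "
                            f"prefer main mode (aggrmode=no) if the peer allows it")
    return findings


def audit(conf_text, secrets_text):
    """Parse both files and return (sections, all findings)."""
    sections, problems = parse_ipsec_conf(conf_text)
    for name, conn in sections["conns"].items():
        problems.extend(check_conn(name, conn, secrets_text))
    return sections, problems


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPSEC_CONF, SAMPLE_SECRETS)[1]:
        print(finding)
```

Run against the real files by reading /etc/ipsec.conf and /etc/ipsec.secrets into audit(); the secrets file is root-only, so the check has to run as root and should not copy its contents anywhere.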

Initialize the new tunnel:
To initialize the new tunnel, use the ipsec command to bring up the connection net-to-net:

[root@TC3 ~]# sudo ipsec auto --up net-to-net
000 initiating all conns with alias= net-to-net
003 " net-to-net/0x1": pluto_do_crypto: helper (-1) is exiting
117 " net-to-net/0x1" #23: STATE_QUICK_I1: initiate
004 " net-to-net/0x1" #23: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x01382128 <0x0ea00a58 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

The "IPsec SA established" message signifies that the IPsec tunnel to the Checkpoint peer is UP.

You can also verify the security associations with setkey -D:

[root@TC3 ~]# setkey -D
10.2.50.31 10.2.50.23
esp mode=tunnel spi=95165114(0x05ac1aba) reqid=16385(0x00004001)
E: aes-cbc 7e9669e8 377bc3e5 ebaac089 cbee9a5c
A: hmac-sha1 f9ff112a 35b44ed5 29244bdc 243e23c9 28ed3547
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Sep 25 12:03:57 2012 current: Sep 25 12:06:59 2012
diff: 182(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=5890 refcnt=0
10.2.50.23 10.2.50.31
esp mode=tunnel spi=858388882(0x3329f992) reqid=16385(0x00004001)
E: aes-cbc 7d9407e2 2d13dfc5 e63a49f5 5ebcd9d2
A: hmac-sha1 c3ed653d a87b3610 247fbd83 1ad884fd 97ff921d
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Sep 25 12:03:57 2012 current: Sep 25 12:06:59 2012
diff: 182(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=5890 refcnt=0
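To turn the dump above into a pass/fail check (added example, not code from the article or the ipsec-tools project), the following script parses setkey -D output into one record per SA and confirms that a mature tunnel-mode ESP SA exists in both directions with a common reqid. The sample dump is a constructed copy of the article's output; real setkey output indents continuation lines with tabs, and the parser accepts any leading whitespace. The E: and A: lines carry live session keys, so the parser keeps only the algorithm names.

```python
"""Parse 'setkey -D' output and confirm a mature ESP SA in each direction.

Added example, not code from the original article or the ipsec-tools
project. The sample dump below is a constructed copy of the article's
output. Key bytes are deliberately not retained: 'setkey -D' prints live
session keys, so anything that stores or forwards this output is handling
secret material.
"""
import re

# Constructed copy of the article's dump (tabs replaced by spaces).
SAMPLE_SETKEY_D = """\
10.2.50.31 10.2.50.23
    esp mode=tunnel spi=95165114(0x05ac1aba) reqid=16385(0x00004001)
    E: aes-cbc 7e9669e8 377bc3e5 ebaac089 cbee9a5c
    A: hmac-sha1 f9ff112a 35b44ed5 29244bdc 243e23c9 28ed3547
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Sep 25 12:03:57 2012 current: Sep 25 12:06:59 2012
    diff: 182(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=5890 refcnt=0
10.2.50.23 10.2.50.31
    esp mode=tunnel spi=858388882(0x3329f992) reqid=16385(0x00004001)
    E: aes-cbc 7d9407e2 2d13dfc5 e63a49f5 5ebcd9d2
    A: hmac-sha1 c3ed653d a87b3610 247fbd83 1ad884fd 97ff921d
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Sep 25 12:03:57 2012 current: Sep 25 12:06:59 2012
    sadb_seq=0 pid=5890 refcnt=0
"""

HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")            # "src dst" at column 0
SA_LINE = re.compile(r"^(?P<proto>esp|ah)\s+mode=(?P<mode>\S+)\s+spi=\d+\((?P<spi>0x[0-9a-f]+)\)"
                     r"\s+reqid=\d+\((?P<reqid>0x[0-9a-f]+)\)")
ALG_LINE = re.compile(r"^(?P<kind>[EA]):\s+(?P<alg>\S+)")   # key hex follows; ignored
STATE = re.compile(r"\bstate=(?P<state>\S+)")


def parse_setkey_dump(text):
    """Return one dict per SA: src, dst, proto, mode, spi, reqid, enc, auth, state."""
    sas, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # new SA header
            m = HEADER.match(raw)
            cur = None
            if m:
                cur = {"src": m.group(1), "dst": m.group(2), "proto": None, "mode": None,
                       "spi": None, "reqid": None, "enc": None, "auth": None, "state": None}
                sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = SA_LINE.match(line)
        if m:
            cur.update(proto=m["proto"], mode=m["mode"], spi=m["spi"], reqid=m["reqid"])
            continue
        m = ALG_LINE.match(line)
        if m:
            cur["enc" if m["kind"] == "E" else "auth"] = m["alg"]   # algorithm name only
            continue
        m = STATE.search(line)
        if m:
            cur["state"] = m["state"]
    return sas


def tunnel_status(sas, left, right):
    """(ok, detail): ok when a mature tunnel-mode ESP SA exists in each direction with a shared reqid."""
    def esp_tunnel(src, dst):
        return [s for s in sas if s["src"] == src and s["dst"] == dst
                and s["proto"] == "esp" and s["mode"] == "tunnel"]
    outbound, inbound = esp_tunnel(left, right), esp_tunnel(right, left)
    if not outbound:
        return False, f"no ESP tunnel SA {left} -> {right}"
    if not inbound:
        return False, f"no ESP tunnel SA {right} -> {left}"
    stale = [str(s["spi"]) for s in outbound + inbound if s["state"] != "mature"]
    if stale:
        return False, f"SA(s) not mature: {', '.join(stale)}"
    if {s["reqid"] for s in outbound} != {s["reqid"] for s in inbound}:
        return False, "reqid differs between directions; the SAs may belong to different policies"
    sa = outbound[0]
    return True, f"mature ESP pair reqid={sa['reqid']} {sa['enc']}/{sa['auth']}"


if __name__ == "__main__":
    print(tunnel_status(parse_setkey_dump(SAMPLE_SETKEY_D), "10.2.50.31", "10.2.50.23"))
```

On a live host, feed the output of setkey -D to parse_setkey_dump() and pass the left and right addresses from the conn section; a single direction showing up, or an SA stuck in a state other than mature, is the usual sign that the peer rejected phase 2 or that one side's policy does not match.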

Note:
- You can see the logs under /var/log/secure.
- Remember to restart the ipsec service every time you change ipsec.conf so that the running process picks up the changes.

[root@TC3]# service ipsec start
[root@TC3]# service ipsec stop
[root@TC3]# service ipsec restart
