Archive for the tag 'IPsec'

SBDavid

IPsec Host-to-Host Configuration

For a host-to-host connection, you need the following information:

The IP address for both hosts.
A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0).
A fixed encryption key or one automatically generated by racoon.
A pre-shared authentication key that is used to initiate the connection and exchange encryption keys during the session.

For example, suppose Workstation A and Workstation B want to connect to each other through an IPsec tunnel. They want to connect using a pre-shared key with the value of ‘buddies’ and the users agree to let racoon automatically generate and share an authentication key between each host. Both host users decide to name their connections ipsec0.

The following is the ifcfg file for Workstation A for a host-to-host IPsec connection with Workstation B (the unique name to identify the connection in this example is ipsec0, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec0):

DST=X.X.X.X
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK

Workstation A would replace X.X.X.X with the IP address of Workstation B, while Workstation B replaces X.X.X.X with the IP address of Workstation A.

The connection is set to initiate upon boot-up (ONBOOT=yes) and uses the pre-shared key method of authentication (IKE_METHOD=PSK).

The following is the content of the pre-shared key file (called /etc/sysconfig/network-scripts/keys-ipsec0) that both workstations need to authenticate each other.

The contents of this file should be identical on both workstations and only the root user should be able to read or write this file.

IKE_PSK=buddies

For security, chmod the key file to 600 so that only root can read or write it:

chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0
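The two files above are easy to get subtly wrong (placeholder DST left in place, missing IKE_PSK, world-readable key file). The following audit script is an added example, not part of the original post; it assumes GNU stat (-c %a) and RHEL-style KEY=value sysconfig files, and takes the two file paths as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example (not from the original post): audit one host-to-host IPsec
# connection's ifcfg/keys pair for the problems the text calls out.
# Assumes GNU stat (-c %a) and RHEL-style sysconfig KEY=value files.

# Print the (last) value of KEY in a sysconfig file, with surrounding quotes
# stripped; prints nothing when the key is absent.
sysconfig_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# audit_ipsec_conn IFCFG_FILE KEYS_FILE
# Returns 0 when the pair is consistent and the key file is locked down,
# 1 otherwise; one finding per line on stdout.
audit_ipsec_conn() {
    ifcfg=$1 keys=$2 rc=0
    [ "$(sysconfig_get "$ifcfg" TYPE)" = "IPSEC" ] ||
        { echo "TYPE must be IPSEC"; rc=1; }
    # DST must be a concrete peer address, not the X.X.X.X placeholder.
    dst=$(sysconfig_get "$ifcfg" DST)
    printf '%s\n' "$dst" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "DST is not an IPv4 address: '$dst'"; rc=1; }
    if [ "$(sysconfig_get "$ifcfg" IKE_METHOD)" = "PSK" ]; then
        if [ ! -f "$keys" ]; then
            echo "IKE_METHOD=PSK but $keys is missing"; rc=1
        else
            [ -n "$(sysconfig_get "$keys" IKE_PSK)" ] ||
                { echo "IKE_PSK not set in $keys"; rc=1; }
            # The text requires that only root can read or write this file.
            mode=$(stat -c %a "$keys")
            [ "$mode" = "600" ] ||
                { echo "$keys mode is $mode, expected 600"; rc=1; }
        fi
    fi
    return $rc
}

# Stand-alone use: sh audit_ipsec.sh ifcfg-ipsec0 keys-ipsec0
if [ "$#" -eq 2 ]; then
    audit_ipsec_conn "$1" "$2"
fi
```

Run it on both workstations; the key file contents must also be identical on both, which the script does not compare since it sees only one host.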
SBDavid

IPsec VPN on Red Hat Linux

IPsec is the supported VPN implementation for Red Hat Enterprise Linux that sufficiently addresses the usability needs of organizations with branch offices or remote users.

IPsec can be implemented using a host-to-host configuration (one computer workstation to another) or a network-to-network configuration (one LAN/WAN to another). The IPsec implementation in Red Hat Enterprise Linux uses Internet Key Exchange (IKE), a protocol standardized by the Internet Engineering Task Force (IETF) for mutual authentication and establishing security associations between connecting systems.

On Red Hat Enterprise Linux systems, an IPsec connection uses the pre-shared key method of IPsec node authentication. In a pre-shared key IPsec connection, both hosts must use the same key in order to move to the second phase of the IPsec connection.

Implementing IPsec requires that the ipsec-tools RPM package be installed on all IPsec hosts (if using a host-to-host configuration) or routers (if using a network-to-network configuration).

/sbin/setkey
Manipulates the key management and security attributes of IPsec in the kernel.

/sbin/racoon
The IKE key management daemon, used to manage and control security associations and key sharing between IPsec-connected systems.

/etc/racoon/racoon.conf
The racoon daemon configuration file used to configure various aspects of the IPsec connection, including authentication methods and encryption algorithms used in the connection.