[Linux] RedHat - IPsec configuration using Openswan
※ On Red Hat Enterprise Linux Server release 6 and later, IPsec can be configured using the Openswan package.
Configuration steps:
The two hosts will be referred to as "left" and "right" in the configuration. Picturing a tunnel with two endpoints,
ipsec1.example.com [192.168.10.12] -------- ipsec2.example.com [192.168.10.18]
The ipsec1.example.com host will be "left" and ipsec2.example.com will be "right".
1) Before starting with the configuration, clean up the pre-installed defaults and re-create the NSS database. On each host, run:
# rm -r /etc/ipsec.d/*.db
# rm /etc/ipsec.secrets
Create the NSS DB before generating the host key.
# certutil -N -d /etc/ipsec.d/
Note: It is not necessary to specify a password on this step.
=> Do not set a password; just press Enter to continue.
Then generate the host key:
# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/hostkeys.secrets --bits 2048
This generates the RSA key using the NSS DB.
2) Generate RSA keys. On each host, run:
# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.secrets
Note: Key generation may take some time to finish. If you are generating the keys on virtual machines you may need to provide keyboard or mouse activity on the system console in order to generate entropy needed by the key generation process.
3) Obtain the key values for each side. These will be the values for leftrsasigkey and rightrsasigkey respectively.
On the left host, run:
# ipsec showhostkey --left
On the right host, run:
# ipsec showhostkey --right
-> Generate the host key on both sides and copy each value.
4) Allow ipsec.conf to use configuration files included in /etc/ipsec.d
On each host, run:
# echo "include /etc/ipsec.d/*.conf" >> /etc/ipsec.conf
5) Create your connection configuration file in /etc/ipsec.d/ - For this example we use /etc/ipsec.d/pluto-1-2.conf. This configuration will be the same on both hosts. The indentation of every line after the first one is required.
# vi /etc/ipsec.d/pluto-1-2.conf
=> Enter the following content:
conn pluto-1-2
	left=192.168.10.12
	leftrsasigkey=[left host value from step 3]
	right=192.168.10.18
	rightrsasigkey=[right host value from step 3]
	auto=start
	authby=rsasig
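The connection file from step 5 is short but easy to get wrong: a placeholder left in a key field, a missing tab, or a file that differs between the two hosts. The following shell script is an added example, not part of the Red Hat article or of Openswan; it assumes the key values are the "0s"-prefixed base64 strings that "ipsec showhostkey" prints, and that you redirect its output to /etc/ipsec.d/pluto-1-2.conf on each host.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): render the step-5 connection
# file from the two "ipsec showhostkey" values and refuse to write it while a
# key is missing or still the "[... value from step 3]" placeholder.
# Assumptions: keys are the "0s"-prefixed base64 strings Openswan prints, and
# the caller redirects the output to /etc/ipsec.d/pluto-1-2.conf on each host.

# Openswan encodes RSA public keys as "0s" followed by base64. Anything else
# (blank, placeholder text, a pasted private key) is rejected before it
# reaches pluto.
valid_rsasigkey() {
    printf '%s' "$1" | grep -Eq '^0s[A-Za-z0-9+/]+=*$'
}

# Print the conn block. Every line after "conn NAME" is tab-indented because
# ipsec.conf parses an unindented line as the start of a new section.
render_conn() {
    name=$1 left_ip=$2 left_key=$3 right_ip=$4 right_key=$5
    valid_rsasigkey "$left_key"  || { echo "render_conn: bad leftrsasigkey" >&2; return 1; }
    valid_rsasigkey "$right_key" || { echo "render_conn: bad rightrsasigkey" >&2; return 1; }
    printf 'conn %s\n' "$name"
    printf '\tleft=%s\n' "$left_ip"
    printf '\tleftrsasigkey=%s\n' "$left_key"
    printf '\tright=%s\n' "$right_ip"
    printf '\trightrsasigkey=%s\n' "$right_key"
    printf '\tauto=start\n'
    printf '\tauthby=rsasig\n'
}

# Checksum of the rendered block, so the two hosts can confirm they wrote the
# identical file (the article requires the configuration to match on both).
conn_checksum() {
    render_conn "$@" | cksum | cut -d' ' -f1
}
```

On a real host, run "render_conn pluto-1-2 192.168.10.12 "$LEFT_KEY" 192.168.10.18 "$RIGHT_KEY" > /etc/ipsec.d/pluto-1-2.conf" on both sides with the same arguments, then compare the value of conn_checksum on each host before starting pluto; a mismatch means one side pasted a different key.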
6) Start the pluto daemon on both hosts:
# service ipsec start
7) In /var/log/secure, look for the following logs that indicate "IPsec SA established"
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #2: the peer proposed: 192.168.10.12/32:0/0 -> 192.168.10.18/32:0/0
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: responding to Quick Mode proposal {msgid:3d2e0940}
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: us: 192.168.10.12<192.168.10.12>[+S=C]
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: them: 192.168.10.18<192.168.10.18>[+S=C]
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x3d5459d4 <0x5c67587e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none
8) Check the status of the tunnel:
The command "ip xfrm policy" lists the tunnel via kernel policies.
# ip xfrm policy
src 192.168.10.12/32 dst 192.168.10.18/32
	dir out priority 2080 ptype main
	tmpl src 192.168.10.12 dst 192.168.10.18
		proto esp reqid 16385 mode tunnel
src 192.168.10.18/32 dst 192.168.10.12/32
	dir in priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
The command "service ipsec status" will also show you if a tunnel is up.
# service ipsec status
IPsec running - pluto pid: 25748
pluto pid 25748
1 tunnels up
some eroutes exist
For more detailed tunnel information, "ipsec auto --status" can be used as well.
Ping the other endpoint host. Examining ping traffic in tcpdump between the two endpoints will display packets with IP protocol 50/ESP.
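Steps 7 and 8 are manual checks. The script below is an added example, not part of the Red Hat article or of Openswan, that turns them into functions a cron job or monitoring agent can run: each reads the output of the command named in the article on stdin, and the sample_* functions replay output copied from the article so the script runs offline. The LOG_CMD, POLICY_CMD and STATUS_CMD variables are assumptions of this example; leave them unset on a live host to read /var/log/secure, "ip xfrm policy" and "service ipsec status" directly.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): verify that the IPsec SA came
# up with the expected parameters and that the kernel actually holds an ESP
# tunnel policy toward the peer. Sample inputs are copied from the article's
# output so the checks can be exercised offline.

# From /var/log/secure: print "MODE XFRM" for the most recent
# "IPsec SA established" line of the given conn, e.g. "tunnel AES_128-HMAC_SHA1".
# Prints nothing when the SA never came up.
sa_established() {
    grep -F "\"$1\"" | grep -F 'IPsec SA established' | tail -n 1 |
        sed -n 's/.*IPsec SA established \([a-z]*\) mode.*xfrm=\([A-Z0-9_-]*\).*/\1 \2/p'
}

# From "ip xfrm policy": succeed only when an outbound policy LOCAL -> PEER
# exists whose template is ESP in tunnel mode. Without it, traffic to the
# peer would leave the host unprotected even if an SA was negotiated.
policy_ok() {
    awk -v l="$1" -v p="$2" '
        /^src / { inpol = ($2 == (l "/32") && $4 == (p "/32")); dirout = 0 }
        inpol && /dir out/ { dirout = 1 }
        inpol && dirout && /proto esp/ && /mode tunnel/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# From "service ipsec status": print the number of tunnels reported up.
tunnels_up() {
    sed -n 's/^\([0-9][0-9]*\) tunnels up$/\1/p'
}

# Sample inputs copied from the article's own output (test data, not live).
sample_log() {
cat <<'EOF'
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 12 18:28:43 ipsec2 pluto[1285]: "pluto-1-2" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x3d5459d4 <0x5c67587e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none
EOF
}
sample_policy() {
cat <<'EOF'
src 192.168.10.12/32 dst 192.168.10.18/32
	dir out priority 2080 ptype main
	tmpl src 192.168.10.12 dst 192.168.10.18
		proto esp reqid 16385 mode tunnel
src 192.168.10.18/32 dst 192.168.10.12/32
	dir in priority 2080 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
EOF
}
sample_status() {
cat <<'EOF'
IPsec running - pluto pid: 25748
pluto pid 25748
1 tunnels up
some eroutes exist
EOF
}

# Combine the three checks; return non-zero on the first failure so a monitor
# can alert. Arguments: CONN LOCAL_IP PEER_IP. The *_CMD variables are this
# example's own hook for substituting sample output; unset, the real
# commands from the article are used.
tunnel_healthy() {
    sa=$(${LOG_CMD:-cat /var/log/secure} | sa_established "$1")
    [ -n "$sa" ] || { echo "no IPsec SA established for $1" >&2; return 1; }
    case $sa in
        "tunnel AES"*) ;;   # expected: tunnel mode with an AES transform
        *) echo "unexpected SA parameters: $sa" >&2; return 1 ;;
    esac
    ${POLICY_CMD:-ip xfrm policy} | policy_ok "$2" "$3" ||
        { echo "no ESP tunnel policy $2 -> $3" >&2; return 1; }
    n=$(${STATUS_CMD:-service ipsec status} | tunnels_up)
    [ "${n:-0}" -ge 1 ] || { echo "no tunnels up" >&2; return 1; }
    echo "tunnel $1 healthy: $sa"
}
```

Run "tunnel_healthy pluto-1-2 192.168.10.12 192.168.10.18" on the left host (swap the addresses on the right host); the policy check is deliberately directional, since the article's sample shows the outbound policy only from the local address to the peer.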
Additional Notes:
- The two endpoints must agree on the configuration and proposal. Openswan's normal logging in /var/log/secure often clearly indicates when peers disagree on configuration options, key values, ID values, etc.
- See 'man ipsec.conf' for additional configuration options, including specifying the authentication algorithms to use for both phases.
· ipsec rsasigkey: key pair generation failed: "-8037"
Environment
· Red Hat Enterprise Linux 6.1
· openswan-2.6.32-4.el6_1.1.x86_64
Resolution
· Generate the NSS db before generating the host key:
· # certutil -N -d /etc/ipsec.d
· Afterwards generate the host key:
· # ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/hostkeys.secrets --bits 2048
· This generates the RSA key pair using the NSS database.