Questo contenuto non è disponibile nella lingua selezionata.
48.7.7.2. Manual IPsec Network-to-Network Configuration
Suppose LAN A (lana.example.com) and LAN B (lanb.example.com) want to connect to each other through an IPsec tunnel. The network address for LAN A is in the 192.168.1.0/24 range, while LAN B uses the 192.168.2.0/24 range. The gateway IP address is 192.168.1.254 for LAN A and 192.168.2.254 for LAN B. The IPsec routers are separate from each LAN gateway and use two network devices: eth0 is assigned to an externally-accessible static IP address which accesses the Internet, while eth1 acts as a routing point to process and transmit LAN packets from one network node to the remote network nodes.
The IPsec connection between each network uses a pre-shared key with the value of
r3dh4tl1nux
, and the administrators of A and B agree to let racoon
automatically generate and share an authentication key between each IPsec router. The administrator of LAN A decides to name the IPsec connection ipsec0
, while the administrator of LAN B names the IPsec connection ipsec1
.
The following example shows the contents of the
ifcfg
file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec0, so the resulting file is called /etc/sysconfig/network-scripts/ifcfg-ipsec0
.
TYPE=IPSEC ONBOOT=yes IKE_METHOD=PSK SRCGW=192.168.1.254 DSTGW=192.168.2.254 SRCNET=192.168.1.0/24 DSTNET=192.168.2.0/24 DST=X.X.X.X
The following list describes the contents of this file:
- TYPE=IPSEC
- Specifies the type of connection.
- ONBOOT=yes
- Specifies that the connection should initiate on boot-up.
- IKE_METHOD=PSK
- Specifies that the connection uses the pre-shared key method of authentication.
- SRCGW=192.168.1.254
- The IP address of the source gateway. For LAN A, this is the LAN A gateway, and for LAN B, the LAN B gateway.
- DSTGW=192.168.2.254
- The IP address of the destination gateway. For LAN A, this is the LAN B gateway, and for LAN B, the LAN A gateway.
- SRCNET=192.168.1.0/24
- Specifies the source network for the IPsec connection, which in this example is the network range for LAN A.
- DSTNET=192.168.2.0/24
- Specifies the destination network for the IPsec connection, which in this example is the network range for LAN B.
- DST=X.X.X.X
- The externally-accessible IP address of LAN B.
The following example is the content of the pre-shared key file called
/etc/sysconfig/network-scripts/keys-ipsecX
(where X is 0 for LAN A and 1 for LAN B) that both networks use to authenticate each other. The contents of this file should be identical and only the root user should be able to read or write this file.
IKE_PSK=r3dh4tl1nux
Important
To change the
keys-ipsecX
file so that only the root user can read or edit the file, use the following command after creating the file:
chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1
To change the authentication key at any time, edit the
keys-ipsecX
file on both IPsec routers. Both keys must be identical for proper connectivity.
The following example is the contents of the
/etc/racoon/racoon.conf
configuration file for the IPsec connection. Note that the include
line at the bottom of the file is automatically generated and only appears if the IPsec tunnel is running.
# Racoon IKE daemon configuration file. # See 'man racoon.conf' for a description of the format and entries. path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; sainfo anonymous { pfs_group 2; lifetime time 1 hour ; encryption_algorithm 3des, blowfish 448, rijndael ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } include "/etc/racoon/X.X.X.X.conf"
The following is the specific configuration for the connection to the remote network. The file is called
X.X.X.X.conf
(where X.X.X.X is the IP address of the remote IPsec router). Note that this file is automatically generated when the IPsec tunnel is activated and should not be edited directly.
remote X.X.X.X { exchange_mode aggressive, main; my_identifier address; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2 ; } }
Prior to starting the IPsec connection, IP forwarding should be enabled in the kernel. To enable IP forwarding:
- Edit
/etc/sysctl.conf
and setnet.ipv4.ip_forward
to1
. - Use the following command to enable the change:
sysctl -p /etc/sysctl.conf
To start the IPsec connection, use the following command on each router:
ifup ipsec0
The connections are activated, and both LAN A and LAN B are able to communicate with each other. The routes are created automatically via the initialization script called by running
ifup
on the IPsec connection. To show a list of routes for the network, use the following command:
ip route list
To test the IPsec connection, run the
tcpdump
utility on the externally-routable device (eth0 in this example) to view the network packets being transferred between the hosts (or networks), and verify that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, use the following command:
tcpdump -n -i eth0 host lana.example.com
The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example (back slashes denote a continuation of one line):
12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \ lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \ (ipip-proto-4)