[Openswan Users] setting up IPSEC communication between linux gateway and linux host

Amit Saxena saxena at students.iiit.net
Fri Mar 12 15:32:20 CET 2004


Hello everybody,

I am having problems setting up IPsec communication between a Linux 
gateway (172.16.3.3) and a Linux host (172.16.3.7) in my lab. 

I was using FreeS/WAN 2.04 earlier, but now somebody has suggested that I go 
for Openswan. I have not tried that so far, but as soon as I download 
the RPMs for Red Hat 9.0 I will install them and try the same.

I have attached my ipsec.conf and ipsec.secrets files to this email as 
attachments.

I am configuring a host-to-host IPsec setup between the two systems in the 
same lab. The IP of the switch in our lab is 172.16.3.1.

I have used the URL http://mia.ece.uic.edu/~papers/volans/ipsec.html and 
Nate Carlson's URL http://www.natecarlson.com/linux/ipsec-x509.php in 
setting up the keys and the certificates.

I have used the following commands for generating and configuring the 
files:

a) ipsec newhostkey --output /etc/ipsec.secrets
b) I edited the file /etc/ipsec.secrets and made the appropriate changes.
c) For ipsec.conf and the certificate generation, I followed the natecarlson 
tutorial completely.

Though I am getting IPsec communication between the two systems, I am 
not sure whether it is encrypting using the default keys in 
ipsec.secrets or the certificates which I have created. Also, the output of 
the command "ipsec --showhostkey --key" gives the default public key as 
its output and not the public key used in the certificates.

Also, please let me know whether there is a way I can sniff the 
IPsec packets and the related transformations going on, so that I get an 
idea which key IPsec is using to encrypt the packets. 
Ethereal and tcpdump are not helping much here.

Please help me!

Thanks in advance

**************** ipsec.secrets **********************

: RSA 172.16.3.3.pem

: RSA	{
	# RSA 2192 bits   WIZARD   Fri Feb 27 17:52:25 2004
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQOHAq95mRZYj8WYYMZd4nZwR+3Lv5mVZTS9W1PwxplyAVR8d2qtXLgrKCEF4TwQeDdzcEaKjRor8SmY8tlzxlNPTafTOZB1WZs1iIFnabvfFpH65j9GSTMWIKWQR0n7zfu+A0HY/pVoNs+CSf5l48Bsp1eOThggV0U17nvy1BemSbL0AanqhkOclcRNnhHhXI337h/3YApKpmv6Lq/pWtHQwNN0J80Iq96GkuDMwqozafDBhQpqz1x2rgqihZbC+6hQ8ESuicYv5fxlfHqUcbmzrR9QDAz/bvMh+oWROJQCS74yR6tarCY4FnbFPpcF3Z/JOkBsTj33fSUeLSIt6yc5C8rccZkp9zh5ZCEkvzO6LGGz
	Modulus: 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
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 0x16807294442e6417f64410210fa5be680bfcf74a9998e63374e48dfd766ee8558e14be91c78f7407315ad65034ad695e933d611717845ca831997dcee8a10de28cf14ddeed68e44488ec15913c49fa83c2ff265fe10c332e5ac642b68c54a2549fab35a42a6e3c092295b6ffbba5f56771394262595ab93633a7bf53235946619dd3559c51c10b44c36240c2673d4e3b229fc417d247b3a0646f699901f699678f5733bf3d5540d75cf542f13a181338c799bb5ca45e1e3234197a16a9c71bdadabaeebb5d80a151ec3729e9371cb14d72cfe83b9b446237f478d78e4430166494df092f250c3a36ca3abf6d964d485e1771d0f43f5f03add6f4b17db3300e7797a0fd7336db587be7ed1715a58381db00ab
	Prime1: 0xd2ea73a96080eee9e94f8b9a9d02d70e242d506a5c4ae4a03391c388a8fb9eedd23b96b744fbf271d5c50ac7bb9a410c8763a330ccb23537e15680f63f06569915f10c466856ef961e192f9854e899340c0e1934ceecd1d66615988be8dffbe6896c9e86773e632b54254661fe26fff364a93eec7dfe6a71691c592b0796d8eecffe37e51dd0bc8bb3
	Prime2: 0xa3de9bfd11063c3e4637dcd7bf120d033987c97336ee7ec494abe8d4602b336b01138eaed4c422d1515bd3c8df0d0868ea625a6b4ba251f8ad55c9628361a3da048ff7035d3af36621c576d110390a33196a226aa48f1e6a91faf7f079e8f3728cdc0e8abeed08113b356c7005ba6a27fd5af10e4cd2010c9bcf6524fe4d781b05986af900de4dd201
	Exponent1: 0x8c9c4d1b95ab49f1463507bc68ac8f5ec2c8e046e831edc022612d05c5fd149e8c27b9cf8352a1a1392e072fd266d6085a426ccb332178cfeb8f00a42a0439bb63f6082ef039f50ebebb7510389b10cd5d5ebb7889f3368eeeb9105d45eaa7ef064869aefa2997723818d996a96f554cedc629f2fea99c4b9b683b72050f3b49dffecfee13e07db277
	Exponent2: 0x6d3f12a8b604282984253de52a0c08acd10530f779f454830dc7f08d95722247560d09c9e32d6c8b8b928d3094b35af09c41919cdd16e150738e8641acebc291585ffa023e274ceec12e4f360ad0b1776646c19c6db4bef1b6a74ff5a69b4cf70892b45c7f48b00b7cce484aae7c46c55391f609888c00b3128a436dfede501203baf1fb55e98936ab
	Coefficient: 0x065ed3df8bad1b86dc50c208507db8783672e09ca538da0dc5c31f62fa513546f0bc522b77a6461445a82b87b47e03418bc1463e09daf239bc2b2d8cbcff18e73f3dd310410992d2bff36ed3309ce1bf986d3f05dcb7deaa88abed517f7217aba75952f752bb67310534917dc939e26a39d448da3710243de7d0bd23bb78871aefeeac27ced5efdcf5
	}
# do not change the indenting of that "}"


************************** ipsec.conf *********************************


# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help: 
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/examples   


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	interfaces="ipsec0=eth0"
	uniqueids=yes


# Add connections here.

# sample VPN connection
#sample#	conn sample
#sample#		# Left security gateway, subnet behind it, next hop toward right.
#sample#		left=10.0.0.1
#sample#		leftsubnet=172.16.0.0/24
#sample#		leftnexthop=10.22.33.44
#sample#		# Right security gateway, subnet behind it, next hop toward left.
#sample#		right=10.12.12.1
#sample#		rightsubnet=192.168.0.0/24
#sample#		rightnexthop=10.101.102.103
#sample#		# To authorize this connection, but not actually start it, at startup,
#sample#		# uncomment this.
#sample#		#auto=start

conn myconnection
		left=172.16.3.7
		leftnexthop=172.16.3.1
		#leftid=%default
		# NOTE: the leftrsasigkey below is byte-for-byte identical to the
		# rightrsasigkey further down. Each side must carry that host's own
		# public key: run "ipsec showhostkey --left" on the left host and
		# "ipsec showhostkey --right" on the right host and paste each output.
		leftrsasigkey=0sAQOHAq95mRZYj8WYYMZd4nZwR+3Lv5mVZTS9W1PwxplyAVR8d2qtXLgrKCEF4TwQeDdzcEaKjRor8SmY8tlzxlNPTafTOZB1WZs1iIFnabvfFpH65j9GSTMWIKWQR0n7zfu+A0HY/pVoNs+CSf5l48Bsp1eOThggV0U17nvy1BemSbL0AanqhkOclcRNnhHhXI337h/3YApKpmv6Lq/pWtHQwNN0J80Iq96GkuDMwqozafDBhQpqz1x2rgqihZbC+6hQ8ESuicYv5fxlfHqUcbmzrR9QDAz/bvMh+oWROJQCS74yR6tarCY4FnbFPpcF3Z/JOkBsTj33fSUeLSIt6yc5C8rccZkp9zh5ZCEkvzO6LGGz
		right=172.16.3.3
		rightnexthop=172.16.3.1
		#rightid=%default
		rightrsasigkey=0sAQOHAq95mRZYj8WYYMZd4nZwR+3Lv5mVZTS9W1PwxplyAVR8d2qtXLgrKCEF4TwQeDdzcEaKjRor8SmY8tlzxlNPTafTOZB1WZs1iIFnabvfFpH65j9GSTMWIKWQR0n7zfu+A0HY/pVoNs+CSf5l48Bsp1eOThggV0U17nvy1BemSbL0AanqhkOclcRNnhHhXI337h/3YApKpmv6Lq/pWtHQwNN0J80Iq96GkuDMwqozafDBhQpqz1x2rgqihZbC+6hQ8ESuicYv5fxlfHqUcbmzrR9QDAz/bvMh+oWROJQCS74yR6tarCY4FnbFPpcF3Z/JOkBsTj33fSUeLSIt6yc5C8rccZkp9zh5ZCEkvzO6LGGz
		auth=esp
		# authby=rsasig with explicit left/rightrsasigkey values and no
		# leftcert=/rightcert= means Pluto authenticates with these raw RSA
		# keys; the X.509 certificates are not used by this conn.
		authby=rsasig
		# auto=ignore: this conn is not loaded at startup. It only exists
		# after a manual "ipsec auto --add myconnection" and is brought up
		# with "ipsec auto --up myconnection".
		auto=ignore
		type=tunnel

************************************************************************************



-- 
Have a nice day

from 
Amit Saxena
M.Tech CS 2nd year

It takes,
a minute to find a special person 
an hour to appreciate 
a day to love 

but an entire life to forget them
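The question above is really "which key did Pluto authenticate with?", and the posted ipsec.conf answers half of it: the conn carries no leftcert/rightcert, and leftrsasigkey and rightrsasigkey are the same string. The following is an added example (not part of the original post or of Openswan) that decodes the `0s...` key format FreeS/WAN and Openswan use (the RSA DNSKEY RDATA layout of RFC 2537/3110: exponent length, exponent, modulus, base64 with a `0s` prefix) and runs the checks a reviewer would apply to the posted conn. `POSTED_KEY` is the public key from the message above; `SAMPLE_CONF` is a constructed conn that mirrors it. The private key printed in the message is also now public, so that host key should be regenerated with `ipsec newhostkey` anyway.

```python
"""Decode FreeS/WAN/Openswan "0s..." RSA public keys and sanity-check a conn.

The 0s prefix marks base64 data laid out as in RFC 2537/3110 RSA DNSKEY RDATA:
one length byte for the public exponent (or 0x00 followed by a two-byte
length), the exponent itself, then the modulus, all big-endian.
"""
import base64
import re

# Public key copied from the ipsec.conf posted above (a public value).
POSTED_KEY = (
    "0s"
    "AQOHAq95mRZYj8WYYMZd4nZwR+3Lv5mVZTS9W1PwxplyAVR8d2qtXLgrKCEF"
    "4TwQeDdzcEaKjRor8SmY8tlzxlNPTafTOZB1WZs1iIFnabvfFpH65j9GSTMW"
    "IKWQR0n7zfu+A0HY/pVoNs+CSf5l48Bsp1eOThggV0U17nvy1BemSbL0Aanq"
    "hkOclcRNnhHhXI337h/3YApKpmv6Lq/pWtHQwNN0J80Iq96GkuDMwqozafDB"
    "hQpqz1x2rgqihZbC+6hQ8ESuicYv5fxlfHqUcbmzrR9QDAz/bvMh+oWROJQC"
    "S74yR6tarCY4FnbFPpcF3Z/JOkBsTj33fSUeLSIt6yc5C8rccZkp9zh5ZCEk"
    "vzO6LGGz"
)


def decode_rsasigkey(key: str):
    """Return (e, n) for a 0s-prefixed RSA public key string."""
    if not key.startswith("0s"):
        raise ValueError("not a 0s (base64) rsasigkey")
    raw = base64.b64decode(key[2:], validate=True)
    if raw[0] != 0:                      # one-byte exponent length
        elen, off = raw[0], 1
    else:                                # 0x00 + two-byte exponent length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[off:off + elen], "big")
    n = int.from_bytes(raw[off + elen:], "big")
    if elen == 0 or n == 0 or e < 3 or e % 2 == 0:
        raise ValueError("malformed RSA public key")
    return e, n


def encode_rsasigkey(e: int, n: int) -> str:
    """Inverse of decode_rsasigkey: build the 0s form from (e, n)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode("ascii")


def check_conn(conf_text: str) -> dict:
    """Report on the rsasigkey/cert/auto settings of a conn block."""
    keys = dict(re.findall(r"^\s*(left|right)rsasigkey=(\S+)", conf_text, re.M))
    summary = {}
    for side, value in keys.items():
        if value.startswith("0s"):
            e, n = decode_rsasigkey(value)
            summary[side] = (e, n.bit_length())   # exponent, modulus size
        else:
            summary[side] = value                  # e.g. %cert or %dnsondemand
    return {
        "keys": summary,
        # Same string on both sides means one host's key was pasted twice.
        "same_key": len(keys) == 2 and keys["left"] == keys["right"],
        "auto_ignore": re.search(r"^\s*auto=ignore\b", conf_text, re.M) is not None,
        "uses_certs": re.search(r"^\s*(left|right)cert=", conf_text, re.M) is not None,
    }


# Constructed conn that mirrors the posted ipsec.conf (same key on both sides).
SAMPLE_CONF = f"""conn myconnection
\tleft=172.16.3.7
\tleftrsasigkey={POSTED_KEY}
\tright=172.16.3.3
\trightrsasigkey={POSTED_KEY}
\tauthby=rsasig
\tauto=ignore
\ttype=tunnel
"""

if __name__ == "__main__":
    for item in check_conn(SAMPLE_CONF).items():
        print("%s: %s" % item)
```

Against the posted conn the report shows both sides as an e=3, 2192-bit key (matching the "RSA 2192 bits" comment and `PublicExponent: 0x03` in ipsec.secrets), `same_key` true, `uses_certs` false and `auto_ignore` true. To use the certificates instead, the natecarlson setup needs `leftcert=` on the local side and `rightrsasigkey=%cert` for the peer; with the conn as posted, Pluto signs with the raw host key.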





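On the sniffing question: the key never appears on the wire, and in IKEv1 Main Mode (ISAKMP exchange type 2) the messages that carry the ID, optional CERT and SIG payloads are sent with the encryption flag set, so Ethereal and tcpdump only show an opaque body after the 28-byte ISAKMP header. The following is an added example (not from the original post or from Openswan) that parses ISAKMP headers per RFC 2408 and walks the payload chain only when the message is in the clear; the packets it parses are constructed in the block, not captured. It shows why a capture cannot answer "which key was used" for Main Mode, while an Aggressive Mode first message does expose the ID payload.

```python
"""Parse ISAKMP (IKEv1) headers and report which payloads a sniffer can see.

The fixed 28-byte header (RFC 2408 section 3.1) is never encrypted, so the
exchange type, flags and the type of the first payload are always readable.
When the Encryption flag (0x01) is set, the payload chain is ciphertext and
the ID/CERT/SIG payloads of Main Mode messages 5 and 6 are not visible.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next, version, xchg, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")         # next payload, reserved, payload length
FLAG_ENCRYPTION = 0x01

EXCHANGE = {1: "Base", 2: "Identity Protection (Main Mode)", 4: "Aggressive",
            5: "Informational", 32: "Quick Mode"}
PAYLOAD = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
           8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


def parse_isakmp(msg: bytes) -> dict:
    """Return exchange type, encryption state and the visible payload types."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nextp, _ver, xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match packet length")
    info = {
        "exchange": EXCHANGE.get(xchg, "type %d" % xchg),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "first_payload": PAYLOAD.get(nextp, "type %d" % nextp),
        "payloads": [],
    }
    if info["encrypted"]:
        return info                       # payload headers sit inside the ciphertext
    off = ISAKMP_HDR.size
    while nextp != 0:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload chain")
        following, _res, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        info["payloads"].append(PAYLOAD.get(nextp, "type %d" % nextp))
        nextp, off = following, off + plen
    return info


def build_isakmp(xchg: int, flags: int, payloads, msgid: int = 0) -> bytes:
    """Construct a test message; payloads is a list of (type, body) tuples.

    For an "encrypted" message the chain is packed as-is and stands in for
    ciphertext; parse_isakmp must not look at it when the flag is set.
    """
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, xchg, flags,
                          msgid, ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed packets: Main Mode message 1 (clear), Main Mode message 5
# (encrypted: ID, CERT, SIG inside), and Aggressive Mode message 1 (clear).
MM1 = build_isakmp(2, 0, [(1, b"\x00\x00\x00\x01"), (13, b"Openswan")])
MM5 = build_isakmp(2, FLAG_ENCRYPTION, [(5, b"\x01\x00\x00\x00\xac\x10\x03\x07"),
                                         (6, b"<cert>"), (9, b"<sig>")])
AM1 = build_isakmp(4, 0, [(1, b"\x00" * 4), (4, b"g^x"), (10, b"nonce"),
                          (5, b"\x01\x00\x00\x00\xac\x10\x03\x07")])

if __name__ == "__main__":
    for name, pkt in (("MM1", MM1), ("MM5", MM5), ("AM1", AM1)):
        print(name, parse_isakmp(pkt))
```

Capture the negotiation with `tcpdump -ni eth0 udp port 500 or proto 50` (ISAKMP plus ESP) and feed the UDP payloads to `parse_isakmp`: the first four Main Mode messages show SA, KE and NONCE payloads, messages 5 and 6 show only the header with the encryption flag, and the ESP traffic afterwards shows nothing but SPI and sequence numbers. The information the poster wants, which identity, key or certificate authenticated the peer, is in Pluto's log on each host rather than in the capture.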