[Openswan Users] IPsec configuration
Ana
kentdavies at gmail.com
Sun Nov 17 14:23:43 UTC 2013
Hello Eliezer.
The 10.1.1.0/24 and 10.1.2.0/24 are just "imaginary" networks. The only
thing that exists is the interface on machine A and machine B that were to
connect to those networks if they exists. At the end, since my environment,
is a virtual one, I just need to create another virtual machine and plug to
either end.
For testing, Wireshark is listening at machine B interface (10.1.2.254)
that connects to the "imaginary" internal network.
On the first try, using ipsec with preshared secrets, with the help of this
list I got it to work and see that the data was being encrypted.
Now I'm trying to accomplish the same thing but using x509 certificates.
And this is where I'm getting in trouble.
After ipsec auto --up cert nothing happens. Probably have some
misconfiguration at ipsec.conf or even at the CA or the certs generated but
I can't seem to find where the problem lies.
Thanks for your reply,
Kent Davies
On Sun, Nov 17, 2013 at 2:05 PM, Eliezer Croitoru <eliezer at ngtech.co.il>wrote:
> Hey,
>
> I was reading the thread and didn't got it yet.
> Wanted to understand:
> On the machine that is the "END" either A or B you are trying to use
> wireshark\tcpdump?
>
> In this case it is reasonable that all IP stack level should be
> transparent to the OS since for example it should recognize in some level
> that there an IP level to respond to.
> If it's 100% encrypted and the OS will not be able to read it's own
> encryption it will be weird.
>
> To make sure this is indeed encrypted session you need to "tap" the cable
> between that machine and there do wireshark\tcpdump.
> For this case you can use for example Tinycore(CorePlus) linux that has
> two interfaces and acts as a bridge.
> This way you can see what is the traffic on the wire level of encryption.
>
> Eliezer
>
>
> On 16/11/13 13:26, Ana wrote:
>
>> Hi everybody.
>>
>>
>> I’m starting to learn *IPsec* and I'm having some problems.
>>
>>
>>
>> I’m running two virtual machines with CentOS that simulates the network
>> depicted in the bellow picture.
>>
>> Inline image 1
>>
>>
>> I want to create an IPsec tunnel between machine A and machine B. The
>> keys should be negotiated using IKE and the tunnel should enable total
>> connectivity between the two machines.
>>
>>
>>
>> My *ipsec.conf* file on both machines is this:
>>
>>
>>
>> config setup
>>
>> protostack=netkey
>>
>> dumpdir=/var/run/pluto/
>>
>> nat_traversal=yes
>>
>> virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24
>> <http://10.1.1.0/24,%v4:10.1.2.0/24>
>>
>> conn gw-to-gw
>>
>> authby=secret
>>
>> left=192.168.1.1
>>
>> leftsubnet=10.1.1.0/24 <http://10.1.1.0/24>
>>
>> leftnexthop=192.168.1.2
>>
>> right=192.168.1.2
>>
>> rightsubnet=10.1.2.0/24 <http://10.1.2.0/24>
>>
>> rightnexthop=192.168.1.1
>>
>> auto=start
>>
>> type=tunnel
>>
>>
>> And *ipsec.secrets* on both machines is this:
>>
>>
>> 192.168.1.1 192.168.1.2 : PSK "test"
>>
>> I then do*service ipsec start* on machine A followed by the same command
>> on machine B. Then, again on machine A, I do *ipsec auto –up gw-to-gw*
>>
>> followed by the exact same command on machine B.
>>
>> Machine A output:
>>
>> [root at mainmachine etc]# service ipsec start
>>
>> ipsec_setup: Starting Openswan IPsec
>> U2.6.32/K2.6.32-358.23.2.el6.i686...
>>
>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
>> /proc/sys/crypto/fips_enabled
>>
>> [root at mainmachine etc]# ipsec auto --up gw-to-gw
>>
>> 117 "gw-to-gw" #5: STATE_QUICK_I1: initiate
>>
>> 004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
>> tunnel mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1
>> NATOA=none NATD=none DPD=none}
>>
>> [root at mainmachine etc]#
>>
>>
>> Machine B output:
>>
>> [root at mainmachine etc]# service ipsec start
>>
>> ipsec_setup: Starting Openswan IPsec
>> U2.6.32/K2.6.32-358.23.2.el6.i686...
>>
>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
>> /proc/sys/crypto/fips_enabled
>>
>> [root at mainmachine etc]# ipsec auto --up gw-to-gw
>>
>> 117 "gw-to-gw" #6: STATE_QUICK_I1: initiate
>>
>> 004 "gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established
>> tunnel mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1
>> NATOA=none NATD=none DPD=none}
>>
>> [root at mainmachine etc]#
>>
>> I’m now using Wireshark to see how the traffic goes through the network
>> from machine A to machine B.
>>
>>
>> Listening on interface *eth5 *of machine B and pinging*10.1.2.254* or
>> *10.1.2.2* from machine A, Wireshark does not capture any packet. If I
>> do the exact same procedure but not listening on interface *eth6*
>>
>> Wireshark captures the following image.
>>
>> Inline image 2
>>
>> I believe that the packet should somehow be encrypted but Wireshark is
>> telling me that it is not, so probably I have some kind of error on my
>> *ipsec.conf* configuration.
>>
>>
>> Can someone point me in some direction?
>>
>> Thanks,
>>
>> Kent Davies
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20131117/579890ce/attachment.html>
More information about the Users
mailing list