记录日常工作关于系统运维,虚拟化云计算,数据库,网络安全等各方面问题。

6.3. IPsec Installation

Implementing IPsec requires that the ipsec-tools RPM package be installed on all IPsec hosts (if using a host-to-host configuration) or routers (if using a network-to-network configuration). The RPM package contains essential libraries, daemons, and configuration files to aid in setup of the IPsec connection, including:
  • /sbin/setkey — manipulates the key management and security attributes of IPsec in the kernel. This executable is controlled by the racoon key management daemon. For more information on setkey, refer to the setkey(8) man page.
  • /sbin/racoon — the IKE key management daemon, used to manage and control security associations and key sharing between IPsec-connected systems. This daemon can be configured by editing the /etc/racoon/racoon.conf file. For more information about racoon, refer to the racoon(8) man page.
  • /etc/racoon/racoon.conf — the racoon daemon configuration file used to configure various aspects of the IPsec connection, including authentication methods and encryption algorithms used in the connection. For a complete listing of directives available, refer to the racoon.conf(5) man page.
Configuring IPsec on Red Hat Enterprise Linux can be done via the Network Administration Tool or by manually editing networking and IPsec configuration files. For more information about using the Network Administration Tool, refer to the System Administrators Guide.
To connect two network-connected hosts via IPsec, refer to Section 6.4, “IPsec Host-to-Host Configuration”. To connect one LAN/WAN to another via IPsec, refer to Section 6.5, “IPsec Network-to-Network configuration”.


IPsec Host-to-Host Configuration

IPsec can be configured to connect one desktop or workstation to another by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create the secure tunnel to each other. The requirements of a host-to-host connection are minimal, as is the configuration of IPsec on each host. The hosts need only a dedicated connection to a carrier network (such as the Internet) and Red Hat Enterprise Linux to create the IPsec connection.
The first step in creating a connection is to gather system and network information from each workstation. For a host-to-host connection, you need the following information:
  • The IP address for both hosts
  • A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0)
  • A fixed encryption key or one automatically generated by racoon
  • A pre-shared authentication key that is used to initiate the connection and exchange encryption keys during the session
For example, suppose Workstation A and Workstation B want to connect to each other through an IPsec tunnel. They want to connect using a pre-shared key with the value of foobarbaz and the users agree to let racoon automatically generate and share an authentication key between each host. Both host users decide to name their connections ipsec0.
The following is the ifcfg file for Workstation A for a host-to-host IPsec connection with Workstation B (the unique name to identify the connection in this example is ipsec0, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec0):
DST=X.X.X.X
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
Workstation A would replace X.X.X.X with the IP address of Workstation B, while Workstation B replaces X.X.X.X with the IP address of Workstation A. The connection is set to initiate upon boot-up (ONBOOT=yes) and uses the pre-shared key method of authentication (IKE_METHOD=PSK).
The following is the content of the pre-shared key file (called /etc/sysconfig/network-scripts/keys-ipsec0) that both workstations need to authenticate each other. The contents of this file should be identical on both workstations and only the root user should be able to read or write this file.
IKE_PSK=foobarbaz

Important

To change the keys-ipsec0 file so that only the root user can read or edit the file, perform the following command after creating the file:
 chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0 
To change the authentication key at any time, edit the keys-ipsec0 file on both workstations. Both keys must be identical for proper connectivity.
The next example shows the specific configuration for the phase 1 connection to the remote host. The file is named X.X.X.X.conf (X.X.X.X is replaced with the IP address of the remote IPsec router). Note that this file is automatically generated once the IPsec tunnel is activated and should not be edited directly.
;
remote X.X.X.X
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
The default phase 1 configuration file created when an IPsec connection is initialized contains the following statements used by the Red Hat Enterprise Linux implementation of IPsec:
remote X.X.X.X
Specifies that the subsequent stanzas of this configuration file applies only to the remote node identified by the X.X.X.X IP address.
exchange_mode aggressive
The default configuration for IPsec on Red Hat Enterprise Linux uses an aggressive authentication mode, which lowers the connection overhead while allowing configuration of several IPsec connections with multiple hosts.
my_identifier address
Defines the identification method to be used when authenticating nodes. Red Hat Enterprise Linux uses IP addresses to identify nodes.
encryption_algorithm 3des
Defines the encryption cipher used during authentication. By default, Triple Data Encryption Standard (3DES) is used.
hash_algorithm sha1;
Specifies the hash algorithm used during phase 1 negotiation between nodes. By default, Secure Hash Algorithm version 1 is used.
authentication_method pre_shared_key
Defines the authentication method used during node negotiation. Red Hat Enterprise Linux by default uses pre-shared keys for authentication.
dh_group 2
Specifies the Diffie-Hellman group number for establishing dynamically-generated session keys. By default, the 1024-bit group is used.
The /etc/racoon/racoon.conf files should be identical on all IPsec nodes except for the include "/etc/racoon/X.X.X.X.conf" statement. This statement (and the file it references) is generated when the IPsec tunnel is activated. For Workstation A, the X.X.X.X in the include statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical racoon.conf file when IPsec connection is activated.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
	pfs_group 2;
	lifetime time 1 hour ;
	encryption_algorithm 3des, blowfish 448, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf"
This default racoon.conf file includes defined paths for IPsec configuration, pre-shared key files, and certificates. The fields in sainfo anonymous describe the phase 2 SA between the IPsec nodes — the nature of the IPsec connection (including the supported encryption algorithms used) and the method of exchanging keys. The following list defines the fields of phase 2:
sainfo anonymous
Denotes that SA can anonymously initialize with any peer insofar as the IPsec credentials match.
pfs_group 2
Defines the Diffie-Hellman key exchange protocol, which determines the method in which the IPsec nodes establish a mutual temporary session key for the second phase of IPsec connectivity. By default, the Red Hat Enterprise Linux implementation of IPsec uses group 2 (or modp1024) of the Diffie-Hellman cryptographic key exchange groups. Group 2 uses a 1024-bit modular exponentiation that prevents attackers from decrypting previous IPsec transmissions even if a private key is compromised.
lifetime time 1 hour
This parameter specifies the life cycle of an SA and can be quantified either by time or by bytes of data. The Red Hat Enterprise Linux implementation of IPsec specifies a one hour lifetime.
encryption_algorithm 3des, blowfish 448, rijndael
Specifies the supported encryption ciphers for phase 2. Red Hat Enterprise Linux supports 3DES, 448-bit Blowfish, and Rijndael (the cipher used in the Advanced Encryption Standard, or AES).
authentication_algorithm hmac_sha1, hmac_md5
Lists the supported hash algorithms for authentication. Supported modes are sha1 and md5 hashed message authentication codes (HMAC).
compression_algorithm deflate
Defines the Deflate compression algorithm for IP Payload Compression (IPCOMP) support, which allows for potentially faster transmission of IP datagrams over slow connections.
To start the connection, either reboot the workstation or execute the following command as root on each host:
/sbin/ifup ipsec0
To test the IPsec connection, run the tcpdump utility to view the network packets being transfered between the hosts (or networks) and verify that they are encrypted via IPsec. The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example:
17:13:20.617872 pinky.example.com > ijin.example.com: \
	    AH(spi=0x0aaa749f,seq=0x335): ESP(spi=0x0ec0441e,seq=0x335) (DF)



6.5. IPsec Network-to-Network configuration

IPsec can also be configured to connect an entire network (such as a LAN or WAN) to a remote network by way of a network-to-network connection. A network-to-network connection requires the setup of IPsec routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN. Figure 6.1, “A Network-to-network IPsec tunneled connection” shows a network-to-network IPsec tunneled connection.
A Network-to-network IPsec tunneled connection

Figure 6.1. A Network-to-network IPsec tunneled connection


This diagram shows two separate LANs separated by the Internet. These LANs use IPsec routers to authenticate and initiate a connection using a secure tunnel through the Internet. Packets that are intercepted in transit would require brute-force decryption in order to crack the cipher protecting the packets between these LANs. The process of communicating from one node on the 192.168.1.0/24 IP range to another on 192.168.2.0/24 is completely transparent to the nodes as the processing, encryption/decryption, and routing of the IPsec packets are completely handled by the IPsec router.
The information needed for a network-to-network connection include:
  • The externally-accessible IP addresses of the dedicated IPsec routers
  • The network address ranges of the LAN/WAN served by the IPsec routers (such as 192.168.0.0/24 or 10.0.1.0/24)
  • The IP addresses of the gateway devices that route the data from the network nodes to the Internet
  • A unique name to identify the IPsec connection and distinguish it from other devices or connections (for example, ipsec0)
  • A fixed encryption key or one automatically generated by racoon
  • A pre-shared authentication key that initiates the connection and exchange encryption keys during the session
For example, suppose LAN A (lana.example.com) and LAN B (lanb.example.com) want to connect to each other through an IPsec tunnel. The network address for LAN A is in the 192.168.1.0/24 range, while LAN B uses the 192.168.2.0/24 range. The gateway IP address is 192.168.1.254 for LAN A and 192.168.2.254 for LAN B. The IPsec routers are separate from each LAN gateway and uses two network devices: eth0 is assigned to an externally-accessible static IP address which accesses the Internet, while eth1 acts as a routing point to process and transmit LAN packets from one network node to the remote network nodes.
The IPsec connection between each network uses a pre-shared key with the value of r3dh4tl1nux, and the administrators of A and B agree to let racoon automatically generate and share an authentication key between each IPsec router. The administrator of LAN A decides to name the IPsec connection ipsec0, while the administrator of LAN B names the IPsec connection ipsec1..
The following example are the contents the ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec0, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec0.
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.1.254
DSTGW=192.168.2.254
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X
The connection is set to initiate upon boot-up (ONBOOT=yes) and uses the pre-shared key method of authentication (IKE_METHOD=PSK). The administrator for LAN A enters the destination gateway, which is the gateway for LAN B (DSTGW=192.168.2.254) as well as the source gateway, which is the gateway IP address for LAN A (SRCGW=192.168.1.254). The administrator then enters the destination network, which is the network range for LAN B (DSTNET=192.168.2.0/24) as well as the source network (SRCNET=192.168.1.0/24). Finally, the administrator enters the destination IP address, which is the externally-accessible IP address for LAN B (X.X.X.X).
The following example is the content of the pre-shared key file called /etc/sysconfig/network-scripts/keys-ipsecX (where X is 0 for LAN A and 1 for LAN B) that both networks use to authenticate each other. The contents of this file should be identical and only the root user should be able to read or write this file.
IKE_PSK=r3dh4tl1nux

Important

To change the keys-ipsecX file so that only the root user can read or edit the file, perform the following command after creating the file:
 chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1 
To change the authentication key at any time, edit the keys-ipsecX file on both IPsec routers. Both keys must be identical for proper connectivity.
The following example is the contents of the /etc/racoon/racoon.conf configuration file for the IPsec connection. Note that the include line at the bottom of the file is automatically generated and only appears if the IPsec tunnel is running.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
	pfs_group 2;
	lifetime time 1 hour ;
	encryption_algorithm 3des, blowfish 448, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf"
The following is the specific configuration for the connection to the remote network. The file is named X.X.X.X.conf (replace X.X.X.X with the IP address of the remote IPsec router). Note that this file is automatically generated once the IPsec tunnel is activated and should not be edited directly.
;
remote X.X.X.X
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
Prior to starting the IPsec connection, IP forwarding should be enabled in the kernel. As root at a shell prompt, enable IP forwarding:
  1. Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
  2. Execute the following command to enable the change:
    sysctl -p /etc/sysctl.conf
To start the IPsec connection, either reboot the IPsec routers or execute the following command as root on each router:
/sbin/ifup ipsec0
The connections are activated, and both LAN A and B are able to communicate with each other. The routes are created automatically via the initialization script called by running ifup on the IPsec connection. To show a list of routes for the network, run the following command:
/sbin/ip route list
To test the IPsec connection, run the tcpdump utility on the externally-routable device (eth0 in this example) to view the network packets being transfered between the hosts (or networks) and verify that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, type the following:
 tcpdump -n -i eth0 host lana.example.com
The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example (back slashes denote a continuation of one line):
12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \
	  lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \
	  (ipip-proto-4)
 


转载请标明出处【Centos/RHEL 配置ipsec 点到点与站到站VPN连接】。

《www.92cto.com》 虚拟化云计算,系统运维,安全技术服务.

网站已经关闭评论