IPSEC tutorial on CentOS



Sohan Roh
June 10th, 2013, 00:28
IPSec in CentOS 5
This is how I implement a tunnel mode IPSec *** in Linux using CentOS 5. No additional
software is needed; just do a minimal install.

(PH) Network to (RO) Network IPsec Tunneled Diagram
===================================================
10.0.10.0/24                                              10.0.20.0/24
|                                                                    |
|  eth1          eth0                          eth0           eth1   |
|--------[GW-PH]--------------[Internet]--------------[GW-RO]--------|
|        \     /                                      \     /        |
|         \   /                                        \   /         |
LAN-PH     \ /                                          \ /     LAN-RO
 +------[IPSEC0]------+                       +------[IPSEC1]------+


Test Network Lab
================
GW-PH connected to ISP1

eth0: X.X.X.X
eth1: 10.0.10.254/24

GW-RO connected to ISP2

eth0: Y.Y.Y.Y
eth1: 10.0.20.254/24

Configuration GW-PH
===================

/etc/sysconfig/network-scripts/ifcfg-ipsec0
-------------------------------------------
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=10.0.10.254
DSTGW=10.0.20.254
SRCNET=10.0.10.0/24
DSTNET=10.0.20.0/24
DST=Y.Y.Y.Y

/etc/sysconfig/network-scripts/keys-ipsec0 <- (Pre-Shared Key File)
------------------------------------------
IKE_PSK=xM45t1m3

# chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0

Configuration GW-RO
===================

/etc/sysconfig/network-scripts/ifcfg-ipsec1
-------------------------------------------
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=10.0.20.254
DSTGW=10.0.10.254
SRCNET=10.0.20.0/24
DSTNET=10.0.10.0/24
DST=X.X.X.X

/etc/sysconfig/network-scripts/keys-ipsec1 <- (Pre-Shared Key File)
------------------------------------------
IKE_PSK=xM45t1m3

# chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1

Test IPsec connection
=====================

Ping test from 10.0.10.1 (LAN-PH) to 10.0.20.1 (LAN-RO)
=======================================================

# ping -c 5 10.0.20.1
PING 10.0.20.1 (10.0.20.1) 56(84) bytes of data.
64 bytes from 10.0.20.1: icmp_seq=1 ttl=62 time=323 ms
64 bytes from 10.0.20.1: icmp_seq=2 ttl=62 time=352 ms
64 bytes from 10.0.20.1: icmp_seq=3 ttl=62 time=303 ms
64 bytes from 10.0.20.1: icmp_seq=4 ttl=62 time=303 ms
64 bytes from 10.0.20.1: icmp_seq=5 ttl=62 time=287 ms

--- 10.0.20.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 287.301/314.007/352.577/22.485 ms

Ping test from 10.0.20.1 (LAN-RO) to 10.0.10.1 (LAN-PH)
=======================================================

# ping -c 5 10.0.10.1
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=62 time=280 ms
64 bytes from 10.0.10.1: icmp_seq=2 ttl=62 time=281 ms
64 bytes from 10.0.10.1: icmp_seq=3 ttl=62 time=301 ms
64 bytes from 10.0.10.1: icmp_seq=4 ttl=62 time=280 ms
64 bytes from 10.0.10.1: icmp_seq=5 ttl=62 time=301 ms

--- 10.0.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 280.531/289.254/301.588/10.074 ms

Tcpdump at GW-PH eth0 external interface
========================================

# tcpdump -ne -i eth0 | grep AH

20:01:34.220270 00:0f:ea:44:32:8f > 00:0c:30:12:69:ff, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x9e4): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x9e4), length 116 (ipip-proto-4)
20:01:34.519944 00:0c:30:12:69:ff > 00:0f:ea:44:32:8f, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x9e5): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x9e5), length 116 (ipip-proto-4)
20:01:34.520080 00:0f:ea:44:32:8f > 00:0c:30:12:69:ff, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x9e5): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x9e5), length 116 (ipip-proto-4)
20:01:34.529972 00:0c:30:12:69:ff > 00:0f:ea:44:32:8f, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x9e6): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x9e6), length 116 (ipip-proto-4)

Tcpdump at GW-RO eth0 external interface
========================================

# tcpdump -ne -i eth0 | grep AH

20:00:27.629763 00:14:85:73:95:1c > 00:18:b9:f4:97:ce, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x97d): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x97d), length 116 (ipip-proto-4)
20:00:27.633652 00:18:b9:f4:97:ce > 00:14:85:73:95:1c, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x97c): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x97c), length 116 (ipip-proto-4)
20:00:27.633777 00:14:85:73:95:1c > 00:18:b9:f4:97:ce, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x97e): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x97e), length 116 (ipip-proto-4)
20:00:27.908204 00:18:b9:f4:97:ce > 00:14:85:73:95:1c, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x97d): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x97d), length 116 (ipip-proto-4)
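The two gateway configurations above are mirror images (SRC and DST swapped, same ifcfg keys, same PSK in a mode-600 key file). As an added example, not code from the original post, the bash script below writes such an ifcfg-ipsecN / keys-ipsecN pair using exactly the fields the post uses, but with a randomly generated 256-bit PSK, and then runs the sanity checks a practitioner wants before bringing the tunnel up: key file mode 600, PSK length, SRCNET different from DSTNET, and a dotted-quad DST. The output directory, the function names, the 20-character PSK threshold and the TEST-NET peer addresses 198.51.100.20 / 203.0.113.10 are this example's own assumptions; the post's X.X.X.X / Y.Y.Y.Y placeholders are not filled in. Copy the generated files into /etc/sysconfig/network-scripts/ on each gateway.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build and sanity-check a
# CentOS 5 ifcfg-ipsecN / keys-ipsecN pair for one side of a PSK tunnel.
# Files are written under an output directory of your choice so the script
# can run anywhere; the peer addresses used in the demo are TEST-NET examples.
set -u

# gen_psk BYTES: print BYTES random bytes from /dev/urandom as lowercase hex.
# 32 bytes -> 64 hex characters -> a 256-bit PSK.
gen_psk() {
    local bytes="${1:-32}"
    od -An -N "$bytes" -tx1 /dev/urandom | tr -d ' \n'
}

# write_ipsec_cfg OUTDIR N SRCGW DSTGW SRCNET DSTNET DST PSK
# Writes OUTDIR/ifcfg-ipsecN (the same eight keys the post uses) and
# OUTDIR/keys-ipsecN (IKE_PSK=...), the latter created with mode 600 so the
# PSK is never world-readable, not even between creation and chmod.
write_ipsec_cfg() {
    local outdir="$1" n="$2" srcgw="$3" dstgw="$4"
    local srcnet="$5" dstnet="$6" dst="$7" psk="$8"
    mkdir -p "$outdir"
    cat >"$outdir/ifcfg-ipsec$n" <<EOF
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=$srcgw
DSTGW=$dstgw
SRCNET=$srcnet
DSTNET=$dstnet
DST=$dst
EOF
    ( umask 077; printf 'IKE_PSK=%s\n' "$psk" >"$outdir/keys-ipsec$n" )
    chmod 600 "$outdir/keys-ipsec$n"
}

# check_ipsec_cfg OUTDIR N: pre-ifup checks. Prints each failure, returns 0
# only when every check passes.
check_ipsec_cfg() {
    local outdir="$1" n="$2" rc=0
    local cfg="$outdir/ifcfg-ipsec$n" keys="$outdir/keys-ipsec$n"
    [ -f "$cfg" ]  || { echo "missing $cfg"; return 1; }
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }

    # 1. The key file must be 0600 (GNU stat, with a BSD stat fallback).
    local mode
    mode=$(stat -c '%a' "$keys" 2>/dev/null || stat -f '%Lp' "$keys")
    [ "$mode" = "600" ] || { echo "$keys has mode $mode, want 600"; rc=1; }

    # 2. PSK length. IKEv1 PSK authentication leaks a hash of the PSK to a
    #    passive observer in aggressive mode, so a short PSK can be brute
    #    forced offline. The 20-character minimum is this example's choice.
    local psk
    psk=$(sed -n 's/^IKE_PSK=//p' "$keys")
    [ "${#psk}" -ge 20 ] || { echo "PSK too short (${#psk} chars, want >= 20)"; rc=1; }

    # 3. SRCNET and DSTNET must differ, or the policy selects its own traffic.
    local srcnet dstnet
    srcnet=$(sed -n 's/^SRCNET=//p' "$cfg")
    dstnet=$(sed -n 's/^DSTNET=//p' "$cfg")
    [ -n "$srcnet" ] && [ "$srcnet" != "$dstnet" ] \
        || { echo "SRCNET ($srcnet) must differ from DSTNET ($dstnet)"; rc=1; }

    # 4. DST must be a real dotted-quad peer, not a placeholder like Y.Y.Y.Y.
    local dst
    dst=$(sed -n 's/^DST=//p' "$cfg")
    printf '%s' "$dst" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "DST ($dst) is not an IPv4 address"; rc=1; }
    return $rc
}

# demo: write both gateways' files into a scratch directory with one shared
# PSK (GW-PH as ipsec0, GW-RO as ipsec1, addresses as in the post) and check them.
demo() {
    local out psk
    out=$(mktemp -d)
    psk=$(gen_psk 32)
    write_ipsec_cfg "$out" 0 10.0.10.254 10.0.20.254 10.0.10.0/24 10.0.20.0/24 198.51.100.20 "$psk"
    write_ipsec_cfg "$out" 1 10.0.20.254 10.0.10.254 10.0.20.0/24 10.0.10.0/24 203.0.113.10  "$psk"
    check_ipsec_cfg "$out" 0 && check_ipsec_cfg "$out" 1 && echo "both sides OK in $out"
}

case "${1:-}" in demo) demo ;; esac
```

Run with the argument `demo` to produce both sides in a scratch directory. Fed the post's own `IKE_PSK=xM45t1m3`, the check reports the PSK as too short: eight characters is within reach of an offline dictionary attack on a captured IKEv1 PSK exchange, so the one value worth changing before copying the post's configuration is the key. The post's tcpdump filtered on AH to show the protected packets; the complementary check on eth0 is to exclude AH, ESP and IKE (UDP 500) and confirm that no LAN-to-LAN traffic is left in the clear.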