Milton-vpn-openswan
From Open Source@Seneca
The intention of this document is to guide you step by step through installing Openswan on Fedora Core 10.
Hardware
Toshiba laptop, Core 2 Duo with 4 GB of DDR2-667.
Operating System
Fedora Core 10 x64
- Default configurations
- Updated
Installation Process
To install Openswan on both computers, follow the steps below:
Packages to Install
- openswan
- ipsec-tools
- curl
#yum -y install openswan ipsec-tools curl
Generate the keys
To generate the keys, type the command:
#ipsec newhostkey --output /etc/ipsec.d/keys.secrets --bits 2048 --hostname play2.milton.ca
Remember to do the same procedure on both computers with their own information.
After that, edit the key file, copy the public key part and paste it into /etc/ipsec.conf (as leftrsasigkey). Then go to computer B, take its public key and paste it into the same configuration file (as rightrsasigkey).
- Both computers must have the same configuration file
/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	protostack=netkey
	# Debug-logging controls: "none" for none, "all" for lots.
	klipsdebug=all
	#plutodebug="control parsing"
	plutodebug=all
	# Certificate Revocation List handling
	#crlcheckinterval=600
	#strictcrlpolicy=yes
	# Change rp_filter setting, default = 0 (switch off)
	#rp_filter=%unchanged
	# Switch on NAT-Traversal (if patch is installed)
	nat_traversal=no
	uniqueids=yes
	interfaces="ipsec0=eth0" # interface that connects the computers

# VPN connections
conn play2
	type=tunnel
	# Left security gateway, subnet behind it, next hop toward right.
	left=200.199.1.1 # output ip of computer A
	leftsubnet=192.168.0.0/24 # subnet of computer A
	# RSA 2048 bits
	leftrsasigkey=0sAQNj2pqKQARhlLkYakKhMJ0ovBacqR+6xh//2Bw2LFgbOzl+wE5JOlFMVdD8Q+hWnyuULTl9c8O5fkrBcdDGWggF
	leftnexthop=200.199.1.1 # gateway of computer A
	leftsourceip=192.168.0.1 # internal ip of computer A
	rightnexthop=200.199.1.2 # gateway of computer B
	# Right security gateway, subnet behind it, next hop toward left.
	right=200.199.1.2 # output ip of computer B
	rightsubnet=172.16.1.0/24 # subnet of computer B
	rightsourceip=172.16.1.1 # internal ip of computer B
	# RSA 2048 bits
	rightrsasigkey=0sAQOJBXgYPyV3nJ4vxExcYfQd6PfWsVA6ubzZSUDYKsp/TGyvDRcDD43FwmPqKAD+0SAOc/g8b1QdWPY5gB0SoMdB
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	authby=rsasig
	auto=add # former argument = start

include /etc/ipsec.d/*.conf
Configuring Additional Steps on the OS
Create the following shell script in the folder /etc/rc.d/ and name it vpn.sh
/etc/rc.d/vpn.sh
#!/bin/bash
# enable IPv4 forwarding so the gateway routes traffic between the two subnets
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable sending and accepting ICMP redirects on every interface
# (ipsec verify checks these settings)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
Add a line in /etc/rc.d/rc.local
/etc/rc.d/vpn.sh
- Make the script executable: #chmod +x /etc/rc.d/vpn.sh
Initializing openswan
#service ipsec start
Verifying the Status
#service ipsec status
or
#ipsec verify
Activate the service at boot time
#chkconfig --level 3 ipsec on
The configuration file of Openswan is /etc/ipsec.conf (shown above).
Final Steps
Connectivity Test
From computer A, try to ping computer B
If the ping succeeds, your VPN is working fine.
Now let's stop the VPN
# service ipsec stop
From computer A, try to ping computer B again.
At this point you should not be able to ping computer B.
Then start ipsec again and try pinging from both computers.
To make sure everything is working properly, reboot the computer and repeat all tests.
You can use the tcpdump tool to capture some traffic on the external interface, just to make sure the traffic is really encrypted.
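As an added example (not from the original page), here is a small shell check for that capture: it assumes the addresses from the ipsec.conf above, that the capture was taken on computer A with tcpdump -n -i eth0, and the sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: check a tcpdump capture
# taken on computer A's external interface (eth0) during the ping test.
# Expected: every packet between the gateways 200.199.1.1 and 200.199.1.2 is
# ESP, and the private addresses 192.168.0.x / 172.16.1.x never appear in the
# clear. The capture is assumed to come from:  tcpdump -n -i eth0
# The sample lines below are constructed for the demonstration.

# check_capture: reads tcpdump lines on stdin, prints "esp=N leaked=M",
# returns 0 only when ESP was seen and nothing leaked in plaintext.
check_capture() {
    awk '
        / ESP\(/ { esp++; next }
        /192\.168\.0\.[0-9]+|172\.16\.1\.[0-9]+/ {
            leak++
            print "PLAINTEXT: " $0 > "/dev/stderr"
        }
        END {
            printf "esp=%d leaked=%d\n", esp, leak
            if (esp > 0 && leak == 0) exit 0
            exit 1
        }'
}

# Constructed capture: tunnel up, the pings travel wrapped in ESP.
good_capture() {
    cat <<'EOF'
10:15:01.000001 IP 200.199.1.1 > 200.199.1.2: ESP(spi=0x8a1b2c3d,seq=0x1), length 132
10:15:01.000450 IP 200.199.1.2 > 200.199.1.1: ESP(spi=0x4d3c2b1a,seq=0x1), length 132
EOF
}

# Constructed capture: inner addresses on the wire, i.e. the traffic bypassed
# the tunnel (for example ipsec stopped while a plain route still existed).
leaky_capture() {
    cat <<'EOF'
10:17:01.000001 IP 192.168.0.1 > 172.16.1.1: ICMP echo request, id 4112, seq 1, length 64
10:17:01.000450 IP 172.16.1.1 > 192.168.0.1: ICMP echo reply, id 4112, seq 1, length 64
EOF
}

# Demonstration: the first capture passes, the second is flagged.
good_capture  | check_capture && echo "OK: traffic is encrypted"
leaky_capture | check_capture || echo "FAIL: plaintext traffic on eth0"
```

On a real host replace the constructed captures with the saved tcpdump output, for example: tcpdump -n -i eth0 > /tmp/cap.txt, then check_capture < /tmp/cap.txt.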
Logs
The logs for Openswan can be found at:
/var/log/secure
and
/var/log/messages
