
VPN IPSEC with Linux using OpenSwan

Submitted by drw on
VPN IPSEC
On one occasion we needed to establish a VPN connection. The first idea was OpenVPN, but it is not based on IPsec, so I decided to google a little more and found OpenSwan. The connection we needed had to be established with a CISCO device (Check Point R77.30), and I had no other choice but to test it to find out whether it could be an option with free software.
As sometimes happens, the other side, which uses CISCO, gave us the connection parameters, so we had to use them.
 
 
Phase 1
  • Encryption Scheme defined: IKEv1
  • Encryption Algorithm IKE: 3DES
  • Hashing Algorithm IKE: SHA-1
  • Support Diffie-Hellman groups for IKE SA: Group 2
  • Renegotiate IKE SA every: 1440 min
Phase 2
  • Encryption Schemes defined: IPSEC
  • Encryption Algorithm: 3DES
  • Hashing Algorithm IPSEC: SHA-1
  • Hashing Algorithm IPSEC: none
  • Aggressive Mode Support: none
  • Renegotiate IPSEC SA every: 3600 s
  • Use Perfect Forward Secrecy: No PFS

Installing the package and preparing the scenario

The first step was to install OpenSwan:
apt-get install openswan
Disable ICMP redirects on every interface with these commands:
 
for vpn in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $vpn/accept_redirects
    echo 0 > $vpn/send_redirects
done
 
Then modify the kernel parameters to allow IP forwarding and to keep redirects disabled permanently.
 
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Reload /etc/sysctl.conf:
sysctl -p
We must allow the necessary ports in the firewall.
Please make sure these rules do not conflict with other rules already present in the firewall.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
Finally, we create the NAT rule in our firewall:
iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP
Please make sure these rules are made persistent in your firewall.
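A small preflight helper for the steps above, added here as an example and not part of the original post: it prints the iptables rules for one tunnel and checks that the three sysctl settings are present in a sysctl.conf-style file. Besides the IKE ports (UDP 500 and UDP 4500 for NAT-T) it also allows ESP (IP protocol 50), which carries the tunnel traffic itself when there is no NAT between the peers and which the rules above do not open. The subnets, the sample file and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a preflight helper for an
# OpenSwan gateway. It prints the iptables rules for one tunnel and checks that
# the three sysctl settings from the post are present in a file.
# Subnets, sample file and function names are constructed placeholders.

# Print the iptables commands for a site-to-site tunnel (run them as root).
# $1 = this gateway's public IP, $2 = local private subnet, $3 = remote private subnet
# ESP (IP protocol 50) is needed for the tunnel traffic when no NAT is in the path;
# with NAT-T the traffic travels inside UDP 4500 instead.
ipsec_firewall_rules() {
    pub_ip="$1"; local_net="$2"; remote_net="$3"
    cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -t nat -A POSTROUTING -s ${local_net} -d ${remote_net} -j SNAT --to ${pub_ip}
EOF
}

# Check that the three sysctl keys from the post are set in a sysctl.conf-style file.
# Prints each key that is missing or wrong; returns 0 only when all three are correct.
check_sysctl() {
    file="$1"; missing=0
    for want in "net.ipv4.ip_forward=1" \
                "net.ipv4.conf.all.accept_redirects=0" \
                "net.ipv4.conf.all.send_redirects=0"; do
        key="${want%%=*}"; val="${want#*=}"
        # accept both "key = value" and "key=value"; the last occurrence wins, as in sysctl
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
        if [ "$got" != "$val" ]; then
            echo "sysctl: $key should be $val (found '${got:-unset}')"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample of /etc/sysctl.conf so the script runs stand-alone.
SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SYSCTL" <<'EOF'
# constructed sample, not a real host's file
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

# Usage: print the rules for constructed subnets, then check the sample file.
ipsec_firewall_rules 190.219.19.230 192.168.1.0/24 210.16.96.0/24
if check_sysctl "$SAMPLE_SYSCTL"; then echo "sysctl: all three settings present"; fi
```

On a real host, point check_sysctl at /etc/sysctl.conf after editing it, and pipe the output of ipsec_firewall_rules into sh as root (or into whatever tool you use to persist rules).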

Preparing the configuration files

Once the OpenSwan package is installed, we make some changes in the configuration file /etc/ipsec.conf.
We will focus on the section that creates the connections.
 
conn myvpn
        authby=secret
        auto=start
        ## -------------------- phase 1 --------------------------- ##
        ike=3des-sha1
        keyexchange=ike
        ikelifetime=1800s
        ikev2=no
        ##--------------------- phase 2 --------------------------- ##
        phase2=esp
        #phase2alg=3des-md5
        phase2alg=3des-sha1
        compress=no
        #pfs=yes
        pfs=no
        type=tunnel
        keylife=3600s
        left=190.219.19.230
        leftid=190.219.19.230
        leftsourceip=190.219.19.230
        leftsubnet=192.168.1.14/32 # connecting a single host only
        leftnexthop=%defaultroute
        right=210.16.96.2
        rightid=210.16.96.2
        rightsubnet=210.16.96.2/32
Next we need to modify the /etc/ipsec.secrets file, writing there the key shared with the other side of the connection:
190.219.19.230 172.2526.1: PSK "MiClaveSecreta"
Finally, restart the service with /etc/init.d/ipsec restart so that the new configuration in the ipsec.conf and ipsec.secrets files takes effect.
After doing that, we received a success message.
 
Set up the ipsec.secrets file with the PSK and the addresses of each end. In some cases the problem establishing phase 2 is that the right-side IP in the ipsec.secrets file is different; this can be verified by checking the file /var/log/pluto.log.
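The mismatch just described (the addresses in the ipsec.secrets PSK line not being the left/right addresses of the conn block) can be caught before restarting the service. The following check is an added example, not code from the original post: it pulls left= and right= out of a conn block and looks for a PSK line in the secrets file that names both addresses. The sample files, the placeholder key and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check that the left/right
# addresses of a conn block in ipsec.conf have a matching PSK line in ipsec.secrets,
# the mismatch the post names as a common cause of phase 2 failures.
# The sample files below are constructed so the script runs stand-alone.

# Print the value of one parameter from one conn block.
# $1 = ipsec.conf path, $2 = conn name, $3 = parameter name (e.g. left, right)
conn_param() {
    awk -v conn="$2" -v key="$3" '
        /^conn /                         { inconn = ($2 == conn) }
        inconn && $0 ~ "^[ \t]*" key "=" { sub(/^[ \t]*[a-z]+=/, "")   # drop "key="
                                           sub(/[ \t#].*/, "")          # drop trailing comment
                                           print; exit }
    ' "$1"
}

# Return 0 when a PSK line lists both the left and the right address of the conn.
# $1 = ipsec.conf path, $2 = ipsec.secrets path, $3 = conn name
secrets_match() {
    conf="$1"; secrets="$2"; conn="$3"
    left=$(conn_param "$conf" "$conn" left)
    right=$(conn_param "$conf" "$conn" right)
    # an ipsec.secrets PSK line looks like:  <left> <right>: PSK "..."
    if awk -v l="$left" -v r="$right" '
        /PSK/ { line = $0; sub(/:.*/, "", line)        # keep only the ids before the colon
                n = split(line, ids, "[ \t]+")
                hasl = 0; hasr = 0
                for (i = 1; i <= n; i++) { if (ids[i] == l) hasl = 1; if (ids[i] == r) hasr = 1 }
                if (hasl && hasr) found = 1 }
        END { exit found ? 0 : 1 }' "$secrets"; then
        echo "ok: PSK entry found for $left <-> $right"
    else
        echo "mismatch: no PSK line in $secrets lists both $left and $right"
        return 1
    fi
}

# Constructed sample files (addresses taken from the conn block above, key is a placeholder).
SAMPLE_CONF=$(mktemp); SAMPLE_SECRETS=$(mktemp); WRONG_SECRETS=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
conn myvpn
        authby=secret
        left=190.219.19.230
        leftid=190.219.19.230
        right=210.16.96.2
        rightsubnet=210.16.96.2/32
EOF
printf '190.219.19.230 210.16.96.2: PSK "constructed-placeholder-key"\n' > "$SAMPLE_SECRETS"
# Right-side address that does not match the conn block (constructed).
printf '190.219.19.230 192.0.2.99: PSK "constructed-placeholder-key"\n' > "$WRONG_SECRETS"

# Usage: the first call passes, the second reports the mismatch.
secrets_match "$SAMPLE_CONF" "$SAMPLE_SECRETS" myvpn
secrets_match "$SAMPLE_CONF" "$WRONG_SECRETS" myvpn || echo "fix ipsec.secrets before restarting"
```

On a real gateway run secrets_match /etc/ipsec.conf /etc/ipsec.secrets myvpn as root, since ipsec.secrets is normally readable only by root.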

Useful commands

  • ipsec auto --status
  • ipsec verify
 
To enable NAT-T, set the option nat_traversal=yes in the config setup section of the ipsec.conf configuration file.
 
Note that once the tunnel is brought up it should be checked with service ipsec status, which will show that the tunnel is UP.
We can also verify that both phases have completed with the command ipsec auto --status,
where we will see two specific lines:
#2: "myvpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2355s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "myvpn":500 STATE_MAIN_I4 (ISAKMP SA established); none in -1s; newest ISAKMP; nodpd; idle; import:admin initiate
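Checking for those two lines by hand works for one tunnel; the following helper, added here as an example and not part of the original post, reads saved output of ipsec auto --status and reports whether phase 1 (STATE_MAIN_I4, or STATE_MAIN_R3 on the responding side) and phase 2 (STATE_QUICK_I2, or STATE_QUICK_R2 on the responding side) are established for one connection, and how long until the IPsec SA is rekeyed. The sample output is constructed from the two lines above plus one "still negotiating" line; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: read saved output of
# "ipsec auto --status" and report whether IKE phase 1 and phase 2 are
# established for one connection. The sample output below is constructed.

# $1 = file holding the status output, $2 = connection name
# Prints "phase1=<state> phase2=<state>"; returns 0 only when both SAs are established.
tunnel_state() {
    file="$1"; conn="$2"
    # pluto uses *_I* state names on the initiating side and *_R* on the responding side
    if grep -E -q "\"${conn}\".*STATE_MAIN_(I4|R3) \(ISAKMP SA established\)" "$file"; then
        p1=established
    else
        p1=missing
    fi
    if grep -E -q "\"${conn}\".*STATE_QUICK_(I2|R2) \(.*IPsec SA established\)" "$file"; then
        p2=established
    else
        p2=missing
    fi
    echo "phase1=$p1 phase2=$p2"
    [ "$p1" = established ] && [ "$p2" = established ]
}

# Seconds until the newest IPsec SA is replaced (rekeyed), taken from the phase 2 line.
# $1 = file holding the status output, $2 = connection name
sa_replace_seconds() {
    sed -n "s/.*\"$2\".*STATE_QUICK_[IR]2.*EVENT_SA_REPLACE in \([0-9]*\)s.*/\1/p" "$1" | tail -n 1
}

# Constructed samples: a tunnel with both phases up, and one still in phase 1.
STATUS_UP=$(mktemp); STATUS_DOWN=$(mktemp)
cat > "$STATUS_UP" <<'EOF'
000 #2: "myvpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2355s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "myvpn":500 STATE_MAIN_I4 (ISAKMP SA established); none in -1s; newest ISAKMP; nodpd; idle; import:admin initiate
EOF
cat > "$STATUS_DOWN" <<'EOF'
000 #1: "myvpn":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 10s; nodpd; idle; import:admin initiate
EOF

# Usage: on a live gateway replace the sample file with: ipsec auto --status > /tmp/status.txt
tunnel_state "$STATUS_UP" myvpn && echo "rekey in $(sa_replace_seconds "$STATUS_UP" myvpn)s"
tunnel_state "$STATUS_DOWN" myvpn || echo "tunnel not up yet: check /var/log/pluto.log"
```

The return code makes the helper usable from a monitoring check: a non-zero exit means at least one phase is not established, and the printed line says which.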
 
I hope this post is useful for establishing a VPN connection.
 