Configuration - Left
= First, install openswan and the ipsec-tools
yum -y intsall openswan ipsec-tools
= then run the script 'ip_sec.sh' below
----------------------------------------------
[root@NesEeeF10 ~]# cat ip_sec.sh
#ip_sec.sh
#
# fix forward error in ipsec verify
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
#
# make sure network have the newly edited file
service network restart
#
# assign the external address, of course, it's fake in this case
ifconfig eth0 222.222.222.222/24
#
# run the firewall also script if you need
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.110.0/24 -d \! 192.168.102.0/24 -j MASQUERADE
----------------------------------------------
= now, generaate the key, this may take a while, if you're genenerating from ur VM
ipsec rsasigkey --verbose 2048 > /etc/ipsec.d/neseeef10.secrets
= make sure that secrets key is in value format, it has to be in this format
@llll.lll: rsa { # llll.lll should be you left side's host name
Modulus:
...
...
} # and end with this at the end of the file
= now, filter the key for left side
ipsec showhostkey --left
= copy the entry of the out put and use it in /etc/ipsec.conf, 'leftrsasigkey=' entry
= do the same for right side,
ipsec showhostkey --right
= copy the entry of the out put and use it in /etc/ipsec.conf, 'rightrsasigkey=' entry
= follow the ipsec.conf sample below to make ur own conf file
= now, restart ipsec,
service ipsec restart
= check if ipsec is really running
service ipsec status
netstat -anu | grep 500
Captures aNd Sample Files
========================================================
CAPTURES AND SAMPLE FILES
========================================================
[root@NesEeeF10 ~]# netstat -anu | grep 500
udp 0 0 127.0.0.1:500 0.0.0.0:*
udp 0 0 222.222.222.222:500 0.0.0.0:*
udp 0 0 10.0.2.5:500 0.0.0.0:*
udp 0 0 192.168.110.1:500 0.0.0.0:*
udp 0 0 ::1:500 :::*
============================
[root@NesEeeF10 ~]# cat /etc/ipsec.d/neseeef10.secrets
# RSA 2048 bits NesEeeF10 Sun Apr 12 13:54:58 2009
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
@NesEeeF10: rsa {
Modulus: 0xb9713cf4639cd341cec05942566973924836f169cd2d8fb17502a799309f82aef652669b8baf36b3769564b81fb40e76505520a022510ac0a9e5a610bb0f0401bd6a578ac87db23a79fade8547c09c6ee6d6675d74610292af5dcb4978780b533603ae7d53f6a7e5a8afe80f956eef965bec2afe20d94d44236e2547d51d5e8a1487918bb50c7c664ca2a55c28eaecd704f30b71e67eef1de5309d473aeb2d4c87227daee911f5707f311ac2ff27600b27a524852e795e95db5d02764d8d56097358ecc9251238ad4b124975cdfb0c5f4a409c712abf6fdcd1838c72ceb162b71deea278883d14e95e770943b631b13b8a3e426a81b139d64874d1ab69c43a29
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x07ba0d34d97bde22bdf2ae62c399ba2618579f64688c90a764e01c510cb1501c9f98c4467b274cf224f0e43256a7809a4358e15c016e0b1d5c69919607cb4ad567e46e5073053cc26fbfc9458da806849ef399a3e4d9601b71f93dcdba5a55ce2240274538d4f1a991b1ff00a639f4a643d481ca96b3b88d8179ec38538be3f0592274feb90a45ea3775a006935462fe84bcaa71279ec915425318f83e80fbeec1f2d99a91fa5a2b17469b9844e48938686196098d350611072ae12a88ba0cbda56bcfca797ad717f6abf1c9ef74051acbc4ee36061f74fa0add0267f5b5df2fc684b045b7e858218fc8cb5b7594c1d4edc370a69d1420b94ccd1c618d58a3fb
Prime1: 0xff7a59f35caf611e9881fc332653c859943a5c91bc04abe8cfcf50529aee10a4f72013df040bb9cb724b0b2d539fd8b667b3dd0f5162855b9cd1f05c96e85bebb2ec3bfe7454730ed79cf52c74d5d98aad92319d16e206e5f53b7208a29f43cc228741455595bbd94474ab970fd94b42045a6d3627533dce2135466b28848dd9
Prime2: 0xb9d23fb6ff668d528119a88b32addca0ff08b44473976936dd96f5aec3e57e45613e0352358dc79ade47794f361aaa0af6cb3690a01e47a19285f61ce533c8563e5135cf4d399b5f5356a95ae644b851823815c380ea7185d78fe0ab230532705ef6daa9f4df15ea9f2f4d19a0663a033b914595a07aeaa8f404e21b00f04cd1
Exponent1: 0xaa51914ce874eb69bb0152ccc437dae662d1930bd2adc7f08a8a358c6749606dfa156294ad5d2687a1875cc8e26a90799a77e8b4e0ec58e7bde14ae8649ae7f2774827fef8384cb48fbdf8c84de3e65c73b6cbbe0f4159eea37cf6b06c6a2d32c1af80d8e3b927e62da31d0f5fe6322c02e6f3796f8cd3dec0ce2ef21b03093b
Exponent2: 0x7be17fcf54ef08e1ab66705ccc73e86b54b0782da264f0cf3e64a3c9d7ee542e40d40236ce5e8511e984fb8a2411c6b1f9dccf0b1569851661aea4134377dae4298b7934de266794e239c63c9983258bac2563d7ab46f6593a5feb1cc20376f594a491c6a33f63f1bf74de1115997c0227b62e63c051f1c5f803416755f5888b
Coefficient: 0xb3df512616fea4066574a461ca25a88cc2ebb84846fd36f4d700f882dabc830768e1ef0e15479433cbbe0d9f58e941c11f99e256028449e4cbd5107b75f9e503c8559e486896702f99276469a319007db223c317f731d3f2edf586e0a229f1a78c0aa5c20d538714ce11ae4485f4554181c4770ef222512213f216991761c225
}
================================
[root@NesEeeF10 ~]# cat /etc/ipsec.conf
# basic configuration
config setup
interfaces="ipsec0=eth0"
klipsdebug=all
plutodebug=all
# plutoload=%search
# plutostart=%search
# sample connection
conn nesvpn # replace 'nesvpn' to your connection name
left=222.222.222.222
leftsubnet=192.168.110.0/24
leftnexthop=%defaultroute
leftrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
# leftid=@__hostname.com
right=111.111.111.111
rightsubnet=192.168.102.0/24
rightnexthop=%defaultroute
rightrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
keyingtries=0
# auth=ah
auto=start
# auto=add
=================================
Configuration - Right
copy the exactly same configuration file from left. and Make sure all character look the same, especially the key. Start up VPN and try to connect. You should be connected in no time.