
Talk:Winter 2009 NAD810 Weekly Schedule

VPN/IPSec for Dumpling (In Progress)

Configuration - Left

= First, install openswan and the ipsec-tools
yum -y install openswan ipsec-tools

= Then run the script 'ip_sec.sh' shown below

----------------------------------------------

[root@NesEeeF10 ~]# cat ip_sec.sh 
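#!/usr/bin/env bash
# ip_sec.sh -- prepare the "left" host for the openswan tunnel described above.
#
# Run as root: it writes to /proc/sys, restarts the network service, sets the
# external address and adds a NAT rule. Each run appends another copy of the
# iptables rule (-A), so run it once per boot rather than repeatedly.
set -eu

# Values used by this example; adjust them to your own setup.
# The external address is a placeholder, as the page says.
ext_if=eth0
ext_addr=222.222.222.222/24
left_subnet=192.168.110.0/24
right_subnet=192.168.102.0/24

# "ipsec verify" complains when ICMP redirects are accepted or sent; turn
# both off on every interface (the glob also matches "all" and "default").
for f in /proc/sys/net/ipv4/conf/*/accept_redirects \
         /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$f"
done

# Reload the network configuration so the newly edited interface files
# take effect.
service network restart

# Assign the external (tunnel endpoint) address.
ifconfig "$ext_if" "$ext_addr"

# Masquerade LAN traffic leaving through the external interface, EXCEPT
# traffic for the remote subnet: that traffic must keep its original source
# address so that it matches the IPsec policy (leftsubnet <-> rightsubnet)
# instead of being rewritten before the tunnel sees it.
# "! -d" is the negation form current iptables accepts; the older
# "-d ! addr" spelling is deprecated and rejected by newer versions.
iptables -t nat -A POSTROUTING -o "$ext_if" -s "$left_subnet" \
  ! -d "$right_subnet" -j MASQUERADE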

----------------------------------------------

= now, generate the key; this may take a while if you're generating it from your VM
ipsec rsasigkey --verbose 2048 > /etc/ipsec.d/neseeef10.secrets

= make sure that the secrets file is in a valid format; it has to look like this

@llll.lll: rsa {			# llll.lll should be your left side's host name
	Modulus:
		...
		...
	}				# and end with this at the end of the file


= now, filter the key for the left side
ipsec showhostkey --left 
= copy the entry from the output and use it in /etc/ipsec.conf as the 'leftrsasigkey=' entry

= do the same for the right side
ipsec showhostkey --right
= copy the entry from the output and use it in /etc/ipsec.conf as the 'rightrsasigkey=' entry

= follow the ipsec.conf sample below to make your own conf file

= now, restart ipsec
service ipsec restart

= check that ipsec is really running
service ipsec status
netstat -anu | grep 500

Captures and Sample Files

========================================================
		CAPTURES AND SAMPLE FILES
========================================================

[root@NesEeeF10 ~]# netstat -anu | grep 500
udp        0      0 127.0.0.1:500               0.0.0.0:*                               
udp        0      0 222.222.222.222:500         0.0.0.0:*                               
udp        0      0 10.0.2.5:500                0.0.0.0:*                               
udp        0      0 192.168.110.1:500           0.0.0.0:*                               
udp        0      0 ::1:500                     :::*    

============================

[root@NesEeeF10 ~]# cat /etc/ipsec.d/neseeef10.secrets 
	# RSA 2048 bits   NesEeeF10   Sun Apr 12 13:54:58 2009
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop

@NesEeeF10: rsa {
	Modulus: 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
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 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
	Prime1: 0xff7a59f35caf611e9881fc332653c859943a5c91bc04abe8cfcf50529aee10a4f72013df040bb9cb724b0b2d539fd8b667b3dd0f5162855b9cd1f05c96e85bebb2ec3bfe7454730ed79cf52c74d5d98aad92319d16e206e5f53b7208a29f43cc228741455595bbd94474ab970fd94b42045a6d3627533dce2135466b28848dd9
	Prime2: 0xb9d23fb6ff668d528119a88b32addca0ff08b44473976936dd96f5aec3e57e45613e0352358dc79ade47794f361aaa0af6cb3690a01e47a19285f61ce533c8563e5135cf4d399b5f5356a95ae644b851823815c380ea7185d78fe0ab230532705ef6daa9f4df15ea9f2f4d19a0663a033b914595a07aeaa8f404e21b00f04cd1
	Exponent1: 0xaa51914ce874eb69bb0152ccc437dae662d1930bd2adc7f08a8a358c6749606dfa156294ad5d2687a1875cc8e26a90799a77e8b4e0ec58e7bde14ae8649ae7f2774827fef8384cb48fbdf8c84de3e65c73b6cbbe0f4159eea37cf6b06c6a2d32c1af80d8e3b927e62da31d0f5fe6322c02e6f3796f8cd3dec0ce2ef21b03093b
	Exponent2: 0x7be17fcf54ef08e1ab66705ccc73e86b54b0782da264f0cf3e64a3c9d7ee542e40d40236ce5e8511e984fb8a2411c6b1f9dccf0b1569851661aea4134377dae4298b7934de266794e239c63c9983258bac2563d7ab46f6593a5feb1cc20376f594a491c6a33f63f1bf74de1115997c0227b62e63c051f1c5f803416755f5888b
	Coefficient: 0xb3df512616fea4066574a461ca25a88cc2ebb84846fd36f4d700f882dabc830768e1ef0e15479433cbbe0d9f58e941c11f99e256028449e4cbd5107b75f9e503c8559e486896702f99276469a319007db223c317f731d3f2edf586e0a229f1a78c0aa5c20d538714ce11ae4485f4554181c4770ef222512213f216991761c225
	}

================================

[root@NesEeeF10 ~]# cat /etc/ipsec.conf
# basic configuration
# NOTE(review): the secrets file listed on this page includes the private RSA
# components (the file itself marks everything after PublicExponent as secret).
# Treat a key that has been pasted anywhere public as compromised and
# regenerate it with "ipsec rsasigkey" before real use.
config setup
        # bind the ipsec0 virtual interface to eth0, the external interface
        # that ip_sec.sh configures
        interfaces="ipsec0=eth0"
        # full debug logging for KLIPS and pluto: useful while bringing the
        # tunnel up, noisy and log-filling afterwards -- disable once it works
        klipsdebug=all
        plutodebug=all
#        plutoload=%search
#        plutostart=%search

# sample connection
conn nesvpn		# replace 'nesvpn' with your own connection name
        # left = this host; the address is the placeholder set by ip_sec.sh
        left=222.222.222.222
        leftsubnet=192.168.110.0/24
        leftnexthop=%defaultroute
        # output of "ipsec showhostkey --left" on this host
	leftrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
#	leftid=@__hostname.com

        # right = the peer; presumably a placeholder address like left's
        right=111.111.111.111
        rightsubnet=192.168.102.0/24
        rightnexthop=%defaultroute
        # NOTE(review): this sample uses the very same public key for right as
        # for left, so both ends would share one private key. Each peer should
        # have its own key pair: generate it on the right host and paste that
        # host's "ipsec showhostkey --right" output here.
	rightrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop

        # keyingtries=0 -- presumably "retry indefinitely" (openswan
        # convention); confirm against the ipsec.conf(5) man page of your version
        keyingtries=0
#        auth=ah
        # bring the tunnel up when the ipsec service starts; the commented
        # auto=add alternative would only load the connection without
        # initiating it -- verify against your version's man page
        auto=start
#	auto=add

=================================

Configuration - Right

Copy exactly the same configuration file from the left side, and make sure all characters look the same, especially the key. Start up the VPN and try to connect. You should be connected in no time.
