=VPN/IPSec for Dumpling=
== Tut(incompleted)==
<pre>
= First, install openswan and the ipsec-tools
yum -y install openswan ipsec-tools
= then run the script 'ip_sec.sh' below
----------------------------------------------
[root@NesEeeF10 ~]# cat ip_sec.sh
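#!/bin/bash
#ip_sec.sh
#
# Host-side preparation for the openswan tunnel: clear the redirect
# warnings that `ipsec verify` reports, bring up the external address and
# add the NAT rule. Run as root (it writes to /proc/sys and changes iptables).
#
# Turn off ICMP redirect acceptance and sending on every interface;
# `ipsec verify` flags these as errors while they are enabled.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
#
# Restart networking so the newly edited interface files take effect.
service network restart
#
# Assign the external address; 222.222.222.222 is a placeholder in this write-up.
ifconfig eth0 222.222.222.222/24
#
# NAT the left subnet out of eth0, except for traffic bound for the right
# subnet, which must enter the tunnel un-NATed. `! -d` is the current
# negation syntax; the older `-d ! ...` form is deprecated.
# Note: -A appends a fresh copy of the rule every run, so flush or check
# the nat table before re-running this script.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.110.0/24 ! -d 192.168.102.0/24 -j MASQUERADE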
----------------------------------------------
= now, generate the key; this may take a while if you're generating it inside a VM
ipsec rsasigkey --verbose 2048 > /etc/ipsec.d/neseeef10.secrets
= make sure the secrets file is in a valid format; it has to look like this (it contains the private key, so keep it readable by root only)
@llll.lll: rsa { # llll.lll should be your left side's host name
Modulus:
...
...
} # and end with this at the end of the file
= now, filter the key for left side
ipsec showhostkey --left
= copy the key from the output into the 'leftrsasigkey=' entry of /etc/ipsec.conf
= do the same on the right-side host, since 'rightrsasigkey=' must hold the peer's public key (the sample below repeats the same key on both sides, which is only meaningful when both ends are the same host),
ipsec showhostkey --right
= copy the key from the peer's output into the 'rightrsasigkey=' entry of /etc/ipsec.conf
= follow the ipsec.conf sample below to make your own conf file
= now, restart ipsec,
service ipsec restart
= check if ipsec is really running
service ipsec status
netstat -anu | grep 500
</pre>
==CAPTURES AND SAMPLES FILES==
<pre>
========================================================
CAPTURES AND SAMPLES FILES
========================================================
[root@NesEeeF10 ~]# netstat -anu | grep 500
udp 0 0 127.0.0.1:500 0.0.0.0:*
udp 0 0 222.222.222.222:500 0.0.0.0:*
udp 0 0 10.0.2.5:500 0.0.0.0:*
udp 0 0 192.168.110.1:500 0.0.0.0:*
udp 0 0 ::1:500 :::*
============================
[root@NesEeeF10 ~]# cat /etc/ipsec.d/neseeef10.secrets
# RSA 2048 bits NesEeeF10 Sun Apr 12 13:54:58 2009
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
@NesEeeF10: rsa {
Modulus: 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
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x07ba0d34d97bde22bdf2ae62c399ba2618579f64688c90a764e01c510cb1501c9f98c4467b274cf224f0e43256a7809a4358e15c016e0b1d5c69919607cb4ad567e46e5073053cc26fbfc9458da806849ef399a3e4d9601b71f93dcdba5a55ce2240274538d4f1a991b1ff00a639f4a643d481ca96b3b88d8179ec38538be3f0592274feb90a45ea3775a006935462fe84bcaa71279ec915425318f83e80fbeec1f2d99a91fa5a2b17469b9844e48938686196098d350611072ae12a88ba0cbda56bcfca797ad717f6abf1c9ef74051acbc4ee36061f74fa0add0267f5b5df2fc684b045b7e858218fc8cb5b7594c1d4edc370a69d1420b94ccd1c618d58a3fb
Prime1: 0xff7a59f35caf611e9881fc332653c859943a5c91bc04abe8cfcf50529aee10a4f72013df040bb9cb724b0b2d539fd8b667b3dd0f5162855b9cd1f05c96e85bebb2ec3bfe7454730ed79cf52c74d5d98aad92319d16e206e5f53b7208a29f43cc228741455595bbd94474ab970fd94b42045a6d3627533dce2135466b28848dd9
Prime2: 0xb9d23fb6ff668d528119a88b32addca0ff08b44473976936dd96f5aec3e57e45613e0352358dc79ade47794f361aaa0af6cb3690a01e47a19285f61ce533c8563e5135cf4d399b5f5356a95ae644b851823815c380ea7185d78fe0ab230532705ef6daa9f4df15ea9f2f4d19a0663a033b914595a07aeaa8f404e21b00f04cd1
Exponent1: 0xaa51914ce874eb69bb0152ccc437dae662d1930bd2adc7f08a8a358c6749606dfa156294ad5d2687a1875cc8e26a90799a77e8b4e0ec58e7bde14ae8649ae7f2774827fef8384cb48fbdf8c84de3e65c73b6cbbe0f4159eea37cf6b06c6a2d32c1af80d8e3b927e62da31d0f5fe6322c02e6f3796f8cd3dec0ce2ef21b03093b
Exponent2: 0x7be17fcf54ef08e1ab66705ccc73e86b54b0782da264f0cf3e64a3c9d7ee542e40d40236ce5e8511e984fb8a2411c6b1f9dccf0b1569851661aea4134377dae4298b7934de266794e239c63c9983258bac2563d7ab46f6593a5feb1cc20376f594a491c6a33f63f1bf74de1115997c0227b62e63c051f1c5f803416755f5888b
Coefficient: 0xb3df512616fea4066574a461ca25a88cc2ebb84846fd36f4d700f882dabc830768e1ef0e15479433cbbe0d9f58e941c11f99e256028449e4cbd5107b75f9e503c8559e486896702f99276469a319007db223c317f731d3f2edf586e0a229f1a78c0aa5c20d538714ce11ae4485f4554181c4770ef222512213f216991761c225
}
================================
[root@NesEeeF10 ~]# cat /etc/ipsec.conf
# basic configuration (klipsdebug/plutodebug=all are very verbose and are for troubleshooting only; drop them once the tunnel is up)
config setup
interfaces="ipsec0=eth0"
klipsdebug=all
plutodebug=all
# plutoload=%search
# plutostart=%search
# sample connection
conn nesvpn # replace 'nesvpn' with your connection name
left=222.222.222.222
leftsubnet=192.168.110.0/24
leftnexthop=%defaultroute
leftrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
# leftid=@__hostname.com
right=111.111.111.111
rightsubnet=192.168.102.0/24
rightnexthop=%defaultroute
rightrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
keyingtries=0
# auth=ah
auto=start
# auto=add
=================================
</pre>
== Tut(incompleted)==
<pre>
= First, install openswan and the ipsec-tools
yum -y install openswan ipsec-tools
= then run the script 'ip_sec.sh' below
----------------------------------------------
[root@NesEeeF10 ~]# cat ip_sec.sh
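#!/bin/bash
#ip_sec.sh
#
# Host-side preparation for the openswan tunnel: clear the redirect
# warnings that `ipsec verify` reports, bring up the external address and
# add the NAT rule. Run as root (it writes to /proc/sys and changes iptables).
#
# Turn off ICMP redirect acceptance and sending on every interface;
# `ipsec verify` flags these as errors while they are enabled.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
#
# Restart networking so the newly edited interface files take effect.
service network restart
#
# Assign the external address; 222.222.222.222 is a placeholder in this write-up.
ifconfig eth0 222.222.222.222/24
#
# NAT the left subnet out of eth0, except for traffic bound for the right
# subnet, which must enter the tunnel un-NATed. `! -d` is the current
# negation syntax; the older `-d ! ...` form is deprecated.
# Note: -A appends a fresh copy of the rule every run, so flush or check
# the nat table before re-running this script.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.110.0/24 ! -d 192.168.102.0/24 -j MASQUERADE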
----------------------------------------------
= now, generate the key; this may take a while if you're generating it inside a VM
ipsec rsasigkey --verbose 2048 > /etc/ipsec.d/neseeef10.secrets
= make sure the secrets file is in a valid format; it has to look like this (it contains the private key, so keep it readable by root only)
@llll.lll: rsa { # llll.lll should be your left side's host name
Modulus:
...
...
} # and end with this at the end of the file
= now, filter the key for left side
ipsec showhostkey --left
= copy the key from the output into the 'leftrsasigkey=' entry of /etc/ipsec.conf
= do the same on the right-side host, since 'rightrsasigkey=' must hold the peer's public key (the sample below repeats the same key on both sides, which is only meaningful when both ends are the same host),
ipsec showhostkey --right
= copy the key from the peer's output into the 'rightrsasigkey=' entry of /etc/ipsec.conf
= follow the ipsec.conf sample below to make your own conf file
= now, restart ipsec,
service ipsec restart
= check if ipsec is really running
service ipsec status
netstat -anu | grep 500
</pre>
==CAPTURES AND SAMPLES FILES==
<pre>
========================================================
CAPTURES AND SAMPLES FILES
========================================================
[root@NesEeeF10 ~]# netstat -anu | grep 500
udp 0 0 127.0.0.1:500 0.0.0.0:*
udp 0 0 222.222.222.222:500 0.0.0.0:*
udp 0 0 10.0.2.5:500 0.0.0.0:*
udp 0 0 192.168.110.1:500 0.0.0.0:*
udp 0 0 ::1:500 :::*
============================
[root@NesEeeF10 ~]# cat /etc/ipsec.d/neseeef10.secrets
# RSA 2048 bits NesEeeF10 Sun Apr 12 13:54:58 2009
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
@NesEeeF10: rsa {
Modulus: 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
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x07ba0d34d97bde22bdf2ae62c399ba2618579f64688c90a764e01c510cb1501c9f98c4467b274cf224f0e43256a7809a4358e15c016e0b1d5c69919607cb4ad567e46e5073053cc26fbfc9458da806849ef399a3e4d9601b71f93dcdba5a55ce2240274538d4f1a991b1ff00a639f4a643d481ca96b3b88d8179ec38538be3f0592274feb90a45ea3775a006935462fe84bcaa71279ec915425318f83e80fbeec1f2d99a91fa5a2b17469b9844e48938686196098d350611072ae12a88ba0cbda56bcfca797ad717f6abf1c9ef74051acbc4ee36061f74fa0add0267f5b5df2fc684b045b7e858218fc8cb5b7594c1d4edc370a69d1420b94ccd1c618d58a3fb
Prime1: 0xff7a59f35caf611e9881fc332653c859943a5c91bc04abe8cfcf50529aee10a4f72013df040bb9cb724b0b2d539fd8b667b3dd0f5162855b9cd1f05c96e85bebb2ec3bfe7454730ed79cf52c74d5d98aad92319d16e206e5f53b7208a29f43cc228741455595bbd94474ab970fd94b42045a6d3627533dce2135466b28848dd9
Prime2: 0xb9d23fb6ff668d528119a88b32addca0ff08b44473976936dd96f5aec3e57e45613e0352358dc79ade47794f361aaa0af6cb3690a01e47a19285f61ce533c8563e5135cf4d399b5f5356a95ae644b851823815c380ea7185d78fe0ab230532705ef6daa9f4df15ea9f2f4d19a0663a033b914595a07aeaa8f404e21b00f04cd1
Exponent1: 0xaa51914ce874eb69bb0152ccc437dae662d1930bd2adc7f08a8a358c6749606dfa156294ad5d2687a1875cc8e26a90799a77e8b4e0ec58e7bde14ae8649ae7f2774827fef8384cb48fbdf8c84de3e65c73b6cbbe0f4159eea37cf6b06c6a2d32c1af80d8e3b927e62da31d0f5fe6322c02e6f3796f8cd3dec0ce2ef21b03093b
Exponent2: 0x7be17fcf54ef08e1ab66705ccc73e86b54b0782da264f0cf3e64a3c9d7ee542e40d40236ce5e8511e984fb8a2411c6b1f9dccf0b1569851661aea4134377dae4298b7934de266794e239c63c9983258bac2563d7ab46f6593a5feb1cc20376f594a491c6a33f63f1bf74de1115997c0227b62e63c051f1c5f803416755f5888b
Coefficient: 0xb3df512616fea4066574a461ca25a88cc2ebb84846fd36f4d700f882dabc830768e1ef0e15479433cbbe0d9f58e941c11f99e256028449e4cbd5107b75f9e503c8559e486896702f99276469a319007db223c317f731d3f2edf586e0a229f1a78c0aa5c20d538714ce11ae4485f4554181c4770ef222512213f216991761c225
}
================================
[root@NesEeeF10 ~]# cat /etc/ipsec.conf
# basic configuration (klipsdebug/plutodebug=all are very verbose and are for troubleshooting only; drop them once the tunnel is up)
config setup
interfaces="ipsec0=eth0"
klipsdebug=all
plutodebug=all
# plutoload=%search
# plutostart=%search
# sample connection
conn nesvpn # replace 'nesvpn' with your connection name
left=222.222.222.222
leftsubnet=192.168.110.0/24
leftnexthop=%defaultroute
leftrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
# leftid=@__hostname.com
right=111.111.111.111
rightsubnet=192.168.102.0/24
rightnexthop=%defaultroute
rightrsasigkey=0sAQO5cTz0Y5zTQc7AWUJWaXOSSDbxac0tj7F1AqeZMJ+CrvZSZpuLrzazdpVkuB+0DnZQVSCgIlEKwKnlphC7DwQBvWpXish9sjp5+t6FR8CcbubWZ110YQKSr13LSXh4C1M2A659U/an5aiv6A+Vbu+WW+wq/iDZTUQjbiVH1R1eihSHkYu1DHxmTKKlXCjq7NcE8wtx5n7vHeUwnUc66y1MhyJ9rukR9XB/MRrC/ydgCyelJIUueV6V210Cdk2NVglzWOzJJRI4rUsSSXXN+wxfSkCccSq/b9zRg4xyzrFitx3uoniIPRTpXncJQ7YxsTuKPkJqgbE51kh00atpxDop
keyingtries=0
# auth=ah
auto=start
# auto=add
=================================
</pre>