RVL IPsec HOWTO
The following steps show how to add another host to the
IPsec compartmentalized LAN.
Install the needed software on the new host
If the new host does not yet have the ipsec-tools
package installed, install it. It provides setkey, which loads
the policy below; some distributions (Red Hat and Fedora among them)
also ship the racoon IKE daemon in that package, while Debian and its
derivatives ship racoon separately, so install that too where needed.
Generate an X.509v3 digital certificate for the new host
(if one is not yet available)
-
Note that you may not need to do this!
Look in /etc/ssl on copacabana to see whether
a certificate for the new host has already been created
(it would be there as newhostname_cert.pem and newhostname_key.pem,
following the naming used below).
-
Become root on copacabana, as that's where all the PKI
work has been done so far:
$ ssh copacabana
$ su -
-
Generate a new private key and certificate signing request.
CA.pl asks for a pass phrase for the key (the key is written
encrypted; the pass phrase is removed again below) and then
for the subject fields. At the prompt Common Name
put the new hostname; racoon will use the certificate subject
as the host's IKE identity (my_identifier asn1dn), so keep it
unambiguous. Otherwise the defaults should be fine:
# cd /etc/ssl
# /usr/lib/ssl/misc/CA.pl -newreq
-
Sign the request with the CA key (you will be asked for the
CA key's pass phrase and to confirm); the certificate is
written to newcert.pem:
# /usr/lib/ssl/misc/CA.pl -sign
-
Strip the pass phrase from the private key (you will be asked
for it one last time). racoon runs unattended and has no way
to prompt for a pass phrase, so the key must be stored
unencrypted; from here on, file permissions are the only thing
protecting it, hence the chmod. (Generating the request with
CA.pl -newreq-nodes instead writes an unencrypted key in the
first place.) The command rewrites newkey.pem in place:
# openssl rsa -in newkey.pem -out newkey.pem
# chmod 400 newkey.pem
-
Rename the files:
# mv newkey.pem newhostname_key.pem
# mv newcert.pem newhostname_cert.pem
# mv newreq.pem newhostname_req.pem
Install the digital certificate on the new host
-
Become root on the new host:
$ ssh newhostname
$ su -
-
Copy the certificate files into place, together with the CA
certificate that racoon needs to validate the other hosts:
# cd /etc/racoon
# scp copacabana:/etc/ssl/newhostname\* certs
# scp copacabana:/etc/ssl/cacert.pem certs
Then check with ls -l that newhostname_key.pem arrived still
readable only by root, and with
openssl verify -CAfile certs/cacert.pem certs/newhostname_cert.pem
that the certificate was issued by the CA the other hosts trust.
Ensure that the Linux kernel includes the IPsec AH and ESP
kernel modules
-
Do you have /etc/modules instead of
/etc/modprobe.preload?
If so, you are using an older version of the kernel
and modules tools, and you should upgrade things.
-
Do you have BOTH /etc/modules AND
/etc/modprobe.preload?
If so, append everything in /etc/modules
to the file /etc/modprobe.preload,
and delete /etc/modules before proceeding.
-
Add these two lines to /etc/modprobe.preload:
ah4
esp4
That makes them load automatically at boot from now on.
-
For now, load them manually:
# modprobe ah4
# modprobe esp4
Then confirm with lsmod that both are listed. If modprobe
reports that a module cannot be found, AH and ESP may be
compiled into the kernel (CONFIG_INET_AH and CONFIG_INET_ESP)
rather than built as modules, in which case there is nothing
to load.
Create a policy in /etc/setkey.conf
-
Put something like this in /etc/setkey.conf,
changing the IP addresses appropriately.
You need one block (two spdadd lines) per other host
on the compartmentalized network: the out line covers packets
this host sends to the peer, the in line packets it receives
from the peer, and both require ESP and AH in transport mode,
so each packet is encrypted with ESP and then authenticated
with AH. Because the level is require, packets matching a
policy are never sent or accepted in the clear; until racoon
has negotiated the security associations they are simply dropped:
# Security policies for some host on the 128.46.144.0/24 LAN
# eth0 to/from 128.46.144.193 (copacabana)
spdadd 128.46.144.0/24 128.46.144.193/32 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 128.46.144.193/32 128.46.144.0/24 any -P in ipsec
esp/transport//require
ah/transport//require;
-
Load the policy with setkey -f /etc/setkey.conf and confirm
with setkey -DP that both spdadd entries appear for every peer.
Also modify /etc/setkey.conf on all the
other hosts on the compartmentalized network,
to add a similar block for this new host (with the new host's
address in place of 128.46.144.193), and reload it there too.
Until a peer has such a block, IKE between the two hosts cannot
complete and no traffic passes between them.
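Writing the per-peer blocks by hand invites copy-and-paste mistakes (a swapped direction, a missing /32), and the new host's block also has to be added on every existing host. The script below is an added example, not part of this HOWTO or of ipsec-tools: it emits the same transport-mode ESP+AH require policy shown above for any list of peers, preceded by the flush/spdflush lines that let the file be reloaded safely. The function names, the second peer's address (128.46.144.194 for ipanema) and the new host's address (128.46.144.200) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original HOWTO or ipsec-tools: generate the
# per-peer setkey.conf blocks shown above instead of typing them by hand.
# Same policy as the HOWTO: transport-mode ESP+AH, level "require",
# one block per peer, with the LAN prefix as the local side.

# spd_block LAN_CIDR PEER_IP PEER_NAME
# Emit one peer's block: the "out" line for packets this host sends to the
# peer and the "in" line for packets it receives from the peer. ESP is
# listed first, so each packet is encrypted with ESP and then authenticated
# with AH; "require" means cleartext is never used in either direction.
spd_block() {
    lan=$1 peer=$2 name=$3
    printf '# eth0 to/from %s (%s)\n' "$peer" "$name"
    printf 'spdadd %s %s/32 any -P out ipsec\n' "$lan" "$peer"
    printf '\tesp/transport//require\n\tah/transport//require;\n'
    printf 'spdadd %s/32 %s any -P in ipsec\n' "$peer" "$lan"
    printf '\tesp/transport//require\n\tah/transport//require;\n'
}

# gen_setkey_conf LAN_CIDR PEER_IP[:PEER_NAME] ...
# Emit a complete setkey.conf for this host. "flush;" clears the SAD and
# "spdflush;" the SPD first, so re-running "setkey -f" replaces the policy
# instead of adding duplicate entries.
gen_setkey_conf() {
    lan=$1
    shift
    printf 'flush;\nspdflush;\n\n'
    printf '# Security policies for some host on the %s LAN\n' "$lan"
    for p in "$@"; do
        case "$p" in
            *:*) ip=${p%%:*}; name=${p#*:} ;;
            *)   ip=$p; name=$p ;;
        esac
        spd_block "$lan" "$ip" "$name"
        echo
    done
}

# count_spd_entries FILE
# Number of spdadd statements in a policy file; a host with N peers should
# have 2N (one "out" and one "in" per peer).
count_spd_entries() {
    grep -c '^spdadd ' "$1"
}

# Usage on the new host (the ipanema address is a constructed sample):
#   gen_setkey_conf 128.46.144.0/24 128.46.144.193:copacabana \
#       128.46.144.194:ipanema > /etc/setkey.conf
#   setkey -f /etc/setkey.conf && setkey -DP
# On each existing host, append only the new host's block
# (128.46.144.200 is a constructed address for it):
#   spd_block 128.46.144.0/24 128.46.144.200 newhostname >> /etc/setkey.conf
```

Note that flush; also removes any security associations that are currently in use, so reload the file on a live host at a quiet moment; on the existing hosts, appending the new block and reloading is enough.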
Configure the racoon daemon
(this runs IKE and thus is needed for IPsec activity):
-
Modify /etc/racoon/racoon.conf
to include a pair of stanzas like this. The certificate_type
line must name the new host's own certificate and key (the files
renamed above); racoon looks the names up relative to its
path certificate directive, which must point at /etc/racoon/certs.
Two caveats before copying the stanzas verbatim. First, verify_cert
off tells racoon not to check the peer's certificate against the CA
at all: the rsasig check then only proves that the peer holds the
private key for whatever certificate it sent, so a host with a
self-made certificate could still negotiate security associations.
If only CA-issued certificates should be trusted, set verify_cert on
and make sure racoon can find cacert.pem (it is looked up in the
certificate path by OpenSSL hash name, so run c_rehash in
/etc/racoon/certs; newer ipsec-tools versions can also name it
directly with ca_type x509). Second, 3des, hmac_md5 and dh_group 2
were the usual choices when this was written; where every host
supports it, prefer aes and hmac_sha1, a larger dh_group, and drop
the weaker algorithms from the lists:
sainfo anonymous
{
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael, aes ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
remote anonymous
{
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier asn1dn;
certificate_type x509 "newhostname_cert.pem" "newhostname_key.pem";
verify_cert off;
nonce_size 16;
initial_contact on;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
-
Start racoon:
# /etc/init.d/racoon start
-
Make racoon start at boot (confirm with chkconfig --list racoon):
# chkconfig --add racoon
Try it!
On the new host, start watching its log file:
# tail -f /var/log/messages | grep racoon
Try to ping from the new host to another host with which
it should be encrypting its data.
In the log you should see racoon negotiate the phase 1
ISAKMP security association and then the phase 2 IPsec
security associations with that peer.
Negotiation takes a few seconds, and because the policy level
is require, packets sent in the meantime are dropped rather
than sent in the clear, so the first ping will likely fail;
give it a couple of seconds and try again.
Once it works, setkey -D on either host lists the new security
associations, and tcpdump on the interface should show AH and
ESP packets between the two hosts instead of plain ICMP.
If the ping keeps failing, check that the other host's
/etc/setkey.conf has a block for the new host and that neither
host's racoon log reports a certificate error.
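Before starting racoon, and again after the ping test, it is worth checking the things that silently break IKE or quietly weaken it: a key readable by other users, a certificate that does not match its key or was not issued by the CA, verify_cert left off in racoon.conf, missing kernel modules, and whether the security associations actually came up. The checks below are an added example, not part of this HOWTO or of ipsec-tools; the paths follow the HOWTO, while the function names, the newhostname placeholder, the 128.46.144.200 address and the sample log lines (constructed to resemble racoon's messages) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original HOWTO or ipsec-tools: checks for the
# new host before racoon is started and after the ping test. Paths follow
# the HOWTO (/etc/racoon/racoon.conf, /etc/racoon/certs, /var/log/messages);
# the function names, the "newhostname" placeholder and the sample log
# lines are assumptions constructed for illustration.

# key_is_private FILE
# True only if no group or other permission bits are set, i.e. the
# unencrypted key is readable by root alone, as the chmod 400 step intends.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# verify_cert_enabled CONF
# False if racoon.conf contains "verify_cert off;", which makes racoon
# accept whatever certificate a peer presents without checking it against
# the CA; rsasig authentication then proves nothing about who the peer is.
verify_cert_enabled() {
    if grep -Eq '^[[:space:]]*verify_cert[[:space:]]+off[[:space:]]*;' "$1"; then
        return 1
    fi
    return 0
}

# cert_matches_key CERT KEY
# The two files named in certificate_type must belong together; compare
# their RSA moduli.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2")" ]
}

# cert_signed_by_ca CACERT CERT
# The chain check racoon performs on a peer's certificate when verify_cert
# is on; run it on our own certificate so the other hosts will accept it.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ipsec_modules_loaded
# Both ah4 and esp4 listed by lsmod (not needed if they are built in).
ipsec_modules_loaded() {
    lsmod | grep -q '^ah4 ' && lsmod | grep -q '^esp4 '
}

# sa_established PEER_IP LOGFILE
# True once racoon has logged both the phase 1 (ISAKMP-SA) and a phase 2
# (IPsec-SA) establishment with the peer, which is what the ping test
# should produce.
sa_established() {
    grep 'racoon' "$2" | grep -F "$1" | grep -q 'ISAKMP-SA established' &&
    grep 'racoon' "$2" | grep -F "$1" | grep -q 'IPsec-SA established'
}

# Constructed sample of the messages a successful negotiation with
# copacabana leaves in /var/log/messages (shape only; real lines carry SPIs).
SAMPLE_LOG='Jan  1 12:00:00 newhostname racoon: INFO: ISAKMP-SA established 128.46.144.200[500]-128.46.144.193[500]
Jan  1 12:00:01 newhostname racoon: INFO: IPsec-SA established: AH/Transport 128.46.144.193[0]->128.46.144.200[0]'

# preflight HOST
# Run all checks on the files the HOWTO installs for HOST; prints one line
# per problem and returns nonzero if any check failed.
preflight() {
    c=/etc/racoon/certs
    rc=0
    key_is_private "$c/${1}_key.pem" || { echo "${1}_key.pem is group/world readable"; rc=1; }
    verify_cert_enabled /etc/racoon/racoon.conf || { echo "verify_cert is off: peer certificates are not checked"; rc=1; }
    cert_matches_key "$c/${1}_cert.pem" "$c/${1}_key.pem" || { echo "certificate and key do not match"; rc=1; }
    cert_signed_by_ca "$c/cacert.pem" "$c/${1}_cert.pem" || { echo "certificate was not issued by cacert.pem"; rc=1; }
    ipsec_modules_loaded || { echo "ah4/esp4 not loaded"; rc=1; }
    return $rc
}
# Usage:  preflight newhostname
# After the ping test:  sa_established 128.46.144.193 /var/log/messages
```

Run preflight as root on the new host before /etc/init.d/racoon start; a nonzero exit names the problem. After the ping test, sa_established against /var/log/messages confirms that both phases completed with the peer, which is the same evidence the tail -f above shows, but in a form you can script into a check on every host.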