IPsec can be configured to connect one desktop or workstation to
another by way of a host-to-host connection. This type of connection
uses the network to which each host is connected to create the secure
tunnel to each other. The requirements of a host-to-host connection are
minimal, as is the configuration of IPsec on each host. The hosts need
only a dedicated connection to a carrier network (such as the Internet)
and Red Hat Enterprise Linux to create the IPsec connection.
The first step in creating a connection is to gather system and
network information from each workstation. For a host-to-host connection,
you need the following information:
The IP address for both hosts
A unique name to identify the IPsec connection and distinguish
it from other devices or connections (for example,
ipsec0)
A fixed encryption key or one automatically generated by
racoon
A pre-shared authentication key that is used to initiate the
connection and exchange encryption keys during the session
For example, suppose Workstation A and Workstation B want to connect
to each other through an IPsec tunnel. They want to connect using a
pre-shared key with the value of
foobarbaz and the users agree to let
racoon automatically generate and share an
authentication key between each host. Both host users decide to name their
connections ipsec0.
The following is the ifcfg file for Workstation
A for a host-to-host IPsec connection with Workstation B (the unique name
to identify the connection in this example is
ipsec0, so the resulting file is named
/etc/sysconfig/network-scripts/ifcfg-ipsec0):
DST=X.X.X.X
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK |
Workstation A would replace X.X.X.X with
the IP address of Workstation B, while Workstation B replaces
X.X.X.X with the IP address of Workstation A.
The connection is set to initiate upon boot-up
(ONBOOT=yes) and uses the pre-shared
key method of authentication
(IKE_METHOD=PSK).
The following is the content of the pre-shared key file (called
/etc/sysconfig/network-scripts/keys-ipsec0) that
both workstations need to authenticate each other. The contents of this
file should be identical on both workstations and only the root user
should be able to read or write this file.
 | Important |
|---|
| | To change the keys-ipsec0 file so that only
the root user can read or edit the file, perform the following command
after creating the file: chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0 |
|
To change the authentication key at any time, edit the
keys-ipsec0 file on both
workstations. Both keys must be identical for proper
connectivity.
The next example shows the specific configuration for the phase 1
connection to the remote host. The file is named
X.X.X.X.conf
(X.X.X.X is replaced with the IP address of
the remote IPsec router). Note that this file is automatically generated
once the IPsec tunnel is activated and should not be edited directly.
;
remote X.X.X.X
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
} |
The default phase 1 configuration file created when an IPsec
connection is initialized contains the following statements used by the
Red Hat Enterprise Linux implementation of IPsec:
- remote
X.X.X.X
Specifies that the subsequent stanzas of this configuration
file applies only to the remote node identified by the
X.X.X.X IP address.
- exchange_mode aggressive
The default configuration for IPsec on Red Hat Enterprise Linux uses an aggressive
authentication mode, which lowers the connection overhead while allowing
configuration of several IPsec connections with multiple hosts.
- my_identifier address
Defines the identification method to be used when
authenticating nodes. Red Hat Enterprise Linux uses IP addresses to identify nodes.
- encryption_algorithm 3des
Defines the encryption cipher used during authentication. By
default, Triple Data Encryption Standard
(3DES) is used.
- hash_algorithm sha1;
Specifies the hash algorithm used during phase 1 negotiation
between nodes. By default, Secure Hash Algorithm version 1 is
used.
- authentication_method
pre_shared_key
Defines the authentication method used during node
negotiation. Red Hat Enterprise Linux by default uses pre-shared keys for
authentication.
- dh_group 2
Specifies the Diffie-Hellman group number for establishing
dynamically-generated session keys. By default, the 1024-bit group
is used.
The /etc/racoon/racoon.conf files should be
identical on all IPsec nodes except for the
include
"/etc/racoon/X.X.X.X.conf"
statement. This statement (and the file it references) is generated when
the IPsec tunnel is activated. For Workstation A, the
X.X.X.X in the include
statement is Workstation B's IP address. The opposite is true of
Workstation B. The following shows a typical
racoon.conf file when IPsec connection is
activated.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf" |
This default racoon.conf file includes defined
paths for IPsec configuration, pre-shard key files, and certificates.
The fields in sainfo anonymous describe
the phase 2 SA between the IPsec nodes — the nature of the IPsec
connection (including the supported encryption algorithms used) and the
method of exchanging keys. The following list defines the fields of
phase 2:
- sainfo anonymous
Denotes that SA can anonymously initialize with any peer
insofar as the IPsec credentials match.
- pfs_group 2
Defines the Diffie-Hellman key exchange protocol, which
determines the method in which the IPsec nodes establish a mutual
temporary session key for the second phase of IPsec
connectivity. By default, the Red Hat Enterprise Linux implementation of IPsec uses
group 2 (or modp1024) of the
Diffie-Hellman cryptographic key exchange groups. Group 2 uses a
1024-bit modular exponentiation that prevents attackers from
decrypting previous IPsec transmissions even if a private key is
compromised.
- lifetime time 1 hour
This parameter specifies the life cycle of an SA and can be
quantified either by time or by bytes of data. The Red Hat Enterprise Linux
implementation of IPsec specifies a one hour lifetime.
- encryption_algorithm 3des, blowfish 448,
rijndael
Specifies the supported encryption ciphers for phase 2. Red Hat Enterprise Linux
supports 3DES, 448-bit Blowfish, and Rijndael (the cipher used in
the Advanced Encryption Standard, or
AES).
- authentication_algorithm hmac_sha1,
hmac_md5
Lists the supported hash algorithms for
authentication. Supported modes are sha1 and md5 hashed message
authentication codes (HMAC).
- compression_algorithm deflate
Defines the Deflate compression algorithm for IP Payload
Compression (IPCOMP) support, which allows for potentially faster
transmission of IP datagrams over slow connections.
To start the connection, either reboot the workstation or execute
the following command as root on each host:
To test the IPsec connection, run the tcpdump
utility to view the network packets being transfered between the hosts
(or networks) and verify that they are encrypted via IPsec. The packet
should include an AH header and should be shown as ESP packets. ESP
means it is encrypted. For example:
17:13:20.617872 pinky.example.com > ijin.example.com: \
AH(spi=0x0aaa749f,seq=0x335): ESP(spi=0x0ec0441e,seq=0x335) (DF) |
