Manual connection keying
First we'll set up a link using manual keying (for simplicity). You will need to edit ipsec.conf
and your firewall rules. Most of the defaults in the ipsec.conf file are fine, but you will need to
change the following:
conn sample
type=tunnel
left=
leftnexthop=
leftsubnet=
right=
rightnexthop=
rightsubnet=
spibase=0x200
esp=3des-md5-96
espenckey=
espauthkey=
Replace the espenckey and espauthkey values with new keys generated with ranbits (remember
to leave the leading 0x, which marks the value as a hex number) so that it looks like:
conn my-tunnel
type=tunnel
left=1.2.3.4
leftnexthop=1.2.3.1
leftsubnet=10.0.0.0/24
right=5.6.7.8
rightnexthop=5.6.7.1
rightsubnet=192.168.0.0/24
spibase=0x200
esp=3des-md5-96
espenckey=some_enc_key_here (from ranbits 192)
espauthkey=some_auth_key_here (from ranbits 128)
Once you have done this, copy the files ipsec.conf and ipsec.secrets from the machine you
edited them on to the other server in a secure manner. Now all that remains is to add some
firewall rules so that packets between the two subnets do not get masqueraded (we simply
want them forwarded).
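A common mistake with manual keying is a key of the wrong size or one that lost its 0x prefix when pasted. The following script is an added example, not part of the guide: it reads a constructed conn block and checks that espenckey and espauthkey are 0x-prefixed hex of the length esp=3des-md5-96 requires (192 and 128 bits, i.e. 48 and 32 hex digits, matching the ranbits sizes used above).

```shell
#!/bin/sh
# Added example, not from the guide: sanity-check the manual-keying keys in a
# FreeS/WAN conn block before copying ipsec.conf to the other server.
# For esp=3des-md5-96 the guide uses ranbits 192 for espenckey and
# ranbits 128 for espauthkey; ranbits emits hex with a leading 0x, so the
# values must be 0x followed by 48 and 32 hex digits respectively.

# Constructed sample conn block with correctly sized keys (not real keys).
SAMPLE_CONF='conn my-tunnel
    type=tunnel
    esp=3des-md5-96
    espenckey=0x0123456789abcdef0123456789abcdef0123456789abcdef
    espauthkey=0xfedcba9876543210fedcba9876543210'

# conf_value CONF KEY: print the value of the first "KEY=" line in CONF
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | head -n 1
}

# hexlen VALUE: print the number of hex digits after the 0x prefix,
# or -1 if the value lacks the prefix or contains non-hex characters
hexlen() {
    case "$1" in 0x*) ;; *) printf '%s\n' -1; return ;; esac
    digits=${1#0x}
    case "$digits" in
        ""|*[!0-9a-fA-F]*) printf '%s\n' -1 ;;
        *) printf '%s' "$digits" | wc -c | tr -d ' ' ;;
    esac
}

# check_manual_keys CONF: succeed only if both keys are 0x-prefixed hex of
# the length the esp= transform requires (only 3des-md5-96 is known here)
check_manual_keys() {
    case "$(conf_value "$1" esp)" in
        3des-md5-96) want_enc=48; want_auth=32 ;;   # 192-bit 3DES, 128-bit MD5
        *) echo "unsupported esp transform" >&2; return 1 ;;
    esac
    enc=$(hexlen "$(conf_value "$1" espenckey)")
    auth=$(hexlen "$(conf_value "$1" espauthkey)")
    [ "$enc" -eq "$want_enc" ] && [ "$auth" -eq "$want_auth" ]
}

check_manual_keys "$SAMPLE_CONF" && echo "espenckey/espauthkey sizes are correct"
```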
On Server 1.2.3.4 you should add the following rules:
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
Make sure these rules appear before the masquerading rule; it should look like this:
#
# FORWARD RULES
#
ipchains -P forward DENY
#
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
ipchains -A forward -p all -j MASQ -s 10.0.0.0/24 -d 0.0.0.0/0
And on server 5.6.7.8 you basically repeat the process:
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
Make sure these rules appear before the masquerading rule; it should look like this:
#
# FORWARD RULES
#
ipchains -P forward DENY
#
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
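Because ipchains matches rules in order, a MASQ rule placed above the tunnel ACCEPT rules would masquerade the 10.0.0.0/24 to 192.168.0.0/24 traffic and it would never enter the tunnel. The script below is an added example, not part of the guide: it checks a constructed copy of the forward rules for exactly that ordering mistake.

```shell
#!/bin/sh
# Added example, not from the guide: check that the ipchains forward rules
# ACCEPT the tunnel traffic before a MASQ rule that would otherwise catch it.
# ipchains matches rules in order, so if the MASQ rule for 10.0.0.0/24 comes
# first, packets for 192.168.0.0/24 are masqueraded instead of tunnelled.

# Constructed rule set in the order the guide gives for server 1.2.3.4.
GOOD_RULES='ipchains -P forward DENY
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
ipchains -A forward -p all -j MASQ -s 10.0.0.0/24 -d 0.0.0.0/0'

# The same rules with MASQ first: the tunnel ACCEPT rule is never reached.
BAD_RULES='ipchains -P forward DENY
ipchains -A forward -p all -j MASQ -s 10.0.0.0/24 -d 0.0.0.0/0
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24'

# check_rule_order RULES LOCAL_SUBNET: succeed if every ACCEPT rule whose
# source is LOCAL_SUBNET appears before the first MASQ rule for that source;
# otherwise report each shadowed ACCEPT rule and fail.
check_rule_order() {
    printf '%s\n' "$1" | awk -v src="-s $2 " '
        index($0, "-j MASQ") && index($0, src) && !masq { masq = NR }
        index($0, "-j ACCEPT") && index($0, src) && masq {
            printf "line %d: ACCEPT for %s is shadowed by MASQ on line %d\n", NR, src, masq
            bad = 1
        }
        END { exit bad }'
}

check_rule_order "$GOOD_RULES" 10.0.0.0/24 && echo "forward rules are in the right order"
```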
Now you should be able to bring up the IPSec tunnel on both machines manually, and the
machines on Network A should be able to talk to the machines on Network B with no
problems:
ipsec manual --up my-tunnel
and it should produce output similar to:
/usr/local/lib/ipsec/spi: message size is 36
/usr/local/lib/ipsec/spi: message size is 132
/usr/local/lib/ipsec/spi: message size is 132
To test it, try pinging 192.168.0.2 from the 10.0.0.2 client. If this works, you have set it up
correctly. If it does not work, check your network to make sure 1.2.3.4 can reach 5.6.7.8,
that TCP/IP forwarding is enabled, and that no firewall rules are blocking the packets or
trying to masquerade them. Once you have established a connection and tested it
successfully you should move to automatic keying (especially if it's in a production
environment).
Automatic connection keying
If you intend to use IPSec in a production environment, manual keying is generally a bad idea.
With automatic keying you have a 256-bit shared secret that you copy to both ends of the
tunnel, which is then used during the key exchanges to make sure a man-in-the-middle
attack does not occur. With automatic keying the default lifetime of a key is 8 hours, which
you can set to anything you like, and if someone manages to brute-force the key, it is only
good for that 8-hour chunk of traffic. The following example builds on the previous one:
ipsec.secrets contains the shared secret. This file must be kept secure at all costs. For a
connection between the 1.2.3.4 and 5.6.7.8 servers you would need a line like:
1.2.3.4 5.6.7.8
 0xa3afb7e6_20f10d66_03760ef1_9019c643_a73c7ce0_91e46e84_ef6281b9_812392bf
This line needs to be in the ipsec.secrets file of both computers. You would then need to edit
the tunnel configuration in ipsec.conf to the following:
conn my-tunnel
type=tunnel
left=1.2.3.4
leftnexthop=1.2.3.1
leftsubnet=10.0.0.0/24
right=5.6.7.8
rightnexthop=5.6.7.1
rightsubnet=192.168.0.0/24
keyexchange=ike
keylife=8h
keyingtries=0
The Pluto daemon will then start up, try to connect to the Pluto daemon at the other end of the
tunnel, and establish a connection. One caveat: Pluto listens on UDP port 500, so chances are
you will have to poke a hole in your firewall to allow it through:
ipchains -A input -p udp -j ACCEPT -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 500
I find it convenient to use the %search keyword instead of listing the tunnels to bring up, by
adding:
auto=start
to each tunnel configuration and editing ipsec.secrets:
plutoload=%search
plutostart=%search
This will make your life generally easier in the long run. If all goes well you should see
something like this in /var/log/messages:
Jun 26 02:10:41 server ipsec_setup: Starting FreeS/WAN IPSEC...
Jun 26 02:10:41 server ipsec_setup: /usr/local/lib/ipsec/spi: message size is 28.
Jun 26 02:10:41 server ipsec_setup: KLIPS debug `none'
Jun 26 02:10:41 server ipsec_setup: KLIPS ipsec0 on eth0 1.2.3.4/255.255.255.0 broadcast 24.108.11.255
Jun 26 02:10:42 server ipsec_setup: Disabling core dumps:
Jun 26 02:10:42 server ipsec_setup: Starting Pluto (debug `none'):
Jun 26 02:10:43 server ipsec_setup: Loading Pluto database `my-tunnel':
Jun 26 02:10:44 server ipsec_setup: Enabling Pluto negotiation:
Jun 26 02:10:44 server ipsec_setup: Routing for Pluto conns `my-tunnel':
Jun 26 02:10:45 server ipsec_setup: Initiating Pluto tunnel `my-tunnel':
Jun 26 02:10:45 server ipsec_setup: 102 "my-tunnel" #1: STATE_MAIN_I1: initiate
Jun 26 02:10:45 server ipsec_setup: 104 "my-tunnel" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
Jun 26 02:10:45 server ipsec_setup: 106 "my-tunnel" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
Jun 26 02:10:45 server ipsec_setup: 003 "my-tunnel" #1: STATE_MAIN_I4: SA established
Jun 26 02:10:45 server ipsec_setup: 110 "my-tunnel" #2: STATE_QUICK_I1: initiate
Jun 26 02:10:45 server ipsec_setup: 003 "my-tunnel" #2: STATE_QUICK_I2: SA established
Jun 26 02:10:46 server ipsec_setup: ...FreeS/WAN IPSEC started
And in the /var/log/secure file you should see something like:
Jun 26 02:10:42 server Pluto[25157]: Starting Pluto (FreeS/WAN Version snap1999Jun14b)
Jun 26 02:10:44 server Pluto[25157]: added connection description "my-tunnel"
Jun 26 02:10:44 server Pluto[25157]: listening for IKE messages
Jun 26 02:10:44 server Pluto[25157]: adding interface ipsec0/eth0 1.2.3.4
Jun 26 02:10:44 server Pluto[25157]: loading secrets from "/etc/ipsec.secrets"