IPSEC Site-To-Site VPN on CENTOS LINUX


How To Setup IPSEC Site-To-Site VPN on Linux CentOS

Scenario

A Linux gateway server with two LAN cards at each office location. Let's call them A and B.
A is the head office Linux server and B is the branch office Linux server.
A runs CentOS 6.4, external IP address 1.1.1.1, local LAN subnet 192.168.100.0/24.
B runs CentOS 5.9, external IP address 2.2.2.2, local LAN subnet 10.1.1.0/24.
To accomplish the task we will use Openswan.

Let's say we have:

(192.168.100.0/24) Server A 1.1.1.1<————> Internet<———>2.2.2.2 Server B (10.1.1.0/24)


Configuration on Server A.

[root@Server-A]# yum -y install openswan
[root@Server-A]# vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual:     ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
 # Debug-logging controls:  "none" for (almost) none, "all" for lots.
 # klipsdebug=none
 # plutodebug="control parsing"
 # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
 protostack=netkey
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
 oe=off
 # Enable this if you see "failed to find any available worker"
 # nhelpers=0
# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/A.conf

In the above I have created a file A.conf and placed it in the /etc/ipsec.d/ directory. Now let's take a look at the file A.conf:

[root@Server-A]# vi /etc/ipsec.d/A.conf
conn A-B
 authby=secret
 auto=start
 type=tunnel
 left=1.1.1.1
 leftsubnet=192.168.100.0/24
 right=2.2.2.2
 rightsubnet=10.1.1.0/24
 ike=aes256-sha1;modp2048
 phase2=esp
 phase2alg=aes256-sha1;modp2048

So let's explain the important things in the above file:
authby=secret means a preshared key will be used instead of a certificate.
left is the external IP address of Server A (basically the local server's external address).
leftsubnet is Server A's LAN subnet (basically the local server's internal network).
right is the external IP address of Server B (basically the remote server's external address).
rightsubnet is Server B's LAN subnet (basically the remote server's internal network).
ike is Internet Key Exchange: which encryption, integrity and authentication algorithms will be used to set up the tunnel.
ESP, Encapsulating Security Payload, is the IPsec protocol that carries the tunnelled traffic and is mainly used for encryption; phase2alg gives its algorithms.
Now we add the preshared key in the ipsec.secrets file.

[root@Server-A]# vi /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
%any %any : PSK "password"
Note: Make sure the password is the same on both Servers A and B.
Now in /etc/sysctl.conf add the lines as shown below:
[root@Server-A]# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Added by Hyp3ri0n for OpenSwan
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

Note: On CentOS 6.4 we need to install the lsof package in order to solve the IKE and NAT-T failure.
The error appears while trying to verify ipsec, as shown below:

[root@Server-A]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-358.el6.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
SAref kernel support                                            [N/A]
NETKEY:  Testing for disabled ICMP send_redirects               [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]     [Error will appear here as Failed]
Pluto listening for NAT-T on udp 4500                           [OK]     [Error will appear here as well as Failed]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
[root@Server-A]#

Now we will add a route for the remote LAN as below:

[root@Server-A]# route add -net 10.1.1.0/24 gw 1.1.1.1

Also, in order to reach the LAN of the remote server we need to add one more route, else the packets will not reach the LAN.

[root@Server-A]# route add -net 192.168.100.0/24 gw 1.1.1.1

Let's start IPsec:

[root@Server-A]# service ipsec start

Let's verify:

[root@Server-A]# ipsec verify

Let's see if the tunnel is up:

[root@Server-A]# service ipsec status
IPsec running  - pluto pid: 5136
pluto pid 5136
1 tunnels up
some eroutes exist

Configuration on Server B.

[root@Server-B]# yum -y install openswan
[root@Server-B]# vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual:     ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
 # Debug-logging controls:  "none" for (almost) none, "all" for lots.
 # klipsdebug=none
 # plutodebug="control parsing"
 # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
 protostack=netkey
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
 oe=off
 # Enable this if you see "failed to find any available worker"
 # nhelpers=0
# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/B.conf

In the above I have created a file B.conf and placed it in the /etc/ipsec.d/ directory. Now let's take a look at the file B.conf:

[root@Server-B]# vi /etc/ipsec.d/B.conf
conn B-A
 authby=secret
 auto=start
 type=tunnel
 left=2.2.2.2
 leftsubnet=10.1.1.0/24
 right=1.1.1.1
 rightsubnet=192.168.100.0/24
 ike=aes256-sha1;modp2048
 phase2=esp
 phase2alg=aes256-sha1;modp2048
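With both conn files written, the most common reason the tunnel never shows "1 tunnels up" is a one-character difference between A.conf and B.conf. The script below is an added check, not part of this tutorial or of Openswan: it reads two conn files and confirms that A's left/leftsubnet equal B's right/rightsubnet (and vice versa) and that authby, type, ike and the phase 2 proposal agree. The sample files are constructed copies of the A.conf and B.conf above, plus one deliberately mistyped copy.

```shell
#!/bin/sh
# Added example (not the tutorial's own script): verify two Openswan conn
# files are mirror images of each other before starting the tunnel.

# conn_get FILE KEY: print the first value of " KEY=value" in FILE
conn_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1; }

# check_peer_conns LOCAL_FILE PEER_FILE: print each mismatch; status 1 if any
check_peer_conns() {
  rc=0
  for pair in left:right leftsubnet:rightsubnet right:left rightsubnet:leftsubnet \
              authby:authby type:type ike:ike phase2:phase2 phase2alg:phase2alg; do
    k=${pair%%:*}; p=${pair##*:}
    a=$(conn_get "$1" "$k"); b=$(conn_get "$2" "$p")
    if [ -z "$a" ] || [ "$a" != "$b" ]; then
      echo "mismatch: $k='$a' in $1 but $p='$b' in $2"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample files following the tutorial's A.conf and B.conf.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
A_CONF=$TMPD/A.conf; B_CONF=$TMPD/B.conf; B_BAD=$TMPD/B-bad.conf
printf '%s\n' 'conn A-B' ' authby=secret' ' auto=start' ' type=tunnel' \
  ' left=1.1.1.1' ' leftsubnet=192.168.100.0/24' ' right=2.2.2.2' \
  ' rightsubnet=10.1.1.0/24' ' ike=aes256-sha1;modp2048' ' phase2=esp' \
  ' phase2alg=aes256-sha1;modp2048' >"$A_CONF"
printf '%s\n' 'conn B-A' ' authby=secret' ' auto=start' ' type=tunnel' \
  ' left=2.2.2.2' ' leftsubnet=10.1.1.0/24' ' right=1.1.1.1' \
  ' rightsubnet=192.168.100.0/24' ' ike=aes256-sha1;modp2048' ' phase2=esp' \
  ' phase2alg=aes256-sha1;modp2048' >"$B_CONF"
# Same as B.conf except a different phase 2 proposal typed on one side only.
sed 's/^ phase2alg=.*/ phase2alg=aes128-sha1;modp1024/' "$B_CONF" >"$B_BAD"

if check_peer_conns "$A_CONF" "$B_CONF"; then echo "A.conf and B.conf match"; fi
check_peer_conns "$A_CONF" "$B_BAD" || echo "B-bad.conf would not negotiate with A.conf"
```

On a real gateway, point the two arguments at your own /etc/ipsec.d/A.conf and a copy of the peer's B.conf.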

Now we add the preshared key in the ipsec.secrets file.

[root@Server-B]# vi /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
%any %any : PSK "password"
Note: Make sure the password is the same on both Servers A and B.
Now in /etc/sysctl.conf add the lines as shown below:
[root@Server-B]# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Added by Sal for OpenSwan
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

Now we will add a route for the remote LAN as below:

[root@Server-B]# route add -net 192.168.100.0/24 gw 2.2.2.2

Also, in order to reach the LAN of the remote server we need to add one more route, else the packets will not reach the LAN.

[root@Server-B]# route add -net 10.1.1.0/24 gw 2.2.2.2

Let's start IPsec:

[root@Server-B]# service ipsec start

Let's verify:

[root@Server-B]# ipsec verify

Let's see if the tunnel is up:

[root@Server-B]# service ipsec status
IPsec running  - pluto pid: 10575
pluto pid 10575
1 tunnels up
some eroutes exist

To test the tunnel:
Ping the remote LAN from A and vice versa.

Note: In order to reach all the computers behind the LAN we need to issue the following commands on both machines, as per their respective gateways.

First try to ping from eth1, which is the internal interface, e.g. if we are pinging from Server A whose network is 192.168.100.0:

ping -I eth1 10.1.1.1

and vice versa from Server B.

Now we need to add routes in the internal network to reach Server B's LAN, either on each machine or on the gateway, such as below:

route add -net 10.1.1.0/24 gw 192.168.100.245

# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.245

Thanks & Please Comment
Salman Aftab
www.linuxworld.co & www.itpings.com