Use openswan to build a LAN-to-LAN VPN (klips)

Source: Internet
Author: User

1. Introduction to openswan

Openswan is a widely used IPsec implementation for Linux. Configured correctly, it provides confidentiality, integrity and peer authentication for traffic between sites.
Openswan supports the 2.0, 2.2, 2.4 and 2.6 kernels and runs on several platforms, including x86, x86_64, IA64, MIPS and ARM.
Openswan is the successor project that continued the open-source FreeS/WAN after FreeS/WAN development stopped. It consists of three main components:
the configuration tool (the ipsec command script),
the key management daemon (Pluto),
and the kernel component (klips or 26sec).

26sec uses the 2.6 kernel's built-in NETKEY (xfrm) IPsec stack instead of the klips module developed by openswan. Kernel 2.4 and earlier have no NETKEY and can only use klips. On kernel 2.6.9 or later, 26sec is recommended: NAT traversal works without applying a NAT-T patch to the kernel. NETKEY in kernels earlier than 2.6.9 has a bug, so klips is recommended there.

For more details, see the openswan project home page: http://www.openswan.org

2. System Environment

Operating system (gateways): CentOS 4.5
Kernel version: 2.6.9-55
Clients: Windows XP
Host network parameters (subnet mask 255.255.255.0 unless stated otherwise):

Host      eth0           eth1         Default gateway   Role
lserver   192.168.1.10   172.16.1.1   192.168.1.1       left gateway
rserver   192.168.1.20   172.16.2.1   192.168.1.1       right gateway
lclient   172.16.1.2     -            172.16.1.1        left client
rclient   172.16.2.2     -            172.16.2.1        right client

In this lab the two gateways sit on the same 192.168.1.0/24 segment, which plays the role of the Internet; in a real deployment the eth0 addresses would be the gateways' public addresses.
3. Install and configure the operating system

Do a minimal installation, adding only the development tools (they are needed to build openswan and the klips module).
Perform the following steps on both lserver and rserver.

Append a line that disables every IPv4 ICMP redirect setting to /etc/sysctl.conf:
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F"=" '{print $1" = 0"}' >> /etc/sysctl.conf

Then edit /etc/sysctl.conf (vi /etc/sysctl.conf) and change the forwarding and reverse-path filter settings. Before:
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
After:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

Run the following command to make the settings take effect:
sysctl -p

Without ip_forward the gateway cannot route between its LAN and the tunnel. Reverse-path filtering and ICMP redirects are switched off because both can drop or divert tunnel traffic; ipsec verify (section 5) checks for exactly these settings.
Run the following command on lserver to set up NAT for the left LAN:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -d ! 172.16.2.0/24 -j MASQUERADE

Run the following command on rserver to set up NAT for the right LAN:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.2.0/24 -d ! 172.16.1.0/24 -j MASQUERADE

The "-d !" exclusion is the important part: traffic for the remote VPN subnet must keep its private source address so that it matches the tunnel policy (leftsubnet/rightsubnet) instead of being masqueraded to the gateway's address and leaving outside the tunnel. On iptables 1.4 and later the negation is written "! -d". Put these rules in your firewall script so they survive a reboot.
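As an added example (my own, not code from the original article or from the openswan project), the following shell script makes the settings in this section checkable: it applies the same redirect filter as the one-liner above to a sysctl dump, validates a sysctl.conf body against the values a gateway needs, and generates the masquerade rule with the remote-subnet exclusion. The sysctl dump it is fed is a constructed sample; on a real gateway pipe in `sysctl -a` and /etc/sysctl.conf instead. Function names and sample values are assumptions for illustration.

```shell
#!/bin/bash
# Added example: pre-flight checks for an openswan gateway (not from the
# original article). Inputs are constructed samples so it runs offline.

# Constructed sample of `sysctl -a` output on a freshly installed gateway.
SAMPLE_SYSCTL_A='net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 0'

# Same filter as the article's one-liner, applied to a sysctl dump on stdin:
# emit "<key> = 0" for every IPv4 ICMP redirect knob. Disabling redirects
# keeps a neighbour (or an attacker on the LAN) from steering hosts around
# the VPN gateway with forged ICMP redirects.
redirect_lines() {
    grep -E 'ipv4.*(accept|send)_redirects' |
        awk -F'=' '{ gsub(/[[:space:]]/, "", $1); print $1 " = 0" }'
}

# Validate a sysctl.conf body on stdin. The gateway must forward, must not
# use strict reverse-path filtering (it can drop packets coming back out of
# the tunnel), and must ignore redirects. As with `sysctl -p`, the last
# assignment of a key wins. Returns 0 when every required setting is present.
check_sysctl_conf() {
    local conf want key val got
    conf=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep '=' || true)
    for want in net.ipv4.ip_forward=1 \
                net.ipv4.conf.default.rp_filter=0 \
                net.ipv4.conf.all.accept_redirects=0 \
                net.ipv4.conf.all.send_redirects=0 \
                net.ipv4.conf.default.accept_redirects=0 \
                net.ipv4.conf.default.send_redirects=0; do
        key=${want%%=*}
        val=${want#*=}
        got=$(printf '%s\n' "$conf" |
              awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ "$got" != "$val" ]; then
            echo "check_sysctl_conf: want $key=$val, have '${got:-unset}'" >&2
            return 1
        fi
    done
    return 0
}

# Masquerade rule for one gateway. Traffic to the remote VPN subnet is
# excluded so it keeps its private source address and matches the tunnel
# policy instead of being NATed to the WAN address and sent in the clear.
# Uses the "-d !" negation of the iptables of this era; newer releases
# write it as "! -d".
nat_rule() {
    local local_net=$1 remote_net=$2 wan_if=$3
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d ! %s -j MASQUERADE\n' \
        "$wan_if" "$local_net" "$remote_net"
}

# Build the sysctl.conf the article ends up with: the redirect lines
# appended, then forwarding enabled and rp_filter relaxed (last, so they win).
build_sysctl_conf() {
    printf '%s\n' "$1" | redirect_lines
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.conf.default.rp_filter = 0\n'
}

if [ "${1:-}" = "demo" ]; then
    build_sysctl_conf "$SAMPLE_SYSCTL_A" | check_sysctl_conf && echo "sysctl.conf OK"
    nat_rule 172.16.1.0/24 172.16.2.0/24 eth0
fi
```

Run it with the argument demo to see the generated rule; on a gateway, `cat /etc/sysctl.conf | check_sysctl_conf` after the edits is the check worth scripting into your build process.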

4. Install openswan

1. Download the source code package
cd
wget http://www.openswan.org/download/openswan-2.4.7.tar.gz
Verify the download against the checksum or signature published by the project before building it.
2. Unpack the source code package
tar zxvf openswan-2.4.7.tar.gz
3. Install the userland tools
cd openswan-2.4.7
make programs
make install
4. Install klips
cd ~/openswan-2.4.7
make KERNELSRC=/lib/modules/`uname -r`/build module minstall
depmod -a
The NETKEY modules must be unloaded before the klips module can be loaded:
rmmod xfrm_user af_key esp4 ah4 ipcomp xfrm4_tunnel
Then load klips:
modprobe ipsec
Check with lsmod that ipsec is loaded and the NETKEY modules are gone. rmmod refuses to remove a module that another loaded module still uses, so if it fails, remove the dependent module first.
5. Verify the installation
Run the following command to verify that openswan is installed correctly:
ipsec --version
If the klips IPsec stack is loaded, the output is:
Linux Openswan 2.4.7 (klips)
See `ipsec --copyright' for copyright information.
If no IPsec stack is loaded, the output is:
Linux Openswan U2.4.7/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.

5. Configure openswan

1. Main openswan configuration files
/etc/ipsec.secrets holds the RSA private key and any pre-shared keys (PSKs); it must be readable by root only.
/etc/ipsec.conf is the configuration file (the config setup section, conn %default, and the connection definitions).

2. openswan configuration directories
/etc/ipsec.d/cacerts stores X.509 root (CA) certificates
/etc/ipsec.d/certs stores X.509 client certificates
/etc/ipsec.d/private stores X.509 certificate private keys
/etc/ipsec.d/crls stores X.509 certificate revocation lists (CRLs)
/etc/ipsec.d/ocspcerts stores X.509 OCSP (Online Certificate Status Protocol) responder certificates
/etc/ipsec.d/passwd is the XAUTH password file
/etc/ipsec.d/policies stores the opportunistic encryption policy groups

3. openswan connection methods
Openswan has two connection methods:
1) Network-to-network
As the name suggests, the network-to-network method joins two networks into one virtual private network. Once the connection is established, every host in one subnet can transparently reach the hosts in the remote subnet.

Two conditions must be met for this method:
I. Each subnet has a host with openswan installed acting as its egress gateway;
II. The IP ranges of the two subnets must not overlap.
2) Road warrior
With network-to-network, the gateway host of each subnet does not itself get the transparent access to the remote subnet that its internal hosts get, and a machine that is not behind one of the two gateways is not covered at all. That is, if you are a mobile user with a laptop who travels or works from different locations, your laptop cannot be connected to the company network with the network-to-network method.

The road warrior method is designed for this situation: once the connection is established, your laptop is connected to the remote network.
4. openswan authentication methods
Openswan supports several authentication methods, including RSA keys, pre-shared keys, XAUTH and X.509 certificates.
5. Preparing openswan for RSA digital signature (rsasig) authentication
Follow these steps to configure the network-to-network connection between lserver and rserver:
1) Generate a new host key on both lserver and rserver:
ipsec newhostkey --output /etc/ipsec.secrets
This writes the RSA private key into /etc/ipsec.secrets. Keep that file mode 0600 and never copy it to the other gateway; only the public half, obtained in the next two steps, is exchanged.
2) On lserver, run the following command to obtain the leftrsasigkey (the public key of lserver):
ipsec showhostkey --left
The output has the following format:
# RSA 2192 bits lserver.foxbb.com Sat Mar 3 15:45:00 2007
leftrsasigkey=0saqobijfmj......
3) On rserver, run the following command to obtain the rightrsasigkey (the public key of rserver):
ipsec showhostkey --right
The output has the following format:
# RSA 2192 bits rserver.foxbb.com Sat Mar 3 15:51:56 2007
rightrsasigkey=0saqnzzzjj......
4) Edit /etc/ipsec.conf on both lserver and rserver.
Append the following to the end of /etc/ipsec.conf (vi /etc/ipsec.conf), replacing the leftrsasigkey and rightrsasigkey lines with the values obtained in steps 2 and 3. The same conn goes into both gateways' files: "left" and "right" are only labels, and each gateway works out which side it is from its own addresses. The keys of a conn must be indented under the conn line.

conn net-to-net
    left=192.168.1.10              # Internet IP address of lserver
    leftsubnet=172.16.1.0/24       # lserver internal IP range
    leftid=@lserver.uddtm.com      # lserver ID
    leftrsasigkey=0saqobijfmj...   # public key of lserver
    leftnexthop=%defaultroute      # next hop of lserver is its default route
    right=192.168.1.20             # Internet IP address of rserver
    rightsubnet=172.16.2.0/24      # rserver internal IP range
    rightid=@rserver.uddtm.com     # rserver ID
    rightrsasigkey=0saqnzzzjj...   # public key of rserver
    rightnexthop=%defaultroute     # next hop of rserver is its default route
    auto=add                       # add this connection, but do not bring it up automatically when openswan starts

Copy each public key to the other gateway over an authenticated channel (scp, for example) and compare the full string at both ends. The key in the peer's ipsec.conf is what authenticates the peer, so a substituted key means a substituted peer.
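To make steps 1) to 4) checkable, here is an added shell example that is my own and not part of the original article or of openswan: it verifies that the two subnets do not overlap (condition II of the network-to-network method), extracts the key line from `ipsec showhostkey` output, renders the conn section with the indentation ipsec.conf requires, and checks the mode of the secrets file. The showhostkey output and key strings are constructed placeholders rather than real keys, and the function names and example hostnames are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): helpers for preparing the
# net-to-net conn. Key strings below are constructed placeholders.

# Constructed sample of `ipsec showhostkey --left` output.
SAMPLE_SHOWHOSTKEY='# RSA 2192 bits lserver.example.com Sat Mar  3 15:45:00 2007
leftrsasigkey=0sAQPlaceholderNotARealKey'

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network number of a CIDR block ("a.b.c.d/n") as an integer.
cidr_net() {
    local ip=${1%/*} bits=${1#*/}
    echo $(( $(ip2int "$ip") & (0xffffffff << (32 - bits)) & 0xffffffff ))
}

# Condition II for network-to-network: the two private subnets must not
# overlap. Returns 0 (true) if they DO overlap. Two blocks overlap exactly
# when they agree on the shorter of the two prefixes.
subnets_overlap() {
    local abits=${1#*/} bbits=${2#*/} m
    m=$(( abits < bbits ? abits : bbits ))
    [ "$(cidr_net "${1%/*}/$m")" -eq "$(cidr_net "${2%/*}/$m")" ]
}

# Extract the (left|right)rsasigkey= line from `ipsec showhostkey` output,
# dropping the "# RSA ..." comment. This is the PUBLIC key; the private key
# stays in /etc/ipsec.secrets and is never exchanged.
hostkey_line() {
    grep -E '^[[:space:]]*(left|right)rsasigkey='
}

# Render the conn section. ipsec.conf keys must be indented under the
# "conn" line; a key at column zero ends the section. Refuses to render a
# conn whose subnets overlap. authby=rsasig is openswan's default, written
# out here so the intended authentication is explicit.
render_conn() {
    local name=$1 lip=$2 lnet=$3 lid=$4 lkey=$5 rip=$6 rnet=$7 rid=$8 rkey=$9
    if subnets_overlap "$lnet" "$rnet"; then
        echo "render_conn: subnets $lnet and $rnet overlap" >&2
        return 1
    fi
    cat <<EOF
conn $name
    left=$lip
    leftsubnet=$lnet
    leftid=$lid
    leftrsasigkey=$lkey
    leftnexthop=%defaultroute
    right=$rip
    rightsubnet=$rnet
    rightid=$rid
    rightrsasigkey=$rkey
    rightnexthop=%defaultroute
    authby=rsasig
    auto=add
EOF
}

# /etc/ipsec.secrets holds the RSA private key: anything other than mode 600
# is a finding. Takes a path so it can be exercised on a temporary file.
secrets_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SHOWHOSTKEY" | hostkey_line
    render_conn net-to-net 192.168.1.10 172.16.1.0/24 @lserver.example.com \
        0sAQLeftPlaceholder 192.168.1.20 172.16.2.0/24 @rserver.example.com \
        0sAQRightPlaceholder
    secrets_mode_ok /etc/ipsec.secrets || echo "/etc/ipsec.secrets is not mode 600"
fi
```

The overlap test uses the shorter prefix of the two blocks, so it also catches the case where one LAN is a supernet of the other, which a plain string comparison of the two network addresses would miss.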

5) Run the following command on both lserver and rserver to start openswan:
service ipsec start
6) Run the following command on both lserver and rserver to verify that openswan is running properly:
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                               [OK]
Linux Openswan U2.4.7/K2.6.9-55.EL (netkey)
Checking for IPsec support in kernel                          [OK]
NETKEY detected, testing for disabled ICMP send_redirects     [OK]
NETKEY detected, testing for disabled ICMP accept_redirects   [OK]
Checking for RSA private key (/etc/ipsec.secrets)             [OK]
Checking that pluto is running                                [OK]
Two or more interfaces found, checking IP forwarding          [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                     [OK]
Checking for 'iptables' command                               [OK]
Opportunistic Encryption Support                              [DISABLED]

Note that the version line in this capture reads (netkey): the NETKEY stack was loaded when ipsec verify was run, not klips. ipsec verify only tests whatever stack it finds, so after the service has started, confirm with ipsec --version that the stack installed in section 4 is the one in use. If it reports netkey, unload the NETKEY modules and load ipsec again before continuing.
7) Run the following command on lserver or rserver to bring up the lserver-rserver network-to-network connection:
ipsec auto --up net-to-net
The output is similar to the following; if "IPsec SA established" appears in the last line, the connection succeeded:

104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "net-to-net" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa329d030

The ISAKMP SA line records what was actually negotiated, here openswan's defaults: 3DES, an MD5 PRF and DH group modp1536. Read it rather than assuming. If both ends support it, pin stronger algorithms in the conn with ike= and esp= (for example ike=aes128-sha1-modp1536 and esp=aes128-sha1) and confirm afterwards that they appear in this line.


8) Test the IPsec connection
Run ping 172.16.2.2 on lclient, or ping 172.16.1.2 on rclient.
While the ping is running, run the following on lserver or rserver:
tcpdump -i eth0 -n host 192.168.1.10 and 192.168.1.20

If lclient and rclient can ping each other and tcpdump shows output like the following, the network-to-network IPsec connection is working:
12:34:32.478903 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x7f)
12:34:32.480050 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x8451_ca,seq=0x7f)
12:34:33.450660 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x80)
12:34:33.450938 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x8451_ca,seq=0x80)
12:34:34.449218 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0xf225b168,seq=0x81)
12:34:34.451034 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x8451_ca,seq=0x81)

Seeing ESP is the real test. A ping that succeeds while tcpdump on eth0 shows ICMP between 172.16.x addresses instead of ESP means the traffic is going around the tunnel (for example through the masquerade rule because the -d exclusion is missing), not through it. On klips, ipsec eroute lists the installed tunnel policies and ipsec look shows the SAs.
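The page's check is "does tcpdump show ESP". The following added shell example (mine, not from the article or from openswan) turns that into a repeatable test over a saved capture: it counts ESP packets per direction between the two gateway addresses, lists the SPI used in each direction, and flags any packet to or from the private subnets that crosses eth0 without ESP, which is the signature of traffic bypassing the tunnel. The capture lines are constructed to resemble `tcpdump -i eth0 -n` output and include one deliberately leaked ICMP packet; the addresses follow the table in section 2 and the SPI values are made up.

```shell
#!/bin/bash
# Added example (not from the original article): judge a tcpdump capture
# taken on the WAN interface of a net-to-net gateway. Sample lines are
# constructed; SPIs are made up.

LGW=192.168.1.10            # lserver WAN address (section 2 table)
RGW=192.168.1.20            # rserver WAN address
PRIV_RE='172\.16\.[12]\.'   # regex prefix covering both private /24s

# Constructed capture: two ESP packets each way, then one ICMP echo from the
# left LAN that crossed eth0 unencrypted (tunnel bypass).
SAMPLE_CAPTURE='12:34:32.478903 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0x0a1b2c3d,seq=0x7f), length 132
12:34:32.480050 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x4e5f6071,seq=0x7f), length 132
12:34:33.450660 IP 192.168.1.10 > 192.168.1.20: ESP(spi=0x0a1b2c3d,seq=0x80), length 132
12:34:33.450938 IP 192.168.1.20 > 192.168.1.10: ESP(spi=0x4e5f6071,seq=0x80), length 132
12:34:34.449218 IP 172.16.1.2 > 172.16.2.2: ICMP echo request, id 512, seq 3, length 64'

# esp_packets <src> <dst>: number of ESP packets in that direction (stdin).
esp_packets() {
    grep -c "IP $1 > $2: ESP(" || true
}

# spis_for <src> <dst>: distinct SPIs seen in that direction. One SA uses
# one SPI per direction; more than one inside a short capture means a rekey
# or two competing SAs and deserves a look in the pluto log.
spis_for() {
    grep "IP $1 > $2: ESP(" | sed -n 's/.*spi=\(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# cleartext_leaks: packets to or from the private subnets that are not ESP.
# On the WAN side such packets should never exist: they mean the traffic
# went around the tunnel (no eroute installed, or the masquerade rule lacks
# its "-d !" exclusion). Prints the offenders; returns 0 when clean.
cleartext_leaks() {
    local leaks
    leaks=$(grep -E "IP $PRIV_RE[0-9]+ > |> $PRIV_RE[0-9]+:" | grep -v ': ESP(' || true)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# tunnel_healthy <capture text>: ESP in both directions, exactly one SPI per
# direction, and no cleartext private traffic.
tunnel_healthy() {
    local cap=$1 n_lr n_rl spi_lr spi_rl
    n_lr=$(printf '%s\n' "$cap" | esp_packets "$LGW" "$RGW")
    n_rl=$(printf '%s\n' "$cap" | esp_packets "$RGW" "$LGW")
    if [ "$n_lr" -eq 0 ] || [ "$n_rl" -eq 0 ]; then
        echo "tunnel_healthy: ESP missing in one direction ($n_lr/$n_rl)" >&2
        return 1
    fi
    spi_lr=$(printf '%s\n' "$cap" | spis_for "$LGW" "$RGW" | grep -c . || true)
    spi_rl=$(printf '%s\n' "$cap" | spis_for "$RGW" "$LGW" | grep -c . || true)
    if [ "$spi_lr" -ne 1 ] || [ "$spi_rl" -ne 1 ]; then
        echo "tunnel_healthy: expected one SPI per direction, saw $spi_lr/$spi_rl" >&2
        return 1
    fi
    printf '%s\n' "$cap" | cleartext_leaks
}

if [ "${1:-}" = "demo" ]; then
    # On a live gateway: tcpdump -i eth0 -n -c 50 host $LGW and $RGW > cap.txt
    # then: tunnel_healthy "$(cat cap.txt)"
    tunnel_healthy "$SAMPLE_CAPTURE" && echo "tunnel OK" || echo "tunnel NOT OK"
fi
```

Run with the argument demo: the sample fails because of the leaked ICMP line, and the offending packet is printed. Note that the capture filter "host lgw and rgw" used in the article would hide exactly such leaks; capture without the host filter (or with the private subnets added) when looking for them.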

9) Set automatic connection
Once the test passes, change the connection's
auto=add
to
auto=start
so that openswan brings the connection up automatically when it starts.
