IPsec - is a network level protocol for strong pervasive Security.It can provide privacy and block variety of threats.
First decide the remote host and local host between which IPsec has to be enabled.
There are two types of authentication headers in IPsec
1)Authentication Header
2)Encryption Header
For both types key has to be generated to enable IPsec
For AH you can use 64 bit key
For EH you can use 96 bit key
You have to declare both SA(security association) and SP(Security Policy) to effectively establish a IPsec.
SA - to define the security needed to be associated between the IPs.
SP - to define when the SA is to be used
TO define SA:
1)add localIP remoteIP ah 15700 -A hmac-md5 "123456701234"
ah -to indicate it is defined for authentication header
15700 - Security Index
-A - authentication
hmac-md5 - authentication algorithm
"123456701234" -AH key
2)add localIP remoteIP esp 12222 -E desc-cbc "23123234324324324234234"
esp -to indicate it is defined for authentication header
12222 -Security Index
-E -encryption
3dec-cbc - encryption algoritm
"23123234324324324234234" - esp Key
you can also define both together
1& 2 together ) add localIP remoteIP esp 12222 -E desc-cbc "23123234324324324234234" -A hmac-md5 "123456701234"
This combined format worked better for me compared to defining separately for both
ah and esp.
This also has to be done for the reverse direction like
add remoteIP localIP ah 15700 -A hmac-md5 "123456701234" likewise for all the three formats.
To setup the SA you have to copy the add commands into a file like
>cat ff
add 10.1.1.1 12.1.1.1 esp 12222 -E desc-cbc "23123234324324324234234" -A hmac-md5 "123456701234"
add 12.1.1.1 10.1.1.1 esp 12222 -E desc-cbc "23123234324324324234234" -A hmac-md5 "123456701234"
and then run
>setkey -f ff
AND it has to return no errors.
If so ,you can confirm a IPsec security association has been setup.
To display the setup SA(Security Association) setup you can use the command
setkey -D
IF a SA is setup it will show the details
else it will display "NO SAD entries"
To setup SP(security policy):
you have to use somewhat the same strategy:
you have to add these commands into a file and call setkey -f filename command
you have to add:
spdadd localip remoteip any -P out ipsec
esp/transport/require
ah/transport/require
these information say for any packet moving out of the localip esp encrypted and ah authenticated header has to be used.
likewise you can define :
spdadd remoteip localip any -P in ipsec
esp/ transport/require
ah/transport/require
these information say for any packet moving into the remoteip esp encrypted and ah authenticated header has to be used.
Simply put these spdadd commands into a file substuting your localip and remoteip information.
And run setkey -f filename command
Your SPD will be established.
You can view your registered SPD by typing the command
setkey -DP
if it does't show any of the the information
you might have committed some error.Double check with spdadd and add commands.
By this have you can easily setup a IPsec Connection between two IP's.
No comments:
Post a Comment