Wednesday, April 20, 2011

setting IPsec in Linux


IPsec is a network-layer protocol suite for strong, pervasive security. It can provide privacy (confidentiality and authentication of IP traffic) and block a variety of threats.

First decide the remote host and local host between which IPsec has to be enabled.

There are two types of headers in IPsec:

1) Authentication Header (AH)
2) Encryption Header (ESP, Encapsulating Security Payload)

For both types a key has to be generated to enable IPsec.

For AH you can use a 64 bit key.
For EH you can use a 96 bit key.

You have to declare both an SA (Security Association) and an SP (Security Policy) to effectively establish IPsec.

SA - defines the security to be associated between the two IPs.

SP - defines when the SA is to be used.

To define an SA:

1) add localIP remoteIP ah 15700 -A hmac-md5 "123456701234";

ah             - indicates it is defined for the authentication header
15700          - Security Parameter Index (SPI)
-A             - authentication
hmac-md5       - authentication algorithm
"123456701234" - AH key

2) add localIP remoteIP esp 12222 -E 3des-cbc "23123234324324324234234";

esp                       - indicates it is defined for the Encapsulating Security Payload (encryption) header
12222                     - Security Parameter Index (SPI)
-E                        - encryption
3des-cbc                  - encryption algorithm
"23123234324324324234234" - ESP key

You can also define both together:

1 & 2 together) add localIP remoteIP esp 12222 -E 3des-cbc "23123234324324324234234" -A hmac-md5 "123456701234";

This combined format worked better for me compared to defining AH and ESP separately.

The same also has to be done for the reverse direction, e.g.
add remoteIP localIP ah 15700 -A hmac-md5 "123456701234";
and likewise for all three formats.

To set up the SA you have to copy the add commands into a file, like

>cat ff
add 10.1.1.1 12.1.1.1 esp 12222 -E 3des-cbc "23123234324324324234234" -A hmac-md5 "123456701234";
add 12.1.1.1 10.1.1.1 esp 12222 -E 3des-cbc "23123234324324324234234" -A hmac-md5 "123456701234";

and then run
>setkey -f ff
It has to return no errors.
If so, you can confirm that an IPsec security association has been set up.

To display the SA (Security Association) that has been set up you can use the command

setkey -D
If an SA is set up it will show the details;
otherwise it will display "No SAD entries".

To set up the SP (Security Policy):

you have to use much the same strategy:

add these commands to a file and run the setkey -f filename command.

You have to add:
spdadd localip remoteip any -P out ipsec
esp/transport/require
ah/transport/require;

This says that for any packet moving out from localip to remoteip, the ESP encrypted and the AH authenticated header have to be used.

Likewise you can define:

spdadd remoteip localip any -P in ipsec
esp/transport/require
ah/transport/require;

This says that for any packet moving in from remoteip to localip, the ESP encrypted and the AH authenticated header have to be used.

Simply put these spdadd commands into a file, substituting your localip and remoteip information,
and run the setkey -f filename command.

Your SPD will be established.

You can view your registered SPD by typing the command

setkey -DP

If it doesn't show any of the information,
you might have made an error. Double check the spdadd and add commands.

By this you can easily set up an IPsec connection between two IPs.
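The whole procedure above (SA lines in both directions, the matching SP lines, then setkey -f) as one generated configuration file. This is an added example and not the original post's file: the function names gen_key, check_key_bits, gen_sa_pair and gen_setkey_conf are this example's own, the SPI values are constructed, and the keys are random hex keys of the lengths setkey(8) documents for the algorithms (128 bits for hmac-md5, 192 bits for 3des-cbc). It differs from the post in three ways a practitioner will want: every add and spdadd line ends with the ';' that setkey's parser requires, each direction gets its own SPI and key instead of reusing one pair, and an AH SA is defined alongside the ESP SA so that a policy requiring ah/transport has an SA to satisfy it. The double slash in esp/transport//require is the empty tunnel-endpoint field for transport mode.

```shell
#!/bin/sh
# Added example (not from the original post): generate a setkey(8) configuration
# for manually keyed AH+ESP transport mode between two hosts. The same file must
# be loaded on both hosts, so copy it over a trusted channel and keep it mode 0600.

# Print N random bytes as a 0x-prefixed hex string (setkey accepts 0x keys).
gen_key() {
    printf '0x%s' "$(od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n')"
}

# Succeed only if a 0x hex key has exactly the requested number of bits.
check_key_bits() {
    key=$1; bits=$2
    hex=${key#0x}
    [ "${#hex}" -eq $((bits / 4)) ]
}

# Emit the ESP and AH "add" lines for one direction (src -> dst), after checking
# that the keys match what 3des-cbc (192 bits) and hmac-md5 (128 bits) require.
gen_sa_pair() {
    src=$1; dst=$2; esp_spi=$3; ah_spi=$4; esp_key=$5; ah_key=$6
    check_key_bits "$esp_key" 192 || { echo "3des-cbc needs a 192-bit key" >&2; return 1; }
    check_key_bits "$ah_key" 128  || { echo "hmac-md5 needs a 128-bit key" >&2; return 1; }
    printf 'add %s %s esp %s -E 3des-cbc %s;\n' "$src" "$dst" "$esp_spi" "$esp_key"
    printf 'add %s %s ah %s -A hmac-md5 %s;\n' "$src" "$dst" "$ah_spi" "$ah_key"
}

# Emit a complete setkey file: flush old entries, SAs for both directions with
# distinct (constructed) SPIs and fresh keys, then the out/in policies that
# require both ESP and AH in transport mode.
gen_setkey_conf() {
    local_ip=$1; remote_ip=$2
    printf 'flush;\nspdflush;\n'
    gen_sa_pair "$local_ip" "$remote_ip" 0x1000 0x1001 "$(gen_key 24)" "$(gen_key 16)" || return 1
    gen_sa_pair "$remote_ip" "$local_ip" 0x2000 0x2001 "$(gen_key 24)" "$(gen_key 16)" || return 1
    printf 'spdadd %s %s any -P out ipsec\n    esp/transport//require\n    ah/transport//require;\n' \
        "$local_ip" "$remote_ip"
    printf 'spdadd %s %s any -P in ipsec\n    esp/transport//require\n    ah/transport//require;\n' \
        "$remote_ip" "$local_ip"
}

# Usage: sh gen_ipsec.sh 10.1.1.1 12.1.1.1 > ipsec.conf && chmod 600 ipsec.conf
# Then on both hosts: setkey -f ipsec.conf; verify with setkey -D and setkey -DP.
if [ "$#" -eq 2 ]; then
    gen_setkey_conf "$1" "$2"
fi
```

The key-length check is the one that catches the most common setkey failure: a key of the wrong size is rejected at load time, and a policy that is loaded while its SA is missing leaves the kernel dropping traffic rather than sending it in the clear, which is the right failure mode but a confusing one to debug with only "setkey -DP".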

