This post describes the procedure to install and configure IPsec on RHEL 7.x. IPsec is available for both IPv4 and IPv6.
On RHEL 7, a Virtual Private Network (VPN) can be built on the IPsec protocol, which is configured through Libreswan.
Prerequisite:
Ensure that a Yum repository is configured on the system. The libreswan package can be found on the RHEL / CentOS ISO DVD.
Below are the steps to configure IPsec using libreswan on RHEL 7.
1. Log in to both nodes as the root user over SSH, if not already logged in.
2. Install the libreswan package with all its dependencies from the Yum repository:
# yum install libreswan -y
3. IPsec configuration is stored in the /etc/ipsec.d/ directory and in the /etc/ipsec.conf file. Generate a public/private key pair for RSA-based authentication on both nodes being configured for IPsec. Run the following commands one by one on both target nodes, node1 and node2:
a. Generate the certificate database for the IPsec configuration:
# certutil -N -d /etc/ipsec.d/
At the password prompt, keep pressing Enter until the command exits. (This leaves the database without a password; if you do set one, the ipsec service needs it supplied via /etc/ipsec.d/nsspassword in order to start unattended.)
The following is sample output:
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Password changed successfully.
b. Generate the IPsec host key pair in the database under /etc/ipsec.d/ and write the key entry to /etc/ipsec.secrets:
# rm -f /etc/ipsec.secrets
# ipsec newhostkey --output /etc/ipsec.secrets --bits 2192 --random /dev/urandom --configdir /etc/ipsec.d/
Note: Ignore the warning about the RSA key size, if one appears.
Make a note of the public key in /etc/ipsec.secrets using the following command:
# grep "#pubkey=" /etc/ipsec.secrets
This public key is used in the IPsec configuration. Only the #pubkey= value is shared with the other node; the rest of /etc/ipsec.secrets identifies the private key and must stay on its host, readable by root only.
4. Ensure that a public key has been generated on both nodes and that both values are available to the person performing the installation.
5. Check that the following line is present and uncommented in /etc/ipsec.conf on both target nodes:
include /etc/ipsec.d/*.conf
6. On either target node, create the file /etc/ipsec.d/nodes_details_ipsec.conf (if it does not already exist) and add the following lines, replacing the placeholder values with the correct entries:
Note: Every parameter line under a conn in /etc/ipsec.d/nodes_details_ipsec.conf must be indented, as shown; otherwise the IPsec service will fail to start.
# vi /etc/ipsec.d/nodes_details_ipsec.conf
conn nodes_ipv4
    left=<node1_ip>
    leftrsasigkey=<public_key_of_node1>
    leftnexthop=%defaultroute
    right=<node2_ip>
    rightrsasigkey=<public_key_of_node2>
    rightnexthop=%defaultroute
    auto=start
If IPsec is also to be configured for IPv6 alongside IPv4, append the following lines to /etc/ipsec.d/nodes_details_ipsec.conf, again replacing the placeholder values with the correct entries:
conn nodes_v6
    connaddrfamily=ipv6
    left=<node1_ipv6>
    leftrsasigkey=<public_key_of_node1>
    leftnexthop=%defaultroute
    right=<node2_ipv6>
    rightrsasigkey=<public_key_of_node2>
    rightnexthop=%defaultroute
    auto=start
Save the file after making the required changes.
7. Copy the updated /etc/ipsec.d/nodes_details_ipsec.conf to the other node at the same path. The same file works unchanged on both nodes because Libreswan determines from its own addresses which side (left or right) it is.
8. Enable and restart the IPsec service with the following commands:
# systemctl enable ipsec
# systemctl restart ipsec
To verify that the IPsec service is running, execute:
# systemctl status ipsec
To test whether IPsec is configured properly, run the command below. "ipsec whack --trafficstatus" lists the tunnels that are currently established, with byte counters in each direction; a connection that is missing from this list has not come up.
Sample output
[root@techbuzz ~]# ipsec whack --trafficstatus
006 #4: "mm18_nodes", type=ESP, add_time=1535366781, inBytes=84, outBytes=84, id='10.62.241.51'
006 #3: "mm18_nodes_v6", type=ESP, add_time=1535366781, inBytes=104, outBytes=104, id='2001:1a60:81b7:1258:10:62:241:56'
The connection names in this sample (mm18_nodes, mm18_nodes_v6) differ from the nodes_ipv4 and nodes_v6 names used in step 6; on your nodes, expect the names from your own file.
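The shell script below is an added example and not part of the original post or of Libreswan; it automates steps 3b and 6 from above: reading the #pubkey= value from an ipsec.secrets file, rendering the conn blocks with matching left/right keys, and checking the indentation that the note in step 6 warns about. The function names, the fake key values and the documentation IP addresses are assumptions; it writes only to a temporary directory, never under /etc.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for steps 3b and 6.
# extract_pubkey reads a node's "#pubkey=" value from ipsec.secrets (only that
# value is shared with the peer), render_conn prints a conn block in the step 6
# layout, check_indent catches the unindented parameter lines step 6 warns about.

extract_pubkey() {   # $1: path to an ipsec.secrets file
    sed -n 's/^[[:space:]]*#pubkey=//p' "$1" | head -n 1
}

# Args: name family(ipv4|ipv6) left_ip left_pubkey right_ip right_pubkey
render_conn() {
    printf 'conn %s\n' "$1"
    if [ "$2" = "ipv6" ]; then printf '\tconnaddrfamily=ipv6\n'; fi
    printf '\tleft=%s\n\tleftrsasigkey=%s\n\tleftnexthop=%%defaultroute\n' "$3" "$4"
    printf '\tright=%s\n\trightrsasigkey=%s\n\trightnexthop=%%defaultroute\n' "$5" "$6"
    printf '\tauto=start\n'
}

# Exit 0 if every non-blank, non-comment line of a conn-only file ($1) is a
# "conn NAME" header or an indented key=value line; exit 1 otherwise.
check_indent() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
         /^conn[[:space:]]+[^[:space:]]+[[:space:]]*$/ { next }
         /^[[:space:]]+[A-Za-z0-9_]+=/ { next }
         { bad = 1 }
         END { exit bad }' "$1"
}

# Stand-alone run on constructed input: a fake secrets file and documentation
# addresses (RFC 5737 / RFC 3849). Nothing under /etc is touched.
main() {
    tmp=$(mktemp -d)
    printf ': RSA {\n\t#pubkey=0sAQSAMPLEKEY1\n\t}\n' > "$tmp/secrets_node1"
    key1=$(extract_pubkey "$tmp/secrets_node1")
    key2=0sAQSAMPLEKEY2   # would be read from node2's /etc/ipsec.secrets
    {
        render_conn nodes_ipv4 ipv4 192.0.2.1 "$key1" 192.0.2.2 "$key2"
        render_conn nodes_v6 ipv6 2001:db8::1 "$key1" 2001:db8::2 "$key2"
    } > "$tmp/nodes_details_ipsec.conf"
    if check_indent "$tmp/nodes_details_ipsec.conf"; then
        echo "OK: $tmp/nodes_details_ipsec.conf"
    else
        echo "unindented parameter line in $tmp/nodes_details_ipsec.conf" >&2
    fi
}
main "$@"
```

On a real node, point extract_pubkey at /etc/ipsec.secrets on each side and copy the rendered file to both nodes as in step 7, then run check_indent on it before restarting the ipsec service.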