
Basic Site-to-Site IPsec Configuration with Openswan (CentOS)

September 20, 2013    4 Comments

Scenario

Linux1
LAN: 200.200.200.0/24
WAN: 10.10.10.60/24

Linux2
LAN: 99.99.99.0/24
WAN: 10.30.30.50/24

Installation:

yum -y install openswan

Configuration

For a basic configuration we will edit the files /etc/ipsec.conf and /etc/ipsec.secrets. Besides these two files, routing (IP forwarding) must be enabled on the Linux host (see the post http://www.netadm.com.br/?p=664).

Linux1

[root@localhost ~]# vi /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        oe=off
        nat_traversal=no
        #virtual_private=%v4:99.99.99.0/24,%v4:200.200.200.0/24
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

conn tunnel
   left=10.10.10.60 # left for local
   leftsubnet=200.200.200.0/24
   leftnexthop=10.10.10.1
   right=10.30.30.50 # right for remote
   rightsubnet=99.99.99.0/24
   rightnexthop=10.30.30.1
   pfs=yes # pfs for Perfect Forward Secrecy
   type=tunnel
   authby=secret
   auto=start

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

[root@localhost ~]# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.10.10.60 10.30.30.50: PSK "teste"

Linux2

[root@localhost ~]# vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        oe=off
        nat_traversal=no
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

conn tunnel
   left=10.30.30.50
   leftsubnet=99.99.99.0/24
   leftnexthop=10.30.30.1
   right=10.10.10.60
   rightsubnet=200.200.200.0/24
   rightnexthop=10.10.10.1
   pfs=yes
   type=tunnel
   authby=secret
   auto=start

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

[root@localhost ~]# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.10.10.60 10.30.30.50: PSK "teste"
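Before bringing the tunnel up it is worth confirming that the two peers really are mirror images of each other; a single swapped subnet or a PSK line that names the wrong gateways is the usual reason a site-to-site tunnel never establishes. The following Python script is an added example (not part of the original post or of Openswan): it parses the "conn tunnel" section of both ipsec.conf files plus the PSK line of ipsec.secrets, checks that left/right, subnets and nexthops are swapped consistently and that the PSK line names exactly the two gateways, and flags a short pre-shared key. The 20-character minimum is an assumed local policy, and the embedded sample input is copied from the two configurations above.

```python
import re

MIN_PSK_LEN = 20  # assumed local policy, not an Openswan requirement

def parse_conn(text, name):
    """Return the key=value pairs of 'conn <name>', ignoring '#' comments."""
    params, active = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # a new top-level section starts here
            active = line.split() == ["conn", name]
        elif active and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key] = value.strip()
    return params

def parse_psk(text):
    """Return ({ids}, secret) from the first 'id id: PSK "secret"' line."""
    m = re.search(r'^([^#:\n]+):\s*PSK\s+"([^"]*)"', text, re.M)
    return set(m.group(1).split()), m.group(2)

def check_pair(conf_a, secrets_a, conf_b, secrets_b, name="tunnel"):
    """List mismatches between two peers; an empty list means they mirror correctly."""
    a, b = parse_conn(conf_a, name), parse_conn(conf_b, name)
    findings = []
    for key in ("left", "leftsubnet", "leftnexthop"):
        mirror = key.replace("left", "right")
        if a.get(key) != b.get(mirror) or a.get(mirror) != b.get(key):
            findings.append(f"{key}/{mirror} do not mirror between peers")
    (ids_a, psk_a), (ids_b, psk_b) = parse_psk(secrets_a), parse_psk(secrets_b)
    if ids_a != {a["left"], a["right"]} or ids_b != ids_a:
        findings.append("PSK line does not name exactly the two gateways")
    if psk_a != psk_b:
        findings.append("PSK differs between peers")
    if len(psk_a) < MIN_PSK_LEN:
        findings.append(f"PSK shorter than {MIN_PSK_LEN} characters")
    return findings

# Sample input copied from the post's two peers ('config setup' and comments omitted).
LINUX1_CONF = "conn tunnel\n left=10.10.10.60\n leftsubnet=200.200.200.0/24\n leftnexthop=10.10.10.1\n right=10.30.30.50\n rightsubnet=99.99.99.0/24\n rightnexthop=10.30.30.1\n authby=secret\n"
LINUX2_CONF = "conn tunnel\n left=10.30.30.50\n leftsubnet=99.99.99.0/24\n leftnexthop=10.30.30.1\n right=10.10.10.60\n rightsubnet=200.200.200.0/24\n rightnexthop=10.10.10.1\n authby=secret\n"
SECRETS = 'include /etc/ipsec.d/*.secrets\n10.10.10.60 10.30.30.50: PSK "teste"\n'

if __name__ == "__main__":
    for finding in check_pair(LINUX1_CONF, SECRETS, LINUX2_CONF, SECRETS):
        print("WARNING:", finding)
```

Run against the post's own files the only finding is the short PSK "teste"; in practice read the real files with open() instead of the embedded strings.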
Command to bring up the tunnel:

[root@localhost ~]# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.18-274.el5...
ipsec_setup: no default routes detected
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Verification commands:

Nothing beats a ping!

Ping the destination LAN, using an address on the source LAN as the source address:

[root@localhost ~]# ping -I 200.200.200.200 99.99.99.99
PING 99.99.99.99 (99.99.99.99) from 200.200.200.200 : 56(84) bytes of data.
64 bytes from 99.99.99.99: icmp_seq=1 ttl=64 time=87.6 ms
64 bytes from 99.99.99.99: icmp_seq=2 ttl=64 time=88.4 ms
64 bytes from 99.99.99.99: icmp_seq=3 ttl=64 time=88.4 ms
64 bytes from 99.99.99.99: icmp_seq=4 ttl=64 time=87.4 ms
64 bytes from 99.99.99.99: icmp_seq=5 ttl=64 time=86.3 ms
64 bytes from 99.99.99.99: icmp_seq=6 ttl=64 time=85.1 ms

--- 99.99.99.99 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5002ms
rtt min/avg/max/mdev = 85.101/87.253/88.486/1.221 ms

More verification commands:

[root@localhost ~]# /etc/init.d/ipsec status
IPsec stopped
[root@localhost ~]# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.18-274.el5...
ipsec_setup: no default routes detected
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@localhost ~]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 10001
pluto pid 10001
1 tunnels up
some eroutes exist
[root@localhost ~]#

[root@localhost ~]# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.13
000 interface eth1/eth1 10.10.10.60
000 interface eth2/eth2 200.200.200.200
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "tunnel": 200.200.200.0/24===10.10.10.60<10.10.10.60>[+S=C]---10.10.10.1...10.30.30.1---10.30.30.50<10.30.30.50>[+S=C]===99.99.99.0/24; erouted; eroute owner: #2
000 "tunnel":     myip=unset; hisip=unset;
000 "tunnel":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnel":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "tunnel":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "tunnel":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "tunnel2": 200.200.200.0/24===187.38.164.249<187.38.164.249>[+S=C]...184.22.247.6<184.22.247.6>[+S=C]===184.22.226.176/29; unrouted; eroute owner: #0
000 "tunnel2":     myip=unset; hisip=unset;
000 "tunnel2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnel2":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,29; interface: ;
000 "tunnel2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "tunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27822s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "tunnel" esp.604990fd@10.30.30.50 esp.a408d1c@10.10.10.60 tun.0@10.30.30.50 tun.0@10.10.10.60 ref=0 refhim=4294901761
000 #1: "tunnel":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2380s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# ipsec auto --up tunnel
117 "tunnel" #3: STATE_QUICK_I1: initiate
004 "tunnel" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x643a56bb <0x8c84e213 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root@localhost ~]#
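The status output above can also be checked mechanically, which is what you want when the tunnel is monitored rather than inspected by hand. This Python snippet is an added example (not from the original post or from Openswan): it parses the per-connection lines of "ipsec auto status", reports whether each conn is erouted with an established IPsec SA, and warns if PFS is off or the negotiated IKE proposal contains a legacy token. The legacy token list is an assumed local policy, and the sample status text is an abridged copy of the output above.

```python
import re

# Abridged copy of the 'ipsec auto status' output shown above (sample input).
STATUS = """\
000 "tunnel": 200.200.200.0/24===10.10.10.60<10.10.10.60>[+S=C]---10.10.10.1...10.30.30.1---10.30.30.50<10.30.30.50>[+S=C]===99.99.99.0/24; erouted; eroute owner: #2
000 "tunnel":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "tunnel":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "tunnel":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "tunnel2": 200.200.200.0/24===187.38.164.249<187.38.164.249>[+S=C]...184.22.247.6<184.22.247.6>[+S=C]===184.22.226.176/29; unrouted; eroute owner: #0
000 "tunnel2":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,29; interface: ;
000 "tunnel2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

# Assumed local policy: proposal tokens treated as legacy ("DES" also matches 3DES).
LEGACY_TOKENS = ("DES", "MD5", "MODP1024")

def parse_status(text):
    """Summarise each conn from the '000 "<name>": ...' lines of the status output."""
    conns = {}
    for line in text.splitlines():
        m = re.match(r'000 "([^"]+)":\s+(.*)', line)
        if not m:
            continue  # interface, algorithm-table and per-state (#N) lines are not needed here
        name, rest = m.groups()
        c = conns.setdefault(name, {"routed": False, "ipsec_sa": 0, "ike_alg": None, "pfs": None})
        if rest.startswith("policy:"):
            c["pfs"] = "+PFS" in rest
        elif "newest IPsec SA:" in rest:
            c["ipsec_sa"] = int(re.search(r"newest IPsec SA: #(\d+)", rest).group(1))
        elif rest.startswith("IKE algorithm newest:"):
            c["ike_alg"] = rest.split(":", 1)[1].strip()
        elif "===" in rest:  # the topology line carries the erouted/unrouted flag
            c["routed"] = "; erouted;" in rest
    return conns

def tunnel_report(text, name):
    """Return (is_up, warnings): up means erouted with a non-zero newest IPsec SA."""
    c = parse_status(text).get(name)
    if c is None:
        return False, [f"conn {name!r} not loaded"]
    warnings = []
    if c["pfs"] is False:
        warnings.append("PFS disabled")
    if c["ike_alg"]:
        warnings += [f"legacy {t} in {c['ike_alg']}" for t in LEGACY_TOKENS if t in c["ike_alg"]]
    return c["routed"] and c["ipsec_sa"] > 0, warnings
```

On a live host feed tunnel_report() the output of subprocess.run(["ipsec", "auto", "--status"]) instead of the embedded sample.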
Note about our scenario:

Since we are not using a default route, in our scenario we had to add specific routes pointing at the gateway through which the tunnel is established:

Linux1

[root@localhost ~]# route add -net 99.99.99.0 netmask 255.255.255.0 gw 10.10.10.1

[root@localhost ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
99.99.99.0      10.10.10.1      255.255.255.0   UG        0 0          0 eth1
200.200.200.0   0.0.0.0         255.255.255.0   U         0 0          0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.30.30.0      10.10.10.1      255.255.255.0   UG        0 0          0 eth1

Linux2

[root@localhost ~]# route add -net 200.200.200.0 netmask 255.255.255.0 gw 10.30.30.1

[root@localhost ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
99.99.99.0      0.0.0.0         255.255.255.0   U         0 0          0 eth2
200.200.200.0   10.30.30.1      255.255.255.0   UG        0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.10.0      10.30.30.1      255.255.255.0   UG        0 0          0 eth1
10.30.30.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
[root@localhost ~]#

Sniffer:

Download ipsec_sniffer.cap

About the Author:

The author has worked with network technology for 13 years, takes part in conferences in Brazil and abroad, and works with network equipment manufacturers on improving protocols and systems.
  • Luiz

    Friend, good evening!

    Very good, with this can I connect the two networks of a head office and a branch?

  • Wolfz

    Yes!

  • wellington

    Hello friend, I am following your tutorial but I am not sure it is working properly.
    Could you clear up a few doubts for me???

  • Klenilton Pereira de Souza

    BALANCED VPN

    Dear all, good afternoon

    How do I configure 2 WAN IPs to provide redundancy??

    I am acquiring another dedicated link in order to have redundancy.

    Configuration follows

    conn spdm
       type=tunnel
       authby=secret
       auth=esp
       ikelifetime=5400s
       keylife=3600s
       esp=aes192-sha1
       ike=aes192-sha1-modp1024
       keyexchange=ike
       pfs=yes
       #local – centos
       left=189.8.94.62
       leftsubnet=172.18.0.0/20
       leftsourceip=172.18.8.60
       #remote – Dualtec
       right=200.169.100.99
       rightsubnet=10.100.46.0/24
       # auto=add
       auto=start

    Regards..