Thread: Enabling Manually keyed IPSEC

Enabling Manually keyed IPSEC
user name
2006-12-02 14:08:11
Hi All,

I am a novice to IPSEC. Please help me by solving my query below.

My requirement is to establish IPSEC between My Tool and the Target device.
The keys that have to be used for encryption and authentication
will be negotiated through an application protocol (SIP) before enabling IPSEC on those two machines,
i.e., Manually Keyed IPSEC has to be established between the two machines on some particular port,
and the two machines are located in the same network.
 
    *************************************                                          *************************************
    *              My Tool              *                                          *           Target Device           *
    *           (Fedora Core)           *<---------------------------------------->*      (Any Operating System)       *
    *                                   *           Manually keyed IPSEC           *                                   *
    *    10.101.210.219 (some port)     *                                          *     10.101.210.16 (some port)     *
    *************************************                                          *************************************
 
By surfing the Internet, I came to know that Manual Keying can be done through OpenSWAN.

When I tried to enable it, I was not able to do so. I have listed the steps that I have done.
Please let me know if I have done anything wrong.
 
Operating System     : Fedora Core 4
Linux Kernel version : 2.6

[root@localhost gganga]# uname -a
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux

STEP 1)
        I have installed openSWAN (rpm -r openswan-2.4.4-1.i386.rpm)

STEP 2)
        I have started the IPSEC service.
[root@localhost gganga]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.4...
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4/kernel/net/ipv4/xfrm4_tunnel.ko

STEP 3)
        I have verified IPSEC.
[root@localhost gganga]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.11-1.1369_FC4 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

STEP 4)
        I have added connection peer-to-peer in /etc/ipsec.conf.
[root@localhost gganga]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=all
        plutodebug=none
        manualstart="net-to-net"
        pluto=yes

conn peer-to-peer
        left=10.101.210.219
        right=10.101.210.16
        keyingtries=4
        spi=0x200
        esp=3des-md5-96
        espenckey=0x00000000_00000000_00000000_00000000_00000000_00000001
        espauthkey=0x000000_00000000_00000000_00000001

STEP 5)
        I have tried to enable manual IPSEC.
[root@localhost gganga]# ipsec manual --up peer-to-peer
ipsec manual: fatal error in "peer-to-peer": no IPsec-enabled interfaces found
 
Please help me regarding this.
 
Thanks in Advance,
Gangadharan.
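The conn block in the post above carries fixed manual keys for esp=3des-md5-96. The script below is an added example, not Openswan code and not written by anyone in this thread: it reads such a conn section and checks the keying material the way a reviewer would before loading it, comparing key lengths against the named transforms, flagging keys whose bytes are clearly not random, detecting a 3DES key whose subkeys repeat (K1 = K2 makes encrypt-decrypt-encrypt collapse to single DES under K3), and rejecting SPIs in the IANA-reserved range below 0x100. The key-size tables, the function names and the embedded sample text are assumptions of this example; the sample reuses the values exactly as they appear in the post.

```python
import re

# Constructed sample: the "conn peer-to-peer" block from the post above,
# reproduced as test input (assumption: values exactly as posted).
SAMPLE_CONF = """\
conn peer-to-peer
        left=10.101.210.219
        right=10.101.210.16
        keyingtries=4
        spi=0x200
        esp=3des-md5-96
        espenckey=0x00000000_00000000_00000000_00000000_00000000_00000001
        espauthkey=0x000000_00000000_00000000_00000001
"""

# Key sizes in bytes for the ESP transforms this example understands
# (assumption: esp= is written as <enc>-<auth>, e.g. 3des-md5-96).
ENC_KEY_BYTES = {"3des": 24, "aes": 16, "aes128": 16, "aes256": 32}
AUTH_KEY_BYTES = {"md5": 16, "md5-96": 16, "sha1": 20, "sha1-96": 20}


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}} for each 'conn' section.
    Comments and the 'config setup' section are skipped; not a full ipsec.conf parser."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if line.startswith("config "):
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def hex_key_bytes(value):
    """Decode an Openswan-style hex key: optional 0x prefix, underscores allowed as separators."""
    digits = value.strip().lower().replace("_", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) % 2:
        raise ValueError("odd number of hex digits (%d) in %s" % (len(digits), value))
    return bytes.fromhex(digits)


def check_manual_conn(conn):
    """Return a list of findings for one manually keyed conn; an empty list means nothing was flagged."""
    findings = []
    spi = int(conn.get("spi", "0"), 0)
    if not 0x100 <= spi <= 0xFFFFFFFF:
        findings.append("spi %#x is outside the usable range 0x100-0xffffffff (1-255 are IANA-reserved)" % spi)
    enc, _, auth = conn.get("esp", "").partition("-")
    for field, algo, sizes in (("espenckey", enc, ENC_KEY_BYTES), ("espauthkey", auth, AUTH_KEY_BYTES)):
        if field not in conn:
            findings.append("%s is missing" % field)
            continue
        key = hex_key_bytes(conn[field])
        want = sizes.get(algo)
        if want is None:
            findings.append("%s: unknown algorithm '%s' in esp=%s" % (field, algo, conn.get("esp", "")))
        elif len(key) != want:
            findings.append("%s is %d bytes, %s needs %d" % (field, len(key), algo, want))
        # A real key is random; one or two distinct byte values means a placeholder, not a key.
        if len(set(key)) <= 2:
            findings.append("%s has only %d distinct byte values; not a random key" % (field, len(set(key))))
        # 3DES EDE with K1 == K2 (or K2 == K3) reduces to single DES under the remaining key.
        if field == "espenckey" and algo == "3des" and len(key) == 24:
            k1, k2, k3 = key[:8], key[8:16], key[16:]
            if k1 == k2 or k2 == k3:
                findings.append("espenckey: 3DES subkeys repeat, so EDE collapses to single DES")
    return findings


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print("conn", name)
        for finding in check_manual_conn(conn) or ["no findings"]:
            print("  -", finding)
```

Run against the posted block, the script reports four findings: both keys consist almost entirely of zero bytes, the 3DES key's first two subkeys are identical, and espauthkey decodes to 15 bytes where HMAC-MD5 expects 16. A conn whose keys come from a proper random source and match the transform sizes produces no findings.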
 

Enabling Manually keyed IPSEC
user name
2006-12-02 20:04:26
On Sat, 2 Dec 2006, Gangadharan G - TLS,Chennai wrote:

> I am a novice to IPSEC. Please help me by solving my query below.
>
> My requirement is to establish IPSEC between My Tool and the Target
> device.
> The keys that have to be used for encryption and authentication
> will be negotiated through an application protocol (SIP) before enabling IPSEC
> on those two machines,
> i.e., Manually Keyed IPSEC has to be established between the two machines on some
> particular port,
> and the two machines are located in the same network.

Sorry to say, but this looks like completely the wrong approach.

If your SIP were secure enough to transport manual keys, why bother
adding IPsec? You have a catch-22 here.

Apart from that, manual keying itself has risks, such as not having Perfect
Forward Secrecy (PFS).

The proper way is to use IKE to negotiate the IPsec tunnel, and afterwards
start SIP.

Paul
_______________________________________________
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155