Freeswan How To: Third Step


Author: Matthias Gorjup
Last Update: 6th Dec 2002

This How To provides information about establishing an IPsec connection with a preshared secret between two
subnets. An ESP tunnel is created between the gateways, each connected to the internet via ADSL (PPPoE).
 

1. Configuration


H1 === GW1 === ADSL modem ==== internet ==== ADSL modem === GW2 === H2

H1:
192.168.0.10

GW1:
eth0 10.0.0.1
eth1 192.168.0.1
193.77.245.159 is the IP address delivered to GW1 by the ISP.
Unless this address is static, you need to enter it into ipsec.secrets of GW1
and ipsec.conf of GW2 after starting the ADSL connection and before starting ipsec.

GW2:
eth0 10.0.0.140
eth1 172.16.0.1
213.225.60.162 is the IP address delivered to GW2 by the ISP.
Unless this address is static, you need to enter it into ipsec.secrets of GW2 and ipsec.conf of GW1
after starting the ADSL connection and before starting ipsec.

H2:
172.16.0.10

2. Configuring ADSL router


Use the rp-pppoe package from http://www.roaringpenguin.com/pppoe. Use ifconfig to set the IP addresses of the eth0
and eth1 interfaces. Check the configuration with the route and ping commands.

GW1)
# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up
# ifconfig eth1 192.168.0.1 netmask 255.255.255.0 up
# ifconfig
eth0    Link encap:Ethernet HWaddr 00:40:F4:65:14:DD
        inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:547 errors:0 dropped:0 overruns:0 frame:0
        TX packets:6225 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:46002 (44.9 Kb) TX bytes:391861 (382.6 Kb)
        Interrupt:11 Base address:0xc000

eth1    Link encap:Ethernet HWaddr 00:40:F4:60:EE:DB
        inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:419 errors:0 dropped:0 overruns:0 frame:0
        TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:34293 (33.4 Kb) TX bytes:14500 (14.1 Kb)
        Interrupt:10 Base address:0xe000

lo      Link encap:Local Loopback
        inet addr:127.0.0.1 Mask:255.0.0.0
        UP LOOPBACK RUNNING MTU:16436 Metric:1
        RX packets:133 errors:0 dropped:0 overruns:0 frame:0
        TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:0
        RX bytes:8696 (8.4 Kb) TX bytes:8696 (8.4 Kb)

# route -n
Kernel IP routing table
Destination     Gateway     Genmask         Flags Metric Ref  Use Iface
192.168.0.0     0.0.0.0     255.255.255.0     U     0     0     0 eth1
10.0.0.0        0.0.0.0     255.0.0.0         U     0     0     0 eth0
127.0.0.0       0.0.0.0     255.0.0.0         U     0     0     0 lo
 

- Make sure the route for eth1 is at the top of the routing table!
- You don't need to set any default route!

Enable packet forwarding:

a) Red Hat 6.x and 7.x
in the file /etc/sysconfig/network set net.ipv4.ip_forward=1

b) SuSE
use the command
echo "1" > /proc/sys/net/ipv4/ip_forward
 

Connect ADSL modem to eth0 and host H1 to eth1.

H1)
# ifconfig eth0 192.168.0.10 netmask 255.255.255.0
# route add default gw 192.168.0.1
# ifconfig
eth0    Link encap:Ethernet HWaddr 00:00:E2:90:D9:DE
        inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
        inet6 addr: fe80::200:e2ff:fe90:d9de/10 Scope:Link
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:1951 errors:0 dropped:0 overruns:0 frame:0
        TX packets:2107 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:1178917 (1.1 Mb) TX bytes:292528 (285.6 Kb)
        Interrupt:10 Base address:0xa000

lo      Link encap:Local Loopback
        inet addr:127.0.0.1 Mask:255.0.0.0
        inet6 addr: ::1/128 Scope:Host
        UP LOOPBACK RUNNING MTU:16436 Metric:1
        RX packets:4470 errors:0 dropped:0 overruns:0 frame:0
        TX packets:4470 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:0
        RX bytes:1349607 (1.2 Mb) TX bytes:1349607 (1.2 Mb)

# route -n
Kernel IP routing table
Destination     Gateway     Genmask         Flags Metric Ref  Use Iface
192.168.0.0     0.0.0.0     255.255.255.0   U     0      0     0 eth0
0.0.0.0         192.168.0.1 0.0.0.0         UG    0      0     0 eth0

Make sure you can ping both eth interfaces of GW1 from H1:

# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) from 192.168.0.10 : 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.230 ms

--- 192.168.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% loss, time 0ms
rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms

# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) from 192.168.0.10 : 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.238 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.182 ms

--- 10.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 999ms
rtt min/avg/max/mdev = 0.182/0.210/0.238/0.028 ms

Setup ADSL connection:

# adsl-setup

Start connection and check it:

# adsl-start
# ifconfig
eth0    Link encap:Ethernet HWaddr 00:40:F4:65:14:DD
        inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:787 errors:0 dropped:0 overruns:0 frame:0
        TX packets:6573 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:70064 (68.4 Kb) TX bytes:421386 (411.5 Kb)
        Interrupt:11 Base address:0xc000

eth1    Link encap:Ethernet HWaddr 00:40:F4:60:EE:DB
        inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:526 errors:0 dropped:0 overruns:0 frame:0
        TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:42763 (41.7 Kb) TX bytes:17398 (16.9 Kb)
        Interrupt:10 Base address:0xe000

lo      Link encap:Local Loopback
        inet addr:127.0.0.1 Mask:255.0.0.0
        UP LOOPBACK RUNNING MTU:16436 Metric:1
        RX packets:137 errors:0 dropped:0 overruns:0 frame:0
        TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:0
        RX bytes:9032 (8.8 Kb) TX bytes:9032 (8.8 Kb)

ppp0    Link encap:Point-to-Point Protocol
        inet addr:193.77.245.159 P-t-P:193.77.15.1 Mask:255.255.255.255
        UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
        RX packets:74 errors:0 dropped:0 overruns:0 frame:0
        TX packets:143 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:3
        RX bytes:12386 (12.0 Kb) TX bytes:13628 (13.3 Kb)

# route -n
Kernel IP routing table
Destination     Gateway     Genmask           Flags Metric Ref  Use Iface
193.77.15.1     0.0.0.0     255.255.255.255   UH      0     0    0   ppp0
192.168.0.0     0.0.0.0     255.255.255.0     U       0     0    0   eth1
10.0.0.0        0.0.0.0     255.0.0.0         U       0     0    0   eth0
127.0.0.0       0.0.0.0     255.0.0.0         U       0     0    0   lo
0.0.0.0         193.77.15.1 0.0.0.0           UG      0     0    0   ppp0
 
Repeat these steps for GW2.

Now check if you can ping the gateway GW2 from GW1:
# ping 213.225.60.162
PING 213.225.60.162 (213.225.60.162) from 193.77.245.159 : 56(84) bytes of data.
64 bytes from 213.225.60.162: icmp_seq=0 ttl=56 time=57.442 msec
64 bytes from 213.225.60.162: icmp_seq=1 ttl=56 time=49.957 msec
64 bytes from 213.225.60.162: icmp_seq=2 ttl=56 time=49.955 msec

--- 213.225.60.162 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/mdev = 49.955/52.451/57.442/3.533 ms
 

3. ipsec.conf


GW1)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        pluto=yes
        plutostart=vpn
        plutoload=vpn

conn vpn
        type=tunnel
        auto=start
        keyexchange=ike
        auth=esp
        keylife=2h
        keyingtries=0
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        right=213.225.60.162
        rightsubnet=172.16.0.0/24

GW2)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        pluto=yes
        plutostart=vpn
        plutoload=vpn

conn vpn
        type=tunnel
        auto=start
        keyexchange=ike
        auth=esp
        keylife=2h
        keyingtries=0
        left=193.77.245.159
        leftsubnet=192.168.0.0/24
        right=%defaultroute
        rightsubnet=172.16.0.0/24
 
 

4. ipsec.secrets


GW1)
193.77.245.159 213.225.60.162 : PSK "abcdefghijklmnoprs"

GW2)
213.225.60.162 193.77.245.159 : PSK "abcdefghijklmnoprs"
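Section 1 notes that with a dynamic ADSL address the gateway addresses in ipsec.conf and ipsec.secrets have to be re-entered after adsl-start and before ipsec starts. The helper below is an added example (not part of this How To or of FreeS/WAN) that does the rewrite in place; it assumes the file layouts shown in sections 3 and 4 and that the peer's new address is obtained out of band and passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. Rewrites a gateway address in
# ipsec.conf / ipsec.secrets after adsl-start, before "service ipsec start".
# Assumes one address per "left="/"right=" line and whitespace-separated
# indices before the ":" in ipsec.secrets, as in sections 3 and 4.

# ppp0_addr: print the address the ISP assigned to ppp0 on this gateway.
ppp0_addr() {
    ifconfig ppp0 | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# replace_addr OLD NEW FILE
# Replace OLD with NEW only where it is a whole token: the value of a
# left=/right= line, or a whitespace-delimited index in ipsec.secrets.
# Dots are escaped, so 10.0.0.1 never matches 10.0.0.10. The new file is
# written under a restrictive umask and forced to mode 0600 because
# ipsec.secrets holds the pre-shared key.
replace_addr() {
    old=$1; new=$2; file=$3
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    (umask 077 && sed \
        -e "s/^\([[:space:]]*[a-z]*=\)$old_re\$/\1$new/" \
        -e "s/^$old_re\([[:space:]]\)/$new\1/" \
        -e "s/\([[:space:]]\)$old_re\([[:space:]]\)/\1$new\2/g" \
        "$file" > "$file.tmp") \
    && mv "$file.tmp" "$file" && chmod 600 "$file"
}

# Typical use on GW1 after adsl-start (GW2's new address supplied by hand):
#   replace_addr 193.77.245.159 "$(ppp0_addr)" /etc/ipsec.secrets
#   replace_addr 213.225.60.162 NEW_GW2_ADDRESS /etc/ipsec.conf
#   replace_addr 213.225.60.162 NEW_GW2_ADDRESS /etc/ipsec.secrets
```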
 

5. Testing


# service ipsec start
(rcipsec start on SuSE distributions)

Check routing table:
# route -n
Kernel IP routing table
Destination     Gateway     Genmask         Flags Metric Ref     Use Iface
193.77.15.1     0.0.0.0     255.255.255.255 UH     0     0         0 ppp0
193.77.15.1     0.0.0.0     255.255.255.255 UH     0     0         0 ipsec0
172.16.0.0      193.77.15.1 255.255.255.0   UG     0     0         0 ipsec0
192.168.0.0     0.0.0.0     255.255.255.0   U      0     0         0 eth1
10.0.0.0        0.0.0.0     255.0.0.0       U      0     0         0 eth0
127.0.0.0       0.0.0.0     255.0.0.0       U      0     0         0 lo
0.0.0.0         193.77.15.1 0.0.0.0         UG     0     0         0 ppp0

Make sure the following entries have been added to /proc/net:
ipsec_eroute
ipsec_klipsdebug
ipsec_spi
ipsec_spigrp
ipsec_tncfg
ipsec_version

Check that IPsec interfaces are attached on top of the specified physical interfaces:

# cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1435) -> 1492
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0

Check if the tunnel has been established:

# ipsec look
montreal Fri Dec 6 13:31:45 CET 2002
192.168.0.0/24 -> 172.16.0.0/24 => tun0x1002@213.225.60.162 esp0x32c4b8c1@213.225.60.162 (0)
ipsec0->ppp0 mtu=16260(1492)->1492
esp0x32c4b8c1@213.225.60.162 ESP_3DES_HMAC_MD5: dir=out src=193.77.245.159 iv_bits=64bits iv=0x4e7fb962974582b1 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(2,0,0)
esp0xb9c1151e@193.77.245.159 ESP_3DES_HMAC_MD5: dir=in src=213.225.60.162 iv_bits=64bits iv=0x79a42cb980ad82be ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(2,0,0)
tun0x1001@193.77.245.159 IPIP: dir=in src=213.225.60.162 life(c,s,h)=addtime(2,0,0)
tun0x1002@213.225.60.162 IPIP: dir=out src=193.77.245.159 life(c,s,h)=addtime(2,0,0)
Destination     Gateway     Genmask         Flags MSS Window irtt Iface
0.0.0.0         193.77.15.1 0.0.0.0         UG     40 0         0 ppp0
172.16.0.0      193.77.15.1 255.255.255.0   UG     40 0         0 ipsec0
193.77.15.1     0.0.0.0 255.255.255.255     UH     40 0         0 ipsec0
193.77.15.1     0.0.0.0 255.255.255.255     UH     40 0         0 ppp0

And finally, try pinging H2 from H1 and vice versa:

# ping 172.16.0.10
PING 172.16.0.10 (172.16.0.10) from 192.168.0.10 : 56(84) bytes of data.
64 bytes from 172.16.0.3: icmp_seq=1 ttl=253 time=69.4 ms
64 bytes from 172.16.0.3: icmp_seq=2 ttl=253 time=69.5 ms
64 bytes from 172.16.0.3: icmp_seq=3 ttl=253 time=66.9 ms

--- 172.16.0.10 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2016ms
rtt min/avg/max/mdev = 66.979/68.657/69.569/1.188 ms

On GW1 you can check that the packets are really encrypted:

# tcpdump -i ppp0
tcpdump: listening on ppp0
13:34:02.634312 192.168.0.10.32795 > 193.189.160.11.domain: 47726+ A? pop.siol.net.local. (36) (DF)
13:34:04.064312 193.77.245.159 > 213.225.60.162: ESP(spi=0x32c4b8c1,seq=0x11)
13:34:04.134312 213.225.60.162 > 193.77.245.159: ESP(spi=0xb9c1151e,seq=0xa)
13:34:05.074312 193.77.245.159 > 213.225.60.162: ESP(spi=0x32c4b8c1,seq=0x12)
13:34:05.144312 213.225.60.162 > 193.77.245.159: ESP(spi=0xb9c1151e,seq=0xb)
13:34:06.084312 193.77.245.159 > 213.225.60.162: ESP(spi=0x32c4b8c1,seq=0x13)
13:34:06.154312 213.225.60.162 > 193.77.245.159: ESP(spi=0xb9c1151e,seq=0xc)
13:34:07.094312 193.77.245.159 > 213.225.60.162: ESP(spi=0x32c4b8c1,seq=0x14)
13:34:07.164312 213.225.60.162 > 193.77.245.159: ESP(spi=0xb9c1151e,seq=0xd)
13:34:07.644312 192.168.0.10.32796 > 193.189.160.12.domain: 47726+ A? pop.siol.net.local. (36) (DF)
13:34:08.104312 193.77.245.159 > 213.225.60.162: ESP(spi=0x32c4b8c1,seq=0x15)
13:34:08.174312 213.225.60.162 > 193.77.245.159: ESP(spi=0xb9c1151e,seq=0xe)
13:34:09.114312 193.77.245.159 > 213.225.60.162: ESP(spi=0x32c4b8c1,seq=0x16)
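The capture above shows the ESP packets between the gateways, but it also shows DNS queries from 192.168.0.10 leaving ppp0 in the clear. The function below is an added example (not part of this How To) that reads such tcpdump output and reports every packet that is not ESP or IKE (printed by tcpdump as "isakmp") between the two gateway addresses, flagging packets with an inside (RFC 1918) source or destination as leaks; it assumes tcpdump's classic "src > dst: proto" line layout with ports appended to addresses by a dot.

```shell
#!/bin/sh
# Added example, not from the original HOWTO.
# check_cleartext GW1 GW2 < capture.txt
# Prints each suspect line; returns 1 if any were found, 0 if the capture
# contains only ESP/IKE between GW1 and GW2.
check_cleartext() {
    awk -v gw1="$1" -v gw2="$2" '
    # host(a): strip a trailing ".port" or ".service" from an address
    function host(a,    p, n) {
        n = split(a, p, ".")
        return (n > 4) ? p[1] "." p[2] "." p[3] "." p[4] : a
    }
    # private(a): true for 10/8, 172.16/12 and 192.168/16 addresses
    function private(a) {
        return a ~ /^10\./ || a ~ /^192\.168\./ ||
               a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    NF >= 5 && $3 == ">" {
        src = host($2)
        dst = $4; sub(/:$/, "", dst); dst = host(dst)
        between = (src == gw1 && dst == gw2) || (src == gw2 && dst == gw1)
        # expected: ESP or IKE strictly between the two gateways
        if (between && ($5 ~ /^ESP\(/ || $5 == "isakmp:")) next
        if (private(src) || private(dst))
            print "LEAK (inside address in the clear): " $0
        else
            print "CLEARTEXT: " $0
        bad++
    }
    END { exit (bad > 0) }'
}
```

Run it against a capture taken on ppp0 while H1 talks to H2 (`tcpdump -i ppp0 -n > capture.txt`); any LEAK line means inside traffic is bypassing the tunnel.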