March 19, 2011, 9:41 p.m.
posted by whitehat
VPN Configuration Steps Using RSA Keys

One of the more secure ways of setting up a VPN tunnel is to encrypt the data using certificate-based (RSA) keys. There are other VPN parameters too, but Openswan is very forgiving when it establishes a tunnel. It automatically goes through all the various combinations of IKE and IPSec settings with the remote VPN box until it finds a match. You don't have to configure most of these settings explicitly, as you often have to do in the case of routers and firewall/VPN appliances.

The /etc/ipsec.conf File

Preparation work requires you to draw a basic network diagram such as Figure. The VPN box on the left is called the left-hand side and the one on the right is called the right-hand side. Left and right parameters must be configured in the /etc/ipsec.conf configuration file. Figure explains each parameter.

First you must gather all this information, then you have to enter it in the /etc/ipsec.conf configuration file.

Obtaining RSA Keys

To configure the /etc/ipsec.conf file, you need to get the left RSA public key for the left VPN device and the right key for the right VPN device. You need to generate these and insert them in the /etc/ipsec.conf file of the VPN peer device. The best approach is to generate files containing these keys and then use the vi editor's read command (r) to read them into your /etc/ipsec.conf file. Cutting and pasting screen output over an SSH session may insert carriage return and line feed characters at the end of each line where the text would normally wrap around on the screen. This can corrupt the keys.

Creating Your Own Keys

The Openswan installation automatically generates the keys. If you want to change them, you can issue the command:
[root@vpn2 tmp]# ipsec rsasigkey --verbose 2048 > keys.tmp
[root@vpn2 tmp]#
You can then edit the /etc/ipsec.secrets file and replace the contents between RSA: { and the final } with the contents of the keys.tmp file generated from the ipsec command above.

Get the Left Public Key

On the left VPN server, issue this command to export the left public key to a file named /tmp/left.pub:
[root@vpn1 tmp]# ipsec showhostkey --left > /tmp/left.pub
[root@vpn1 tmp]#
Get the Right Public Key

On the right VPN server, export the right public key to a file named /tmp/right.pub:
[root@vpn2 tmp]# ipsec showhostkey --right > /tmp/right.pub
[root@vpn2 tmp]#
Edit the /etc/ipsec.conf Configuration File

Each VPN in the /etc/ipsec.conf file has its own subsection. The example creates a subsection called net-to-net, which then receives all the needed parameters (each rsasigkey value is a single unbroken line in the file):
#
# File: /etc/ipsec.conf
#
conn net-to-net
    left=97.158.253.25
    leftsubnet=172.16.1.0/24
    leftid=@vpn1.my-site.com
    #
    leftrsasigkey=0sAQNrV9AYdaW94FXvIxu5p54+MRaW0wy0+HHQrdGofklZYQ4TCBlL+Ym00Ahfc8mqXlerZY12Os41G8SIV+zzIO04WZ4wmOvEr8DZaldTbfCuvUvMhrTtCpZdm53yF5rCaUbg+Vmx71fgyVmGu8/kuhzB7nWtOYqDFO8OHDGePOyOVPQi73KfRoDbdb3ND0EtfnRhRPblKJ239OlIq1
    #
    leftnexthop=%defaultroute
    right=6.25.232.1
    rightsubnet=10.0.0.0/24
    rightid=@vpn2.another-site.com
    #
    rightrsasigkey=0sAQNNdxFPWCga+E/AnDgIM+uIDq4UXcZzpomwMFUpyQ9+rhUHT9w8nr3rjUR/qTZOKR2Vqd4XoBd1HkPDBQ8oNjtA3Oz+UQOU3KTMHN5ydFwe6MpTJV/hL6LvhB0OXQad/NhjMIx8vOnhM8g8SPRnj7pL3abgu7Sg7eFREV1MJSVBhp0DJ0EbVMVV+Xvwlm9++9zbY3mlc+cSXMPAJZ
    #
    rightnexthop=97.158.253.25
    auto=start
Some Important Notes About the /etc/ipsec.conf File

Be sure to maintain the indentation before each parameter. The correct arrangement is:
conn net-to-net
    left=x.x.x.x
    leftsubnet=y.y.y.y/24
Do not use:
conn net-to-net
left=x.x.x.x
leftsubnet=y.y.y.y/24
The net-to-net subsections must be the same in the /etc/ipsec.conf file on both the left- and right-hand side VPN devices. You can configure VPNs to other remote destinations in this file as long as they don't share a subsection name with other VPNs. So in this example, there should be only one net-to-net subsection, which uniquely defines the VPN between our two sample sites. Also, make sure no blank lines separate the net-to-net section's parameters. Lines commented with a # character are acceptable. Restarting IPSec to reload the configuration file doesn't necessarily restart the tunnels. If you set the auto= parameter to add, the tunnel can only be started manually with the ipsec command. If the parameter is commented out, the tunnel will never start. A value of start causes the tunnel to start automatically.

Restart Openswan

On both VPN devices, you need to restart Openswan for the new /etc/ipsec.conf settings to take effect.
[root@vpn2 tmp]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.8-1.521...
[root@vpn2 tmp]#
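Before restarting, it is worth checking the conn section for the mistakes listed in the notes above (duplicate conn name, unindented parameters, blank lines, an RSA key wrapped onto a second line, stray carriage returns from a paste over SSH). The lint below is an added example, not part of the original post or of Openswan; the two sample configs it writes, including their 0s... key strings, are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Sanity-check one conn section of an Openswan ipsec.conf for the mistakes the
# notes above describe: the conn name defined more than once, parameters that
# are not indented, blank lines inside the section, an RSA key wrapped across
# lines, and stray carriage returns from a cut-and-paste over SSH.
# Usage: lint_conn FILE CONN_NAME   (exit 0 if clean, 1 if problems were printed)
lint_conn() {
    awk -v name="$2" -v cr="$(printf '\r')" '
        function bad(msg) { printf "line %d: %s\n", NR, msg; problems++ }
        BEGIN { hdr = "conn " name }
        index($0, cr)     { bad("carriage return character on line") }
        $0 == hdr         { seen++; inside = 1; next }
        /^(conn|config) / { inside = 0 }        # any other section ends ours
        !inside           { next }
        /^[ \t]*#/        { next }              # comment lines are fine
        /^[ \t]*$/        { bad("blank line inside " hdr); next }
        /^[^ \t]/         { bad("parameter not indented: " $0) }
        !/^[ \t]*[a-z]+=/ { bad("not a parameter=value line (wrapped key?): " $0); next }
        /rsasigkey=/ && !/rsasigkey=0s[A-Za-z0-9+\/=]+[ \t]*$/ {
            bad("rsasigkey is not a single 0s... base64 value") }
        END {
            if (seen != 1) { printf "%s defined %d times, expected 1\n", hdr, seen; problems++ }
            exit (problems > 0)
        }' "$1"
}

# Constructed sample configs (placeholder addresses and key strings, not real
# keys): one that follows the rules, one with the classic mistakes.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
conn net-to-net
    left=192.0.2.1
    leftsubnet=172.16.1.0/24
    # comment lines are allowed inside a section
    leftrsasigkey=0sAQNexampleKeyMaterialOnOneLine
    right=198.51.100.1
    rightrsasigkey=0sAQNotherExampleKeyMaterial
    auto=start
EOF
cat > "$bad" <<'EOF'
conn net-to-net
    left=192.0.2.1
    leftrsasigkey=0sAQNexampleKeyMaterialThatGot
WrappedOntoASecondLine

right=198.51.100.1
EOF
lint_conn "$good" net-to-net && echo "good sample: clean"
lint_conn "$bad" net-to-net || echo "bad sample: problems found (see above)"
```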
Initialize the New Tunnel

To initialize the new tunnel, you can use the ipsec command to start the tunnel net-to-net. Be sure to issue the command simultaneously on the VPN boxes at both ends of the tunnel:
[root@vpn2 tmp]# ipsec auto --up net-to-net
104 "net-to-net" #1: STATE_MAIN_I1: initiate
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
112 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xe0bdd0e9 <0x13ac7645}
[root@vpn2 tmp]#
The "IPsec SA established" message signifies success.

Testing the New Tunnel

The troubleshooting section at the end of the chapter shows you how to test that everything is working correctly.