Host to host VPN with PSK: Difference between revisions

From Libreswan
(Created page with "This example sets up an IPsec connection between two hosts called "east" and "west". (these names are also used for our daily tests, and you can find lots of configuration exa...")
 
No edit summary
Revision as of 11:20, 4 September 2014

This example sets up an IPsec connection between two hosts called "east" and "west". (These names are also used in our daily tests, and you can find lots of configuration examples in our test suite.)

192.0.2.254/24 eth0 WEST eth1 192.1.2.23 --[internet]-- 192.1.2.45 eth1 EAST eth0 192.0.1.254/24

Libreswan uses the terms "left" and "right" to describe endpoints. We will use left for west and right for east. We will be using PSK in this example.

Generate a pre-shared key (PSK) for use in this VPN. A PSK is really not a password, it is a key, and you must make absolutely sure it is transferred to the remote end in a secure way, using PGP/GPG or ssh. A secure PSK should be at least 32 characters long, but 64 characters is better. Libreswan can actually cope with even longer PSKs, but not all implementations can. You can generate a PSK with openssl, pwgen or some other tool that really generates a random string.

OpenSSL command to create a PSK which is 64 characters long:

[root@west ~]# openssl rand -base64 48

pwgen can also be used to generate a PSK:

[root@west ~]# pwgen -s 64 1
a64-charslongrandomstringgeneratedwithpwgenoropensslorothertool

Edit /etc/ipsec.secrets with your favourite editor and add the PSK entry:

192.1.2.23 192.1.2.45 PSK : "a64-charslongrandomstringgeneratedwithpwgenoropensslorothertool"

Exactly the same /etc/ipsec.secrets entry is needed on east. Remember to use ssh or another secure method to move the data.

Now we are ready to make a simple /etc/ipsec.conf file for our host-to-host tunnel. The PSK lives only in /etc/ipsec.secrets; there is no trace of it in /etc/ipsec.conf.

# /etc/ipsec.conf

config setup
    protostack=netkey

conn mytunnel
    left=192.1.2.23
    right=192.1.2.45
    authby=secret
    # use auto=start when done testing the tunnel
    auto=add

In this simple case you can use the identical configuration file on both east and west. They will auto-detect if they are "left" or "right".
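The PSK generation, the /etc/ipsec.secrets entry and the ipsec.conf above, checked end to end in an added shell example that is not from the Libreswan wiki: it generates the key as the page does, writes the secrets line with root-only permissions, and verifies that the key meets the 32-character minimum and does not appear in ipsec.conf. It does not run ipsec; the file paths default to a scratch directory (an assumption, override SECRETS and CONF for the real files), and the addresses are the page's.

```shell
#!/bin/sh
# Added example, not from the Libreswan wiki. Generates a 64-char PSK as the
# page does, writes the ipsec.secrets entry root-only, and checks that the
# key is long enough and does not appear in ipsec.conf. Never runs ipsec.
set -u
WEST=192.1.2.23; EAST=192.1.2.45   # "left" and "right" in the page's diagram

# 48 random bytes, base64-encoded, give the 64-character PSK the page uses.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48
    else
        head -c 48 /dev/urandom | base64 | tr -d '\n'   # same length, no openssl
    fi
}

# Enforce the page's minimum of 32 characters (64 preferred).
check_psk_len() { [ "${#1}" -ge 32 ]; }

# One secrets line in the page's format:  left right PSK : "key"
secrets_entry() { printf '%s %s PSK : "%s"\n' "$1" "$2" "$3"; }

# write_secrets FILE LEFT RIGHT PSK: the identical line goes on both hosts
# (copy it over ssh, as the page says) and must be readable by root only.
write_secrets() {
    ( umask 077; secrets_entry "$2" "$3" "$4" > "$1" ) && chmod 600 "$1"
}

# psk_absent_from_conf CONF PSK: succeeds only if the key is not in the config;
# the page's ipsec.conf carries just authby=secret, never the key itself.
psk_absent_from_conf() { ! grep -qF -- "$2" "$1"; }

# Whole procedure; returns 0 if every check passes. Files default to a scratch
# directory (an assumption): set SECRETS/CONF to the real /etc paths to use it.
demo() {
    dir=$(mktemp -d)
    secrets=${SECRETS:-$dir/ipsec.secrets}
    conf=${CONF:-$dir/ipsec.conf}
    # Constructed copy of the page's ipsec.conf, with the PSK kept out of it.
    printf 'config setup\n    protostack=netkey\n\nconn mytunnel\n' > "$conf"
    printf '    left=%s\n    right=%s\n    authby=secret\n    auto=add\n' \
        "$WEST" "$EAST" >> "$conf"
    psk=$(gen_psk)
    check_psk_len "$psk" || { echo "PSK too short" >&2; return 1; }
    write_secrets "$secrets" "$WEST" "$EAST" "$psk" || return 1
    psk_absent_from_conf "$conf" "$psk" || { echo "PSK leaked into $conf" >&2; return 1; }
    echo "wrote $secrets (mode 600); now run: ipsec auto --rereadsecrets"
}
case "${1:-}" in run) demo ;; esac
```

Invoke it as `sh psk-setup.sh run`; after copying the resulting secrets line to the other host, the page's `ipsec auto --rereadsecrets` step still applies if the service is already running.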

First, ensure ipsec is started:

ipsec setup start

Then ensure the secret is loaded. This is only required if the ipsec service was already running:

ipsec auto --rereadsecrets

Then ensure the connection is loaded:

ipsec auto --add mytunnel

And then try and bring up the tunnel:

ipsec auto --up mytunnel

If all went well, you should see something like:

# ipsec auto --up  mytunnel
104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP2048}
117 "mytunnel" #2: STATE_QUICK_I1: initiate
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

If you want the tunnel to start when the machine starts, change "auto=add" to "auto=start". Also ensure that your system starts the ipsec service on boot. This can be done using the "service" or "systemctl" command, depending on the init system used for the server.