IPSec Host to Host Connectivity on RedHat Linux using Racoon

Reference Material

[https://access.redhat.com/kb/docs/DOC-9048](https://access.redhat.com/kb/docs/DOC-9048)
[https://access.redhat.com/kb/docs/DOC-8588](https://access.redhat.com/kb/docs/DOC-8588)
System Pre-Requisites
**RHEL or CentOS** Version 3, 4 or 5.

RHEL 6 currently has no ipsec-tools package; it was deprecated in favour of Openswan. However, a number of users have requested that it be added back and continue to be supported.

**Packages**
  – ipsec-tools
**Firewall Rules**
  – Must permit UDP port 500 (IKE) and the ESP (IP protocol 50) and AH (IP protocol 51) protocols between the hosts, with nothing in the path filtering or rewriting them.
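As an added example that is not part of the original post, the shell functions below emit the iptables rules these pre-requisites call for and check an `iptables-save` listing for them. They assume the rules belong in the INPUT chain of the filter table and that the OUTPUT chain already permits the replies; 192.0.2.10 (local) and 192.0.2.20 (remote) are placeholder addresses, and the sample listing is constructed for the example.

```shell
#!/bin/bash
# Added example, not part of the original post: the iptables rules the
# pre-requisites call for, and a check of an existing ruleset for them.
# Assumes the rules belong in the INPUT chain of the filter table and that
# OUTPUT already permits the replies; 192.0.2.10 (local) and 192.0.2.20
# (remote) are placeholder addresses.

# ipsec_fw_rules LOCAL REMOTE: print the rules that accept IKE (UDP/500),
# ESP (IP protocol 50) and AH (IP protocol 51) from REMOTE to LOCAL.
ipsec_fw_rules() {
  local_ip="$1"; remote_ip="$2"
  printf 'iptables -A INPUT -s %s -d %s -p udp --dport 500 -j ACCEPT\n' "$remote_ip" "$local_ip"
  printf 'iptables -A INPUT -s %s -d %s -p esp -j ACCEPT\n' "$remote_ip" "$local_ip"
  printf 'iptables -A INPUT -s %s -d %s -p ah -j ACCEPT\n' "$remote_ip" "$local_ip"
}

# ipsec_fw_check REMOTE: read `iptables-save` output (or the rules above) on
# stdin and print the protocols that have no ACCEPT rule from REMOTE.
# Exit status 0 when nothing is missing, 1 otherwise.
ipsec_fw_check() {
  remote_ip="$1"
  rules=$(cat)
  missing=""
  for proto in udp esp ah; do
    case "$proto" in
      udp) pat="-s ${remote_ip}(/32)? .*-p udp .*--dport 500 .*-j ACCEPT" ;;
      *)   pat="-s ${remote_ip}(/32)? .*-p ${proto} .*-j ACCEPT" ;;
    esac
    # "--" keeps grep from reading the leading "-s" of the pattern as an option.
    printf '%s\n' "$rules" | grep -Eq -- "$pat" || missing="${missing}${proto} "
  done
  printf '%s\n' "${missing% }"
  [ -z "$missing" ]
}

# Constructed iptables-save excerpt for the example: IKE and ESP are allowed
# but the AH rule was forgotten, which the check reports as "ah".
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.20/32 -d 192.0.2.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 192.0.2.20/32 -d 192.0.2.10/32 -p esp -j ACCEPT
COMMIT'

# Demonstration; on a live host: iptables-save | ipsec_fw_check <%REMOTE HOST%>
missing_protos=$(printf '%s\n' "$SAMPLE_RULES" | ipsec_fw_check 192.0.2.20) || true
echo "missing: ${missing_protos:-none}"   # prints "missing: ah"
```

The check only looks at the source address and protocol of each ACCEPT rule, which is enough to catch the usual omission (one of the three protocols forgotten) without trying to model the whole chain.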
Common IKE Configuration
Racoon negotiates IKE Phase 1 (the ISAKMP SA) and Phase 2 (the IPsec SAs) and installs the resulting SAs in the Linux kernel. The following racoon.conf is the organisation-wide base configuration; the per-interface include files generated by the init scripts are appended after it:
```
# /etc/racoon/racoon.conf
# Organisation specific config file, forces use of AES/SHA1.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm aes ;
        authentication_algorithm hmac_sha1 ;
        # (directive truncated in the original; deflate is the only
        # compression algorithm racoon accepts)
        compression_algorithm deflate ;
}

# Generated include files go after this section,
# they're automatically added by interface init scripts:
```
Configurations
The simplest view of host-to-host connectivity is from host A's egress NIC IP to host B's ingress NIC IP. However, in many common network setups today clustering and virtual hosting are used, where additional IPs (a cluster or virtual address) are configured on host B.
Traffic to these additional addresses on host B cannot be protected with simple transport mode IPSec and must be tunneled.
**Example 01: Transport mode pure host to host connectivity.**

Content of: **/etc/sysconfig/network-scripts/ifcfg-ipsec<% NID %>**

```
DST=<%REMOTE HOST%>
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
```

Content of: **/etc/sysconfig/network-scripts/keys-ipsec<% NID %>**

```
IKE_PSK=<%PSK%>
```

Execute: **chmod 0600 /etc/sysconfig/network-scripts/keys-ipsec<% NID %>**

**Example 02: Tunneled host to cluster address connectivity.**

Content of: **/etc/sysconfig/network-scripts/ifcfg-ipsec<% NID %>**

```
DST=<%REMOTE HOST%>
SRCNET=<%LOCAL HOST%>/32
DSTNET=<%CLUSTER IP ADDRESS%>/32
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
```

Content of: **/etc/sysconfig/network-scripts/keys-ipsec<% NID %>**

```
IKE_PSK=<%PSK%>
```

Execute: **chmod 0600 /etc/sysconfig/network-scripts/keys-ipsec<% NID %>**

In both cases the remote host needs the mirrored configuration: its DST pointing back at this host, the same PSK, and for the tunnel case SRCNET/DSTNET swapped.
Enabling IPSec Interfaces
Simply use the standard ifup tool as the root user, or via sudo as an unprivileged user.
**# /sbin/ifup ipsec0**
Test Connectivity
You can now use the ping utility to test connectivity to the remote host IPs. A reply alone does not prove the traffic is protected; confirm with tcpdump on either host that what crosses the wire is ESP (and AH) rather than plaintext ICMP.
**# ping <%REMOTE HOST%>**
**Troubleshooting**
- Ensure local iptables permits UDP/500, ESP and AH.
- Use tcpdump to verify UDP/500, ESP and AH are being sent and received by both servers.
- Use setkey as below to dump the active ESP and AH security associations. The dump includes the live session keys (the E: and A: lines), so treat the output as sensitive.
[root@server ~]# echo "dump ah ; " | setkey -c
172.17.77.12 172.17.77.11
        ah mode=transport spi=250800077(0x0ef2e7cd) reqid=0(0x00000000)
        A: hmac-sha1  28abb3ad 26c3f26e 9b03efef 230e9504 248be4e4
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 17 12:51:48 2010   current: Nov 17 13:10:29 2010
        diff: 1121(s)   hard: 3600(s)   soft: 2880(s)
        last: Nov 17 13:04:38 2010      hard: 0(s)      soft: 0(s)
        current: 17220(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 81   hard: 0 soft: 0
        sadb_seq=5 pid=18386 refcnt=0
172.17.77.12 172.17.77.11
        ah mode=tunnel spi=151863655(0x090d4167) reqid=0(0x00000000)
        A: hmac-sha1  9065e162 0da105f2 288157b4 5e44ca3f 8c606e7d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 17 12:41:42 2010   current: Nov 17 13:10:29 2010
        diff: 1727(s)   hard: 3600(s)   soft: 2880(s)
        last: Nov 17 12:41:43 2010      hard: 0(s)      soft: 0(s)
        current: 3240(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 25   hard: 0 soft: 0
        sadb_seq=4 pid=18386 refcnt=0
…..<%REMOVED%>….
[root@server ~]#
[root@server ~]# echo "dump esp ; " | setkey -c
172.17.77.12 172.17.77.11
        esp mode=transport spi=46910599(0x02cbcc87) reqid=0(0x00000000)
        E: aes-cbc  3a1cc26b 2c77d7ba 75c22b24 3f9aaeb8
        A: hmac-sha1  3ce49f6a 81e35c79 ab828cf1 f60c92bb ca01fedd
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 17 12:51:48 2010   current: Nov 17 13:08:25 2010
        diff: 997(s)    hard: 3600(s)   soft: 2880(s)
        last: Nov 17 13:04:38 2010      hard: 0(s)      soft: 0(s)
        current: 13416(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 81   hard: 0 soft: 0
        sadb_seq=5 pid=18326 refcnt=0
172.17.77.12 172.17.77.11
        esp mode=tunnel spi=149425545(0x08e80d89) reqid=0(0x00000000)
        E: aes-cbc  452c0aeb 499744cf eca2e6a9 c1afe94f
        A: hmac-sha1  4983a25f 291ade56 77f55e18 3e4106bd f8ceb607
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 17 12:41:42 2010   current: Nov 17 13:08:25 2010
        diff: 1603(s)   hard: 3600(s)   soft: 2880(s)
        last: Nov 17 12:41:43 2010      hard: 0(s)      soft: 0(s)
        current: 1604(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 25   hard: 0 soft: 0
        sadb_seq=4 pid=18326 refcnt=0
…..<%REMOVED%>….
[root@server ~]#
- Use setkey with the flush command to remove all IPSec state.
NOTE: `flush` clears the negotiated security associations (the SAD) and `spdflush` clears the policies installed by ifup-ipsec (the SPD); together they remove all enabled IPSec configuration, and you will need to re-enable it with the ifup commands.
**echo "flush ; spdflush ;" | setkey -c**
**for i in /etc/sysconfig/network-scripts/ifcfg-ipsec* ; do grep -q ONBOOT=yes "${i}" && ifup "$(basename "${i}" | sed 's/^ifcfg-//')" ; done**
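The setkey dump above is what an operator reads by eye. As an added example that is not part of the original post, the shell function below runs the same dump format through awk and flags any SA whose algorithms differ from what the racoon.conf above forces (aes-cbc encryption for ESP, hmac-sha1 authentication for ESP and AH). The sample dump is constructed from the format shown above with the key material replaced by zeros and a deliberately weak des-cbc/hmac-md5 SA added; on a live host pipe `setkey -D` into it.

```shell
#!/bin/bash
# Added example, not part of the original post: summarise a setkey SAD dump
# (the output of `echo "dump esp ;" | setkey -c`, `echo "dump ah ;" | setkey -c`
# or `setkey -D`) and flag SAs whose algorithms do not match the racoon.conf
# policy above: aes-cbc encryption for ESP, hmac-sha1 authentication for both.

# sa_summary: read a dump on stdin, print one line per SA:
#   <src> <dst> <proto> <mode> <spi> <state> <enc> <auth> OK|POLICY-VIOLATION
sa_summary() {
  awk '
    function emit() {
      if (src == "") return
      verdict = "OK"
      if (proto == "esp" && enc != "aes-cbc") verdict = "POLICY-VIOLATION"
      if (auth != "hmac-sha1") verdict = "POLICY-VIOLATION"
      print src, dst, proto, mode, spi, state, enc, auth, verdict
      src = ""
    }
    # An unindented "src dst" address pair opens a new SA entry.
    /^[0-9a-fA-F.:]+ [0-9a-fA-F.:]+$/ {
      emit(); src = $1; dst = $2
      proto = "-"; mode = "-"; spi = "-"; state = "-"; enc = "-"; auth = "-"
      next
    }
    # "esp mode=transport spi=NNN(0x...) reqid=..." gives protocol, mode, SPI.
    /^[ \t]+(esp|ah) mode=/ {
      proto = $1
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^mode=/) mode = substr($i, 6)
        if ($i ~ /^spi=/)  { spi = substr($i, 5); sub(/\(.*$/, "", spi) }
      }
      next
    }
    # E: and A: carry the algorithm name followed by the live key (not printed).
    /^[ \t]+E: / { enc = $2; next }
    /^[ \t]+A: / { auth = $2; next }
    /state=/ { for (i = 1; i <= NF; i++) if ($i ~ /^state=/) state = substr($i, 7); next }
    END { emit() }
  '
}

# sa_violations: number of SAs in the dump on stdin that violate the policy.
sa_violations() {
  sa_summary | awk '$NF == "POLICY-VIOLATION" { n++ } END { print n + 0 }'
}

# Constructed sample in the format shown above: key bytes zeroed, and a
# des-cbc/hmac-md5 tunnel SA added that the organisation policy forbids.
SAMPLE_DUMP='172.17.77.12 172.17.77.11
        esp mode=transport spi=46910599(0x02cbcc87) reqid=0(0x00000000)
        E: aes-cbc  00000000 00000000 00000000 00000000
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 17 12:51:48 2010   current: Nov 17 13:08:25 2010
        diff: 997(s)    hard: 3600(s)   soft: 2880(s)
        sadb_seq=5 pid=18326 refcnt=0
172.17.77.11 172.17.77.12
        esp mode=tunnel spi=149425545(0x08e80d89) reqid=0(0x00000000)
        E: des-cbc  00000000 00000000
        A: hmac-md5  00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        sadb_seq=4 pid=18326 refcnt=0
172.17.77.12 172.17.77.11
        ah mode=transport spi=250800077(0x0ef2e7cd) reqid=0(0x00000000)
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        sadb_seq=5 pid=18386 refcnt=0'

# Demonstration on the sample; on a live host use: setkey -D | sa_summary
printf '%s\n' "$SAMPLE_DUMP" | sa_summary
```

The summary deliberately drops the key bytes from the E: and A: lines, so its output can be pasted into a ticket or a monitoring check without leaking session keys the way the raw dump does.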
**Automation**
Create RPM package(s) which include your default racoon.conf and default PSK, and a script to assist in automatic configuration and removal of IPSec interfaces.
Benefits:
- Automates rollout of the organisation specific racoon.conf
- Pre-populates a default PSK for all connectivity
- Enables mass modification/change of PSKs (provided adequate pre-planning of the change has been done to avoid outages)
- Simple shell script for configuration based on the default PSK
- Does not preclude use of unique per-connection PSKs
Bear in mind that a single default PSK shared by every host means the compromise of any one of them exposes the key protecting all of the others, so use per-connection PSKs where you can.
Other methods for authentication/encryption that should be considered if you have the capability:
- X.509 certificates combined with DNSSEC distribution
File: **0600 /etc/sysconfig/network-scripts/keys-ipsec-default**
**IKE_PSK=<%PSK%>**
File: **0600 /etc/racoon/racoon.conf.organisation**
Content as above. The post-install script should `cp -f /etc/racoon/racoon.conf.organisation /etc/racoon/racoon.conf`.
File: **0700 /usr/sbin/ipsec-if-config**

```bash
#!/bin/bash
# ipsec-if-config add|delete <%REMOTE HOST%> [<%SRCNET%> <%DSTNET%>]
# Creates (or removes) the ifcfg-ipsec*/keys-ipsec* pair for one connection,
# using the organisation default PSK. The interface id (NID) is derived from
# the connection parameters, so "delete" must be given the same arguments
# as "add".

DST="${2}"
SRCNET="${3}"
DSTNET="${4}"
NID="`echo ${DST}${SRCNET}${DSTNET} | md5sum - | cut -f1 -d' ' -`"

SCRIPTS=/etc/sysconfig/network-scripts

if [ "${1}" == "add" ] ; then

  # The default key file is 0600; set the mode explicitly anyway so a
  # permissive umask can never leave a copy of the PSK world-readable.
  cp "${SCRIPTS}/keys-ipsec-default" "${SCRIPTS}/keys-ipsec${NID}"
  chmod 0600 "${SCRIPTS}/keys-ipsec${NID}"

  echo "DST=${DST}
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK" > "${SCRIPTS}/ifcfg-ipsec${NID}"

  # Tunnel mode (Example 02) when source and destination networks are given.
  if [ "${SRCNET}x" != "x" ] ; then
    echo "SRCNET=${SRCNET}
DSTNET=${DSTNET}" >> "${SCRIPTS}/ifcfg-ipsec${NID}"
  fi

  echo "Successfully configured ipsec${NID}, you can now run ifup ipsec${NID}"

elif [ "${1}" == "delete" ] ; then

  ifdown ipsec${NID}
  rm -f "${SCRIPTS}/keys-ipsec${NID}"
  rm -f "${SCRIPTS}/ifcfg-ipsec${NID}"

else

  echo "Usage: ${0} <add|delete> <%REMOTE HOST%> [<%SRCNET%> <%DSTNET%>]"
  exit 1

fi

# EOF
```

File: **0700 /usr/sbin/ipsec-psk-roll**

```bash
#!/bin/bash
# ipsec-psk-roll <%OLD PSK%> <%NEW PSK%>
# Replaces OLD PSK with NEW PSK in every keys-ipsec* file that currently
# uses it. Both PSKs are passed on the command line, so they are visible in
# `ps` and the shell history while it runs, and the .bak copies keep the
# old PSK on disk until you remove them.

OLD_PSK="${1}"
NEW_PSK="${2}"

if [ "${OLD_PSK}x" == "x" ] || [ "${NEW_PSK}x" == "x" ] ; then
  echo "Usage: ${0} <%OLD PSK%> <%NEW PSK%>"
  exit 1
fi

for i in /etc/sysconfig/network-scripts/keys-ipsec* ; do
  case "${i}" in *.bak) continue ;; esac
  # Key files use IKE_PSK=, not PSK=: match the whole line as a fixed string.
  if grep -q -x -F "IKE_PSK=${OLD_PSK}" "${i}" ; then
    echo "Updating ${i}"
    cp -f "${i}" "${i}.bak"
    # ':' is the sed delimiter, so a PSK containing ':' or sed metacharacters
    # needs escaping first; hex PSKs avoid the problem.
    sed -i "s:${OLD_PSK}:${NEW_PSK}:" "${i}"
  fi
done

# EOF
```
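The ipsec-psk-roll script above takes both PSKs as command-line arguments, and the keys-ipsec-default file holds the secret every connection starts with. As an added example, not part of the original post, the functions below generate a 256-bit hex PSK from /dev/urandom and write a keys-ipsec file with the required 0600 mode atomically, so neither a permissive umask nor a half-written file ever exposes the key. A hex PSK also contains no characters that would upset the `sed s:old:new:` substitution in ipsec-psk-roll. Paths are whatever you pass in; nothing here is the original script's code.

```shell
#!/bin/bash
# Added example, not part of the original post: generate a strong PSK and
# write a keys-ipsec file with the 0600 mode the post requires, without the
# secret passing through a command line or a world-readable temporary file.

# gen_psk: 32 bytes from the kernel CSPRNG as 64 lowercase hex characters.
# Hex contains no characters that the "s:old:new:" sed in ipsec-psk-roll
# would misinterpret.
gen_psk() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_keyfile PATH PSK: write "IKE_PSK=<psk>" to PATH atomically. The file
# is created 0600 from the start (umask 077 + mktemp) and only renamed into
# place once complete, so there is never a readable half-written copy.
write_keyfile() {
  path="$1"; psk="$2"
  dir=$(dirname "$path")
  tmp=$(umask 077 && mktemp "$dir/.keys-ipsec.XXXXXX") || return 1
  printf 'IKE_PSK=%s\n' "$psk" > "$tmp"
  chmod 0600 "$tmp"
  mv -f "$tmp" "$path"
}

# keyfile_mode PATH: permission string as ls prints it, e.g. "-rw-------".
keyfile_mode() { ls -l "$1" | cut -c1-10; }

# psk_of PATH: read the PSK back out of a keys-ipsec file.
psk_of() { sed -n 's/^IKE_PSK=//p' "$1"; }

# Usage on a host (run as root):
#   write_keyfile /etc/sysconfig/network-scripts/keys-ipsec-default "$(gen_psk)"
```

Because the PSK is generated inside a command substitution and handed to a shell function, it never appears as an argument of an external process, which is the exposure the roll script's command-line interface has.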
About colin-stubbs