
Slackware 13.1 - IPSec

Public domain


Installation

# Build ipsec-tools 0.8.0 from source on Slackware 13.1 and install it as an
# encap package.  This is an interactive transcript, not a script: the lines
# between "su - install" and "logout" run in the build user's own shell.
cd /usr/src
# NOTE(review): plain FTP gives neither transport integrity nor any
# authentication of the archive.  Before unpacking, verify it against the
# checksum or signature published by the project (not reproduced on this page;
# obtain it from upstream).
wget -c "ftp://ftp.heanet.ie/mirrors/sourceforge/i/ip/ipsec-tools/ipsec-tools/0.8.0/ipsec-tools-0.8.0.tar.bz2"
# Configure and compile as a dedicated build user rather than in the root shell.
su - install
cd /usr/src
tar xf ipsec-tools-0.8.0.tar.bz2
cd ipsec-tools-0.8.0
# --enable-hybrid: hybrid (Xauth) authentication; --enable-frag: IKE fragmentation;
# --enable-dpd: dead peer detection; --enable-natt: NAT traversal (UDP encapsulation).
./configure                            \
    --prefix=/usr                      \
    --enable-hybrid                    \
    --enable-frag                      \
    --enable-dpd                       \
    --enable-natt=yes                  \
    --with-kernel-headers=/usr/include \
    --enable-security-context=no

# Slackware 13.1 patch: append -fno-strict-aliasing to every CFLAGS line of the
# racoon Makefile (presumably works around an aliasing-related build problem
# with this release's compiler).
sed -i -e '/^CFLAGS/s,$, -fno-strict-aliasing,' src/racoon/Makefile

# Stage the install under the encap tree instead of writing into /usr directly.
make && make install DESTDIR=/usr/local/encap/ipsec-tools-0.8.0
# Return to the original shell; the remaining steps write to the system tree.
logout
cd /usr/local/encap/
# Brace expansion: move usr/share/man/ up to usr/ (Slackware keeps man pages in /usr/man).
mv ipsec-tools-0.8.0/usr{/share/man/,}
chown -R root:root ipsec-tools-0.8.0/
# epkg links the staged package into the system tree.
epkg  ipsec-tools-0.8.0

Commands

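# Create the directory and the (initially empty) manual-keying policy file.
# The file will hold raw SA keys, so it must never be world-readable.
mkdir -p -- /etc/ipsec
# Create the file with a restrictive mode from the start: a plain `touch` would
# create it under the default umask (typically 0644) and leave it readable until
# the chmod below runs.  The umask change is confined to the subshell.
( umask 077 && touch -- /etc/ipsec/setkey.conf )
# Tighten an already-existing file as well (umask only affects newly created files).
chmod 600 /etc/ipsec/setkey.conf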

83.170.43.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f
# Manual-keying policy for host 83.170.43.20 <-> 213.191.25.20: static AH and
# ESP SAs in both directions, plus policies that require both on all traffic
# between the two addresses.  The peer loads the same "add" lines (same SPIs
# and keys) so both kernels hold matching SAs.

# Flush the SAD and SPD so entries from a previous load do not linger
flush;
spdflush;

# AH: Authentication Header (integrity only)
# keys created using: echo 0x$(dd if=/dev/random count=16 bs=1 | xxd -ps)
# NOTE(review): the key values below are published with this page — treat them
# as compromised and generate fresh ones per link.  hmac-md5 is a legacy
# algorithm; setkey also accepts hmac-sha256 (256-bit key) where both ends support it.
# Format: add <src> <dst> ah <spi> -A <algo> <key>;  the SPIs must match the peer's file.
add 213.191.25.20 83.170.43.20 ah 0x200 -A hmac-md5 0x3c64015e1f7a7bd3dd0068e53778a314;
add 83.170.43.20 213.191.25.20 ah 0x300 -A hmac-md5 0x7db9dd867764c60c5240afbc7f172639;

# ESP: Encapsulating Security Payload (confidentiality)
# keys created using:  echo 0x$(dd if=/dev/random count=24 bs=1 | xxd -ps)
# 3des-cbc (192-bit key) is likewise legacy; aes-cbc is the modern option.
# Nothing here rekeys these SAs: rotating keys means editing this file on both
# hosts and reloading it (the IKE section below negotiates keys instead).
add 213.191.25.20 83.170.43.20 esp 0x201 -E 3des-cbc 0x2797e628f67ca5f5d0637ce6705529a778b59f1277132b12;
add 83.170.43.20 213.191.25.20 esp 0x301 -E 3des-cbc 0x7365e5a5bfb5c1d5d4a4509b9596a160ed66ec22b4b0dffd; 

# Outbound policy: local_ip remote_ip -P out — all protocols ("any") must be
# protected by ESP and AH in transport mode; "require" means matching traffic
# is never passed in the clear.
spdadd 83.170.43.20 213.191.25.20 any -P out  ipsec esp/transport//require ah/transport//require;
# Inbound policy: remote_ip local_ip -P in — unprotected packets from the peer are dropped.
spdadd 213.191.25.20 83.170.43.20 any -P in   ipsec esp/transport//require ah/transport//require;

213.191.25.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f
# Manual-keying policy for host 213.191.25.20 <-> 83.170.43.20: the mirror of
# the peer's file.  The "add" lines (SPIs and keys) are identical on both hosts;
# only the direction of the two policies is swapped.

# Flush the SAD and SPD so entries from a previous load do not linger
flush;
spdflush;

# AH: Authentication Header (integrity only)
# keys created using: echo 0x$(dd if=/dev/random count=16 bs=1 | xxd -ps)
# NOTE(review): the key values below are published with this page — treat them
# as compromised and generate fresh ones per link.  hmac-md5 is a legacy
# algorithm; setkey also accepts hmac-sha256 where both ends support it.
add 213.191.25.20 83.170.43.20 ah 0x200 -A hmac-md5 0x3c64015e1f7a7bd3dd0068e53778a314;
add 83.170.43.20 213.191.25.20 ah 0x300 -A hmac-md5 0x7db9dd867764c60c5240afbc7f172639;

# ESP: Encapsulating Security Payload (confidentiality)
# keys created using:  echo 0x$(dd if=/dev/random count=24 bs=1 | xxd -ps)
# 3des-cbc (192-bit key) is likewise legacy; aes-cbc is the modern option.
# Nothing here rekeys these SAs: rotating keys means editing this file on both
# hosts and reloading it.
add 213.191.25.20 83.170.43.20 esp 0x201 -E 3des-cbc 0x2797e628f67ca5f5d0637ce6705529a778b59f1277132b12;
add 83.170.43.20 213.191.25.20 esp 0x301 -E 3des-cbc 0x7365e5a5bfb5c1d5d4a4509b9596a160ed66ec22b4b0dffd;

# Outbound policy: local_ip remote_ip -P out — all protocols must be protected
# by ESP and AH in transport mode; "require" means matching traffic is never
# passed in the clear.
spdadd 213.191.25.20 83.170.43.20 any -P out   ipsec esp/transport//require ah/transport//require;
# Inbound policy: remote_ip local_ip -P in — unprotected packets from the peer are dropped.
spdadd 83.170.43.20 213.191.25.20 any -P in  ipsec esp/transport//require ah/transport//require;

Startup

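# Load the policy at boot by appending the setkey call to rc.local.  Guarded so
# that re-running this step does not append a duplicate line each time.
rc_local=/etc/rc.d/rc.local
setkey_cmd='/usr/sbin/setkey -f /etc/ipsec/setkey.conf'
# -x: whole-line match, -F: fixed string (the command contains no pattern chars,
# but this keeps the check literal).
grep -qxF -- "$setkey_cmd" "$rc_local" || printf '%s\n' "$setkey_cmd" >> "$rc_local"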

Enable

# Apply the SAD/SPD entries from the policy file to the running kernel.
setkey_conf=/etc/ipsec/setkey.conf
setkey -f "$setkey_conf"

Disable

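# Tear down manual keying completely.  "setkey -P -F" only flushes the SPD
# (policies); the hand-keyed SAs, keys included, would stay in the kernel SAD.
setkey -F      # flush the SAD (security associations and their keys)
setkey -P -F   # flush the SPD (policies)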


IKE (Internet Key Exchange)



83.170.43.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f
# IKE variant for host 83.170.43.20: only policies are installed here.  The SAs
# (and their keys) are negotiated by racoon when traffic first matches a policy,
# so there are no "add" lines and no keys ever appear in this file.

# Flush the SAD and SPD
flush;
spdflush;

# IPSEC: require ESP in transport mode in both directions (AH is not used in
# this variant).
spdadd 83.170.43.20 213.191.25.20 any -P out  ipsec esp/transport//require;
spdadd 213.191.25.20 83.170.43.20 any -P in   ipsec esp/transport//require;

83.170.43.20 : /etc/ipsec/racoon.conf

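# racoon configuration for host 83.170.43.20 (peer 213.191.25.20).
path pre_shared_key "/etc/ipsec/psk.txt";
# Certificate directory; not used by this configuration (authentication is by
# pre-shared key, see the "remote" block below).
path certificate "/etc/ipsec/certs";

# Security associations info: Phase 2 (IPsec SA proposals).
# "anonymous" makes this block apply to any peer and any selector; acceptable
# here because the only peer is the single "remote" block below.
# Fixed: the original listing had a stray second "{" after "sainfo anonymous {",
# which racoon's parser rejects.
sainfo anonymous
{
    # Diffie-Hellman group for perfect forward secrecy
    # Group2: 1024 bit (legacy), Group14: 2048 bit (stronger; must match the peer)
    pfs_group 2;
    lifetime time 1 hour;
    # Offered in order; rijndael is AES.
    encryption_algorithm         3des, blowfish 448, rijndael;
    authentication_algorithm     hmac_sha1, hmac_md5;
    compression_algorithm        deflate;
}

# Host authentication: Phase 1 (IKE SA with the peer)
remote 213.191.25.20
{
    # racoon initiates with the first mode listed.  Aggressive mode with a
    # pre-shared key exposes the PSK-derived hash to offline guessing; listing
    # main mode alone is the safer choice when the peer supports it.
    exchange_mode aggressive, main;
    # Identify this host by its IP address (must match the peer's psk.txt entry).
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}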

83.170.43.20 : /etc/ipsec/psk.txt

# Format: <peer identifier> <secret>.  The peer identifies itself by address
# (my_identifier address in its racoon.conf), so the key is its IP.
# NOTE(review): "test123" is the page's demo value; a real link needs a long
# random secret, and this file must stay mode 0600 (see the Commands section).
213.191.25.20 test123

213.191.25.20 : /etc/ipsec/setkey.conf

#!/usr/sbin/setkey -f
# IKE variant for host 213.191.25.20: only policies are installed here.  The SAs
# (and their keys) are negotiated by racoon when traffic first matches a policy,
# so there are no "add" lines and no keys ever appear in this file.

# Flush the SAD and SPD
flush;
spdflush;

# IPSEC: require ESP in transport mode in both directions (AH is not used in
# this variant).
spdadd 213.191.25.20 83.170.43.20 any -P out ipsec esp/transport//require;
spdadd 83.170.43.20 213.191.25.20 any -P in  ipsec esp/transport//require;

213.191.25.20 : /etc/ipsec/racoon.conf

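# racoon configuration for host 213.191.25.20 (peer 83.170.43.20).
path pre_shared_key "/etc/ipsec/psk.txt";
# Certificate directory; not used by this configuration (authentication is by
# pre-shared key, see the "remote" block below).
path certificate "/etc/ipsec/certs";

# Security associations info: Phase 2 (IPsec SA proposals).
# "anonymous" makes this block apply to any peer and any selector; acceptable
# here because the only peer is the single "remote" block below.
# Fixed: the original listing had a stray second "{" after "sainfo anonymous {",
# which racoon's parser rejects.
sainfo anonymous
{
    # Diffie-Hellman group for perfect forward secrecy
    # Group2: 1024 bit (legacy), Group14: 2048 bit (stronger; must match the peer)
    pfs_group 2;
    lifetime time 1 hour;
    # Offered in order; rijndael is AES.
    encryption_algorithm         3des, blowfish 448, rijndael;
    authentication_algorithm     hmac_sha1, hmac_md5;
    compression_algorithm        deflate;
}

# Host authentication: Phase 1 (IKE SA with the peer)
remote 83.170.43.20
{
    # racoon initiates with the first mode listed.  Aggressive mode with a
    # pre-shared key exposes the PSK-derived hash to offline guessing; listing
    # main mode alone is the safer choice when the peer supports it.
    exchange_mode aggressive, main;
    # Identify this host by its IP address (must match the peer's psk.txt entry).
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}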

213.191.25.20 : /etc/ipsec/psk.txt

# Format: <peer identifier> <secret>.  The peer identifies itself by address
# (my_identifier address in its racoon.conf), so the key is its IP.
# NOTE(review): "test123" is the page's demo value; a real link needs a long
# random secret, and this file must stay mode 0600 (see the Commands section).
83.170.43.20 test123

Commands

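# Bring the IKE-based setup up by hand.  Both "racoon -F" and "tail -f" stay in
# the foreground, so each of the commands below is meant for its own terminal.
# The PSK file must not be readable by anyone but root.
chmod 600 /etc/ipsec/psk.txt
# -F: stay in the foreground with debug output instead of daemonising
racoon -f /etc/ipsec/racoon.conf -F
# Fixed: the policy file lives under /etc/ipsec (see the setkey.conf listings);
# the original command pointed at /etc/setkey.conf, which this page never creates.
setkey -f /etc/ipsec/setkey.conf
# Watch the negotiation in the system log.
tail -f /var/log/messages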

Disable

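# Tear down: stop the IKE daemon first so it cannot re-negotiate SAs while the
# kernel state is being flushed, then drop both the SAD and the SPD.
killall racoon
setkey -F      # flush negotiated SAs (and their keys) from the SAD
setkey -F -P   # flush policies from the SPD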

BY: Pejman Moghadam
TAG: ipsec, setkey, racoon
DATE: 2012-11-06 10:50:19

