Knowledge Base ZPE Systems, Inc. IPSec

            How to Configure IPSec Host to Host tunnel with Certificate

            Version 0.1 (02 May 2018)

            Overview

            Host to Host configurations allow two nodes to establish a tunnel between them. The encrypted communication is limited to the two nodes involved.


            Figure 11: Host to Host Configuration Example Details

            Host to Host with Certificates

            Required tasks:

            1. Prepare both nodes (see: How to Prepare a Nodegrid Node for IPSec)
            2. Get the required certificate files for both nodes (see: How to Create Certificates for IPSec)
              1. Root CA certificate as .crt file
              2. Certificate for both nodes in .crt format
              3. Certificate and private key for both nodes in pkcs#12 format

              Example:

              • zpeca.crt
              • ng-east.crt
              • ng-west.crt
              • ng-east.p12
              • ng-west.p12
            3. Import the Root CA certificate
              Note: The examples below are executed on the west node.

              Format:

              certutil -A -i <certificate file> -n "<nickname>" -t "CT,," -d sql:/etc/ipsec/ipsec.d/

              Example:

              root@ng-west:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
            4. Import intermediate Certificate Authorities, if they exist

              Format:

              certutil -A -i <certificate file> -n "<nickname>" -t ",," -d sql:/etc/ipsec/ipsec.d/

              Example:

              root@ng-west:~# certutil -A -i euzpeca.crt -n "euzpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
            5. Import the private key and certificate specific to this node

              Format:

              ipsec import <pkcs#12 file> -n <nickname> -d sql:/etc/ipsec/ipsec.d/

              Example:

              root@ng-west:~# ipsec import ng-west.p12 -n ng-west -d sql:/etc/ipsec/ipsec.d/
              Enter password for PKCS12 file:
              pk12util: PKCS12 IMPORT SUCCESSFUL
            6. Import the remote node's certificate

              Format:

              certutil -A -i <certificate file> -n "<nickname>" -t "P,," -d sql:/etc/ipsec/ipsec.d/

              Example:

              root@ng-west:~# certutil -A -i ng-east.crt -n "ng-east" -t "P,," -d sql:/etc/ipsec/ipsec.d/
            7. Create the connection configuration file in the /etc/ipsec/ipsec.d/ directory as the root user

              Field            Value                                 Comment
              Connection name  <String>
              leftid           %fromcert                             The leftid is populated from the certificate
              left             <IP or FQDN> of the West/Left host    In addition to an actual IP address, the values %defaultgateway and %eth0 can be used; these are resolved when the service starts
              leftrsasigkey    %cert                                 Uses the RSA key of the certificate
              leftcert         <IDENTIFIER>                          Certificate identifier (the nickname given with -n at import)
              rightid          %fromcert                             The rightid is populated from the certificate
              right            <IP or FQDN> of the East/Right host   In addition to an actual IP address, the values %defaultgateway and %eth0 can be used; these are resolved when the service starts
              rightrsasigkey   %cert                                 Uses the RSA key of the certificate
              rightcert        <IDENTIFIER>                          Certificate identifier (the nickname given with -n at import)
              auto             start                                 Regulates when the IPSec tunnel is established. Accepted values: add (manual start), start (starts with the service), ondemand (established when traffic exists), ignore (connection is ignored and not used)
              connaddrfamily   ipv4                                  Possible values are ipv4 or ipv6

              Format:

              conn <connection name>
                   connaddrfamily=ipv4
                   auto=<add|start|ondemand|ignore>

                   leftid=%fromcert
                   left=<IP or FQDN>
                   leftrsasigkey=%cert
                   leftcert=<IDENTIFIER>

                   rightid=%fromcert
                   right=<IP or FQDN>
                   rightrsasigkey=%cert
                   rightcert=<IDENTIFIER>

              Example /etc/ipsec/ipsec.d/host-to-host-cert.conf:

              conn host-to-host-cert
                      connaddrfamily=ipv4
                      auto=start

                      leftid=%fromcert
                      left=192.168.50.4
                      leftrsasigkey=%cert
                      leftcert=ng-west

                      rightid=%fromcert
                      right=192.168.58.4
                      rightrsasigkey=%cert
                      rightcert=ng-east
            8. Copy only the configuration file to the other node. The secrets file does not need to be copied in this case.
            9. Restart the IPSec service on both nodes

              root@ng-west:~# ipsec restart
              Redirecting to: /etc/init.d/ipsec stop
              Shutting down pluto IKE daemon
              002 shutting down

              Redirecting to: /etc/init.d/ipsec start
              Starting pluto IKE daemon for IPsec: .
              root@ng-west:~#
            10. Confirm that the tunnel was established
              1. Short information:

                root@ng-west:/etc/ipsec/ipsec.d# ipsec whack --trafficstatus
                006 #4: "host-to-host-cert", type=ESP, add_time=0, inBytes=252, outBytes=252, id='C=US, ST=California, L=Fremont, CN=ng-east'
                006 #3: "host-to-host-cert", type=ESP, add_time=1524106315, inBytes=0, outBytes=0, id='C=US, ST=California, L=Fremont, CN=ng-east'
              2. More detailed information:

                root@ng-west:~# ipsec whack --status | grep host-to-host-cert
                ...
                000 #4: "host-to-host-cert":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27850s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
                000 #4: "host-to-host-cert" esp.8f05c62c@192.168.58.4 esp.33385f41@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=252B ESPout=252B! ESPmax=4194303B
                000 #1: "host-to-host-cert":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2409s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
                000 #3: "host-to-host-cert":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28316s; isakmp#2; idle; import:not set
                000 #3: "host-to-host-cert" esp.759f48b6@192.168.58.4 esp.62dcc0e@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
                000 #2: "host-to-host-cert":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3116s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
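A preflight check for the procedure above, added here as example code (not a Nodegrid or libreswan tool): it parses a conn file in the format shown and a `certutil -L` listing, then reports certificates that are missing from the NSS database or that carry the wrong trust flags for the node it runs on. The conn file and the listing are constructed samples; the listing assumes certutil's standard layout, in which the node's own certificate shows u,u,u once its private key has been imported.

```python
import re

# Constructed inputs: the article's example conn file and a listing in the format of
# `certutil -L -d sql:/etc/ipsec/ipsec.d/` as it would look on ng-west after the imports.
CONN_FILE = """conn host-to-host-cert
        connaddrfamily=ipv4
        auto=start
        leftid=%fromcert
        left=192.168.50.4
        leftrsasigkey=%cert
        leftcert=ng-west
        rightid=%fromcert
        right=192.168.58.4
        rightrsasigkey=%cert
        rightcert=ng-east"""
CERT_LISTING = """Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

zpeca                                 CT,,
ng-west                               u,u,u
ng-east                               P,,"""

def parse_conn(text):
    """Return {conn name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_nss_listing(text):
    """Map nickname -> trust flags; the first two lines of certutil -L are headers."""
    rows = (l.rsplit(None, 1) for l in text.splitlines()[2:])
    return {nick.strip(): flags for nick, flags in (r for r in rows if len(r) == 2)}

def check_certs(conn, trust, local="left"):
    """List NSS-database problems that would stop the tunnel coming up on the local node."""
    problems = []
    if not any("C" in f.split(",")[0] for f in trust.values()):
        problems.append('no trusted root CA (imported with -t "CT,,") in the NSS database')
    for side in ("left", "right"):
        nick, flags = conn.get(side + "cert"), trust.get(conn.get(side + "cert"))
        if flags is None:
            problems.append(f"{side}cert '{nick}' is not in the NSS database")
        elif side == local and flags != "u,u,u":  # own cert must carry its private key
            problems.append(f"{side}cert '{nick}' has no private key (expected u,u,u)")
        elif side != local and "P" not in flags.split(",")[0]:  # peer cert needs -t "P,,"
            problems.append(f"{side}cert '{nick}' should be imported with -t \"P,,\"")
    return problems
```

Run the same file on the east node with local="right", since the one conn file is shared by both nodes but each node's NSS database holds a different private key.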
