Knowledge Base ZPE Systems, Inc. IPSec

            How to Configure IPSec Host to Host Tunnel with RSA Keys

            Version 0.1 (02 May 2018)

            Overview

            Host to Host configurations allow two nodes to establish a tunnel between them. The encrypted communication will be limited just to the two nodes involved.


            Figure 11: Host to Host Configuration Example Details

            Host to Host with RSA Key

            Required tasks:

            1. Prepare both nodes (see: How to Prepare a Nodegrid Node for IPSec)
            2. On both nodes create an RSA Key (see: How to create RSA Keys for IPSec)
            3. Create connection configuration file in /etc/ipsec/ipsec.d/ directory as root user
            4. Set the following fields in the connection configuration file:

               Field             Value                          Comments
               ------------------------------------------------------------------------------
               Connection name   <String>

               leftid            @West                          Identifier for the West/Left site. Values can be:
                                                                %left - uses left as value
                                                                @<STRING> - uses the string
                                                                The leftid value is used to identify the PSK.

               left              <IP or FQDN> of the            In addition to an actual IP address, the
                                 West/Left host                 following values can be used; they are
                                                                resolved when the service starts:
                                                                %defaultgateway
                                                                %eth0

               leftrsasigkey     Public RSA Key

               rightid           @East                          Identifier for the East/Right site. Values can be:
                                                                %right - uses right as value
                                                                @<STRING> - uses the string
                                                                The rightid value is used to identify the PSK.

               right             <IP or FQDN> of the            In addition to an actual IP address, the
                                 East/Right host                following values can be used; they are
                                                                resolved when the service starts:
                                                                %defaultgateway
                                                                %eth0

               rightrsasigkey    Public RSA Key

               authby            rsasig

               auto              start                          Regulates when the IPSec tunnel is established.
                                                                Accepted values: add (manual start), start
                                                                (starts with the service), ondemand (established
                                                                when traffic exists), ignore (connection is
                                                                ignored and not used)

               connaddrfamily    ipv4                           Possible values are ipv4 or ipv6

              Format:

              conn <Connection name>
                    connaddrfamily=ipv4
                    auto=<add|start|ondemand|ignore>
                    authby=rsasig

                    leftid=@<STRING>
                    left=<IP or FQDN>
                    leftrsasigkey=<Public RSA Key>
                    rightid=@<STRING>
                    right=<IP or FQDN>
                    rightrsasigkey=<Public RSA Key>

              Example /etc/ipsec/ipsec.d/host-to-host-rsa.conf

              conn host-to-host-rsa
                    connaddrfamily=ipv4
                    auto=start
                    authby=rsasig
              
                    leftid=@West
                    left=192.168.50.4
                    leftrsasigkey=0sAQO1Gr2MY41qhG…………….bbtc7lkT+TxtPBE7sSBWkHr1C5aalkYLwL9kfgK0i7w==
                    rightid=@East
                    right=192.168.58.4
                    rightrsasigkey=0Vaixy810IkQzUU+SmxA6O………..WORl0i3K43tZx9aakmMyvanRg7Bwz4R+ssDe4+MwsGP0=
            5. Copy only the configuration file to the other node. The secret file does not need to be copied in this case.
            6. Restart the IPSec service on both nodes:

               root@ng-west:~# ipsec restart
               Redirecting to: /etc/init.d/ipsec stop
               Shutting down pluto IKE daemon
               002 shutting down

               Redirecting to: /etc/init.d/ipsec start
               Starting pluto IKE daemon for IPsec: .
               root@ng-west:~#
            7. Confirm that the tunnel was established.

               Short information:

               root@ng-west:/etc/ipsec/ipsec.d# ipsec whack --trafficstatus
               006 #4: "host-to-host-rsa", type=ESP, add_time=1524097790, inBytes=0, outBytes=0, id='@East'

               More detailed information:

               root@ng-west:~# ipsec whack --status |grep host-to-host-rsa
               …………….
               000 #4: "host-to-host-rsa":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28035s; isakmp#3; idle; import:not set
               000 #4: "host-to-host-rsa" esp.51e306d2@192.168.58.4 esp.7bdcb6d9@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
               000 #3: "host-to-host-rsa":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2835s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
               000 #5: "host-to-host-rsa":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27555s; newest IPSEC; eroute owner; isakmp#2; idle; import:admin initiate
               000 #5: "host-to-host-rsa" esp.acd469a4@192.168.58.4 esp.6b948bad@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
               000 #2: "host-to-host-rsa":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2114s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
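As an added example (not part of the ZPE article), a small POSIX sh script that checks a conn section for the fields the table above requires, catching an authby=secret left over from a PSK template, and then reads the peer id out of ipsec whack --trafficstatus output like that shown in the last step. The function names, the placeholder RSA keys and the sample status line are constructed here.

```shell
#!/bin/sh
# Added example (not from the ZPE article): lint a libreswan-style conn section
# for an RSA host-to-host tunnel and read the peer id from "ipsec whack
# --trafficstatus" output. Function names and sample data are constructed.

# check_rsa_conn FILE NAME: 0 if conn NAME has left/right, ids, RSA keys,
# auto and authby=rsasig; prints each problem and returns 1 otherwise.
check_rsa_conn() {
    file=$1; name=$2; rc=0
    # Keep only the lines of the requested conn (up to the next "conn").
    section=$(awk -v n="$name" '
        /^[ \t]*conn[ \t]/ { in_s = ($2 == n) }
        in_s { print }' "$file")
    [ -n "$section" ] || { echo "conn $name not found"; return 1; }
    for key in left leftid leftrsasigkey right rightid rightrsasigkey auto; do
        printf '%s\n' "$section" | grep -Eq "^[[:space:]]*$key=[^[:space:]]" \
            || { echo "$name: missing $key"; rc=1; }
    done
    # A conn copied from a PSK template keeps authby=secret; RSA needs rsasig.
    printf '%s\n' "$section" | grep -Eq '^[[:space:]]*authby=rsasig[[:space:]]*$' \
        || { echo "$name: authby must be rsasig"; rc=1; }
    return $rc
}

# tunnel_peer STATUS NAME: prints the id= of the ESP SA for conn NAME in
# trafficstatus output STATUS; returns 1 when no such SA is listed.
tunnel_peer() {
    printf '%s\n' "$1" | grep -F "\"$2\"," | grep -F 'type=ESP' \
        | sed -n "s/.*id='\([^']*\)'.*/\1/p" | head -n 1 | grep .
}

# Constructed sample conf: the article's example with placeholder keys.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
conn host-to-host-rsa
      connaddrfamily=ipv4
      auto=start
      authby=rsasig
      leftid=@West
      left=192.168.50.4
      leftrsasigkey=0sAQO1EXAMPLEKEY==
      rightid=@East
      right=192.168.58.4
      rightrsasigkey=0sAQNEXAMPLEKEY=
EOF
# Constructed trafficstatus line in the format shown in the article.
SAMPLE_STATUS="006 #4: \"host-to-host-rsa\", type=ESP, add_time=1524097790, inBytes=0, outBytes=0, id='@East'"

check_rsa_conn "$SAMPLE_CONF" host-to-host-rsa && peer=$(tunnel_peer "$SAMPLE_STATUS" host-to-host-rsa) \
    && echo "host-to-host-rsa: config ok, ESP SA up with $peer"
```

On a live node, point check_rsa_conn at the file under /etc/ipsec/ipsec.d/ and feed tunnel_peer the real output of ipsec whack --trafficstatus.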

            Updated: 03 May 2018 07:04 PM