IPSec VPN Tutorial Part1
Point-to-Point Scenario using PSK, Certificates, Smart Tokens

Layer 3 IPSEC-VPN Manual

1. Introduction

IPSec is a network protocol suite used to create a secure network connection known as a VPN (Virtual Private Network). An IPSec VPN uses a family of protocols that provide authentication, key exchange, and encryption. The authentication step supports several credential types: PSK (Pre-Shared Key), X.509 certificates, encrypted tokens, and smart cards. The key exchange protocol is IKE (Internet Key Exchange), which exists in two published versions, IKEv1 and IKEv2. Several software packages implement IPSec, for example strongSwan and Openswan. This tutorial uses strongSwan, applies the three authentication methods with IKEv2, and uses the XCA application to create the certificates and keys.

2. Requirements

2.1. Software
  a) strongSwan
  b) XCA

2.2. Hardware
  a) Feitian ePass 2003 token
3. Set up strongSwan on Ubuntu 12.04

    # apt-get update
    # apt-get install curl
    # apt-get build-dep strongswan

Get the latest version of strongSwan from http://www.strongswan.org/download.html (the releases are signed; check the signature before building) and uncompress it:

    # tar -xvzf strongswan-5.x.x.tar.gz
or
    # tar -xvjf strongswan-5.x.x.tar.bz2

Then configure, build and install from inside the extracted directory. The --enable-pkcs11 option is required for the token scenario (4.3):

    # cd strongswan-5.x.x
    # ./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-pkcs11 --enable-openssl --enable-gcrypt
    # make
    # make install

4. Configure strongSwan

All configuration lives in three files under /etc: ipsec.conf, ipsec.secrets and strongswan.conf. ipsec.secrets is not created by the install, so create it, and since it holds keys and PINs in plain text make it readable by root only:

    # touch /etc/ipsec.secrets
    # chmod 600 /etc/ipsec.secrets

There are three scenarios:
  1- PSK (pre-shared key)
  2- Certificates
  3- Tokens

In all scenarios:
  left node, user1, node1, IP = 192.168.0.1
  right node, user2, node2, IP = 192.168.0.2

Read the CA tutorial first before configuring the certificate and token scenarios.
4.1. PSK (pre-shared key)

ipsec.conf should look like this:

    config setup
        charondebug="ike 2, knl 2, cfg 2"
        strictcrlpolicy=no

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

    conn host-host            # connection name
        left=192.168.0.1      # this PC's IP address
        leftid=192.168.0.1
        leftfirewall=yes
        right=192.168.0.2     # other PC's IP address
        rightid=192.168.0.2
        authby=psk
        auto=add

Three corrections to the slide's sample: leftid must be this host's own address (the slide had leftid=192.168.0.2, the peer's address, which the peer rejects at IKE_AUTH because the identity does not match the one it expects); charondebug takes a list of subsystem/level pairs, so "charondebug=[4]" is not valid syntax; and for a host-to-host tunnel leftsubnet/rightsubnet are left out, because they default to the host addresses, while setting both to 192.168.0.0/24 would install a policy that forces all traffic on the LAN through IPSec and breaks it. The same file can be used on the other node: strongSwan decides which side is local by matching the left/right addresses against its own interfaces.

ipsec.secrets should look like this:

    <left node id> <right node id> : PSK "<key as plain text>"

Example:

    192.168.0.1 192.168.0.2 : PSK "12345"

Listing both IDs lets the same line work on either node. A key like "12345" is only acceptable in a lab: an attacker who can pose as the peer for a single IKE_AUTH exchange obtains enough material to brute-force a weak PSK offline, so use a long random key in practice. strongswan.conf does not change.
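The following script is an added example for this PSK scenario; it is not from the original tutorial and not part of strongSwan. It generates a 256-bit random PSK, writes an ipsec.secrets line with both peer IDs and root-only permissions, and sanity-checks the host-host conn in an ipsec.conf (merging conn %default the way strongSwan does) so that the leftid mistake from the slide is caught before "ipsec start". It assumes POSIX sh, awk, od and /dev/urandom; the file names and the "host-host" connection name are parameters taken from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate a real PSK,
# write it into an ipsec.secrets file with both peer IDs and 0600 mode, and
# sanity-check the host-host conn in an ipsec.conf before "ipsec start".
# Assumptions: POSIX sh, awk, od and /dev/urandom; file names are parameters.

# gen_psk: 32 random bytes as 64 hex characters (256 bits of entropy),
# instead of a guessable string such as "12345".
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# write_secrets FILE LEFT_ID RIGHT_ID PSK
# Emits the ipsec.secrets line in strongSwan syntax. Both IDs are listed so
# the same line works on either node; the file is created root-only because
# the key is stored in plain text.
write_secrets() {
    ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$1" )
    chmod 600 "$1"
}

# check_conn FILE: merges "conn %default" and "conn host-host" the way
# strongSwan does, then checks that keyexchange is ikev2 and that an
# IP-address leftid/rightid equals left/right (the slide had leftid set to
# the peer's address, which makes the peer reject the IKE_AUTH identity).
# Prints "ok" or the problems found; exit status 0 only when all checks pass.
check_conn() {
    awk '
      { sub(/#.*/, ""); gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, "") }
      $0 == ""       { next }
      $1 == "conn"   { sect = $2; next }
      $1 == "config" { sect = ""; next }
      (sect == "%default" || sect == "host-host") && index($0, "=") {
          i = index($0, "=")
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
          cfg[k] = v
      }
      END {
          rc = 0
          if (cfg["keyexchange"] != "ikev2") {
              print "keyexchange is \"" cfg["keyexchange"] "\", expected ikev2"; rc = 1 }
          if (cfg["leftid"] ~ /^[0-9.]+$/ && cfg["leftid"] != cfg["left"]) {
              print "leftid " cfg["leftid"] " does not match left " cfg["left"]; rc = 1 }
          if (cfg["rightid"] ~ /^[0-9.]+$/ && cfg["rightid"] != cfg["right"]) {
              print "rightid " cfg["rightid"] " does not match right " cfg["right"]; rc = 1 }
          if (rc == 0) print "ok"
          exit rc
      }' "$1"
}
```

Typical use on the left node: `write_secrets /etc/ipsec.secrets 192.168.0.1 192.168.0.2 "$(gen_psk)"`, copy the same line to the right node over a channel you already trust, then `check_conn /etc/ipsec.conf` on both before starting. The check only inspects identities that are IP addresses, so it is safe to run it on the certificate configurations of 4.2 and 4.3 as well.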
4.2. Using certificates

Put the root CA certificate in /etc/ipsec.d/cacerts (the slide wrote "cacert"; the directory strongSwan reads is cacerts), the user's certificate in /etc/ipsec.d/certs, and the user's private key in /etc/ipsec.d/private, which should be readable by root only.

ipsec.conf should look like this:

    config setup
        charondebug="ike 2, knl 2, cfg 2"
        strictcrlpolicy=no

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

    conn host-host            # connection name
        left=192.168.0.1      # this PC's IP address
        leftid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"
        leftcert=user1Cert.der   # the user's certificate file, in /etc/ipsec.d/certs
        leftfirewall=yes
        right=192.168.0.2     # other PC's IP address
        rightid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user2, E=user2@iwf.com"
        auto=add

Both IDs must be exactly the subject DNs of the two certificates; "openssl x509 -inform DER -in user2Cert.der -noout -subject" prints the DN to copy. No rightcert is given, so the peer's certificate arrives in the IKE exchange and is validated against the CA in cacerts. With strictcrlpolicy=no a certificate is still accepted when no CRL can be found, so a revoked user certificate keeps working unless a CRL is available to strongSwan.

ipsec.secrets should look like this:

    <selectors> : RSA <private key file>

Example:

    : RSA user1Key.der

The ID selectors before the colon (the slide wrote "user1 user2 : RSA user1Key.der") are optional; strongSwan picks the private key that matches leftcert. If the key file is encrypted, append the passphrase in quotes, or %prompt to be asked for it. strongswan.conf does not change.
4.3. Using tokens

ipsec.conf should look like this:

    config setup
        strictcrlpolicy=no
        charondebug="ike 2, knl 2, cfg 2"

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

    conn host-host            # connection name
        left=192.168.0.1      # this PC's IP address
        leftid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"
        leftcert=%smartcard:00   # the user's certificate object on the token
        leftfirewall=yes
        right=192.168.0.2     # other PC's IP address
        rightid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user2, E=user2@iwf.com"
        auto=add

The general form is %smartcard[<slot nr>[@<module>]]:<keyid>, where keyid is the ID of the object on the token ("pkcs15-tool -c" lists certificates, "pkcs15-tool -k" lists private keys). The slide shows user2@iwf.mil in rightid here but user2@iwf.com in 4.2; whichever is right, rightid has to equal the subject DN of user2's certificate.

ipsec.secrets should look like this:

    : PIN %smartcard:<ID of the user's key on the token, from pkcs15-tool -k> "<token PIN>"

Example:

    : PIN %smartcard:ddc2b4e4d299a72972fbff880847b21e94860310 "12345678"

The PIN is stored in plain text, which is one more reason ipsec.secrets must be mode 0600; %prompt in place of the quoted PIN makes strongSwan ask for it at start instead.
In strongswan.conf, add the plugins block (the highlighted lines on the slide) inside the existing libstrongswan { } block so that charon loads the OpenSC PKCS#11 module:

    libstrongswan {
        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
        plugins {
            pkcs11 {
                modules {
                    my-xy-module {
                        path = /usr/lib/opensc-pkcs11.so
                    }
                }
            }
        }
    }

The module name (my-xy-module) is arbitrary. The path depends on the distribution; on multiarch Ubuntu it is typically /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so, so check where OpenSC installed the library.

5. Test Connection

Start the VPN service:

    # ipsec start

Bring the connection up; auto=add only loads it, so one side has to initiate:

    # ipsec up <connection name>
    # ipsec up host-host

Get the status of the connection:

    # ipsec statusall

A healthy status lists the IKE_SA as ESTABLISHED and the CHILD_SA as INSTALLED with the 192.168.0.1/32 === 192.168.0.2/32 traffic selectors. After editing ipsec.conf or ipsec.secrets, "ipsec reload" and "ipsec rereadsecrets" pick up the changes without a restart.

Finish. Good luck :)

Abdallah Abuouf
http://abuouf.me
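As an added example for this test step (not from the original tutorial and not part of strongSwan), the script below reads "ipsec statusall" output from stdin and checks, for one connection name, that the IKE_SA is ESTABLISHED, that a CHILD_SA is INSTALLED, and that no weak algorithm (MODP_768/1024, DES/3DES, MD5, NULL) was negotiated. It assumes POSIX sh and awk; the SAMPLE_* strings are constructed to look like strongSwan 5 status lines and are not captured output.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check "ipsec statusall"
# output for one connection instead of reading it by eye. Real use:
#   ipsec statusall | check_status host-host
# Assumptions: POSIX sh and awk. The SAMPLE_* strings below are constructed
# in the shape of strongSwan 5 status output, not captured from a system.

# sa_state CONN: prints "ok" when the IKE_SA for CONN is ESTABLISHED and a
# CHILD_SA for it is INSTALLED (ESP SAs in the kernel); otherwise the reason.
sa_state() {
    awk -v conn="$1" '
      BEGIN { ike_hdr = conn "["; child_hdr = conn "{" }
      index($0, ike_hdr) && / ESTABLISHED /  { ike = 1 }
      index($0, child_hdr) && / INSTALLED,/  { child = 1 }
      END {
          if (!ike)        print "no ESTABLISHED IKE_SA"
          else if (!child) print "IKE_SA up but no INSTALLED CHILD_SA (no ESP)"
          else             print "ok"
      }'
}

# weak_algs: prints algorithm names from the negotiated proposals that have
# no place in a current deployment (small DH groups, DES/3DES, MD5, NULL).
weak_algs() {
    awk '
      { n = split($0, t, "[ /,]+")
        for (i = 1; i <= n; i++)
            if (t[i] ~ /^(MODP_768|MODP_1024|DES_CBC|3DES_CBC|HMAC_MD5_96|PRF_HMAC_MD5|NULL)$/)
                seen[t[i]] = 1 }
      END { for (a in seen) print a }'
}

# check_status CONN: returns 0 when the tunnel is up and only acceptable
# algorithms were negotiated, 1 otherwise; prints one diagnostic line.
check_status() {
    out=$(cat)
    state=$(printf '%s\n' "$out" | sa_state "$1")
    weak=$(printf '%s\n' "$out" | weak_algs | tr '\n' ' ')
    if [ "$state" != "ok" ]; then
        echo "$1: $state"; return 1
    fi
    if [ -n "$weak" ]; then
        echo "$1: weak algorithms negotiated: $weak"; return 1
    fi
    echo "$1: up, no weak algorithms"
    return 0
}

# Constructed sample: tunnel established with AES/SHA2/MODP_2048.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
   host-host[1]: ESTABLISHED 12 seconds ago, 192.168.0.1[192.168.0.1]...192.168.0.2[192.168.0.2]
   host-host[1]: IKEv2 SPIs: 3a1f9c2b5d8e7f60_i* 7c4d2e1f0a9b8c5d_r, pre-shared key reauthentication in 40 minutes
   host-host[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   host-host{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f60718_o
   host-host{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
   host-host{1}:   192.168.0.1/32 === 192.168.0.2/32'

# Constructed sample: established, but the IKE proposal uses MODP_1024.
SAMPLE_WEAK='Security Associations (1 up, 0 connecting):
   host-host[1]: ESTABLISHED 3 seconds ago, 192.168.0.1[192.168.0.1]...192.168.0.2[192.168.0.2]
   host-host[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   host-host{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f60718_o
   host-host{1}:   192.168.0.1/32 === 192.168.0.2/32'

# Constructed sample: peer never answered, IKE_SA still CONNECTING.
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
   host-host[1]: CONNECTING, 192.168.0.1[%any]...192.168.0.2[%any]
   host-host[1]: IKEv2 SPIs: 3a1f9c2b5d8e7f60_i* 0000000000000000_r'

printf '%s\n' "$SAMPLE_UP" | check_status host-host
```

The check keys on the "conn[n]:" and "conn{n}:" prefixes strongSwan prints for IKE_SA and CHILD_SA lines, so it ignores other connections in the same output; extend the weak-algorithm list to match your own policy (for example to reject SHA-1 integrity as well).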
