IPSec VPN Tutorial Part1
Point to Point Scenario
using PSK, Certificates, Smart Tokens

Layer 3 IPsec VPN Manual

1. Introduction

IPsec is a suite of network-layer protocols used to build secure connections known as VPNs (Virtual Private Networks). An IPsec VPN relies on a family of protocols that provide peer authentication, key exchange, and encryption. Authentication can be based on a PSK (Pre-Shared Key), X.509 certificates, encrypted tokens, or smart cards. The key exchange protocol is IKE (Internet Key Exchange), which exists in two published versions, IKEv1 and IKEv2. Several packages implement IPsec on Linux, for example strongSwan and Openswan. This tutorial uses strongSwan with IKEv2, walks through the three authentication methods, and uses the XCA software to create the certificates and keys.

2. Requirements

2.1. Software
  a) strongSwan
  b) XCA

2.2. Hardware
  a) Feitian ePass 2003 token
3. Installing strongSwan on Ubuntu 12.04

  # apt-get update
  # apt-get install curl
  # apt-get build-dep strongswan

(apt-get build-dep needs a deb-src line in /etc/apt/sources.list.)

Get the latest version of strongSwan from http://www.strongswan.org/download.html and extract it:

  # tar -xvzf strongswan-5.x.x.tar.gz
or
  # tar -xvjf strongswan-5.x.x.tar.bz2

Then configure, build and install. --enable-pkcs11 is required for the token scenario, --enable-curl lets charon fetch CRLs and certificates over HTTP, and --enable-openssl / --enable-gcrypt add the extra crypto back ends:

  # ./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-pkcs11 --enable-openssl --enable-gcrypt
  # make
  # make install

4. Configuring strongSwan

All configuration lives in three files under /etc/: ipsec.conf, ipsec.secrets and strongswan.conf. ipsec.secrets is not created by the install, so create it yourself and, since it will hold keys, passphrases and PINs, make it readable by root only:

  # touch /etc/ipsec.secrets
  # chmod 600 /etc/ipsec.secrets

There are three scenarios:
  1. PSK (Pre-shared Key)
  2. Certificates
  3. Tokens

In all scenarios:
  left node  = user1 = node1, IP 192.168.0.1
  right node = user2 = node2, IP 192.168.0.2

Read the CA tutorial first before configuring the certificate and token scenarios.
4.1. PSK (Pre-shared Key)

ipsec.conf should look like this (text after # is a comment; the arrows on the original slide marked the same remarks):

  config setup
      charondebug="ike 2, knl 2, cfg 2"   # charondebug takes "<subsystem> <level>" pairs
      strictcrlpolicy=no

  conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2

  conn host-host                  # connection name
      left=192.168.0.1            # this PC's IP address
      leftid=192.168.0.1          # this PC's own identity
      leftfirewall=yes
      right=192.168.0.2           # the other PC's IP address
      rightid=192.168.0.2         # the other PC's identity
      authby=psk
      auto=add

leftid must be this host's own identity and rightid the peer's; the two values are what the PSK selectors in ipsec.secrets are matched against. For a host-to-host tunnel do not set leftsubnet/rightsubnet: they default to the host addresses, whereas setting both to 192.168.0.0/24 makes charon install a policy that covers all traffic between this host and the whole LAN, so every neighbour is pulled into the tunnel, not just 192.168.0.2.

ipsec.secrets should contain one line, identical on both nodes, with both identities before the colon so the key is only selected for this pair of peers:

  left-node-id right-node-id : PSK "{key as plain text}"
  Ex: 192.168.0.1 192.168.0.2 : PSK "12345"

A key like "12345" is for demonstration only. In IKEv2 an attacker who can pose as the responder receives the initiator's AUTH payload and can brute-force a short PSK offline, so use a long random key (32 bytes or more) and keep ipsec.secrets mode 600.

strongswan.conf does not change.
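Added example (not code from the tutorial): a POSIX shell script that generates a random PSK and renders a matching ipsec.conf / ipsec.secrets pair for both peers of the host-to-host scenario above. It assumes the tutorial's addresses (192.168.0.1 and 192.168.0.2) and connection name host-host; the function names and the out/left, out/right output layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate a strong PSK and write a
# matching ipsec.conf / ipsec.secrets pair for both peers of the host-to-host
# scenario.  Assumes the tutorial's addresses (192.168.0.1 and 192.168.0.2)
# and connection name; the output directory layout is this example's own.

# 32 random bytes from /dev/urandom, hex-encoded (64 characters).
gen_psk() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Print ipsec.conf for the peer whose address is $1, talking to $2.
# leftid is this host's own address, and no leftsubnet/rightsubnet are set:
# for host-to-host they default to the host addresses, whereas
# 192.168.0.0/24 on both sides would pull every LAN neighbour into the policy.
render_conf() {
    me=$1; peer=$2
    cat <<EOF
config setup
    charondebug="ike 2, knl 2, cfg 2"
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn host-host
    left=$me
    leftid=$me
    leftfirewall=yes
    right=$peer
    rightid=$peer
    authby=psk
    auto=add
EOF
}

# One ipsec.secrets line naming both identities, so the key is only offered
# to this pair of peers.  The same line goes on both hosts.
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Write both files for one side into directory $1 (this host $2, peer $3,
# key $4).  The secrets file is created under umask 077, so it is never
# world-readable, not even briefly before the chmod.
write_side() {
    dir=$1; me=$2; peer=$3; psk=$4
    mkdir -p "$dir"
    render_conf "$me" "$peer" > "$dir/ipsec.conf"
    ( umask 077; render_secrets "$me" "$peer" "$psk" > "$dir/ipsec.secrets" )
    chmod 600 "$dir/ipsec.secrets"
}

# Generate one key and render both sides under ./out/left and ./out/right;
# copy each directory's two files to /etc/ on the matching node.
main() {
    psk=$(gen_psk)
    write_side out/left  192.168.0.1 192.168.0.2 "$psk"
    write_side out/right 192.168.0.2 192.168.0.1 "$psk"
    echo "wrote out/left and out/right (secrets are mode 600)"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh gen-psk-pair.sh run`; the right-hand directory is rendered with the roles swapped, so each node's file says left=its own address, which is the only difference between the two configs.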
4.2. Using Certificates

Place the files in strongSwan's directories (the CA directory is cacerts, plural):
  the root CA certificate    in /etc/ipsec.d/cacerts
  the user's certificate     in /etc/ipsec.d/certs
  the user's private key     in /etc/ipsec.d/private  (mode 600, owned by root)

ipsec.conf should look like this:

  config setup
      charondebug="ike 2, knl 2, cfg 2"   # charondebug takes "<subsystem> <level>" pairs
      strictcrlpolicy=no

  conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2

  conn host-host                  # connection name
      left=192.168.0.1            # this PC's IP address
      leftid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"
      leftcert=user1Cert.der      # this user's certificate file, in /etc/ipsec.d/certs
      leftfirewall=yes
      right=192.168.0.2           # the other PC's IP address
      rightid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user2, E=user2@iwf.com"
      auto=add

leftid must be the exact subject DN of the certificate named by leftcert, and rightid the exact subject DN of the peer's certificate (strongSwan writes emailAddress as E=). No rightcert is needed: the peer sends its certificate in IKE_AUTH and it is validated against the CA certificate in /etc/ipsec.d/cacerts. With strictcrlpolicy=no a missing or unreachable CRL only produces a warning and the peer is still accepted; for production set strictcrlpolicy=yes and make a CRL or OCSP responder available so revoked certificates are rejected.

ipsec.secrets names the private key file (looked up in /etc/ipsec.d/private). The ID selectors before the colon are ignored for private keys, so leave them empty; strongSwan pairs the key with leftcert by its public key:

  : key_type user_Private_keyfile.der
  Ex: : RSA user1Key.der

If the key file is passphrase-protected, add the passphrase in quotes after the file name. After editing the file run ipsec rereadsecrets.

strongswan.conf does not change.
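Added example (not code from the tutorial): pre-flight checks for the certificate scenario above, which also apply to the token scenario since it uses the same leftid/rightid DN strings. The script converts the subject line printed by openssl into the DN form strongSwan expects, compares it with the rightid in ipsec.conf, and confirms that a private key really belongs to a certificate. The function names, the SAMPLE_CONF text and the two subject lines are constructed for this example; the DN values are the tutorial's own.

```shell
#!/bin/sh
# Added example, not from the tutorial: pre-flight checks for the certificate
# scenario.  SAMPLE_CONF and the two subject lines below are constructed for
# this example; the DN values are the ones the tutorial uses.

# Convert the subject line printed by
#   openssl x509 -in cert.der -inform DER -noout -subject -nameopt oneline
# e.g. "subject=C = eg, ST = Cairo, ..., emailAddress = user1@iwf.com"
# into the DN form strongSwan expects in leftid/rightid:
#      "C=eg, ST=Cairo, ..., E=user1@iwf.com"
subject_to_id() {
    printf '%s\n' "$1" \
        | sed -e 's/^subject= *//' -e 's/ *= */=/g' -e 's/emailAddress=/E=/g'
}

# Read the value of key $1 (e.g. rightid) from ipsec.conf text on stdin,
# dropping the surrounding quotes.  Only the first match is returned.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" | sed -e 's/^"//' -e 's/"$//' | head -n 1
}

# Succeed if rightid in the config text ($1) equals the peer certificate's
# subject ($2, as printed by openssl).  A mismatch (for instance iwf.mil
# typed where the certificate says iwf.com) means the peer's certificate
# is valid yet no connection matches its identity, and IKE_AUTH fails.
peer_id_matches() {
    want=$(subject_to_id "$2")
    have=$(printf '%s\n' "$1" | conf_value rightid)
    [ "$have" = "$want" ]
}

# The same check against real files (needs openssl; not exercised offline).
# Usage: check_peer_cert /etc/ipsec.conf /etc/ipsec.d/certs/user2Cert.der
check_peer_cert() {
    conf=$(cat "$1")
    subj=$(openssl x509 -in "$2" -inform DER -noout -subject -nameopt oneline)
    peer_id_matches "$conf" "$subj"
}

# Confirm the private key named in ipsec.secrets belongs to leftcert:
# certificate and key must yield the same PEM public key.
# Usage: key_matches_cert certs/user1Cert.der private/user1Key.der
key_matches_cert() {
    a=$(openssl x509 -in "$1" -inform DER -noout -pubkey)
    b=$(openssl pkey -in "$2" -inform DER -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data: the conn block from section 4.2 and two subject
# lines for user2, one correct and one with the wrong e-mail domain.
SAMPLE_CONF='conn host-host
    left=192.168.0.1
    leftid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"
    leftcert=user1Cert.der
    right=192.168.0.2
    rightid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user2, E=user2@iwf.com"
    auto=add'
PEER_SUBJECT='subject=C = eg, ST = Cairo, L = Cairo, O = IWF, OU = IWF_OU, CN = user2, emailAddress = user2@iwf.com'
WRONG_SUBJECT='subject=C = eg, ST = Cairo, L = Cairo, O = IWF, OU = IWF_OU, CN = user2, emailAddress = user2@iwf.mil'

if peer_id_matches "$SAMPLE_CONF" "$PEER_SUBJECT"; then
    echo "rightid matches user2's certificate"
fi
if ! peer_id_matches "$SAMPLE_CONF" "$WRONG_SUBJECT"; then
    echo "rightid does not match the iwf.mil certificate (expected)"
fi
```

On a real node, run check_peer_cert against /etc/ipsec.conf and the peer's certificate file received from the CA, and key_matches_cert against the files in /etc/ipsec.d/certs and /etc/ipsec.d/private, before the first ipsec up; both checks take seconds and rule out the two most common causes of an IKE_AUTH failure that the charon log reports only indirectly.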
4.3. Using Tokens

ipsec.conf should look like this:

  config setup
      strictcrlpolicy=no
      charondebug="ike 2, knl 2, cfg 2"   # charondebug takes "<subsystem> <level>" pairs

  conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2

  conn host-host                  # connection name
      left=192.168.0.1            # this PC's IP address
      leftid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user1, E=user1@iwf.com"
      leftcert=%smartcard:ddc2b4e4d299a72972fbff880847b21e94860310   # certificate and key are read from the token
      leftfirewall=yes
      right=192.168.0.2           # the other PC's IP address
      rightid="C=eg, ST=Cairo, L=Cairo, O=IWF, OU=IWF_OU, CN=user2, E=user2@iwf.com"
      auto=add

leftcert uses the form %smartcard[<slot>[@<module>]]:<keyid>, where <keyid> is the ID of the user's key on the token as reported by pkcs15-tool -k; the same identifier must appear in the PIN line of ipsec.secrets, since that is how strongSwan pairs the PIN with the key object. rightid must match the peer's certificate subject exactly, so the e-mail domain is the same iwf.com used in section 4.2.

ipsec.secrets should look like this:

  : PIN %smartcard:{user key ID on the token, from pkcs15-tool -k} "{token PIN}"
  Ex: : PIN %smartcard:ddc2b4e4d299a72972fbff880847b21e94860310 "12345678"

The PIN is stored in clear text here, which is why ipsec.secrets must be mode 600; anyone who can read it can use the token while it is plugged in.
strongswan.conf: add the plugins section (shown in red on the original slide) inside the libstrongswan {} block so that the pkcs11 plugin loads the OpenSC PKCS#11 module:

  libstrongswan {
      # set to no, the DH exponent size is optimized
      # dh_exponent_ansi_x9_42 = no

      plugins {
          pkcs11 {
              modules {
                  my-xy-module {
                      path = /usr/lib/opensc-pkcs11.so
                  }
              }
          }
      }
  }

The module name (my-xy-module here) is free to choose; it is what you would reference after @ in %smartcard:<slot>@<module> if more than one module is configured. Check that the path exists on your system (find / -name opensc-pkcs11.so), since distributions differ in where they install it.

5. Test the Connection

Start the VPN service:

  # ipsec start

Bring the connection up (auto=add only loads it; up initiates it):

  # ipsec up {connection name}
  # ipsec up host-host

Check the status of the connection:

  # ipsec statusall

A working tunnel lists host-host as ESTABLISHED under Security Associations. For the certificate and token scenarios, ipsec listcerts and ipsec listcacerts show which certificates charon actually loaded; if yours is missing, the file location, permissions or the key ID is wrong. After changing ipsec.conf run ipsec reload, after changing ipsec.secrets run ipsec rereadsecrets.

Finish. Good luck!

Abdallah Abuouf
http://abuouf.me