Search:  
Gentoo Wiki

HOWTO_OpenSwan_2.6_kernel

This article is part of the HOWTO series.
Installation Kernel & Hardware Networks Portage Software System X Server Gaming Non-x86 Emulators Misc

Contents

Introduction

At the time this document was prepared the following versions are used.

"Openswan is an implementation of IPsec for Linux. It supports kernels 2.0, 2.2, 2.4 and 2.6, and runs on many different platforms, including x86, x86_64, ia64, MIPS and ARM." - http://www.openswan.org/

Openswan provides userspace tools (pluto, etc) for the IPsec implementation in the Linux-2.6.x kernel, as well as kernel modules (KLIPS) for older kernels. It is a mature alternative to IPsec-Tools (http://ipsec-tools.sourceforge.net)

The scope of this document is to get OpenSwan installed and configured using the 2.6 kernel. This document is designed for people who want to link two private networks over the internet as a virtual private network (VPN). for all intent and purpose in this document I will use the following setup:

Image:openswanhowtonetworkexample.jpg

Network A is a private network using the 192.168.10.0 network

Network B is a private network using the 192.168.50.0 network

OpenSwanA is connected to Network A on eth1 and has a real internet address of 209.16.182.140 on eth0

OpenSwanB is connected to Network B on eth1 and has a real internet address of 209.162.138.250 on eth0

Requirements

Installation

# emerge gentoo-sources iptables openswan bind-tools ipsec-tools

ATTENTION: Be sure you use version 2.3.0 or higher (which is currently ~ppc, but stable on x86 and amd64).

Configuring

Configuration can be broken down into 2 sections.

kernel support for ipsec

Code: make menuconfig

this is from the 2.6.9 kernel options

Device Drivers --->
    Networking Support --->
         Networking Options --->
               (M) PF_KEY sockets
               (M) IP: AH transformations
               (M) IP: ESP transformations
               (M) IP: IPComp transformations
               (M) IP: tunnel transformations
               (M) IPsec user configuration interface
Code: make menuconfig

this is from the 2.6.13 kernel options

Networking --->
    Networking Options --->
        (M) PF_KEY sockets
        (M) IP: AH transformations
        (M) IP: ESP transformations
        (M) IP: IPComp transformations
        (M) IP: tunnel transformations
        (M) IPsec user configuration interface
Code: make menuconfig

this is from the 2.6.19 kernel options

Networking --->
    Networking Options --->
        (M) Transformation user configuration interface
        (M) PF_KEY sockets
        (M) IP: AH transformations
        (M) IP: ESP transformations
        (M) IP: IPComp transformations
        (M) IP: IPsec tunnel mode ???
       

load kernel modules

modprobe pf_key
modprobe ah4
modprobe esp4
modprobe ipcomp
modprobe xfrm_user


on kernel 2.6.15 the module built is af_key, not pf_key - tgreen@contentwatch.com
I also had to load module xfrm4_mode_tunnel for it to work - garton.tim [at] gmail.com (It's now xfrm4_tunnel)

Generating ipsec.secrets

The first time that /etc/init.d/ipsec is started, it will generate a 2048 bit secret, by running the following:

ipsec newhostkey --output /etc/ipsec/ipsec.secrets --bits 2048

It uses /dev/random, which generates random numbers based on "environmental noise", collected from device drivers and other sources. However, it takes time to build up the entropy of the pool, and it gets "used up" when producing random streams. When there is not enough entropy in the pool to produce the requested number (and 2048 bits is a large number to ask for), the request blocks until enough entropy is generated. For the user, there appears to be nothing happening. See bug #288 for a discussion of this issue.

There are three ways to work around this:

  1. Generate entropy - by move mouse, I/O operations etc. (recommended).
  2. Feed /dev/random with pseudorandom or binary data
  3. Feed /dev/random with random data from another system
  4. Use /dev/urandom, which generates weaker pseudorandom numbers, to generate the key

The most recommended method in generating high security random data is to create many random noise. Except moving mouse and pressing keys on keyboard very intensive I/O operations may also increase entropy level(which can be observed in /proc/sys/kernel/random/entropy_avail).

 dd if=/dev/hda of=/dev/null &
 dd if=/dev/hdb of=/dev/null &

The most straightforward method is to open another session, and feed the random generator with psuedorandom data:

 dd if=/dev/urandom of=/dev/random bs=1024 count=1M

Feeding data to /dev/random can increase the entropy, if the kernel decides if the incoming data is "random enough". Alternatively, any large file can be used as the source of entropy, but even binary files have less then you would think. In any case, the activity may help generate true environmental noise, and help you feel better as you wait for the key to be generated.

The correct and secure way is to feed truly random data from another system with /dev/random or a suitable replacement. You can try feeding it directly:

 dd if=/dev/random bs=1024 count=5 | ssh user@target_IP sudo dd of=/dev/random 

However, this doesn't appear to work - maybe the user has to be root?. Alternatively, you can perform the transfer manually:

 dd if=/dev/random of=random_data bs=1024 count=5
 scp random_data user@target_IP:random_data
 ssh user@target_IP
 sudo cat random_data /dev/random

To use /dev/urandom directly (which is much quicker, but potentially less secure), edit /usr/libexec/ipsec/newhostkey and change line 59:

File: /usr/libexec/ipsec/newhostkey
ipsec rsasigkey $verbose $host $bits

to

ipsec rsasigkey $verbose --random /dev/urandom $host $bits

Make sure to rm /etc/ipsec/ipsec.secrets.new before trying again.

(NOTE from docunext.com, I have never been able to feed random data to /dev/random, but with rng-tools you can cat random data to /dev/stdinput and it will test it using FIPS. You can also simply use /dev/urandom as the hwrng, which is similar to feeding /dev/random with /dev/urandom. It tests it before it feeds it, which is nice.)

enabling routing

Instantly enable routing:

echo 1 > /proc/sys/net/ipv4/ip_forward

To enable routing automatically at boot time edit /etc/sysctl.conf and insert:

File: /etc/sysctl.conf
net.ipv4.ip_forward = 1

Testing

Start openswan and verify the openswan install

/etc/init.d/ipsec start
Code: ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.2.0/K2.6.9-gentoo-r9 (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)                 [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: mikeotunnel                     [MISSING]
   Does the machine have at least one non-private address?              [FAILED]


the following errors are caused by gawk being compiled with the --enable-switch option.

if you dont receive the following, skip down to 'Configuring the Tunnel'

Code: gawk error
hostname ~ # /etc/init.d/ipsec start
  * Starting IPSEC ... ...
awk: cmd. line:97: default[""] = ""
awk: cmd. line:97: ^ syntax error
awk: cmd. line:202: for (i in default)
awk: cmd. line:202: ^ syntax error
etc.. etc.. etc..


i manually modified the gawk ebuild removing the line containing '--enable-switch \' and ran the following commands to resolve my problem.

ebuild gawk-3.1.4-r4.ebuild digest
emerge gawk

Addum : I had the same problem but insted of re-emerging gawk I went through /usr/lib/ipsec/_confread and changed the 'default' to 'patcheddefault' and it works fine. The reson this error occurs is because gawk uses default as a pre defined function/variable (didn't quite find out which one) which makes the variable default not work how we want it to.

Versions of openswan newer than 2005/6/13, such anything in the 2.4 series already have an equivalent patch.

You can also watch this patch: http://bugs.gentoo.org/show_bug.cgi?id=94681

Configuring the Tunnel

the computer network A in this example will be considered the left side
the computer network B in this example will be considered the right side

(In the next box the leftrsasigkey and rightrsasigkey are shortened for ease of reading - indicated by "...")

Edit /etc/ipsec/openswana-openswanb.conf

File: /etc/ipsec/openswana-openswanb.conf
conn openswana-openswanb
        left=209.16.182.140
        leftsubnet=192.168.10.0/24
        leftid=@openswana.example.com
        leftrsasigkey=0sAQOvgJC8N2VjhVW...
        leftnexthop=%defaultroute
        right=209.162.138.250
        rightsubnet=192.168.50.0/24
        rightid=@openswanb.example.com
        rightrsasigkey=0sAQPZfhh2U4OrIo...
        rightnexthop=%defaultroute
        authby=rsasig
        auto=start

in the above example

then we need to add the tunnel config to the ipsec configuration by adding the following to the end of /etc/ipsec/ipsec.conf

include /etc/ipsec/openswana-openswanb.conf

this tunnel configuration file needs to be the same on both machines openswana and openswanb. Once you have it on both machines and have added it to the /etc/ipsec/ipsec.conf restart the ipsec service on both machines.

/etc/init.d/ipsec restart

you can then check to see if the tunnel is going by running

ipsec auto --status

you can also at this point go to any workstation and ping across the tunnel to a workstation on the other side.

Commentary:

Don't forget!!!

To pass IPsec traffic through a firewall, you'll need the following ports/protocols open in both directions:


iptables -A INPUT -s x.x.x.x -d y.y.y.y -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s x.x.x.x -d y.y.y.y -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -s x.x.x.x -d y.y.y.y -p 50 -j ACCEPT
iptables -A INPUT -s x.x.x.x -d y.y.y.y -p 51 -j ACCEPT

Related Links

http://wiki.openswan.org/

openswan home page

Guide for openswan

Guide how to use with Zyxel Devices

Openswan Book - From the developers of Openswan.

Interview with Ken Bantoft and Paul Wouters from Openswan

Retrieved from "http://www.gentoo-wiki.info/HOWTO_OpenSwan_2.6_kernel"

Last modified: Tue, 15 Jan 2008 13:20:00 +0000 Hits: 65,480