Host to network IPsec VPN with OpenSwan and ScreenOS

May 1, 2012 Cody IPSEC

Whiling attempting to configure what I thought would be a straight forward VPN between a Linux VPS running CentOS 5 on top of KVM with a Netscreen 5gt became more of an adventure then I expected.

I had originally planned on configuring a standard Route Based VPN in ScreenOS 5.4 and tunneling all traffic between the VPS and the remote site. Unforantely I had forgotten the trouble that ScreenOS route based VPN’s can cause when exposing an entire subnet via the tunnel. Even when utilizing proxy-id’s with the route based configuration I had trouble making the SA’s match with OpenSwans IPsec.

The IPsec tunnel I ended up with utilized a ScreenOS policy-based VPN with a pre-shared key and static ip’s. I eventually plan to switch this to agressive mode on the netscreen for a dhcp environment using a peer id so the Netscreen can intialize the VPN regardless if the IP changes in the future.

Configuring a Policy-based IPsec VPN in ScreenOS 5.4

Starting off will be the configuration I used on the Netscreen followed by the Linux ipsec.conf configuration.

1. Define your IKE gateway settings

I enabled NAT-t is this configuration as the Netscreen 5gt performs NAT with a single global ip address with a private lan behind it.

set ike gateway "Remote_VM" address Main outgoing-interface "untrust" preshare "q8jJ0Px8NSPBhks/fiC14pecmtnSXyjc4A==" proposal "pre-g2-3des-md5"
set ike gateway "Remote_VM" nat-traversal
unset ike gateway "Remote_VM" nat-traversal udp-checksum
set ike gateway "Remote_VM" nat-traversal keepalive-frequency 0

2. Define the IPsec policy

set vpn "Tunnel to VPS" gateway "Remote_VM" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
set vpn "Tunnel to VPS" monitor
set vpn "Tunnel to VPS" proxy-id local-ip remote-ip "ANY"

3. Define the zone policies that match then tunnels the traffic toward our host.

set address "Trust" "HomeNet" "Home Network"
set address "Untrust" "Remote_VM"

set policy id 36 name "VPS-Tunnel" from "Trust" to "Untrust" "HomeNet" "Remote_VM" "ANY" tunnel vpn "Tunnel to VPS" id 6 pair-policy 35
set policy id 36
set log session-init
set policy id 35 name "VPS-Tunnel" from "Untrust" to "Trust" "Remote_VM" "HomeNet" "ANY" tunnel vpn "Tunnel to VPS" id 6 pair-policy 36
set policy id 35
set log session-init

Per the normal you can use the following commands to debug screenos vpn’s:

Enable ike debugging:

debug ike detail

Read the debug log:

get dbuf stream

View configured security-associations:

get sa> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000006< 500 esp:3des/md5 4ea3531c 3065 unlim A/D 35 0 00000006> 500 esp:3des/md5 ecb4503b 3065 unlim A/D 36 0

Disable ike debugging:

undebug ike all

Now we should be able to successfully configure OpenSwan to connect to this VPN with little trouble.

Configuring OpenSwan IPsec VPN in CentOS 5

This part assumes you already know how to configure CentOS 5 with the proper configuration to stand up a working IPsec implementation. Luckily OpenSwan includes some great tools for debugging and verifing everything you need.

Don’t forget you need to modify you iptables firewall rules to allow UDP ports 500 and 4500 for this configuration. IKE requires UDP port 500 and NAT-transversal requires UDP port 4500.

Create the file /etc/ipsec.conf or edit the package provided file.

# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual: ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

config setup
#Comment out plutodebug once you have setup the vpn.
plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

Test out the ipsec service to make sure it fully starts and runs successfully before defining the first VPN. This will also give you a chance to verify your Centos 5 system is setup properly using the command ‘ipsec verify’.

[root@example ~]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.18-274.12.1.el5…
ipsec_setup: multiple ip addresses, using on eth0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

[root@example ~]# service ipsec status
IPsec running – pluto pid: 27161
pluto pid 27161
0 tunnels up
no eroutes exist

Here is the output of ‘ipsec verify’ after successfully starting IPsec.

[root@example ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.18-274.12.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for ‘ip’ command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for ‘iptables’ command [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: [MISSING]

Once you are sure IPsec is properly setup on your Linux system then defining the VPN settings is pretty straight forward.

The first order of business will be creating the VPN connection configuratin file. Since we enabled ‘include /etc/ipsec.d/*.conf’ in our ipsec.conf file we can nicely put each VPN connection in its own configuration file for easy system documentation.

Create the following file ‘/etc/ipsec.d/HomeNet.conf’

conn HomeNet
#Define your IKE policy
#Define IPsec Policy
#Define Local then Remote Gateway & proxy-id
# leftid=
# rightid=
#Start the tunnel on boot

Define the Pre-shared key for the VPN

Once again we can specify a seperate file for each VPN secret.

include /etc/ipsec.d/*.secrets

#/etc/ipsec.d/HomeNet.secrets : PSK "example-key"

Attempt to bring the IPsec tunnel up by either making a connection to the remote network or use the following command.

[root@killsudo ~]# ipsec auto –up HomeNet

Check if the ipsec server is running:

[root@example ~]# service ipsec status
IPsec running – pluto pid: 31514
pluto pid 31514
1 tunnels up
some eroutes exist

Watch the VPN log for events:

[root@example ~]# tail -f /var/log/secure
May 1 03:10:24 example pluto[31514]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
May 1 03:10:24 example pluto[31514]: | pending review: connection “Home” checked
May 1 03:10:24 example pluto[31514]: | next event EVENT_PENDING_DDNS in 60 seconds
May 1 03:11:24 example pluto[31514]: |
May 1 03:11:24 example pluto[31514]: | next event EVENT_PENDING_DDNS in 0 seconds
May 1 03:11:24 example pluto[31514]: | *time to handle event
May 1 03:11:24 example pluto[31514]: | handling event EVENT_PENDING_DDNS
May 1 03:11:24 example pluto[31514]: | event after this is EVENT_PENDING_PHASE2 in 60 seconds
May 1 03:11:24 example pluto[31514]: | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
May 1 03:11:24 example pluto[31514]: | next event EVENT_PENDING_DDNS in 60 seconds

Detailed informtion of the running configuration:

[root@example ~]# ipsec whack –status

Show security-associations in CentOS with netstack:

[root@example ~]# ip xfrm state
src dst
proto esp spi 0x4ea35320 reqid 16385 mode tunnel
replay-window 32 flag 20
auth hmac(md5) 0x58c90e95f6302962392a4a0b78462794
enc cbc(des3_ede) 0xb00fb19415f406d64307614b3d17e7d8560c91ee7200dd98
src dst
proto esp spi 0x011e8755 reqid 16385 mode tunnel
replay-window 32 flag 20
auth hmac(md5) 0xc25f8857af6a75055ac3a6bb5cf634cd
enc cbc(des3_ede) 0x107baaf14854e91896e75cf2c5f5c213fb44aee51254df8a

This configuration can be extended in multiple ways and easily reused for Linux host to Linux host. I am interested in exploring StrongSwan with its MOBIKE support.

One Response to “Host to network IPsec VPN with OpenSwan and ScreenOS”

Leave a Reply

Your email address will not be published. Required fields are marked *

Powered by WordPress. Designed by elogi.