The Linux Client is assumed to run the Fedora Core 5 distribution with ipsec-tools installed. For other distributions refer to the "IPsec-Tools home page" [41].
Setting up the tunnel consists of authenticating the client, and setting up the encryption keys and policy. In this example:
Authentication will be based on X.509 certificates. If the client has a certificate that was issued by the same Certifying Authority as the server's certificate, the client is considered trustworthy.
Internet Key Exchange (IKE) will exchange randomly generated encryption keys, and generate the authentication policies.
The encryption policy will be set using a script.
Set up an X.509 Certifying Authority (CA). Using this CA, sign the certificates for the Linux client. This process is described in Section 6.1, “Certificates”. Install the client's unencrypted private key, along with the certificates for the CA, the SISO server and the client. Then verify the certificate.
# Location of the CA and issued certificates on the administration host;
# PRJ_DIR is assumed to be set already.
SSL_DIR=$PRJ_DIR/openssl
CLIENT_DIR=/etc/ipsec
ssh root@crox.vonk "mkdir -p $CLIENT_DIR"
scp $SSL_DIR/ca/CAcert.pem \
    $SSL_DIR/ca/CRL.pem \
    $SSL_DIR/certs/crox.vonk-key.pem \
    $SSL_DIR/certs/crox.vonk-cert.pem root@crox.vonk:$CLIENT_DIR/
# The private key is stored unencrypted, so it must be readable by root only.
ssh root@crox.vonk "chmod 600 $CLIENT_DIR/crox.vonk-key.pem"
# racoon locates the CA certificate and CRL by the hash of the CA's subject
# name (<hash>.0 and <hash>.r0), the same layout OpenSSL uses for -CApath.
# The link targets are relative, so they resolve inside $CLIENT_DIR.
HASH=$(openssl x509 -noout -hash -in $SSL_DIR/ca/CAcert.pem)
ssh root@crox.vonk "ln -sf CAcert.pem $CLIENT_DIR/$HASH.0"
ssh root@crox.vonk "ln -sf CRL.pem $CLIENT_DIR/$HASH.r0"
# Verify the client certificate through the hashed directory, including the
# CRL check, so that both symlinks are exercised.
ssh root@crox.vonk "openssl verify -CApath $CLIENT_DIR -crl_check $CLIENT_DIR/crox.vonk-cert.pem"
Ensure that the IKE daemon racoon [42] is installed on the client. An example configuration file for racoon on the client can be found in Example E.7, “vpn-client:/etc/sysconfig/racoon/racoon.conf”.
The outgoing encryption policy tells the operating system when an IPsec tunnel should be used to send traffic. An example policy script can be found in Example E.8, “vpn-client:/etc/sysconfig/ipsec/setkey.conf”.
The syslog on the Linux IPsec client looks as shown below.
racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
racoon: INFO: fe80::290:4bff:fe2f:6ed4%wlan0[500] used as isakmp port (fd=8)
racoon: INFO: fe80::20d:56ff:fe32:dd8b%eth0[500] used as isakmp port (fd=9)
racoon: INFO: ::1[500] used as isakmp port (fd=11)
racoon: INFO: 10.0.2.111[500] used as isakmp port (fd=12)
racoon: INFO: 10.0.1.111[500] used as isakmp port (fd=13)
racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
racoon: NOTIFY: no in-bound policy found: 10.0.0.2/32[0] 10.0.1.111/32[0] proto=any dir=in
racoon: INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: 10.0.1.111[500]<=>10.0.0.2[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: ISAKMP-SA established 10.0.1.111[500]-10.0.0.2[500] spi:9dd5743702d60465:b1770e32da384dcc
racoon: INFO: initiate new phase 2 negotiation: 10.0.1.111[0]<=>10.0.0.2[0]
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.2->10.0.1.111 spi=6958467(0x6a2d83)
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.111->10.0.0.2 spi=112868448(0x6ba3c60)
The tcpdump for the same section shows the ESP encapsulation for the ICMP (ping) packets.
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x1)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x1)
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x2)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x2)
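The racoon log and the tcpdump output above can be cross-checked against each other: every ESP packet on the wire should carry an SPI that racoon announced in an "IPsec-SA established" line, travel in the direction that SA was negotiated for, and carry a strictly increasing sequence number (an ESP receiver discards anything else as a replay). The script below is an added example, not part of the original document or of ipsec-tools; it parses both outputs and reports packets that violate these expectations. The log and capture lines it uses are copied from the output shown above; the hostname-to-address mapping (crox.lan.vonk = 10.0.1.111, siso.ext.vonk = 10.0.0.2) is an assumption inferred from the two outputs, since the document does not state it. Note that tcpdump zero-pads the SPI to eight hex digits while racoon does not, so the values must be compared numerically rather than as strings.

```python
"""Cross-check racoon's negotiated IPsec SAs against ESP packets seen by tcpdump.

Added example, not from the original document. The sample log and capture
lines are copied from the document's output; the HOSTS mapping is assumed.
"""
import re
from dataclasses import dataclass

# Copied from the document's racoon syslog excerpt (only the phase 2 result lines).
RACOON_LOG = """\
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.2->10.0.1.111 spi=6958467(0x6a2d83)
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.111->10.0.0.2 spi=112868448(0x6ba3c60)
"""

# Copied from the document's tcpdump excerpt.
TCPDUMP = """\
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x1)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x1)
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x2)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x2)
"""

# Assumed mapping from the names tcpdump prints to the addresses racoon logs
# (inferred from the two outputs; not stated in the document).
HOSTS = {"crox.lan.vonk": "10.0.1.111", "siso.ext.vonk": "10.0.0.2"}

SA_RE = re.compile(
    r"IPsec-SA established: (?P<mode>\S+) (?P<src>[^\s>]+)->(?P<dst>\S+) "
    r"spi=(?P<dec>\d+)\((?P<hex>0x[0-9a-fA-F]+)\)"
)
ESP_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)


@dataclass(frozen=True)
class SecurityAssociation:
    mode: str  # e.g. "ESP/Transport"
    src: str   # address that sends packets carrying this SPI
    dst: str
    spi: int


def parse_racoon_sas(log: str) -> dict[int, SecurityAssociation]:
    """Collect the SAs racoon reports as established, keyed by SPI."""
    sas: dict[int, SecurityAssociation] = {}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m is None:
            continue
        spi = int(m["dec"])
        # racoon prints the SPI in decimal and hex; a disagreement means a mangled line.
        if spi != int(m["hex"], 16):
            raise ValueError(f"inconsistent SPI in log line: {line!r}")
        sas[spi] = SecurityAssociation(m["mode"], m["src"], m["dst"], spi)
    return sas


def audit_esp_capture(dump: str, sas: dict[int, SecurityAssociation],
                      hosts: dict[str, str]) -> dict[str, list[str]]:
    """Classify each ESP packet in a tcpdump text capture.

    matched:            SPI known, direction as negotiated, sequence increasing
    unknown_spi:        SPI never announced by racoon
    wrong_direction:    known SPI used by the wrong sender
    seq_not_increasing: sequence number did not grow (a receiver drops these)
    """
    findings: dict[str, list[str]] = {
        "matched": [], "unknown_spi": [], "wrong_direction": [], "seq_not_increasing": []}
    last_seq: dict[int, int] = {}
    for line in dump.splitlines():
        m = ESP_RE.search(line)
        if m is None:
            continue
        spi = int(m["spi"], 16)  # numeric compare: tcpdump zero-pads, racoon does not
        seq = int(m["seq"], 16)
        sa = sas.get(spi)
        if sa is None:
            findings["unknown_spi"].append(line)
            continue
        # tcpdump prints names unless run with -n; map them to the logged addresses.
        src = hosts.get(m["src"], m["src"])
        dst = hosts.get(m["dst"], m["dst"])
        if (src, dst) != (sa.src, sa.dst):
            findings["wrong_direction"].append(line)
            continue
        if spi in last_seq and seq <= last_seq[spi]:
            findings["seq_not_increasing"].append(line)
            continue
        last_seq[spi] = seq
        findings["matched"].append(line)
    return findings


if __name__ == "__main__":
    result = audit_esp_capture(TCPDUMP, parse_racoon_sas(RACOON_LOG), HOSTS)
    for category, lines in result.items():
        print(f"{category}: {len(lines)}")
```

On the document's own output all four ESP packets fall into the matched category; feeding the same functions a capture with an SPI racoon never announced, or with a known SPI sent from the wrong side, moves those packets into the other categories, which is the quick way to tell stray or mis-negotiated ESP traffic from the tunnel that was actually set up.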