Manual IPsec Host-to-Host Configuration
The first step in creating a connection is to gather system and network information from each workstation. For a host-to-host connection, you need the following:
The IP address of each host
A unique name, for example,
. This is used to identify the IPsec
connection and to distinguish it from other devices or connections.
A fixed encryption key or one automatically generated by
A pre-shared authentication key that is used during the initial stage of the connection and to exchange encryption keys during the session.
For example, suppose Workstation A and Workstation B want to connect to each other through an IPsec
tunnel. They want to connect using a pre-shared key with the value of
, and the users agree to let
automatically generate and share an authentication key between each host. Both host users decide to name their connections
You should choose a PSK that uses a mixture of upper- and lower-case characters, numbers and punctuation. An easily-guessable PSK constitutes a security risk.
It is not necessary to use the same connection name for each host. You should choose a name that is convenient and meaningful for your installation.
The following is the IPsec
configuration file for Workstation A for a host-to-host IPsec
connection with Workstation B. The unique name to identify the connection in this example is
, so the resulting file is called
For Workstation A,
is the IP address of Workstation B. For Workstation B,
is the IP address of Workstation A. This connection is not set to initiate on boot-up (
ONBOOT=no) and it uses the pre-shared key method of authentication (
The following is the content of the pre-shared key file (called /etc/sysconfig/network-scripts/keys-ipsec1) that both workstations need to authenticate each other. The contents of this file should be identical on both workstations, and only the root user should be able to read or write this file.
To change the keys-ipsec1 file so that only the root user can read or edit the file, use the following command after creating the file:
# chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1
To change the authentication key at any time, edit the keys-ipsec1 file on both workstations.
Both authentication keys must be identical for proper connectivity.
The next example shows the specific configuration for the phase 1 connection to the remote host. The file is called
is the IP address of the remote IPsec
host. Note that this file is automatically generated when the IPsec
tunnel is activated and should not be edited directly.
exchange_mode aggressive, main;
dh_group 2 ;
The default phase 1 configuration file that is created when an IPsec connection is initialized contains the following statements used by the Fedora implementation of IPsec:
Specifies that the subsequent stanzas of this configuration file apply only to the remote node identified by the
The default configuration for IPsec on Fedora uses an aggressive authentication mode, which lowers the connection overhead while allowing configuration of several IPsec connections with multiple hosts.
Specifies the identification method to use when authenticating nodes. Fedora uses IP addresses to identify nodes.
Specifies the encryption cipher used during authentication. By default, Triple Data Encryption Standard (3DES) is used.
Specifies the hash algorithm used during phase 1 negotiation between nodes. By default, Secure Hash Algorithm version 1 is used.
Specifies the authentication method used during node negotiation. By default, Fedora uses pre-shared keys for authentication.
Specifies the Diffie-Hellman group number for establishing dynamically-generated session keys. By default, modp1024 (group 2) is used.
The Racoon Configuration File
files should be identical on all IPsec
statement. This statement (and the file it references) is generated when the IPsec
tunnel is activated. For Workstation A, the
statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical
file when the IPsec
connection is activated.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
file includes defined paths for IPsec
configuration, pre-shared key files, and certificates. The fields in
describe the phase 2 SA between the IPsec
nodes — the nature of the IPsec
connection (including the supported encryption algorithms used) and the method of exchanging keys. The following list defines the fields of phase 2:
Denotes that SA can anonymously initialize with any peer provided that the IPsec
Defines the Diffie-Hellman key exchange protocol, which determines the method by which the IPsec
nodes establish a mutual temporary session key for the second phase of IPsec
connectivity. By default, the Fedora implementation of IPsec
uses group 2 (or
) of the Diffie-Hellman cryptographic key exchange groups. Group 2 uses a 1024-bit modular exponentiation that prevents attackers from decrypting previous IPsec
transmissions even if a private key is compromised.
lifetime time 1 hour
This parameter specifies the lifetime of an SA and can be quantified either by time or by bytes of data. The default Fedora implementation of IPsec specifies a one hour lifetime.
encryption_algorithm 3des, blowfish 448, rijndael
Specifies the supported encryption ciphers for phase 2. Fedora supports 3DES, 448-bit Blowfish, and Rijndael (the cipher used in the Advanced Encryption Standard, or AES).
authentication_algorithm hmac_sha1, hmac_md5
Lists the supported hash algorithms for authentication. Supported modes are sha1 and md5 hashed message authentication codes (HMAC).
Defines the Deflate compression algorithm for IP Payload Compression (IPCOMP) support, which allows for potentially faster transmission of IP datagrams over slow connections.
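As an added example (not part of the original guide), the following shell function audits a racoon-style configuration for the phase 1 and phase 2 defaults described above that are no longer recommended: aggressive mode alongside a PSK, Diffie-Hellman groups of 1024 bits or less, 64-bit block ciphers, and MD5. The function names and the sample configuration, including the 192.0.2.10 peer address, are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag racoon settings that are no longer recommended.
# Reads a racoon-style configuration on stdin, prints one finding per line.
audit_racoon() {
    awk '
        function flag(msg) { printf "line %d: %s\n", NR, msg }
        { sub(/#.*/, "") }                        # ignore comments
        /^[ \t]*exchange_mode[ \t]/ && /aggressive/ {
            flag("exchange_mode allows aggressive; with a PSK prefer main only")
        }
        /^[ \t]*(dh_group|pfs_group)[ \t]/ && /[ \t](1|2|modp768|modp1024)[ \t]*;/ {
            flag("Diffie-Hellman group of 1024 bits or less; use 14 (modp2048) or higher")
        }
        /^[ \t]*encryption_algorithm[ \t]/ && /[ \t,](3?des|blowfish)[ \t,;]/ {
            flag("64-bit block cipher offered (DES, 3DES or Blowfish); restrict to rijndael (AES)")
        }
        /^[ \t]*(hash_algorithm|authentication_algorithm)[ \t]/ && /md5/ {
            flag("MD5-based algorithm offered; remove it")
        }
    '
}

# Constructed sample: values follow the defaults the guide describes.
sample_conf() {
    cat <<'EOF'
# constructed sample, peer address is a placeholder
remote 192.0.2.10
{
        exchange_mode aggressive, main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 2 ;
        }
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
}
EOF
}

sample_conf | audit_racoon
```

Run it against a live file with `audit_racoon < /etc/racoon/racoon.conf`; an empty result means none of the four checks matched.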
To start the connection, use the following command on each host:
# /sbin/ifup <nickname>
where <nickname> is the name you specified for the IPsec
To test the IPsec
connection, run the
utility to view the network packets being transferred between the hosts and verify that they are encrypted via IPsec. Each packet should include an AH header and should be shown as an ESP packet; ESP means it is encrypted. For example:
# tcpdump -n -i eth0 host <targetSystem>
IP 172.16.45.107 > 172.16.44.192: AH(spi=0x0954ccb6,seq=0xbb): ESP(spi=0x0c9f2164,seq=0xbb)
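The check above can be automated. This added example (not part of the original guide) filters `tcpdump -n` output and prints any packet between the two peers that is not wrapped in AH or ESP. The function names are hypothetical and the sample capture is constructed, apart from its first line, which is the one shown above.

```shell
#!/bin/sh
# Added example: list tcpdump lines between two IPsec peers that are NOT
# carried in AH/ESP. Reads `tcpdump -n` text output on stdin.
unprotected_lines() {
    awk -v a="$1" -v b="$2" '
        # Reduce "172.16.44.192:" or "172.16.44.192.22:" to the bare address.
        function host(s,    p) {
            sub(/:$/, "", s)
            split(s, p, ".")
            return p[1] "." p[2] "." p[3] "." p[4]
        }
        {
            # tcpdump normally prefixes a timestamp; "IP" is then field 2.
            i = ($1 == "IP") ? 1 : (($2 == "IP") ? 2 : 0)
            if (i == 0 || $(i + 2) != ">") next
            src = host($(i + 1)); dst = host($(i + 3))
            if (!((src == a && dst == b) || (src == b && dst == a))) next
            proto = $(i + 4)
            if (proto ~ /^(AH|ESP)\(/) next   # wrapped by IPsec
            if (proto ~ /^isakmp/) next       # IKE negotiation itself (UDP 500)
            print                             # everything else crossed in the clear
        }
    '
}

# Constructed sample capture; only the first line is taken from the guide.
sample_capture() {
    cat <<'EOF'
IP 172.16.45.107 > 172.16.44.192: AH(spi=0x0954ccb6,seq=0xbb): ESP(spi=0x0c9f2164,seq=0xbb)
10:02:11.000001 IP 172.16.45.107.500 > 172.16.44.192.500: isakmp: phase 1 I agg
10:02:12.000002 IP 172.16.44.192 > 172.16.45.107: ICMP echo reply, id 7, seq 1, length 64
10:02:13.000003 IP 172.16.45.107.51514 > 172.16.44.192.22: Flags [S], seq 1, length 0
10:02:14.000004 IP 172.16.45.107.51515 > 10.0.0.9.80: Flags [S], seq 1, length 0
EOF
}

sample_capture | unprotected_lines 172.16.45.107 172.16.44.192
```

On a live host, pipe the capture in directly, for example `tcpdump -n -l -i eth0 host <targetSystem> | unprotected_lines <hostA> <hostB>`; any line printed is traffic that bypassed the tunnel.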