A Configuring IPSec for Secure Packet Transmission between All Hosts
- Switch to the root user with "su -".
- Enable the ipsec service to start at boot by running the command:
systemctl enable ipsec
For example:
[admusr@mps-A~]$ systemctl enable ipsec
[admusr@mps-A~]$ Created symlink /etc/systemd/system/multi-user.target.wants/ipsec.service -> /usr/lib/systemd/system/ipsec.service
- Configure the firewall (if enabled) to allow UDP ports 500 and 4500 for IKE, and the ESP and AH protocols, by adding the IPsec service and making the change permanent:
firewall-cmd --add-service="ipsec"
firewall-cmd --runtime-to-permanent
- Initialize the new NSS database by running the following command as root:
ipsec initnss
For example:
[admusr@mps-A~]$ ipsec initnss
[admusr@mps-A ~]$ Initializing NSS database
- Create the host-to-host VPN link. Change the directory to /etc/ipsec.d/.
- Create a new file with the name my_host-to-host.conf.
- Edit the file and enter all the details shown below:
It is mandatory to keep exactly one tab between "conn mytunnel" and "auto=start"; that is, every setting line under a conn is indented by one tab. Similarly, to define more than one tunnel, add further conn sections named with the "-also" suffix, for example "conn mytunnel-also".
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=(ip address of self linux machine)
	left=(ip address of self linux machine)
	right=(ip address of remote linux machine)
	rightid=(ip address of remote linux machine)
If more than one IPsec connection is required, for example from the LSMS to multiple ELAPs, write the sections as shown below:
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=(ip address of self linux machine)
	left=(ip address of self linux machine)
	right=(ip address of remote linux machine)
	rightid=(ip address of remote linux machine)
conn mytunnel-also
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=(ip address of self linux machine)
	left=(ip address of self linux machine)
	right=(ip address of remote linux machine)
	rightid=(ip address of remote linux machine)
- Create a new file with the name ipsec.secrets. Edit the file and enter the following details. Here, pre-shared-key can be any passphrase:
siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
In case of multiple sites:
siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
siteA-public-IP siteC-public-IP: PSK "corresponding-pre-shared-key"
- Edit the file /etc/ipsec.conf. Go to line 17, comment out the flag oe=off as shown below, and save the file:
#oe=off
- Start the IPsec service by running the command:
systemctl start ipsec
- If the conf file is modified, restart the IPsec service by running the command:
systemctl restart ipsec
- To verify that the tunnels are created and traffic is flowing, run the following command:
ipsec traffic
For example:
[admusr@mps-A~]# ipsec traffic
006 #4: "mytunnel", type=ESP, add_time=1666264187, inBytes=600, outBytes=544,id='x.x.x.x'
006 #6: "mytunnel-also", type=ESP, add_time=1666264189, inBytes=2820, outBytes=2024,id='x.x.x.x'
- Follow the same steps at the peer end.
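The check that `ipsec traffic` supports can be automated once the tunnels are up. The Python script below is an added example and is not part of this procedure or of Libreswan: it parses status lines in the shape shown in the example output (the sample output embedded in the script is constructed from the two example lines plus an invented third tunnel, mytunnel-siteC) and reports, for each expected conn name, whether an ESP SA is up and whether bytes are flowing in both directions. A tunnel that sends but never receives is the usual sign of a firewall or a mismatched conf at the peer end, which is why it gets its own state. When a conn has been rekeyed and shows more than one SA, the highest SA number is taken as the current one.

```python
import re
from typing import Dict, List

# Pattern for one status line of `ipsec traffic`, in the shape shown in this
# procedure's example output: status code, SA number, conn name, counters, peer id.
TRAFFIC_RE = re.compile(
    r'^\d{3}\s+#(?P<sa>\d+):\s+"(?P<name>[^"]+)",\s+type=(?P<type>\w+),\s+'
    r'add_time=(?P<add_time>\d+),\s+inBytes=(?P<inb>\d+),\s+outBytes=(?P<outb>\d+),'
    r"\s*id='(?P<peer>[^']*)'"
)

# Constructed sample: the two lines from the example above plus one extra
# tunnel (mytunnel-siteC) that has sent traffic but never received any.
SAMPLE_OUTPUT = """\
[admusr@mps-A~]# ipsec traffic
006 #4: "mytunnel", type=ESP, add_time=1666264187, inBytes=600, outBytes=544,id='x.x.x.x'
006 #6: "mytunnel-also", type=ESP, add_time=1666264189, inBytes=2820, outBytes=2024,id='x.x.x.x'
006 #9: "mytunnel-siteC", type=ESP, add_time=1666264201, inBytes=0, outBytes=1200,id='x.x.x.x'
"""


def parse_traffic(output: str) -> List[Dict[str, object]]:
    """Return one record per SA line; the prompt and unrelated lines are skipped."""
    records: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = TRAFFIC_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "sa": int(m["sa"]),
            "name": m["name"],
            "type": m["type"],
            "add_time": int(m["add_time"]),
            "in_bytes": int(m["inb"]),
            "out_bytes": int(m["outb"]),
            "peer": m["peer"],
        })
    return records


def check_tunnels(expected: List[str], records: List[Dict[str, object]]) -> Dict[str, str]:
    """Classify each expected conn name from the newest ESP SA reported for it.

    ok           bytes flow in both directions
    no-sa        no ESP SA is up for that conn (tunnel never negotiated)
    no-inbound   we send, but nothing from the peer arrives
    no-outbound  peer traffic arrives, but nothing is sent back
    idle         SA is up but no bytes in either direction yet
    """
    by_name: Dict[str, List[Dict[str, object]]] = {}
    for r in records:
        if r["type"] == "ESP":
            by_name.setdefault(str(r["name"]), []).append(r)
    result: Dict[str, str] = {}
    for name in expected:
        sas = by_name.get(name)
        if not sas:
            result[name] = "no-sa"
            continue
        newest = max(sas, key=lambda r: int(r["sa"]))
        inb, outb = int(newest["in_bytes"]), int(newest["out_bytes"])
        if inb == 0 and outb == 0:
            result[name] = "idle"
        elif inb == 0:
            result[name] = "no-inbound"
        elif outb == 0:
            result[name] = "no-outbound"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    # mytunnel-siteD is deliberately absent from the sample output.
    expected = ["mytunnel", "mytunnel-also", "mytunnel-siteC", "mytunnel-siteD"]
    for name, state in check_tunnels(expected, parse_traffic(SAMPLE_OUTPUT)).items():
        print(f"{name}: {state}")
```

On a live host, replace SAMPLE_OUTPUT with the captured output of `ipsec traffic` run as root, and list in `expected` every conn name defined in my_host-to-host.conf; anything other than "ok" for a conn is worth a look before declaring the site done.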
- Below is a sample site scenario where 1 LSMS and 2 ELAP hosts are connected:
LSMS Site IP: 10.71.141.10
ELAP Site A: 10.71.141.20
ELAP Site B: 10.71.141.21
Sample Files for LSMS Site (10.71.141.10)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.10
	left=10.75.141.10
	right=10.75.141.20
	rightid=10.75.141.20
conn mytunnel-also
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.10
	left=10.75.141.10
	right=10.75.141.21
	rightid=10.75.141.21
File - /etc/ipsec.d/ipsec.secrets
10.75.141.10 10.75.141.20 : PSK "Abc1234"
10.75.141.10 10.75.141.21 : PSK "Abc1234"
Sample Files for ELAP Site A (10.71.141.20)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.20
	left=10.75.141.20
	right=10.75.141.10
	rightid=10.75.141.10
File - /etc/ipsec.d/ipsec.secrets
10.75.141.20 10.75.141.10 : PSK "Abc1234"
Sample Files for ELAP Site B (10.71.141.21)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.71.141.21
	left=10.71.141.21
	right=10.75.141.10
	rightid=10.75.141.10
File - /etc/ipsec.d/ipsec.secrets
10.71.141.21 10.75.141.10 : PSK "Abc1234"
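When the LSMS carries one conn per ELAP, the per-site files are easier to keep consistent if they are generated and then cross-checked rather than edited by hand at every site. The Python below is an added example and is not part of this procedure or of Libreswan. `build_site_files` renders my_host-to-host.conf and ipsec.secrets for one site in exactly the layout used above (one tab before each setting, leftid/left set to the local address, right/rightid to the peer), and `validate` parses both files back and reports: a conn whose left/right pair has no PSK line in the secrets file (the two files are matched as an unordered address pair, so the peer's reversed line still matches), settings not indented by a single tab, leftid/rightid that differ from left/right, and the two weaker choices the sample files make, namely pfs=no and a 7-character pre-shared key. The function names, the `min_psk_len` threshold and the findings text are this example's own; the addresses and the "Abc1234" key in the demo run are taken from the sample scenario.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Settings that every conn in this procedure shares; only the endpoints differ.
COMMON_SETTINGS = (("auto", "start"), ("keyexchange", "ike"), ("phase2", "esp"),
                   ("pfs", "no"), ("type", "tunnel"), ("authby", "secret"))
REQUIRED_KEYS = ("authby", "leftid", "left", "right", "rightid")
CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
SETTING_RE = re.compile(r"^(\s+)([A-Za-z0-9_-]+)=(\S+)\s*$")
SECRET_RE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')


def conn_block(name: str, local_ip: str, peer_ip: str) -> str:
    """Render one conn section, each setting indented by exactly one tab."""
    lines = [f"conn {name}"] + [f"\t{k}={v}" for k, v in COMMON_SETTINGS]
    lines += [f"\tleftid={local_ip}", f"\tleft={local_ip}",
              f"\tright={peer_ip}", f"\trightid={peer_ip}"]
    return "\n".join(lines) + "\n"


def build_site_files(local_ip: str, peers: Dict[str, Tuple[str, str]]) -> Tuple[str, str]:
    """Return (my_host-to-host.conf text, ipsec.secrets text) for one site.

    peers maps conn name -> (peer address, pre-shared key): a hub such as the
    LSMS passes one entry per ELAP, an ELAP passes a single entry for the LSMS.
    """
    conf = "\n".join(conn_block(name, local_ip, ip) for name, (ip, _) in peers.items())
    secrets = "".join(f'{local_ip} {ip} : PSK "{psk}"\n' for ip, psk in peers.values())
    return conf, secrets


def parse_conn_file(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Parse conn sections; report lines not shaped as the procedure requires."""
    conns: Dict[str, Dict[str, str]] = {}
    findings: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = CONN_RE.match(raw)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = SETTING_RE.match(raw)
        if m and current is not None:
            indent, key, value = m.groups()
            if indent != "\t":
                findings.append(f"line {lineno}: {key} in conn {current} is not indented by a single tab")
            conns[current][key] = value
            continue
        findings.append(f"line {lineno}: unrecognised line {raw.strip()!r}")
    return conns, findings


def parse_secrets(text: str) -> Tuple[Dict[FrozenSet[str], str], List[str]]:
    """Map each unordered address pair to its PSK; both colon spellings are accepted."""
    secrets: Dict[FrozenSet[str], str] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = SECRET_RE.match(raw)
        if not m:
            findings.append(f"line {lineno}: unrecognised secrets line {raw.strip()!r}")
            continue
        a, b, psk = m.groups()
        secrets[frozenset((a, b))] = psk
    return secrets, findings


def validate(conf_text: str, secrets_text: str, min_psk_len: int = 16) -> List[str]:
    """Cross-check a site's conf against its secrets and flag weak choices."""
    conns, findings = parse_conn_file(conf_text)
    secrets, more = parse_secrets(secrets_text)
    findings += more
    for name, s in conns.items():
        missing = [k for k in REQUIRED_KEYS if k not in s]
        if missing:
            findings.append(f"conn {name}: missing {', '.join(missing)}")
            continue
        if s["leftid"] != s["left"] or s["rightid"] != s["right"]:
            findings.append(f"conn {name}: leftid/rightid differ from left/right")
        if s["authby"] == "secret":
            pair = frozenset((s["left"], s["right"]))
            if pair not in secrets:
                findings.append(f"conn {name}: no PSK line for {s['left']} <-> {s['right']} in ipsec.secrets")
            elif len(secrets[pair]) < min_psk_len:
                findings.append(f"conn {name}: PSK is shorter than {min_psk_len} characters")
        if s.get("pfs") == "no":
            findings.append(f"conn {name}: pfs=no, so the ESP keys get no forward secrecy")
    return findings


if __name__ == "__main__":
    # LSMS hub with its two ELAP peers, using the sample scenario's addresses and key.
    conf, secrets = build_site_files("10.75.141.10", {
        "mytunnel": ("10.75.141.20", "Abc1234"),
        "mytunnel-also": ("10.75.141.21", "Abc1234"),
    })
    print(conf + secrets)
    for finding in validate(conf, secrets):
        print("finding:", finding)
```

Run the validator on each site's pair of files before starting the service; a "no PSK line" finding on one side means the two hosts disagree on an address and IKE authentication will fail, while the pfs and key-length findings are the places where the defaults in the sample files can be tightened if the deployment allows it.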