A Configuring IPSec for Secure Packet Transmission between All Hosts
- Switch to the root user with "su -".
- Enable the IPsec service so that it starts at boot by running the command:
  systemctl enable ipsec
  For example:
  [admusr@mps-A~]$ systemctl enable ipsec
  Created symlink /etc/systemd/system/multi-user.target.wants/ipsec.service -> /usr/lib/systemd/system/ipsec.service
  [admusr@mps-A~]$
- Configure the firewall (if enabled) to allow UDP ports 500 and 4500 for the IKE, ESP, and AH protocols by adding the IPsec service:
  firewall-cmd --add-service="ipsec"
  firewall-cmd --runtime-to-permanent
- Initialize the new NSS database by running the following command as root:
  ipsec initnss
  For example:
  [admusr@mps-A~]$ ipsec initnss
  Initializing NSS database
  [admusr@mps-A ~]$
- Create the host-to-host VPN link. Change the directory to /etc/ipsec.d/.
- Create a new file with the name my_host-to-host.conf.
- Edit the file and enter all the details shown below. Every option line under conn mytunnel (auto=start and the lines that follow it) must be indented by exactly one tab. To define more than one tunnel, add a further conn section named with the "-also" suffix, for example "conn mytunnel-also".
  conn mytunnel
  	auto=start
  	keyexchange=ike
  	phase2=esp
  	pfs=no
  	type=tunnel
  	authby=secret
  	leftid=(IP address of the local Linux machine)
  	left=(IP address of the local Linux machine)
  	right=(IP address of the remote Linux machine)
  	rightid=(IP address of the remote Linux machine)
  If more than one IPsec connection is required, for example from the LSMS to multiple ELAPs, write the file as follows:
  conn mytunnel
  	auto=start
  	keyexchange=ike
  	phase2=esp
  	pfs=no
  	type=tunnel
  	authby=secret
  	leftid=(IP address of the local Linux machine)
  	left=(IP address of the local Linux machine)
  	right=(IP address of the remote Linux machine)
  	rightid=(IP address of the remote Linux machine)
  conn mytunnel-also
  	auto=start
  	keyexchange=ike
  	phase2=esp
  	pfs=no
  	type=tunnel
  	authby=secret
  	leftid=(IP address of the local Linux machine)
  	left=(IP address of the local Linux machine)
  	right=(IP address of the remote Linux machine)
  	rightid=(IP address of the remote Linux machine)
- Create a new file with the name ipsec.secrets. Edit the file and enter the following details. Here, pre-shared-key can be any passphrase:
  siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
  In case of multiple sites:
  siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
  siteA-public-IP siteC-public-IP: PSK "corresponding-pre-shared-key"
- Edit the file /etc/ipsec.conf. Go to line no. 17, comment out the flag oe=off as shown, and save the file:
  #oe=off
- Start the IPsec service by running the command:
  systemctl start ipsec
- If the conf file is modified, restart the IPsec service by running the command:
  systemctl restart ipsec
- To verify tunnel creation and traffic flow, run the following command:
  ipsec traffic
  For example:
  [admusr@mps-A~]# ipsec traffic
  006 #4: "mytunnel", type=ESP, add_time=1666264187, inBytes=600, outBytes=544, id='x.x.x.x'
  006 #6: "mytunnel-also", type=ESP, add_time=1666264189, inBytes=2820, outBytes=2024, id='x.x.x.x'
- Follow the same steps at the peer end.
- Below is a sample site scenario where 1 LSMS and 2 ELAP hosts are connected:
  LSMS Site IP: 10.71.141.10
  ELAP Site A: 10.71.141.20
  ELAP Site B: 10.71.141.21

Sample Files for LSMS Site (10.71.141.10)

File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.10
	left=10.75.141.10
	right=10.75.141.20
	rightid=10.75.141.20
conn mytunnel-also
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.10
	left=10.75.141.10
	right=10.75.141.21
	rightid=10.75.141.21

File - /etc/ipsec.d/ipsec.secrets
10.75.141.10 10.75.141.20 : PSK "Abc1234"
10.75.141.10 10.75.141.21 : PSK "Abc1234"

Sample Files for ELAP Site A (10.71.141.20)

File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.20
	left=10.75.141.20
	right=10.75.141.10
	rightid=10.75.141.10

File - /etc/ipsec.d/ipsec.secrets
10.75.141.20 10.75.141.10 : PSK "Abc1234"

Sample Files for ELAP Site B (10.71.141.21)

File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.71.141.21
	left=10.71.141.21
	right=10.75.141.10
	rightid=10.75.141.10

File - /etc/ipsec.d/ipsec.secrets
10.71.141.21 10.75.141.10 : PSK "Abc1234"
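As an added example (not part of this document or of the LSMS/ELAP product), the following Python check parses a my_host-to-host.conf written in the layout above together with its ipsec.secrets, and reports any authby=secret conn that has no PSK line for its left/right address pair or whose leftid/rightid differ from left/right, which are the two mistakes that leave a tunnel unable to authenticate. The addresses and PSK strings in the sample input are constructed; the pair lookup is accepted in either order, as the peer-end secrets files above list the two addresses reversed.

```python
import re

def conn_block(name, left, right):
    """Build one conn section in the page's layout: conn header, then one tab per option line."""
    opts = ["auto=start", "keyexchange=ike", "phase2=esp", "pfs=no", "type=tunnel", "authby=secret",
            f"leftid={left}", f"left={left}", f"right={right}", f"rightid={right}"]
    return f"conn {name}\n" + "".join(f"\t{opt}\n" for opt in opts)

# Constructed sample input (documentation addresses, made-up PSK); not a real site.
SAMPLE_CONF = conn_block("mytunnel", "192.0.2.10", "192.0.2.20") + \
              conn_block("mytunnel-also", "192.0.2.10", "192.0.2.21")
# Only the first peer has a PSK line, so the second tunnel could never authenticate.
SAMPLE_SECRETS = '192.0.2.10 192.0.2.20 : PSK "example-psk-A"\n'

def parse_conns(conf_text):
    """Return {conn_name: {option: value}}; blank lines and '#' comments are skipped."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("conn "):
            current = stripped.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def parse_psk_pairs(secrets_text):
    """Return the set of unordered address pairs that have a 'left right : PSK "..."' line."""
    line_re = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"[^"]*"', re.M)
    return {frozenset(m.groups()) for m in line_re.finditer(secrets_text)}

def check_tunnels(conf_text, secrets_text):
    """List misconfigurations in the conf/secrets pair that would keep a tunnel from coming up."""
    problems, pairs = [], parse_psk_pairs(secrets_text)
    for name, opts in parse_conns(conf_text).items():
        left, right = opts.get("left"), opts.get("right")
        for side in ("left", "right"):
            if opts.get(side) != opts.get(side + "id"):
                problems.append(f"{name}: {side}id does not match {side}")
        # The pair is matched in either order, as the peer-end files on this page list it reversed.
        if opts.get("authby") == "secret" and frozenset((left, right)) not in pairs:
            problems.append(f"{name}: no PSK entry for {left} <-> {right}")
    return problems
```

Run it against the real files before systemctl restart ipsec; an empty list means every conn has its PSK line and consistent identities.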