How to Install and Run IPsec on CentOS6.5 with Openswan


  1. Install epel
    • wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    • rpm -Uvh epel-release-6*.rpm
  2. Install Openswan
    • yum install openswan
  3. Enable kernel IP packet forwarding and disable ICMP redirects.
    • echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
    • echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
    • echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
    • for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
    • sysctl -p
  4. Set SELinux to permissive mode and stop iptables, then verify the IPsec setup
    • setenforce 0
    • service iptables stop
    • ipsec verify
  5. Generate an RSA keypair for the host
    • certutil -N -d /etc/ipsec.d/
    • ipsec newhostkey --output my.secrets --bits 1024 --verbose --configdir /etc/pki/nssdb/
      Note: this may take about 10 minutes.
    • ipsec showhostkey --left    (run on Host 1)
    • ipsec showhostkey --right   (run on Host 2)
  6. Generate certificates and a pre-shared key
      HOST1:
    • certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -t "C,C,C" -x -d /etc/ipsec.d
    • pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
    • scp cacert1.p12 root@10.21.11.108:/etc/ipsec.d/
    • certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" -d /etc/ipsec.d
    • ipsec ranbits --continuous 128
      Note: prints the key, e.g. 0x0e159877e0b62925aa195ef0386d4047
    • vim /etc/ipsec.secrets and add:
        : RSA usercert1
        10.21.10.25 10.21.11.108 : PSK "0x2ab265cd8d768e5f74e990ff02f69e6e"

      HOST2:
    • cd /etc/ipsec.d
    • pk12util -i cacert1.p12 -d /etc/ipsec.d
    • certutil -M -n cacert1 -t "C,C,C" -d /etc/ipsec.d
    • certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" -d /etc/ipsec.d
    • vim /etc/ipsec.secrets and add:
        : RSA usercert2
        10.21.10.25 10.21.11.108 : PSK "0x2ab265cd8d768e5f74e990ff02f69e6e"
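
As an added example that is not part of the original guide: a small POSIX shell script that produces a 128-bit PSK and writes the two-host secrets line in the format shown above, then checks it before the service is restarted. It assumes /dev/urandom stands in for ipsec ranbits (which needs Openswan installed) and that the secrets file path is passed as an argument; the addresses are plain strings, so the IPv6 line from the last section can be written the same way.

```shell
#!/bin/sh
# Added example, not from the original guide. Generates a 128-bit PSK and writes
# the "<left> <right> : PSK \"<key>\"" line that /etc/ipsec.secrets expects.
# Assumptions: /dev/urandom stands in for 'ipsec ranbits --continuous 128'
# (which needs Openswan installed), and the secrets file path is an argument.

# 128 random bits formatted as 0x followed by 32 lowercase hex digits, the same
# shape ipsec ranbits prints in the guide.
gen_psk() {
    printf '0x%s' "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
}

# Write the secrets line. The file is created under umask 077 in a subshell so
# the umask change does not leak into the caller; pluto reads the file as root
# and the key must not be readable by other users.
write_psk_secrets() {
    left="$1"; right="$2"; key="$3"; out="$4"
    ( umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$key" > "$out" )
    chmod 600 "$out"
}

# Checks to run before 'service ipsec restart': the key is exactly 0x plus
# 32 hex digits, and the file permissions are exactly 600.
check_psk_file() {
    out="$1"
    key=$(sed -n 's/.* : PSK "\(0x[0-9a-f]*\)"$/\1/p' "$out")
    [ "${#key}" -eq 34 ] || { echo "bad PSK length in $out" >&2; return 1; }
    [ -n "$(find "$out" -perm 600)" ] || { echo "$out must be mode 600" >&2; return 1; }
    return 0
}

# Usage with the guide's two hosts (the output path is the real secrets file):
# write_psk_secrets 10.21.10.25 10.21.11.108 "$(gen_psk)" /etc/ipsec.secrets
```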

  7. Build up the tunnel
    • vim /etc/ipsec.conf and add:
        version 2.0
        config setup
            protostack=netkey
            nat_traversal=no
            virtual_private=%v4:10.21.0.0/16
            oe=off
        include /etc/ipsec.d/*.conf


      HOST1:
    • vim /etc/ipsec.d/my_host-to-host.conf and add (left is Host 1, right is Host 2):
        conn mytunnel
            left=10.21.10.25
            right=10.21.11.108
            auto=start
            authby=secret
            leftcert=usercert1
            rekey=no
            esp=aes-sha1
            ike=aes-sha1


      HOST2:
    • vim /etc/ipsec.d/my_host-to-host.conf and add (left is Host 1, right is Host 2):
        conn mytunnel
            left=10.21.10.25
            right=10.21.11.108
            auto=start
            authby=secret
            leftcert=usercert2
            rekey=no
            esp=aes-sha1
            ike=aes-sha1

    • service ipsec restart
    • ipsec auto --add mytunnel
    • ipsec auto --up mytunnel
  8. Check status
    • ipsec auto --status

IPv6


  1. vim /etc/ipsec.d/my_host-to-host.conf and set:
        connaddrfamily=ipv6
        left="2001:e10:6840:21:a00:27ff:fea6:c829"
        right="2001:e10:6840:21:a00:27ff:fe57:c2db"
  2. vim /etc/ipsec.secrets and add:
        2001:e10:6840:21:a00:27ff:fea6:c829 2001:e10:6840:21:a00:27ff:fe57:c2db : PSK "0x2ab265cd8d768e5f74e990ff02f69e6e"