[LARTC] ipsec for linux 2.4 eventually made easy?!

Linux Advanced Routing and Traffic Control

hi there,
I just wanted to share a recent discovery I made on how to set up a secure VPN implementation for linux 2.4.x (I'm using 2.4.20, but as far as the documentation states it should work for > 2.4.18) without using FreeS/WAN.


The tool (ipsec_tunnel: http://ringstrom.mine.nu/ipsec_tunnel/, by Tobias Ringström) is a kernel module based on ipip and ip_gre. It uses CryptoAPI to carry out the actual encryption, as in the 2.5 implementation.


Installation and setup are a matter of a few seconds:
get CryptoAPI (http://www.kernel.org/pub/linux/kernel/crypto/v2.4/cryptoapi-0.1.0.tar.gz), untar and compile it as modules:
tar xvfz cryptoapi-0.1.0.tar.gz
cd cryptoapi-0.1.0
make modules KDIR=/path/to/running/kernel
make modules_install
modprobe cryptoapi
modprobe cipher-3des
modprobe digest-sha1


Get ipsec_tunnel (http://ringstrom.mine.nu/ipsec_tunnel/download/ipsec_tunnel-0.9.tar.gz)
tar xvfz ipsec_tunnel-0.9.tar.gz
cd ipsec_tunnel-0.9
./configure    # it will ask you for the path to the cryptoapi source and to your running kernel
make
make install
modprobe ipsec_tunnel


create an encryption key and an authentication key:
mkdir /etc/ipsec
chmod 500 /etc/ipsec
ipsecadm key create 3des --file=/etc/ipsec/demo.ciph.key
ipsecadm key create sha1 --file=/etc/ipsec/demo.auth.key

copy them to the remote host (with scp)
scp /etc/ipsec/* root@xxxxxxxxxxx:/etc/ipsec/

Now the actual setup (clearly explained in the ipsec_tunnel documentation):

A) Local host (replace 172.16.0.1 with your public IP; 192.168.122.1 will be the address of the host in the VPN)

ipsecadm sa add --spi=0x1000 --dst=172.16.0.1 --src=172.16.0.2 \
--cipher=3des-cbc --cipher-keyfile=/etc/ipsec/demo.ciph.key \
--digest=sha1 --digest-keyfile=/etc/ipsec/demo.auth.key --duplex

ipsecadm tunnel add ipsec1 --local=172.16.0.1 --remote=172.16.0.2
ifconfig ipsec1 192.168.122.1 up
route add -net 192.168.122.0/24 dev ipsec1

B) Remote host (replace 172.16.0.2 with its public IP; 192.168.122.2 will be its address in the VPN)
ipsecadm sa add --spi=0x1000 --dst=172.16.0.2 --src=172.16.0.1 \
--cipher=3des-cbc --cipher-keyfile=/etc/ipsec/demo.ciph.key \
--digest=sha1 --digest-keyfile=/etc/ipsec/demo.auth.key --duplex


ipsecadm tunnel add ipsec1 --local=172.16.0.2 --remote=172.16.0.1

ifconfig ipsec1 192.168.122.2 up
route add -net 192.168.122.0/24 dev ipsec1


You now have your secure VPN up and running. I think it's quite cool. What do you think? Shouldn't this get into LARTC? I believe it definitely should!


Best regards,
Andrea Rossato
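The two-sided setup described in the post above, as an added example (not from the post or from ipsec_tunnel itself): a small POSIX shell script that checks the copied key files are non-empty and not readable by group/other, then emits the mirrored ipsecadm/ifconfig/route commands for whichever end it is run on. The ipsecadm flags are the ones shown in the post; the function names, the script arguments and the interface/route values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of ipsec_tunnel.
# Emits the commands for one end of the tunnel and checks the key files.

SPI=0x1000                          # must be identical on both ends
CIPH_KEY=/etc/ipsec/demo.ciph.key   # key files as created in the post
AUTH_KEY=/etc/ipsec/demo.auth.key

# Refuse a key file that is missing, empty, or readable by group/other.
# Returns 0 if the file is acceptable, 1 otherwise.
check_keyfile() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty key file: $f" >&2; return 1; }
    # columns 5-10 of `ls -l` are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$f is readable by group/other (bits: $perms)" >&2; return 1; }
    return 0
}

# Print the commands for one end. Arguments: this host's public IP, the
# peer's public IP, this host's address inside the VPN. The SA is mirrored:
# --dst is always the host running the command, --src is always the peer,
# and the SPI and key files are the same on both sides.
tunnel_commands() {
    me=$1; peer=$2; vpn_addr=$3
    cat <<EOF
ipsecadm sa add --spi=$SPI --dst=$me --src=$peer \\
  --cipher=3des-cbc --cipher-keyfile=$CIPH_KEY \\
  --digest=sha1 --digest-keyfile=$AUTH_KEY --duplex
ipsecadm tunnel add ipsec1 --local=$me --remote=$peer
ifconfig ipsec1 $vpn_addr up
route add -net 192.168.122.0/24 dev ipsec1
EOF
}

# Usage: sh tunnel.sh <my-public-ip> <peer-public-ip> <my-vpn-ip>
#   local host:  sh tunnel.sh 172.16.0.1 172.16.0.2 192.168.122.1
#   remote host: sh tunnel.sh 172.16.0.2 172.16.0.1 192.168.122.2
if [ $# -eq 3 ]; then
    check_keyfile "$CIPH_KEY" && check_keyfile "$AUTH_KEY" || exit 1
    tunnel_commands "$1" "$2" "$3"
fi
```

Pipe the output into sh only after reviewing it; the same script run with the arguments swapped on the peer yields the matching half of the configuration.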


