IPsec encryption configuration (RHEL7/CentOS7, host to host)

Jul 28, 2015 01:25

Setting up host to host IPsec
Verify connection
Important notes

For the purpose of this memo, the LEFT host is left001 and the RIGHT host is right001; all hosts are running the latest CentOS 7.

Setting up host to host (or point to point) IPsec
Initial setup on both sides:
  • install libreswan (recommended for RHEL7/CentOS 7, available from the Base repository)
  • remove the default NSS key database and re-create it
  • start ipsec and enable it to start on system boot
  • set up firewalld rules (IKE on udp/500 and udp/4500, plus the AH and ESP protocols)
  • generate new RSA host keys
BOTH sides, new configuration:

yum install libreswan -y

rm -f /etc/ipsec.d/*db   # remove the test database
ipsec initnss            # init a new database
systemctl start ipsec
systemctl status ipsec   # should load without errors
systemctl enable ipsec

firewall-cmd --permanent --add-port=500/udp    # IKE protocol
firewall-cmd --permanent --add-port=4500/udp   # IKE NAT-Traversal (if required)
firewall-cmd --add-port=500/udp
firewall-cmd --add-port=4500/udp
firewall-cmd --add-rich-rule='rule protocol value="ah" accept'    # Authentication Header (AH) IPsec packets
firewall-cmd --add-rich-rule='rule protocol value="esp" accept'   # Encapsulating Security Payload (ESP) IPsec packets
firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'

# optional
#firewall-cmd --add-port=5001/tcp   # iperf performance testing default port
#firewall-cmd --add-port=5001/udp
#firewall-cmd --permanent --add-port=5001/udp
#firewall-cmd --permanent --add-port=5001/tcp

ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/contoso.com.secrets   # create new host keys (run on both sides)
Show newly generated host keys from LEFT and RIGHT sides:
# LEFT:
# LEFT:
ipsec showhostkey --left
# RIGHT:
ipsec showhostkey --right
Copy left and right keys to the buffer, starting from comment with key ID:

# rsakey AQPQxE0/1
leftrsasigkey=0sAQPQxE0/1[...]=
------------------------------------------------------------------
# rsakey AQPAp8/zB
rightrsasigkey=0sAQPAp8/zB[...]=
Now create a new configuration file on the LEFT side, scp it to the RIGHT side, and change permissions. The same file is used unchanged on both hosts: libreswan works out which end it is by matching the left/right addresses against its own interfaces. Use an appropriate connection name, the LEFT and RIGHT keys, hostnames and IP addresses:
LEFT:
nano /etc/ipsec.d/left2right.conf   # or vi /etc/ipsec.d/left2right.conf
------------------------------------------------------------------
conn left001-right001   # connection name
    leftid=@left001     # hostname
    left=10.10.1.251    # IP address
    # rsakey AQPQxE0/1
    leftrsasigkey=0sAQPQxE0/1[...]=
    #
    rightid=@right001   # hostname
    right=10.10.2.252   # IP address
    # rsakey AQPAp8/zB
    rightrsasigkey=0sAQPAp8/zB[...]=
    #
    authby=rsasig
    #
    # load and initiate automatically
    auto=start
------------------------------------------------------------------
scp /etc/ipsec.d/left2right.conf right001:/etc/ipsec.d/
chmod 600 /etc/ipsec.d/left2right.conf
restorecon /etc/ipsec.d/*
ssh right001 chmod 600 /etc/ipsec.d/left2right.conf
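The step above is the one where copy-and-paste mistakes happen (the wrong key in the wrong field, the same key on both sides, a truncated key). The script below is an added example, not part of the original memo: it extracts the leftrsasigkey=/rightrsasigkey= values from the two showhostkey outputs, refuses keys that are not a well-formed "0s" + base64 string or that are identical, emits the conn stanza, and writes the file so it is created with mode 0600 rather than chmod'ed afterwards. The showhostkey text embedded in it is constructed sample output; the key material is a placeholder, not a real RSA public key.

```shell
#!/bin/sh
# Added example, not from the original memo: build the host-to-host conn stanza
# from the two `ipsec showhostkey` outputs and sanity-check the keys before the
# file is copied to the peer. The showhostkey text below is constructed sample
# output; the key material is a placeholder, not a real RSA public key.

# Pull the leftrsasigkey= / rightrsasigkey= value out of showhostkey output.
#   $1 = left | right, $2 = text of `ipsec showhostkey --$1`
extract_key() {
    printf '%s\n' "$2" \
      | sed -n "s|^[[:space:]]*${1}rsasigkey=\(0s[A-Za-z0-9+/=]*\).*|\1|p" \
      | head -n 1
}

# A libreswan raw RSA key is "0s" followed by base64; anything else is a paste error.
key_ok() {
    case "$1" in 0s*) ;; *) return 1 ;; esac
    [ "${#1}" -ge 32 ] || return 1
    case "${1#0s}" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
}

# Print the conn stanza on stdout.
#   $1 conn name, $2 left hostname, $3 left IP, $4 left key,
#   $5 right hostname, $6 right IP, $7 right key
make_conn() {
    key_ok "$4" || { echo "error: malformed left key" >&2; return 1; }
    key_ok "$7" || { echo "error: malformed right key" >&2; return 1; }
    # Classic mistake: the same showhostkey output pasted into both fields.
    if [ "$4" = "$7" ]; then
        echo "error: left and right keys are identical" >&2
        return 1
    fi
    cat <<EOF
conn $1
    leftid=@$2
    left=$3
    leftrsasigkey=$4
    rightid=@$5
    right=$6
    rightrsasigkey=$7
    authby=rsasig
    auto=start
EOF
}

# Write the stanza (read from stdin) to $1 so the file is born mode 0600.
write_conn() {
    ( umask 077 && cat > "$1" )
}

# --- constructed sample output of `ipsec showhostkey --left` on left001 ---
LEFT_OUT='    # rsakey AQPQxE0/1
    leftrsasigkey=0sAQPQxE0/1AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7placeholderLEFT=='
# --- constructed sample output of `ipsec showhostkey --right` on right001 ---
RIGHT_OUT='    # rsakey AQPAp8/zB
    rightrsasigkey=0sAQPAp8/zBAAAAB3NzaC1yc2EAAAADAQABAAAAgQDUplaceholderRIGHT=='

LEFT_KEY=$(extract_key left "$LEFT_OUT")
RIGHT_KEY=$(extract_key right "$RIGHT_OUT")
make_conn left001-right001 left001 10.10.1.251 "$LEFT_KEY" \
          right001 10.10.2.252 "$RIGHT_KEY"
```

In practice the two outputs come from `ipsec showhostkey --left` on left001 and `ipsec showhostkey --right` on right001, and the stanza is piped into `write_conn /etc/ipsec.d/left2right.conf` before the scp; the restorecon from the memo is still needed for the SELinux label.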
Restart IPsec on BOTH sides, and add newly created connection:
BOTH:
systemctl restart ipsec
ipsec auto --add left001-right001
Bring connection up on LEFT side (actually on any side, but only on one of them):
LEFT:
ipsec auto --up left001-right001

Verify connection
Here are some commands that you can run to check IPsec status:

ipsec auto --status

# check for "IPsec SA established" and "newest IPSEC"
ipsec auto --status | grep "IPsec SA established" | grep "newest IPSEC"
000 #4: "left001-right001":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1700s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
# STATE_QUICK_R2 is an IKEv1 Quick Mode state; with IKEv2 the established child SA is reported under a STATE_V2_* name instead

# check traffic encryption
# incoming traffic: on the receiving host tcpdump shows every packet twice, once as the ESP packet on the wire and once more after the kernel has decrypted it
[root@left001 ~]# tcpdump -n -i ens160 'dst left001 and src right001'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
15:39:19.599104 IP 10.10.2.252 > 10.10.1.251: ESP(spi=0x2273bac0,seq=0x73b), length 100
15:39:19.599104 IP 10.10.2.252.http > 10.10.1.251.39860: Flags [S.], seq 1803978839, ack 2526001466, win 14480, options [mss 1460,sackOK,TS val 13412232 ecr 3945736,nop,wscale 7], length 0
15:39:19.614573 IP 10.10.2.252 > 10.10.1.251: ESP(spi=0x2273bac0,seq=0x73c), length 100
15:39:19.614573 IP 10.10.2.252.http > 10.10.1.251.39861: Flags [S.], seq 3019974780, ack 3757813010, win 14480, options [mss 1460,sackOK,TS val 13412247 ecr 3945751,nop,wscale 7], length 0
15:39:19.626596 IP 10.10.2.252 > 10.10.1.251: ESP(spi=0x2273bac0,seq=0x73d), length 100
15:39:19.626596 IP 10.10.2.252.http > 10.10.1.251.39862: Flags [S.], seq 2611708637, ack 2027254906, win 14480, options [mss 1460,sackOK,TS val 13412259 ecr 3945763,nop,wscale 7], length 0
15:39:19.639530 IP 10.10.2.252 > 10.10.1.251: ESP(spi=0x2273bac0,seq=0x73e), length 100
15:39:19.639530 IP 10.10.2.252.http > 10.10.1.251.39863: Flags [S.], seq 2164892917, ack 529785392, win 14480, options [mss 1460,sackOK,TS val 13412272 ecr 3945776,nop,wscale 7], length 0
^C

# check traffic encryption
# outgoing traffic: only ESP packets leave the host
[root@left001 ~]# tcpdump -n -i ens160 'src left001 and dst right001'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
15:40:03.623765 IP 10.10.1.251 > 10.10.2.252: ESP(spi=0xdafd8818,seq=0x1092), length 100
15:40:03.624083 IP 10.10.1.251 > 10.10.2.252: ESP(spi=0xdafd8818,seq=0x1093), length 100
15:40:03.647664 IP 10.10.1.251 > 10.10.2.252: ESP(spi=0xdafd8818,seq=0x1094), length 100
15:40:03.647996 IP 10.10.1.251 > 10.10.2.252: ESP(spi=0xdafd8818,seq=0x1095), length 100
^C
# packets captured on any host between left001 and right001 will be encrypted

Important notes
  • adding a connection to the Pluto database on both sides of the connection is non-disruptive:
    # LEFT:
    ipsec auto --add my-connection-name
    # RIGHT:
    ipsec auto --add my-connection-name
  • bringing the connection up is also non-disruptive; it is performed on one side only:
    # LEFT:
    ipsec auto --up my-connection-name
  • bringing the connection down on either side IS DISRUPTIVE (especially if you run the command multiple times); you will lose connectivity between the hosts:
    # LEFT:
    ipsec auto --down my-connection-name
    # RIGHT:
    ipsec auto --down my-connection-name
    the connection will be re-established within a minute (on demand) if the configuration is valid and the connection has not been deleted;
  • deleting (disabling) the connection IS DISRUPTIVE: you must bring the connection down and delete it on both sides before normal unencrypted traffic can pass, because a side that still has the connection loaded keeps its policy requiring IPsec and drops the peer's plaintext packets
    # LEFT:
    ipsec auto --delete my-connection-name
    # RIGHT:
    ipsec auto --delete my-connection-name
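The two checks described in "Verify connection" (an established, newest IPsec SA in `ipsec auto --status`, and only ESP on the wire), together with the failure mode in the last note (one side deleted, the other still enforcing IPsec), can be turned into a script that gives a yes/no verdict. The following is an added example, not part of the original memo. It parses the status output for the named conn and counts packets in a `tcpdump -n` capture that are neither ESP/AH nor IKE (udp/500 or udp/4500). The capture must be taken on the sending host with a filter like 'src left001 and dst right001': on the receiving host tcpdump shows each packet twice (the ESP packet and its decrypted copy), which would be counted as a leak. The status and tcpdump text in the block is constructed sample data modelled on the memo's output; SPIs, sequence numbers and the IKE-only status line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original memo: check `ipsec auto --status` for an
# established IPsec SA on a named conn and count packets that left the host in
# the clear. Sample status/tcpdump text below is constructed, modelled on the memo.

# Return 0 if status output ($2) reports an established IPsec SA for conn $1
# and that SA is the newest one.
sa_established() {
    printf '%s\n' "$2" \
      | grep -F "\"$1\"" \
      | grep -F 'IPsec SA established' \
      | grep -q 'newest IPSEC'
}

# Count packets in `tcpdump -n` output ($1) that are neither ESP/AH nor IKE.
# Run on the SENDING host; on the receiver every packet also appears decrypted.
count_plaintext() {
    printf '%s\n' "$1" | awk '
        /^[0-9:.]+ IP / {
            if ($0 ~ / (ESP|AH)\(spi=/) next        # protected on the wire
            if ($0 ~ /\.(500|4500)[ :>]/) next       # IKE negotiation itself
            n++
        }
        END { print n + 0 }'
}

# Combined verdict: $1 conn name, $2 status output, $3 capture from the sender.
tunnel_ok() {
    sa_established "$1" "$2" || { echo "no established IPsec SA for $1" >&2; return 1; }
    leaks=$(count_plaintext "$3")
    [ "$leaks" -eq 0 ] || { echo "$leaks plaintext packet(s) sent to peer" >&2; return 1; }
}

# --- constructed sample data ---
# Tunnel up: ISAKMP SA plus the IPsec SA, as in the memo.
STATUS_UP='000 #3: "left001-right001":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2500s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #4: "left001-right001":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1700s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set'

# Phase 1 finished but no IPsec SA yet (for example right after `ipsec auto --add`).
STATUS_IKE_ONLY='000 #3: "left001-right001":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2500s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set'

# tcpdump -n -i ens160 'src left001 and dst right001' while the tunnel is up.
CAP_GOOD='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
15:40:03.500000 IP 10.10.1.251.500 > 10.10.2.252.500: isakmp: phase 2/others I inf
15:40:03.623765 IP 10.10.1.251 > 10.10.2.252: ESP(spi=0xdafd8818,seq=0x1092), length 100
15:40:03.624083 IP 10.10.1.251 > 10.10.2.252: ESP(spi=0xdafd8818,seq=0x1093), length 100'

# Same capture after `ipsec auto --delete` was run on left001 only: left001 now
# sends plain TCP SYNs that right001, with the conn still loaded, drops.
CAP_LEAK='15:41:10.100000 IP 10.10.1.251.39870 > 10.10.2.252.80: Flags [S], seq 1, win 29200, options [mss 1460], length 0
15:41:11.100000 IP 10.10.1.251.39870 > 10.10.2.252.80: Flags [S], seq 1, win 29200, options [mss 1460], length 0'

tunnel_ok left001-right001 "$STATUS_UP" "$CAP_GOOD" && echo "tunnel up, no plaintext"
```

On a live host the inputs are `"$(ipsec auto --status)"` and `"$(timeout 10 tcpdump -n -i ens160 'src left001 and dst right001' 2>&1)"`; a non-zero count after a `--delete` on one side is exactly the half-torn-down state the last note warns about.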

administrating linux
