6.3. Linux Client (FC3)

The Linux Client is assumed to run the Fedora Core 5 distribution with ipsec-tools installed. For other distributions refer to the "IPsec-Tools home page" [41].

Setting up the tunnel consists of authenticating the client, and setting up the encryption keys and policy. In this example:

6.3.1. Authentication

Set up an X.509 Certificate Authority (CA) and use it to sign the certificates for the Linux client; this process is described in Section 6.1, “Certificates”. Install the client's unencrypted private key on the client, along with the certificates for the CA, the SISO server and the client. Then verify the certificate.

# $PRJ_DIR is the project directory that holds the CA created in Section 6.1.
SSL_DIR=$PRJ_DIR/openssl
CLIENT_DIR=/etc/ipsec

# Copy the CA certificate, the CRL, and the client's (unencrypted) private key
# and certificate to the client; scp protects them in transit.
ssh root@crox.vonk "mkdir -p $CLIENT_DIR"
scp $SSL_DIR/ca/CAcert.pem \
    $SSL_DIR/ca/CRL.pem \
    $SSL_DIR/certs/crox.vonk-key.pem \
    $SSL_DIR/certs/crox.vonk-cert.pem root@crox.vonk:$CLIENT_DIR/

# racoon (via OpenSSL) looks up the CA certificate and CRL by the hash of the
# CA's subject name, as <hash>.0 and <hash>.r0, so create those links.
HASH=`openssl x509 -noout -hash -in $SSL_DIR/ca/CAcert.pem`
ssh root@crox.vonk "( cd $CLIENT_DIR ; ln -sf CAcert.pem $CLIENT_DIR/$HASH.0 )"
ssh root@crox.vonk "( cd $CLIENT_DIR ; ln -sf CRL.pem    $CLIENT_DIR/$HASH.r0 )"

6.3.2. Encryption keys and authentication policies

Ensure that the IKE daemon racoon [42] is installed on the client. An example configuration file for racoon on the client can be found in Example E.7, “vpn-client:/etc/sysconfig/racoon/racoon.conf”.

6.3.3. Encryption policy

The outgoing encryption policy tells the operating system when an IPsec tunnel should be used to send traffic. An example policy script can be found in Example E.8, “vpn-client:/etc/sysconfig/ipsec/setkey.conf”.

6.3.4. Successful connection

The syslog on the Linux IPsec client looks as shown below.

racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net) 
racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/) 
racoon: INFO: fe80::290:4bff:fe2f:6ed4%wlan0[500] used as isakmp port (fd=8) 
racoon: INFO: fe80::20d:56ff:fe32:dd8b%eth0[500] used as isakmp port (fd=9) 
racoon: INFO: ::1[500] used as isakmp port (fd=11) 
racoon: INFO: 10.0.2.111[500] used as isakmp port (fd=12) 
racoon: INFO: 10.0.1.111[500] used as isakmp port (fd=13) 
racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14) 
racoon: NOTIFY: no in-bound policy found: 10.0.0.2/32[0] 10.0.1.111/32[0] proto=any dir=in 
racoon: INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found. 
racoon: INFO: initiate new phase 1 negotiation: 10.0.1.111[500]<=>10.0.0.2[500] 
racoon: INFO: begin Identity Protection mode. 
racoon: INFO: ISAKMP-SA established 10.0.1.111[500]-10.0.0.2[500] spi:9dd5743702d60465:b1770e32da384dcc 
racoon: INFO: initiate new phase 2 negotiation: 10.0.1.111[0]<=>10.0.0.2[0] 
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.2->10.0.1.111 spi=6958467(0x6a2d83) 
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.111->10.0.0.2 spi=112868448(0x6ba3c60)

The tcpdump output for the same exchange shows the ESP encapsulation of the ICMP (ping) packets.

IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x1)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x1)
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x2)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x2)
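As an added example (not part of the original page or the project's code), the following Python script ties the racoon syslog and the tcpdump listing above together: it maps each SPI that racoon reports as established to its direction, then checks that every ESP packet on the wire uses one of those SPIs and that the ESP sequence numbers advance by one, which is the check to run when confirming that a connection like the one above is really carrying traffic. The sample input is constructed from the two listings on this page; the host names and addresses are the page's own.

```python
import re

# Constructed sample input: the racoon syslog and tcpdump lines quoted on this page.
RACOON_LOG = """\
racoon: INFO: ISAKMP-SA established 10.0.1.111[500]-10.0.0.2[500] spi:9dd5743702d60465:b1770e32da384dcc
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.0.2->10.0.1.111 spi=6958467(0x6a2d83)
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.111->10.0.0.2 spi=112868448(0x6ba3c60)
"""
TCPDUMP = """\
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x1)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x1)
IP crox.lan.vonk > siso.ext.vonk: ESP(spi=0x06ba3c60,seq=0x2)
IP siso.ext.vonk > crox.lan.vonk: ESP(spi=0x006a2d83,seq=0x2)
"""

SA_RE = re.compile(r"IPsec-SA established: (\w+)/(\w+) ([\d.]+)->([\d.]+) spi=(\d+)")
ESP_RE = re.compile(r"^IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)", re.M)

def parse_sas(log):
    """Map every SPI racoon reports as established to its (src, dst, proto, mode)."""
    return {int(spi): (src, dst, proto, mode)
            for proto, mode, src, dst, spi in SA_RE.findall(log)}

def check_esp_traffic(sas, capture):
    """Per SPI seen on the wire: packet count, whether racoon negotiated it
    (an unknown SPI is traffic that does not belong to this connection),
    the src > dst path, and whether a sequence number was skipped or repeated."""
    report = {}
    for src, dst, spi_hex, seq_hex in ESP_RE.findall(capture):
        spi, seq = int(spi_hex, 16), int(seq_hex, 16)
        entry = report.setdefault(spi, {"packets": 0, "known": spi in sas,
                                        "path": f"{src} > {dst}",
                                        "last_seq": None, "seq_gap": False})
        entry["packets"] += 1
        if entry["last_seq"] is not None and seq != entry["last_seq"] + 1:
            entry["seq_gap"] = True   # ESP sequence numbers must advance by one
        entry["last_seq"] = seq
    return report

def tunnel_is_up(sas, capture):
    """True when both SA directions were negotiated, each carried ESP packets,
    no packet used an unknown SPI and no sequence gap was seen."""
    report = check_esp_traffic(sas, capture)
    directions = {(s, d) for s, d, _, _ in sas.values()}
    seen = {(sas[spi][0], sas[spi][1]) for spi in report if spi in sas}
    return len(directions) == 2 and seen == directions and \
        not any(e["seq_gap"] or not e["known"] for e in report.values())
```

Run `tunnel_is_up(parse_sas(RACOON_LOG), TCPDUMP)` against a live syslog and capture; a False result together with the per-SPI report from `check_esp_traffic` shows which direction or which SPI is the problem.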