Gre Tunnel + IPSec

 
NickSoft
Site Admin


Joined: 13 Nov 2006
Posts: 22

Posted: Tue Nov 28, 2006 9:50 pm    Post subject: Gre Tunnel + IPSec

If I need to control a remote server I usually use SSL enabled web tools, ssh, ssl connection to database etc. But this is not always possible.
As an example, if I had to do remote mysql backups, but by default mysql is not compiled with SSL support or the backup tool doesn't support ssl, an option is IPSec. It's easy to set up and it's secure enough. So I set up IPSec to encrypt data between my ip and the remote server ip and set up mysql to be accessed over the network. But others will see that mysql is listening and will try to hack it. So it will be better if others see "closed" when they scan your ports - no temptation.
The easiest way to achieve that is Gre tunnel + IPSec.
Here is the Gre tunnel howto and IPSec howto.

Prepare the IPSec configuration:
IPSec conf file for 192.168.1.1 (the remote side)
Code:
#!/usr/sbin/setkey -f
# file /etc/setkey.conf
# Configuration for 192.168.1.1

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
# (one SA per direction; the endpoints must match the policies below)
add 192.168.1.1 192.168.1.2 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.1.2 192.168.1.1 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.1 192.168.1.2 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.1.2 192.168.1.1 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies: on this host 192.168.1.1 is the local address,
# so traffic to 192.168.1.2 is "out" and traffic from it is "in"
spdadd 192.168.1.1 192.168.1.2 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.1.2 192.168.1.1 any -P in ipsec
           esp/transport//require
           ah/transport//require;

IPSec conf file for 192.168.1.2 (the local side)
Code:
#!/usr/sbin/setkey -f
# file /etc/setkey.conf
# Configuration for 192.168.1.2

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
# (same SAs as on the remote side; only the policy directions differ)
add 192.168.1.1 192.168.1.2 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.1.2 192.168.1.1 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.1 192.168.1.2 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.1.2 192.168.1.1 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies: on this host 192.168.1.2 is the local address,
# so traffic from 192.168.1.1 is "in" and traffic to it is "out"
spdadd 192.168.1.1 192.168.1.2 any -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.1.2 192.168.1.1 any -P out ipsec
           esp/transport//require
           ah/transport//require;


Note: If you swap the setkey.conf files you won't see an error. It will seem to work, but data will be transmitted unencrypted.
Warning: Use these keys only for testing purposes! Generate your own keys.
How to generate keys:
Code:
$ # 128 Bit long key
$ dd if=/dev/random count=16 bs=1| xxd -ps
16+0 Records ein
16+0 Records aus
cd0456eff95c5529ea9e918043e19cbe

$ # 192 Bit long key
$ dd if=/dev/random count=24 bs=1| xxd -ps
24+0 Records ein
24+0 Records aus
9d6c4a8275ab12fbfdcaf01f0ba9dcfb5f424c878e97f888


Scripts for bringing the tunnel up and down.
File /usr/local/sbin/tunup for remote side
Code:
#!/bin/bash
/sbin/modprobe ip_gre
/usr/local/sbin/tundown
/sbin/ip tunnel add neta mode gre remote 84.22.5.22 local 72.232.86.10 ttl 255
/sbin/ip link set neta up
/sbin/ifconfig neta 192.168.1.1 netmask 255.255.255.0

/sbin/setkey -f /etc/setkey.conf


File /usr/local/sbin/tunup for local side
Code:
#!/bin/bash
/sbin/modprobe ip_gre
/usr/local/sbin/tundown
/sbin/ip tunnel add neta mode gre remote 72.232.86.10 local 84.22.5.22 ttl 255
/sbin/ip link set neta up
/sbin/ifconfig neta 192.168.1.2 netmask 255.255.255.0

/sbin/setkey -f /etc/setkey.conf

File /usr/local/sbin/tundown
Code:
#!/bin/bash

/sbin/setkey -F
/sbin/setkey -FP


/sbin/ip link set neta down >/dev/null 2>&1
/sbin/ip tunnel del neta >/dev/null 2>&1


Now type tunup on both machines to start the tunnel and tundown to terminate it.
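The note above describes the nasty failure mode of this setup: a swapped (or mistyped) setkey.conf loads without error and the GRE traffic silently leaves in the clear. The following checker is an added example, not part of the original post or of the ipsec-tools project: it parses the subset of setkey -f syntax used here (add and spdadd statements), and reports policies whose direction does not match the host's own address, required esp/ah protections with no matching SA, and keys whose length does not fit the algorithm. The KEY_BYTES table, the SAMPLE_CONF text (with deliberately mistyped source address and made-up keys) and the function names are all assumptions constructed for this example.

```python
"""Sanity-check a setkey.conf before loading it with 'setkey -f'.

Added example (not from the original post). It catches:
  * a swapped file: an 'out' policy whose source is not the local address,
    or an 'in' policy whose destination is not, which setkey accepts but
    which leaves tunnel traffic unprotected;
  * a policy that requires esp/ah but has no SA for that direction
    (for instance an 'add' line with a mistyped address);
  * keys whose length does not match the algorithm.
"""
import re

# Expected key sizes in bytes. hmac-md5 and 3des-cbc are the algorithms used
# on the page; the other two entries are assumptions added for convenience.
KEY_BYTES = {"hmac-md5": {16}, "hmac-sha1": {20},
             "3des-cbc": {24}, "aes-cbc": {16, 24, 32}}


def _addr(tok):
    """Strip an optional /prefix and [port] from a setkey address token."""
    return tok.split("/")[0].split("[")[0]


def parse_setkey(text):
    """Parse 'add' and 'spdadd' statements; returns (sas, policies).

    Statements end with ';' and may span lines, '#' starts a comment.
      sas      -> [{src, dst, proto, spi, algs: [(alg, hexkey), ...]}]
      policies -> [{src, dst, dir, reqs: [(proto, mode, level), ...]}]
    """
    body = " ".join(ln.split("#", 1)[0] for ln in text.splitlines())
    sas, policies = [], []
    for stmt in body.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] == "add" and len(tok) >= 5:
            sa = {"src": _addr(tok[1]), "dst": _addr(tok[2]),
                  "proto": tok[3], "spi": tok[4], "algs": []}
            rest = tok[5:]
            for i, t in enumerate(rest):
                if t in ("-E", "-A") and i + 2 < len(rest):
                    sa["algs"].append((rest[i + 1], rest[i + 2]))
            sas.append(sa)
        elif tok[0] == "spdadd" and "-P" in tok:
            p = tok.index("-P")
            pol = {"src": _addr(tok[1]), "dst": _addr(tok[2]),
                   "dir": tok[p + 1], "reqs": []}
            for t in tok[p + 2:]:
                if "/" in t:                      # proto/mode/src-dst/level
                    parts = t.split("/")
                    pol["reqs"].append((parts[0], parts[1], parts[-1]))
            policies.append(pol)
    return sas, policies


def check_conf(text, local_ip):
    """Return a list of problem strings; empty means the file is consistent
    with being loaded on the host whose address is local_ip."""
    sas, policies = parse_setkey(text)
    problems = []
    for sa in sas:
        ends = f"{sa['src']}->{sa['dst']}"
        for alg, key in sa["algs"]:
            hexkey = key[2:] if key.lower().startswith("0x") else key
            if not re.fullmatch(r"[0-9a-fA-F]+", hexkey) or len(hexkey) % 2:
                problems.append(f"SA {ends} {sa['proto']}: key is not valid hex")
                continue
            sizes = KEY_BYTES.get(alg)
            if sizes and len(hexkey) // 2 not in sizes:
                problems.append(f"SA {ends} {sa['proto']}: {alg} key is "
                                f"{len(hexkey) // 2} bytes, expected {sorted(sizes)}")
    have = {(sa["src"], sa["dst"], sa["proto"]) for sa in sas}
    for pol in policies:
        ends = f"{pol['src']}->{pol['dst']}"
        if pol["dir"] == "out" and pol["src"] != local_ip:
            problems.append(f"policy {ends} out: source is not the local "
                            f"address {local_ip} (swapped file?)")
        if pol["dir"] == "in" and pol["dst"] != local_ip:
            problems.append(f"policy {ends} in: destination is not the local "
                            f"address {local_ip} (swapped file?)")
        for proto, _mode, level in pol["reqs"]:
            if level == "require" and (pol["src"], pol["dst"], proto) not in have:
                problems.append(f"policy {ends} {pol['dir']}: requires {proto} "
                                f"but no {proto} SA {ends} is defined")
    return problems


# Constructed sample in the shape of the page's local-side file; the first AH
# line carries a mistyped source address and all keys are made up.
SAMPLE_CONF = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
add 192.168.1.100 192.168.1.2 ah 0x200 -A hmac-md5
0x00112233445566778899aabbccddeeff;
add 192.168.1.2 192.168.1.1 ah 0x300 -A hmac-md5
0xffeeddccbbaa99887766554433221100;
add 192.168.1.1 192.168.1.2 esp 0x201 -E 3des-cbc
0x000102030405060708090a0b0c0d0e0f1011121314151617;
add 192.168.1.2 192.168.1.1 esp 0x301 -E 3des-cbc
0x1716151413121110f0e0d0c0b0a090807060504030201000;
spdadd 192.168.1.1 192.168.1.2 any -P in ipsec
           esp/transport//require
           ah/transport//require;
spdadd 192.168.1.2 192.168.1.1 any -P out ipsec
           esp/transport//require
           ah/transport//require;
"""

if __name__ == "__main__":
    for local in ("192.168.1.2", "192.168.1.1"):
        print(f"== checking as {local} ==")
        for line in check_conf(SAMPLE_CONF, local) or ["ok"]:
            print(" ", line)
```

Run it as the local side (192.168.1.2) and the only finding is the missing AH SA for 192.168.1.1->192.168.1.2 caused by the mistyped address; run it with the other host's address, which is what a swapped file amounts to, and both policies are reported as pointing the wrong way. Pointing the script at a real /etc/setkey.conf before tunup is cheap, and checking afterwards with setkey -D and setkey -DP that the SAs and policies actually landed is the complementary runtime check.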