NickSoft Linux Cookbook Quick howto's, Real live examples.
Author: NickSoft (Site Admin, joined 13 Nov 2006, 22 posts)
Posted: Tue Nov 28, 2006 9:50 pm
Post subject: Gre Tunnel + IPSec
If I need to control a remote server I usually use SSL-enabled web tools, ssh, an SSL connection to the database, etc. But this is not always possible.
For example, if I have to do remote MySQL backups but MySQL is not compiled with SSL support by default, or the backup tool doesn't support SSL, one option is IPsec. It's easy to set up and it's secure enough. So I set up IPsec to encrypt the data between my IP and the remote server's IP and configured MySQL to be accessible over the network. But others will see that MySQL is listening and will try to hack it. So it's better if others see "closed" when they scan your ports: no temptation.
The easiest way to achieve that is a GRE tunnel protected by IPsec.
Here is the GRE tunnel howto and the IPsec howto.
Prepare the IPSec configuration:
IPSec conf file for 192.168.1.1 (the remote side)
Code:
#!/usr/sbin/setkey -f
# file /etc/setkey.conf
# Configuration for 192.168.1.1 (the remote side)
# Flush the SAD and SPD
flush;
spdflush;
# Attention: use these keys only for testing purposes!
# Generate your own keys!
# AH SAs using 128 bit long keys (one SA per direction)
add 192.168.1.1 192.168.1.2 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.1.2 192.168.1.1 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.1 192.168.1.2 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.1.2 192.168.1.1 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
# Security policies: traffic out to 192.168.1.2 and in from 192.168.1.2
# must be protected by both ESP and AH in transport mode
spdadd 192.168.1.1 192.168.1.2 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.1.2 192.168.1.1 any -P in ipsec
esp/transport//require
ah/transport//require;
IPSec conf file for 192.168.1.2 (the local side)
Code:
#!/usr/sbin/setkey -f
# file /etc/setkey.conf
# Configuration for 192.168.1.2 (the local side)
# Flush the SAD and SPD
flush;
spdflush;
# Attention: use these keys only for testing purposes!
# Generate your own keys!
# AH SAs using 128 bit long keys (same SAs as on the remote side)
add 192.168.1.1 192.168.1.2 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.1.2 192.168.1.1 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.1 192.168.1.2 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.1.2 192.168.1.1 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
# Security policies: the only difference from the remote side is that
# the in/out directions are swapped
spdadd 192.168.1.1 192.168.1.2 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.1.2 192.168.1.1 any -P out ipsec
esp/transport//require
ah/transport//require;
Note: If you swap the two setkey.conf files you won't see an error. It will seem to work, but the data will be transmitted unencrypted, because no policy matches the traffic the host actually sends or receives.
Warning: Use these keys only for testing purposes! Generate your own keys.
How to generate keys:
Code:
$ # 128 Bit long key
$ dd if=/dev/random count=16 bs=1| xxd -ps
16+0 Records ein
16+0 Records aus
cd0456eff95c5529ea9e918043e19cbe
$ # 192 Bit long key
$ dd if=/dev/random count=24 bs=1| xxd -ps
24+0 Records ein
24+0 Records aus
9d6c4a8275ab12fbfdcaf01f0ba9dcfb5f424c878e97f888
Scripts to bring the tunnel up and down.
File /usr/local/sbin/tunup for the remote side
Code:
#!/bin/bash
/sbin/modprobe ip_gre
# remove any previous tunnel and flush the IPsec SAD/SPD first
/usr/local/sbin/tundown
# GRE tunnel between the public addresses; the remote side sees 84.22.5.22 as its peer
/sbin/ip tunnel add neta mode gre remote 84.22.5.22 local 72.232.86.10 ttl 255
/sbin/ip link set neta up
# tunnel (private) address of this side
/sbin/ifconfig neta 192.168.1.1 netmask 255.255.255.0
# load the SAs and policies that protect the tunnel addresses
/sbin/setkey -f /etc/setkey.conf
File /usr/local/sbin/tunup for the local side
Code:
#!/bin/bash
/sbin/modprobe ip_gre
# remove any previous tunnel and flush the IPsec SAD/SPD first
/usr/local/sbin/tundown
# same tunnel with remote/local swapped
/sbin/ip tunnel add neta mode gre remote 72.232.86.10 local 84.22.5.22 ttl 255
/sbin/ip link set neta up
# tunnel (private) address of this side
/sbin/ifconfig neta 192.168.1.2 netmask 255.255.255.0
# load the SAs and policies that protect the tunnel addresses
/sbin/setkey -f /etc/setkey.conf
File /usr/local/sbin/tundown (same on both sides)
Code:
#!/bin/bash
# flush the SAD (-F) and the SPD (-FP)
/sbin/setkey -F
/sbin/setkey -FP
# tear down the tunnel; errors are ignored so tunup can call this unconditionally
/sbin/ip link set neta down >/dev/null 2>&1
/sbin/ip tunnel del neta >/dev/null 2>&1
Now type tunup on both machines to start the tunnel and tundown to terminate it.