Just a small gathering of information on how I’ve setup a tunnel between a Centos 6.3, with openswan and NETKEY ipsec stack, and a Juniper SSG. Before we start configuring, lets define IP’s nets and address (by the way, those are not the real IP’s). We are link two networks with this tunnel, not a network-to-client configuration.
On the Centos side we have:
- Name: Office City A
- External Ip: 22.214.171.124
- Internal Network: 10.20.20.0/24
- Internal Gateway Ip: 10.20.20.254
On the Juniper SSG we have:
- Name: Office City B
- External Ip: 100.101.102.103
- Internal Network: 10.20.10.0/24
- Internal Gateway Ip: 10.20.10.254
Pre-shared Key: my-long-and-secret-key
First we need to install and configure the centos box. That should be fairly simple, start by installing openswan:
yum install openswan
Now we have to edit
/etc/ipsec.conf. The default config should be fine for us, but we have to make sure that the line which includes the configs “.conf” stored under
/etc/ipsec.d/ is uncommented. Your config file should look something like this:
# /etc/ipsec.conf - Openswan IPsec configuration file # # Manual: ipsec.conf.5 # # Please place your own config files in /etc/ipsec.d/ ending in .conf version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Debug-logging controls: "none" for (almost) none, "all" for lots. # klipsdebug=none # plutodebug="control parsing" # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey protostack=netkey nat_traversal=yes virtual_private= oe=off # Enable this if you see "failed to find any available worker" # nhelpers=0 #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this. include /etc/ipsec.d/*.conf
You also need to make sure that file
/etc/ipsec.secrets includes all “.secret” files under
/etc/ipsec.d/. It should read like:
We have to create the config file for our tunnel, let’s name it “office_b_tun”. The new config will be stored under
/etc/ipsec.d/office_b_tun.conf. The content of the file should be:
conn office_b_tun ike=3des-md5 esp=3des-md5 authby=secret keyingtries=0 left=100.101.102.103 leftsubnet=10.20.10.0/24 leftnexthop=%defaultroute right=126.96.36.199 rightsubnet=10.20.20.0/24 rightnexthop=%defaultroute compress=no auto=start
We need to set the PSK for the tunnel, so edit the file
100.101.102.103 188.8.131.52: PSK "my-long-and-secret-key"
As I don’t have two NIC’s on my server, I’ve setup an alias for eth0. This is not needed if you have two NIC’s. Edit
DEVICE=eth0:0 ONBOOT=yes NETWORK=10.20.0.0 NETMASK=255.255.0.0 IPADDR=10.20.20.254
Restart your network, and start ipsec.
Finish configuring the Juniper, and then check the output of
ipsec auto --status, it should read something like “IPsec SA established” and “ISAKMP SA established”. Verify your routes and test the tunnel.
We can configure the junipers using either the WebUI or the CLI, so I’ll describe first how to configure using the WebUi, and latter I’ll show the CLI config lines. I’m doing a Route Based VPN config as it adds more flexibility to my setup, you can use a Policy Based VPN if you wish, but I’m not covering that here (see a sample config here).
Some extra info we need to know on the Juniper side, is that I have a VPN Zone bound to trust-vr. I recommend that you create a zone for your VPN’s tunnels, as it makes easier to add trafic policies to it later.
Go to Network -> Interface, select “Tunnel IF” and click the New button. Select a not used tunnel number, mine is 1. Also, make sure you select the Zone (VR) as “vpn” and that it’s an unnumbered interface. Click Ok. That’s it for the Tunnel Interface.
VPN AutoKey Gateway
Now we need to setup the VPN Gateway, for that go to VPN -> AutoKey Advanced -> Gateway. Click on the New button. Name the gateway as “gw_to_office_a”. Make sure “Static IP Address” is selected, and fill in the IPv4/v6 Address/Hostname field. The remote IP address is 184.108.40.206.
Click on Advanced button. On that page, enter the Pre-shared Key “my-long-and-secret-key”. Select the correct outgoing interface, mine is “Ethernet0/0″.
On the Security Level field, select “pre-g2-3des-md5“. It’s really important that you get this right!
Make sure the Mode (Initiator) is set to Main. That’s it, just click Ok to save the gateway configuration.
VPN AutoKey IKE
Time to setup the AutoKey IKE VPN, so go to VPN -> AutoKey IKE. Click on New button. I’ll name this vpn as “vpn_to_office_a”. Make sure you selected “gw_to_office_a” as the predefined gateway. Click on Advanced.
On the advanced configuration page, set the security level as “g2-esp-3des-md5“. That’s really import, otherwise the tunnel will not work.
Bind the VPN to tunnel interface “tunnel.1″. Check “Proxy-ID Check”, “VPN Monitor”, “Optimize”, “Rekey”. Select as source interface, your external port, mine is “Ethernet0/0″. Fill in the destination IP, the remote internal gateway ip address, 10.20.20.254.
Click Ok to save the tunnel.
We need to setup the Proxy-ID for the tunnel, go to the AutoKey IKE listing, click on Proxy ID for the “vpn_to_office_a” tunnel. Add the following:
Click on New, and that’s it.
We need to set a static route to Centos network, as it’s not running a dynamic routing daemon (such as RIP, OSPF, BGP, …). Go to Network -> Routing -> Destination. Select “trust-vr” and click New.
The route we want to add is 10.20.20.0/24, using as gateway the interface “tunnel.1″ with the address 220.127.116.11. Make the route permanent, set the preference to 20, and add a description “office A network”.
Click Ok to save it.
As I’m connecting two Trusted networks, I’ll allow any trafic incoming from VPN to Trusted and from Trusted to VPN. You can, and should, set tighter policies as you see fit.
You can configure the VPN using the CLI, use the following commands, adapt as need.
set zone id 100 "vpn" set interface "tunnel.1" zone "vpn" set interface tunnel.1 ip unnumbered interface ethernet0/0 set ike gateway "gw_to_office_a" address 18.104.22.168 Main outgoing-interface "ethernet0/0" preshare "my-long-and-secret-key" proposal "pre-g2-3des-md5" set ike respond-bad-spi 1 set ike ikev2 ike-sa-soft-lifetime 60 unset ike ikeid-enumeration unset ike dos-protection unset ipsec access-session enable set ipsec access-session maximum 5000 set ipsec access-session upper-threshold 0 set ipsec access-session lower-threshold 0 set ipsec access-session dead-p2-sa-timeout 0 unset ipsec access-session log-error unset ipsec access-session info-exch-connected unset ipsec access-session use-error-log set vpn "vpn_to_office_a" gateway "gw_to_office_a" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5" set vpn "vpn_to_office_a" monitor source-interface ethernet0/0 destination-ip 10.20.20.254 optimized rekey set vpn "vpn_to_office_a" id 0xa bind interface tunnel.1 unset interface tunnel.1 acvpn-dynamic-routing set url protocol websense exit set vpn "vpn_to_office_a" proxy-id check set vpn "vpn_to_office_a" proxy-id local-ip 10.20.10.0/24 remote-ip 10.20.20.0/24 "ANY" set route 10.20.20.0/24 interface tunnel.1 gateway 22.214.171.124 preference 20 permanent description "office A network"
On the Office A network, try to ping a machine on B Office network, something like:
On the Office B network, try to ping a machine on A Office network, something like:
If you got ping's, everything is up and running! Have fun!