Difference between revisions of "IPv6 Enkripsi: Automatic key exchange (IKE)"

From OnnoWiki
Jump to navigation Jump to search
(New page: 20.3. Automatic key exchange (IKE) IPsec requires a key exchange of a secret. This is mostly done automatically by so called IKE daemons. They also handle the authentication of the peers,...)
 
Line 6: Line 6:
  
 
I prefer “pluto” from the *S/WAN implementation because of the easier and one-config-only setup.
 
I prefer “pluto” from the *S/WAN implementation because of the easier and one-config-only setup.
 +
 
20.3.1. IKE daemon “racoon”
 
20.3.1. IKE daemon “racoon”
  
Line 17: Line 18:
 
     Example for an end-to-end encrypted connection in transport mode
 
     Example for an end-to-end encrypted connection in transport mode
  
#!/sbin/setkey -f
+
#!/sbin/setkey -f
flush;
+
flush;
spdflush;
+
spdflush;
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/transport//require;
+
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/transport//require;
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec esp/transport//require;
+
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec esp/transport//require;
  
 
     Example for a end-to-end encrypted connection in tunnel mode
 
     Example for a end-to-end encrypted connection in tunnel mode
  
#!/sbin/setkey -f
+
#!/sbin/setkey -f
flush;
+
flush;
spdflush;
+
spdflush;
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec
+
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/tunnel/2001:db8:1:1::1-2001:db8:2:2::2/require;
¬ esp/tunnel/2001:db8:1:1::1-2001:db8:2:2::2/require;
+
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec esp/tunnel/2001:db8:2:2::2-2001:db8:1:1::1/require;
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec
 
¬ esp/tunnel/2001:db8:2:2::2-2001:db8:1:1::1/require;
 
  
 
For the other peer, you have to replace “in” with “out”.
 
For the other peer, you have to replace “in” with “out”.
Line 40: Line 39:
 
File: /etc/racoon/racoon.conf
 
File: /etc/racoon/racoon.conf
  
# Racoon IKE daemon configuration file.
+
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
+
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
+
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
+
path pre_shared_key "/etc/racoon/psk.txt";
 
+
listen
+
listen
{
+
{
        isakmp 2001:db8:1:1::1;
+
        isakmp 2001:db8:1:1::1;
}
+
}
 
+
remote 2001:db8:2:2::2
+
remote 2001:db8:2:2::2
{
+
{
        exchange_mode main;
+
        exchange_mode main;
        lifetime time 24 hour;
+
        lifetime time 24 hour;
        proposal
+
        proposal
        {
+
        {
                encryption_algorithm 3des;
+
                encryption_algorithm 3des;
                hash_algorithm md5;
+
                hash_algorithm md5;
                authentication_method pre_shared_key;
+
                authentication_method pre_shared_key;
                dh_group 2;
+
                dh_group 2;
        }
+
        }  
}
+
}
 
+
# gateway-to-gateway
+
# gateway-to-gateway
sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
+
sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
{
+
{
        lifetime time 1 hour;
+
        lifetime time 1 hour;
        encryption_algorithm 3des;
+
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
+
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
+
        compression_algorithm deflate;
}
+
}
 
+
sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any
+
sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any
{
+
{
        lifetime time 1 hour;
+
        lifetime time 1 hour;
        encryption_algorithm 3des;
+
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
+
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
+
        compression_algorithm deflate;
}  
+
}  
  
 
Also set up the pre-shared secret:
 
Also set up the pre-shared secret:
Line 84: Line 83:
 
File: /etc/racoon/psk.txt
 
File: /etc/racoon/psk.txt
  
# file for pre-shared keys used for IKE authentication
+
# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'
+
# format is: 'identifier' 'key'
 
+
2001:db8:2:2::2 verysecret  
+
2001:db8:2:2::2 verysecret  
  
 
20.3.1.3. Running IPsec with IKE daemon “racoon”
 
20.3.1.3. Running IPsec with IKE daemon “racoon”
Line 123: Line 122:
 
And using “setkey”, current active parameters are shown:
 
And using “setkey”, current active parameters are shown:
  
# setkey -D
+
# setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
+
2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000)
+
        esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000)
        E: 3des-cbc  bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd
+
        E: 3des-cbc  bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd
        A: hmac-md5  60c2c505 517dd8b7 c9609128 a5efc2db
+
        A: hmac-md5  60c2c505 517dd8b7 c9609128 a5efc2db
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
+
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  1 20:31:10 2005  current: Jan  1 20:40:47 2005
+
        created: Jan  1 20:31:10 2005  current: Jan  1 20:40:47 2005
        diff: 577(s)    hard: 3600(s)  soft: 2880(s)
+
        diff: 577(s)    hard: 3600(s)  soft: 2880(s)
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
+
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
        current: 540(bytes)    hard: 0(bytes)  soft: 0(bytes)
+
        current: 540(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
+
        allocated: 3    hard: 0 soft: 0
        sadb_seq=1 pid=22358 refcnt=0
+
        sadb_seq=1 pid=22358 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
+
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000)
+
        esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000)
        E: 3des-cbc  c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce
+
        E: 3des-cbc  c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce
        A: hmac-md5  3f957db9 9adddc8c 44e5739d 3f53ca0e
+
        A: hmac-md5  3f957db9 9adddc8c 44e5739d 3f53ca0e
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
+
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  1 20:31:10 2005  current: Jan  1 20:40:47 2005
+
        created: Jan  1 20:31:10 2005  current: Jan  1 20:40:47 2005
        diff: 577(s)    hard: 3600(s)  soft: 2880(s)
+
        diff: 577(s)    hard: 3600(s)  soft: 2880(s)
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
+
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
        current: 312(bytes)    hard: 0(bytes)  soft: 0(bytes)
+
        current: 312(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
+
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=22358 refcnt=0  
+
        sadb_seq=0 pid=22358 refcnt=0  
  
 
20.3.2. IKE daemon “pluto”
 
20.3.2. IKE daemon “pluto”
Line 158: Line 157:
 
File: /etc/ipsec.conf
 
File: /etc/ipsec.conf
  
# /etc/ipsec.conf - Openswan IPsec configuration file
+
# /etc/ipsec.conf - Openswan IPsec configuration file
#
+
#
# Manual:    ipsec.conf.5
+
# Manual:    ipsec.conf.5
version 2.0    # conforms to second version of ipsec.conf specification
+
version 2.0    # conforms to second version of ipsec.conf specification
 
+
# basic configuration
+
# basic configuration
config setup
+
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
+
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
+
        # klipsdebug=none
        # plutodebug="control parsing"
+
        # plutodebug="control parsing"
 
+
#Disable Opportunistic Encryption
+
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
+
include /etc/ipsec.d/examples/no_oe.conf
 
+
conn ipv6-p1-p2
+
conn ipv6-p1-p2  
        connaddrfamily=ipv6      # Important for IPv6!
+
        connaddrfamily=ipv6      # Important for IPv6!
        left=2001:db8:1:1::1
+
        left=2001:db8:1:1::1
        right=2001:db8:2:2::2
+
        right=2001:db8:2:2::2
        authby=secret
+
          authby=secret
        esp=aes128-sha1
+
        esp=aes128-sha1
        ike=aes128-sha-modp1024
+
        ike=aes128-sha-modp1024
        type=transport
+
        type=transport
        #type=tunnel
+
        #type=tunnel
        compress=no
+
        compress=no
        #compress=yes
+
        #compress=yes
        auto=add
+
        auto=add
        #auto=start
+
        #auto=start
  
 
Don't forget to define the pre-shared secret here also.
 
Don't forget to define the pre-shared secret here also.
Line 190: Line 189:
 
File: /etc/ipsec.secrets
 
File: /etc/ipsec.secrets
  
2001:db8:1:1::1 2001:db8:2:2::2 : PSK      "verysecret"
+
2001:db8:1:1::1 2001:db8:2:2::2 : PSK      "verysecret"
  
 
20.3.2.2. Running IPsec with IKE daemon “pluto”
 
20.3.2.2. Running IPsec with IKE daemon “pluto”
Line 196: Line 195:
 
If installation of Openswan was successfully, an initscript should exist for starting IPsec, simply run (on each peer):
 
If installation of Openswan was successfully, an initscript should exist for starting IPsec, simply run (on each peer):
  
# /etc/rc.d/init.d/ipsec start
+
# /etc/rc.d/init.d/ipsec start
  
 
Afterwards, start this connection on one peer. If you saw the line “IPsec SA established”, all worked fine.
 
Afterwards, start this connection on one peer. If you saw the line “IPsec SA established”, all worked fine.
  
# ipsec auto --up ipv6-peer1-peer2
+
# ipsec auto --up ipv6-peer1-peer2
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
+
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
+
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
+
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established
+
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established
112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
+
112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2,
+
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa98b7710 <0xa51e1f22}  
¬ IPsec SA established {ESP=>0xa98b7710 <0xa51e1f22}  
 
  
 
Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, “setkey” can be used here too to show current active parameters:
 
Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, “setkey” can be used here too to show current active parameters:
  
# setkey -D
+
# setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
+
2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
+
        esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
        E: aes-cbc  082ee274 2744bae5 7451da37 1162b483
+
        E: aes-cbc  082ee274 2744bae5 7451da37 1162b483
        A: hmac-sha1  b7803753 757417da 477b1c1a 64070455 ab79082c
+
        A: hmac-sha1  b7803753 757417da 477b1c1a 64070455 ab79082c
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
+
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:32 2005  current: Jan  1 21:22:20 2005
+
        created: Jan  1 21:16:32 2005  current: Jan  1 21:22:20 2005
        diff: 348(s)    hard: 0(s)      soft: 0(s)
+
        diff: 348(s)    hard: 0(s)      soft: 0(s)
        last:                          hard: 0(s)      soft: 0(s)
+
        last:                          hard: 0(s)      soft: 0(s)
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
+
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
+
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=23825 refcnt=0
+
        sadb_seq=1 pid=23825 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
+
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
+
        esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
        E: aes-cbc  6f59cc30 8d856056 65e07b76 552cac18
+
        E: aes-cbc  6f59cc30 8d856056 65e07b76 552cac18
        A: hmac-sha1  c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
+
        A: hmac-sha1  c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
+
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:31 2005  current: Jan  1 21:22:20 2005
+
        created: Jan  1 21:16:31 2005  current: Jan  1 21:22:20 2005
        diff: 349(s)    hard: 0(s)      soft: 0(s)
+
        diff: 349(s)    hard: 0(s)      soft: 0(s)
        last:                          hard: 0(s)      soft: 0(s)
+
        last:                          hard: 0(s)      soft: 0(s)
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
+
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
+
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=23825 refcnt=0
+
        sadb_seq=0 pid=23825 refcnt=0

Revision as of 14:09, 27 June 2013

20.3. Automatic key exchange (IKE)

IPsec requires a key exchange of a secret. This is mostly done automatically by so called IKE daemons. They also handle the authentication of the peers, either by a common known secret (so called “pre-shared secret”) or by RSA keys (which can also be used from X.509 certificates).

Currently, two different IKE daemons are available for Linux, which totally differ in configuration and usage.

I prefer “pluto” from the *S/WAN implementation because of the easier and one-config-only setup.

20.3.1. IKE daemon “racoon”

The IKE daemon “racoon” is taken from the KAME project and ported to Linux. Modern Linux distributions contain this daemon in the package “ipsec-tools”. Two executables are required for a proper IPsec setup. Take a look on Linux Advanced Routing & Traffic Control HOWTO / IPSEC, too. 20.3.1.1. Manipulation of the IPsec SA/SP database with the tool “setkey”

“setkey” is important to define the security policy (SP) for the kernel.

File: /etc/racoon/setkey.sh

   Example for an end-to-end encrypted connection in transport mode
#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/transport//require;
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec esp/transport//require;
   Example for a end-to-end encrypted connection in tunnel mode
#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/tunnel/2001:db8:1:1::1-2001:db8:2:2::2/require;
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in  ipsec esp/tunnel/2001:db8:2:2::2-2001:db8:1:1::1/require;

For the other peer, you have to replace “in” with “out”. 20.3.1.2. Configuration of the IKE daemon “racoon”

“racoon” requires a configuration file for proper execution. It includes the related settings to the security policy, which should be set up previously using “setkey”.

File: /etc/racoon/racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
        isakmp 2001:db8:1:1::1;
}

remote 2001:db8:2:2::2
{
        exchange_mode main;
        lifetime time 24 hour;
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        } 
}

# gateway-to-gateway
sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
{
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any
{
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
} 

Also set up the pre-shared secret:

File: /etc/racoon/psk.txt

# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'

2001:db8:2:2::2 verysecret 

20.3.1.3. Running IPsec with IKE daemon “racoon”

At least the daemon needs to be started. For the first time, use debug and foreground mode. The following example shows a successful IKE phase 1 (ISAKMP-SA) and 2 (IPsec-SA) negotiation:

  1. racoon -F -v -f /etc/racoon/racoon.conf

Foreground mode. 2005-01-01 20:30:15: INFO: @(#)ipsec-tools 0.3.3 ¬ (http://ipsec-tools.sourceforge.net) 2005-01-01 20:30:15: INFO: @(#)This product linked ¬ OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/) 2005-01-01 20:30:15: INFO: 2001:db8:1:1::1[500] used as isakmp port (fd=7) 2005-01-01 20:31:06: INFO: IPsec-SA request for 2001:db8:2:2::2 ¬ queued due to no phase1 found. 2005-01-01 20:31:06: INFO: initiate new phase 1 negotiation: ¬ 2001:db8:1:1::1[500]<=>2001:db8:2:2::2[500] 2005-01-01 20:31:06: INFO: begin Identity Protection mode. 2005-01-01 20:31:09: INFO: ISAKMP-SA established ¬ 2001:db8:1:1::1[500]-2001:db8:2:2::2[500] spi:da3d3693289c9698:ac039a402b2db401 2005-01-01 20:31:09: INFO: initiate new phase 2 negotiation: ¬ 2001:6f8:900:94::2[0]<=>2001:db8:2:2::2[0] 2005-01-01 20:31:10: INFO: IPsec-SA established: ¬ ESP/Tunnel 2001:db8:2:2::2->2001:db8:1:1::1 spi=253935531(0xf22bfab) 2005-01-01 20:31:10: INFO: IPsec-SA established: ¬ ESP/Tunnel 2001:db8:1:1::1->2001:db8:2:2::2 spi=175002564(0xa6e53c4)

Each direction got its own IPsec-SA (like defined in the IPsec standard). With “tcpdump” on the related interface, you will see as result of an IPv6 ping:

20:35:55.305707 2001:db8:1:1::1 > 2001:db8:2:2::2: ESP(spi=0x0a6e53c4,seq=0x3) 20:35:55.537522 2001:db8:2:2::2 > 2001:db8:1:1::1: ESP(spi=0x0f22bfab,seq=0x3)

As expected, the negotiated SPIs are being used here.

And using “setkey”, current active parameters are shown:

# setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000)
        E: 3des-cbc  bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd
        A: hmac-md5  60c2c505 517dd8b7 c9609128 a5efc2db
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  1 20:31:10 2005   current: Jan  1 20:40:47 2005
        diff: 577(s)    hard: 3600(s)   soft: 2880(s)
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
        current: 540(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=1 pid=22358 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000)
        E: 3des-cbc  c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce
        A: hmac-md5  3f957db9 9adddc8c 44e5739d 3f53ca0e
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  1 20:31:10 2005   current: Jan  1 20:40:47 2005
        diff: 577(s)    hard: 3600(s)   soft: 2880(s)
        last: Jan  1 20:35:05 2005      hard: 0(s)      soft: 0(s)
        current: 312(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=22358 refcnt=0 

20.3.2. IKE daemon “pluto”

The IKE daemon “pluto” is included in distributions of the *S/WAN projects. *S/WAN project starts at the beginning as FreeS/WAN. Unfortunately, the FreeS/WAN project stopped further development in 2004. Because of the slow pace of development in the past, two spin-offs started: strongSwan and Openswan. Today, readily installable packages are available for at least Openswan (included in Fedora Core 3).

A major difference to “racoon”, only one configuration file is required. Also, an initscript exists for automatic setup after booting. 20.3.2.1. Configuration of the IKE daemon “pluto”

The configuration is very similar to the IPv4 one, only one important option is necessary.

File: /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn ipv6-p1-p2 
        connaddrfamily=ipv6       # Important for IPv6!
        left=2001:db8:1:1::1
        right=2001:db8:2:2::2
         authby=secret
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        type=transport
        #type=tunnel
        compress=no
        #compress=yes
        auto=add
        #auto=start

Don't forget to define the pre-shared secret here also.

File: /etc/ipsec.secrets

2001:db8:1:1::1 2001:db8:2:2::2 : PSK      "verysecret"

20.3.2.2. Running IPsec with IKE daemon “pluto”

If installation of Openswan was successfully, an initscript should exist for starting IPsec, simply run (on each peer):

# /etc/rc.d/init.d/ipsec start

Afterwards, start this connection on one peer. If you saw the line “IPsec SA established”, all worked fine.

# ipsec auto --up ipv6-peer1-peer2
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established
112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa98b7710 <0xa51e1f22} 

Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, “setkey” can be used here too to show current active parameters:

# setkey -D
2001:db8:1:1::1 2001:db8:2:2::2
        esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
        E: aes-cbc  082ee274 2744bae5 7451da37 1162b483
        A: hmac-sha1  b7803753 757417da 477b1c1a 64070455 ab79082c
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:32 2005   current: Jan  1 21:22:20 2005
        diff: 348(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=23825 refcnt=0
2001:db8:2:2::2 2001:db8:1:1::1
        esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
        E: aes-cbc  6f59cc30 8d856056 65e07b76 552cac18
        A: hmac-sha1  c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Jan  1 21:16:31 2005   current: Jan  1 21:22:20 2005
        diff: 349(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=23825 refcnt=0