IPsec Network-to-Network Configuration

IPsec can also be configured to connect an entire network (such as a LAN or WAN) to a remote network using a network-to-network connection. A network-to-network connection requires the setup of IPsec routers on each side of the connecting networks to transparently process and route information from one node on a LAN to a node on a remote LAN. Figure 46.11, "A network-to-network IPsec tunneled connection" shows a network-to-network IPsec tunneled connection.

Figure 46.11. A network-to-network IPsec tunneled connection

This diagram shows two separate LANs separated by the Internet. These LANs use IPsec routers to authenticate and initiate a connection using a secure tunnel through the Internet. Packets that are intercepted in transit would require brute-force decryption in order to crack the cipher protecting the packets between these LANs. The process of communicating from one node in the 192.168.1.0/24 IP range to another in the 192.168.2.0/24 range is completely transparent to the nodes as the processing, encryption/decryption, and routing of the IPsec packets are completely handled by the IPsec router.

The information needed for a network-to-network connection include:

The externally-accessible IP addresses of the dedicated IPsec routers

The network address ranges of the LAN/WAN served by the IPsec routers (such as 192.168.1.0/24 or 10.0.1.0/24)
The IP addresses of the gateway devices that route the data from the network nodes to the Internet
A unique name, for example, ipsec1. This is used to identify the IPsec connection and to distinguish it from other devices or connections.
A fixed encryption key or one automatically generated by racoon
A pre-shared authentication key that is used during the initial stage of the connection and to exchange encryption keys during the session.

Network-to-Network (VPN) Connection

A network-to-network IPsec connection uses two IPsec routers, one for each network, through which the network traffic for the private subnets is routed.

For example, as shown in Figure 46.12, "Network-to-Network IPsec", if the 192.168.1.0/24 private network sends network traffic to the 192.168.2.0/24 private network, the packets go through gateway0, to ipsec0, through the Internet, to ipsec1, to gateway1, and to the 192.168.2.0/24 subnet.

IPsec routers require publicly addressable IP addresses and a second Ethernet device connected to their respective private networks. Traffic only travels through an IPsec router if it is intended for another IPsec router with which it has an encrypted connection.

Figure 46.12. Network-to-Network IPsec

Alternate network configuration options include a firewall between each IP router and the Internet, and an intranet firewall between each IPsec router and subnet gateway. The IPsec router and the gateway for the subnet can be one system with two Ethernet devices: one with a public IP address that acts as the IPsec router; and one with a private IP address that acts as the gateway for the private subnet. Each IPsec router can use the gateway for its private network or a public gateway to send the packets to the other IPsec router.

Use the following procedure to configure a network-to-network IPsec connection:

In a command shell, type system-config-network to start the Network Administration Tool.

On the IPsec tab, click New to start the IPsec configuration wizard.
Click Forward to start configuring a network-to-network IPsec connection.
Enter a unique nickname for the connection, for example, ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click Forward to continue.
Select Network to Network encryption (VPN) as the connection type, and then click Forward.
Select the type of encryption to use: manual or automatic.
If you select manual encryption, an encryption key must be provided later in the process. If you select automatic encryption, the racoon daemon manages the encryption key. The ipsec-tools package must be installed if you want to use automatic encryption.
Click Forward to continue.
On the Local Network page, enter the following information:
- Local Network Address - The IP address of the device on the IPsec router connected to the private network.
Local Subnet Mask - The subnet mask of the local network IP address.
Local Network Gateway - The gateway for the private subnet.

Click Forward to continue.

Figure 46.13. Local Network Information

On the Remote Network page, enter the following information:
- Remote IP Address - The publicly addressable IP address of the IPsec router for the other private network. In our example, for ipsec0, enter the publicly addressable IP address of ipsec1, and vice versa.
Remote Network Address - The network address of the private subnet behind the other IPsec router. In our example, enter 192.168.1.0 if configuring ipsec1, and enter 192.168.2.0 if configuring ipsec0.
Remote Subnet Mask - The subnet mask of the remote IP address.
Remote Network Gateway - The IP address of the gateway for the remote network address.
If manual encryption was selected in step 6, specify the encryption key to use or click Generate to create one.
Specify an authentication key or click Generate to generate one. This key can be any combination of numbers and letters.

Click Forward to continue.

Figure 46.14. Remote Network Information

Verify the information on the IPsec - Summary page, and then click Apply.
Select File > Save to save the configuration.
Select the IPsec connection from the list, and then click Activate to activate the connection.
Enable IP forwarding:
1. Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
Use the following command to enable the change:
```
sysctl -p /etc/sysctl.conf
```
The network script to activate the IPsec connection automatically creates network routes to send packets through the IPsec router if necessary.

Manual IPsec Network-to-Network Configuration

Suppose LAN A (lana.example.com) and LAN B (lanb.example.com) want to connect to each other through an IPsec tunnel. The network address for LAN A is in the 192.168.1.0/24 range, while LAN B uses the 192.168.2.0/24 range. The gateway IP address is 192.168.1.254 for LAN A and 192.168.2.254 for LAN B. The IPsec routers are separate from each LAN gateway and use two network devices: eth0 is assigned to an externally-accessible static IP address which accesses the Internet, while eth1 acts as a routing point to process and transmit LAN packets from one network node to the remote network nodes.

The IPsec connection between each network uses a pre-shared key with the value of r3dh4tl1nux, and the administrators of A and B agree to let racoon automatically generate and share an authentication key between each IPsec router. The administrator of LAN A decides to name the IPsec connection ipsec0, while the administrator of LAN B names the IPsec connection ipsec1.

The following example shows the contents of the ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec0, so the resulting file is called /etc/sysconfig/network-scripts/ifcfg-ipsec0.

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.1.254
DSTGW=192.168.2.254
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X

The following list describes the contents of this file:

TYPE=IPSEC: Specifies the type of connection.

ONBOOT=yes

Specifies that the connection should initiate on boot-up.

IKE_METHOD=PSK

Specifies that the connection uses the pre-shared key method of authentication.

SRCGW=192.168.1.254

The IP address of the source gateway. For LAN A, this is the LAN A gateway, and for LAN B, the LAN B gateway.

DSTGW=192.168.2.254

The IP address of the destination gateway. For LAN A, this is the LAN B gateway, and for LAN B, the LAN A gateway.

SRCNET=192.168.1.0/24

Specifies the source network for the IPsec connection, which in this example is the network range for LAN A.

DSTNET=192.168.2.0/24

Specifies the destination network for the IPsec connection, which in this example is the network range for LAN B.

DST=X.X.X.X

The externally-accessible IP address of LAN B.

The following example is the content of the pre-shared key file called /etc/sysconfig/network-scripts/keys-ipsecX (where X is 0 for LAN A and 1 for LAN B) that both networks use to authenticate each other. The contents of this file should be identical and only the root user should be able to read or write this file.

IKE_PSK=r3dh4tl1nux

To change the keys-ipsecX file so that only the root user can read or edit the file, use the following command after creating the file:

chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1

To change the authentication key at any time, edit the keys-ipsecX file on both IPsec routers. Both keys must be identical for proper connectivity.

The following example is the contents of the /etc/racoon/racoon.conf configuration file for the IPsec connection. Note that the include line at the bottom of the file is automatically generated and only appears if the IPsec tunnel is running.

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
 pfs_group 2;
 lifetime time 1 hour ;
 encryption_algorithm 3des, blowfish 448, rijndael ;
 authentication_algorithm hmac_sha1, hmac_md5 ;
 compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf"

The following is the specific configuration for the connection to the remote network. The file is called X.X.X.X.conf (where X.X.X.X is the IP address of the remote IPsec router). Note that this file is automatically generated when the IPsec tunnel is activated and should not be edited directly.

remote X.X.X.X
{
        exchange_mode aggressive, main;
 my_identifier address;
 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  authentication_method pre_shared_key;
  dh_group 2 ;
 }
}

Prior to starting the IPsec connection, IP forwarding should be enabled in the kernel. To enable IP forwarding:

Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.

Use the following command to enable the change:
```
sysctl -p /etc/sysctl.conf
```
To start the IPsec connection, use the following command on each router:
```
ifup ipsec0
```
The connections are activated, and both LAN A and LAN B are able to communicate with each other. The routes are created automatically via the initialization script called by running ifup on the IPsec connection. To show a list of routes for the network, use the following command:
```
ip route list
```
To test the IPsec connection, run the tcpdump utility on the externally-routable device (eth0 in this example) to view the network packets being transferred between the hosts (or networks), and verify that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, use the following command:
```
tcpdump -n -i eth0 host lana.example.com
```
The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example (back slashes denote a continuation of one line):
```
12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \
 lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \
 (ipip-proto-4)
```