6.11. IPsec Host-to-Host Configuration

IPsec can be configured to connect one desktop or workstation to another by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create the secure tunnel to each other. The requirements of a host-to-host connection are minimal, as is the configuration of IPsec on each host. The hosts need only a dedicated connection to a carrier network (such as the Internet) and Red Hat Enterprise Linux to create the IPsec connection.

The first step in creating a connection is to gather system and network information from each workstation. For a host-to-host connection, you need the following information:

For example, suppose Workstation A and Workstation B want to connect to each other through an IPsec tunnel. They want to connect using a pre-shared key with the value of foobarbaz and the users agree to let racoon automatically generate and share an authentication key between each host. Both host users decide to name their connections ipsec0.

The following is the ifcfg file for host-to-host IPsec connection for Workstation A. The unique name to identify the connection in this example is ipsec0, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec0.

DST=X.X.X.X
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK

Workstation A would replace X.X.X.X with the IP address of Workstation B, while Workstation B replaces X.X.X.X with the IP address of Workstation A. The connection is set to initiate upon boot-up (ONBOOT=yes) and uses the pre-shared key method of authentication (IKE_METHOD=PSK).

The following is the pre-shared key file (called /etc/sysconfig/network-scripts/keys-ipsec0 that both workstations use to authenticate each other. The contents of this file should be identical on both workstations and only the root user should be able to read or write this file.

IKE_PSK=foobarbaz

ImportantImportant
 

To change the keys-ipsec0 file so that only the root user can read or edit the file, perform the following command after creating the file:

chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0

To change the authentication key at any time, edit the keys-ipsec0 file on both workstations. Both keys must be identical for proper connectivity.

The /etc/racoon/racoon.conf file should be identical except for the include "/etc/racoon/X.X.X.X.conf" statement. This statement (and the file it references) is generated when the IPsec tunnel is activated. For Workstation A, the X.X.X.X in the include statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical racoon.conf file when IPsec connection is activated.

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
	pfs_group 2;
	lifetime time 1 hour ;
	encryption_algorithm 3des, blowfish 448, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf"

To start the connection, either reboot the workstation or execute the following command as root on each host:

/sbin/ifup ipsec0

To test the IPsec connection, run the tcpdump utility to view the network packets being transfered between the hosts (or networks) and verify that they are encrypted via IPsec. The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example:

17:13:20.617872 pinky.example.com > ijin.example.com: \
	    AH(spi=0x0aaa749f,seq=0x335): ESP(spi=0x0ec0441e,seq=0x335) (DF)