
Slurm - How_to_create_a_ipsec_tunnel_connection_in_Openstack - # 9

How to create an IPsec tunnel connection in OpenStack


Scenario
OS: CentOS 7
headnode: 2 NICs

10.30.0.X
192.168.200.X

Create a VPN gateway in OpenStack


Requirements

One router (between the public and private networks)


One floating IP

Go to Project -> Network -> VPN to create all the resources needed.

Create IKE policies

In IKE Policies, create a new IKE policy:

10/01/2018 1/8
Before strongSwan 5.0, if you use NAT Traversal with IKE version 1, add nat_traversal=yes to the ipsec.conf file on the
headnode. If you use IKE version 2, you can omit this field [1].

Create IPsec policies

In IPsec Policies, create a new IPsec policy:

Create VPN

In VPN Services, add the router and define the private network that will be exposed.

Create site-to-site connection

In IPsec Site Connections, create a new site-to-site connection:

To define a strong PSK, you can generate one with this command:

openssl rand -hex 10

Access the OpenStack VPN gateway from the headnode


To create an SA between the OpenStack VPN gateway and the headnode (and between the headnode and the VPN gateway), you first
need to permit, on both sides, UDP 500 traffic (source and destination port) and IP protocol 50 (ESP) and/or 51 (AH).

iptables -A INPUT -p udp --dport 500 -s <SOURCE_IP> -d <DESTINATION_IP> -j ACCEPT
iptables -A INPUT -p esp -s <SOURCE_IP> -d <DESTINATION_IP> -j ACCEPT

If you use NAT Traversal, also permit UDP 4500 (source and destination port).

iptables -A INPUT -p udp --dport 4500 -s <SOURCE_IP> -d <DESTINATION_IP> -j ACCEPT

Install strongswan

To install strongSwan on CentOS 7, you first need the EPEL repo configured. To do this, install the epel-release package:

yum install -y epel-release

After that, install the strongswan package:

yum install -y strongswan

On Debian-based distributions, the utility used to manage IPsec is the ipsec command. On Red Hat-based distributions, the
utility is the strongswan command.

Create ipsec.conf file

Edit/create the /etc/strongswan/ipsec.conf file:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup

# values inherited by every conn section below
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=psk
    mobike=no

# headnode (left) <-> OpenStack VPN gateway (right)
conn ops
    keyexchange=ikev2
    left=10.11.4.28
    leftsubnet=192.168.200.0/24
    leftid=10.11.4.28
    leftfirewall=yes
    right=150.165.85.42
    rightsubnet=192.168.15.0/24
    rightid=150.165.85.42
    auto=route
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=120s
    ike=aes128-sha1-modp1536
    ikelifetime=360000s
    esp=aes128-sha1-modp1536
    lifetime=360000s
    type=tunnel

Where:

authby = Authentication mode.
mobike = MOBIKE protocol (RFC 4555). Permits a remote access VPN user to move from one address to another without
re-establishing all SAs with the VPN gateway.
conn <name> = Connection name.
left = Local IP.
leftsubnet = Local subnet that will be exposed to the other side of the connection.
leftid = Local ID (use the local IP).
leftfirewall = Add firewall rules that allow the tunnel traffic to be forwarded.
right = Remote IP.
rightsubnet = Remote subnet that will be exposed to this side of the connection.
rightid = Remote ID (use the remote IP).
ike = Cryptographic algorithms for the IKE SA (Phase 1).
ikelifetime = Lifetime of the IKE SA.
esp = Cryptographic/authentication algorithms for the ESP SA (Phase 2).
lifetime = Lifetime of the ESP SA.
type = Connection mode (tunnel or transport).
dpdaction = Dead Peer Detection action. hold installs a trap policy, which catches matching traffic and tries to
re-negotiate the connection on demand; restart immediately triggers an attempt to re-negotiate the connection.

This information is necessary to negotiate the Diffie-Hellman group (default: group 5) and the encryption and authentication
algorithms (IKE Phase 1), and to create the SA (IKE Phase 2) between the nodes.
An SA is a unidirectional channel. To permit traffic in both directions, it is necessary to create two SAs (one in each direction).

strongSwan is responsible for creating the SAs.

After an SA is established, the keys are automatically re-exchanged when the lifetime expires.
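As an added example (not part of the original page), the following Python script parses a strongSwan ipsec.conf in the format shown above, merges the conn %default values into each conn, and flags the checks worth running before strongswan up (missing endpoints, a proposal without a DH group). The sample configuration is a trimmed copy of this page's file; the check list is my own choice.

```python
import re

# Constructed sample: the %default and "ops" sections of this page's ipsec.conf (trimmed).
SAMPLE_IPSEC_CONF = """\
conn %default
        ikelifetime=60m
        keyingtries=1
        authby=psk
conn ops
    keyexchange=ikev2
    left=10.11.4.28
    leftsubnet=192.168.200.0/24
    right=150.165.85.42
    rightsubnet=192.168.15.0/24
    ike=aes128-sha1-modp1536
    ikelifetime=360000s
    esp=aes128-sha1-modp1536
    lifetime=360000s
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert a strongSwan time value such as 60m or 360000s to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with the conn %default values merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: section header ("conn ops")
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:                   # indented: key=value inside the section
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {n: {**default, **body} for (k, n), body in sections.items() if k == "conn" and n != "%default"}

def check_conn(conf):
    """Findings worth fixing before 'strongswan up': missing endpoints, proposals without a DH group."""
    findings = [f"missing {k}" for k in ("left", "leftsubnet", "right", "rightsubnet", "authby") if k not in conf]
    for prop in ("ike", "esp"):
        group = conf.get(prop, "").split("-")[-1]  # last element of aes128-sha1-modp1536 is the DH group
        if not group.startswith(("modp", "ecp", "curve")):
            findings.append(f"{prop} proposal {conf.get(prop)!r} has no DH group")
    return findings
```

Note that the conn-level ikelifetime=360000s overrides the 60m from %default, which is what the merged output shows.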

Create ipsec.secrets

In OpenStack, the connection can only be made using a PSK (pre-shared key). To define which PSK is used, edit
/etc/strongswan/ipsec.secrets:

<YOUR_IP> : PSK "<PSK>" 
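The following Python helper (added here, not from the page) generates a PSK with the same entropy as the openssl command above and writes the ipsec.secrets line with the file restricted to mode 0600, so the PSK is not readable by other local users. The demo path and the IDs are assumptions; on the headnode the target is /etc/strongswan/ipsec.secrets.

```python
import os
import secrets
import stat
import tempfile

# Assumed demo path (not from the page); on the headnode the file is /etc/strongswan/ipsec.secrets.
DEFAULT_DEMO_PATH = os.path.join(tempfile.gettempdir(), "ipsec.secrets.example")

def generate_psk(nbytes=10):
    """Same idea as the page's 'openssl rand -hex 10': nbytes of CSPRNG output as hex (20 chars)."""
    return secrets.token_hex(nbytes)

def write_ipsec_secrets(path, local_id, psk, remote_id=None):
    """Write one ipsec.secrets line ('<id> [<id>] : PSK "..."') with the file restricted to mode 0600.

    The line goes to a temporary file that mkstemp creates with mode 0600 and is then renamed
    into place, so a crash never leaves a half-written or world-readable secrets file.
    """
    ids = local_id if remote_id is None else f"{local_id} {remote_id}"
    line = f'{ids} : PSK "{psk}"\n'
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(line)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return line

def secrets_file_mode(path):
    """Permission bits of the secrets file; anything wider than 0o600 exposes the PSK to local users."""
    return stat.S_IMODE(os.stat(path).st_mode)
```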

Connect the headnode and the OpenStack VPN gateway

On the headnode:

strongswan start
strongswan up <Connection_name>

If all goes well, this is the expected output:

initiating IKE_SA ops3[1] to 150.165.85.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.30.0.X[500] to 150.165.85.X[500] (596 bytes)
received packet: from 150.165.85.X[500] to 10.30.0.X[500] (392 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of '10.30.0.X' (myself) with pre-shared key
establishing CHILD_SA <Connection_name>
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.30.0.X[4500] to 150.165.85.X[4500] (332 bytes)
received packet: from 150.165.85.X[4500] to 10.30.0.X[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of '150.165.85.X' with pre-shared key successful
IKE_SA ops3[1] established between 10.30.0.X[10.30.0.X]...150.165.85.X[150.165.85.X]
scheduling reauthentication in 359673s
maximum IKE_SA lifetime 359853s
connection '<Connection_name>' established successfully

As of strongSwan 5.0, NAT traversal is automatic; no configuration is needed [3].
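As an added example (not part of the original page), this Python snippet runs over the strongswan up output above and reduces it to the facts an operator checks: which peer authenticated with the PSK, whether the local host is behind NAT and UDP 4500 (NAT-T) is in use, the CHILD_SA name and the reauthentication time. The sample log is a trimmed copy of the page's output with its X placeholders kept.

```python
import re

# Constructed sample: the "strongswan up" output shown on this page (X placeholders kept as on the page).
SAMPLE_LOG = """\
sending packet: from 10.30.0.X[500] to 150.165.85.X[500] (596 bytes)
local host is behind NAT, sending keep alives
authentication of '10.30.0.X' (myself) with pre-shared key
establishing CHILD_SA ops
sending packet: from 10.30.0.X[4500] to 150.165.85.X[4500] (332 bytes)
authentication of '150.165.85.X' with pre-shared key successful
IKE_SA ops3[1] established between 10.30.0.X[10.30.0.X]...150.165.85.X[150.165.85.X]
scheduling reauthentication in 359673s
connection 'ops' established successfully
"""

HOST = r"[^\[\]\s]+"
PATTERNS = {
    "ike_sa": re.compile(rf"^IKE_SA ({HOST})\[\d+\] established between ({HOST})\[[^\]]*\]\.\.\.({HOST})\["),
    "peer_auth": re.compile(r"^authentication of '([^']+)' with pre-shared key successful$"),
    "child_sa": re.compile(r"^establishing CHILD_SA (\S+)$"),
    "port": re.compile(rf"^(?:sending|received) packet: from {HOST}\[(\d+)\] to {HOST}\[(\d+)\]"),
    "reauth": re.compile(r"^scheduling reauthentication in (\d+)s$"),
    "connection": re.compile(r"^connection '([^']+)' established successfully$"),
}

def summarize_ike(log):
    """Reduce 'strongswan up' output to the facts that matter: peer, auth result, NAT-T, lifetimes."""
    hits, behind_nat = {}, False
    for line in log.splitlines():
        line = line.strip()
        behind_nat = behind_nat or line.startswith("local host is behind NAT")
        for name, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                hits.setdefault(name, []).append(m.groups())
    ike = hits.get("ike_sa", [(None, None, None)])[-1]
    ports = {p for groups in hits.get("port", []) for p in groups}
    return {
        "ike_sa": ike[0], "local": ike[1], "peer": ike[2],
        "peer_auth_ok": "peer_auth" in hits,          # the "(myself)" line is local auth, not the peer's
        "child_sa": hits["child_sa"][-1][0] if "child_sa" in hits else None,
        "behind_nat": behind_nat,
        "nat_t": "4500" in ports,                     # UDP 4500 seen: the NAT-T firewall rule is required
        "reauth_s": int(hits["reauth"][-1][0]) if "reauth" in hits else None,
        "established": "connection" in hits,
    }

def tunnel_ok(summary):
    """True only when the peer authenticated and both the IKE_SA and the connection came up."""
    return bool(summary["established"] and summary["peer_auth_ok"] and summary["ike_sa"])
```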

References:
[1] https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal
https://doc.pfsense.org/index.php/IPsec_Troubleshooting#NAT_Problems
https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
[3] https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#Server_behind_NAT

Files
ike0.png 59,2 KB 21/06/2017 Luis Eduardo
ipsecp0.png 62,9 KB 21/06/2017 Luis Eduardo
site-2-site.png 44 KB 21/06/2017 Luis Eduardo
vpn0.png 32,2 KB 21/06/2017 Luis Eduardo
