Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I want IPsec to secure my connection from my laptop to my server, where they have blocked SSH (yes they have! and changing the port does not work! it's a long story...). I have read a thousand howtos, but no luck.
I think I don't have a good understanding of IPsec, see:
I install openswan, I configure ipsec.conf and generate keys in ipsec.secrets.
I scp ipsec.conf/ipsec.secrets from the server to the laptop (where I somehow manage to gain SSH for a few seconds) so they have the exact same configuration. Now I want to tell both machines to communicate using IPsec, so I run "ipsec auto --up conn-name" on both.
The server runs the command and shows nothing (no verbosity); the laptop gives errors. Before I fix them, I want to know: am I actually doing it right? Is this what IPsec is all about? By running "ipsec auto ..." will I have a secure connection?
And these are the configs:
Code:
    config setup
        # klipsdebug only affects the KLIPS stack; with protostack=netkey
        # use plutodebug (control, or all while troubleshooting) to see IKE
        plutodebug=control
        protostack=netkey
        nat_traversal=yes

    conn conn-name
        # the keys were generated with "ipsec newhostkey", so authenticate with
        # RSA signatures; authby=secret ignores the *rsasigkey lines and expects
        # a pre-shared key in ipsec.secrets instead
        authby=rsasig
        pfs=no
        rekey=no
        # no leftprotoport/rightprotoport=17/1701 here: that would limit the
        # tunnel to L2TP (UDP 1701) traffic only
        # left = server
        left=SERVER_IP
        leftid=@vhost.mywebsite.com
        # the server's own public key, unquoted 0s... value from
        # "ipsec showhostkey --left" run on the server
        leftrsasigkey="THE VERY LONG KEY"
        # right = laptop (123.231.111.222)
        right=LAPTOP_IP
        rightid=@123.231.111.222
        # the laptop's own public key ("ipsec showhostkey --right" on the
        # laptop); it must not be a copy of the server's key
        rightrsasigkey="THE LAPTOP'S OWN KEY"
        auto=add
And ipsec.secrets:
Code:
include /etc/ipsec.d/my.secrets
And my.secrets:
Code:
    # "ipsec newhostkey" writes the key as one ": RSA { ... }" block; this
    # opening line is what the closing "}" at the end belongs to
    : RSA {
        # RSA 2048 bits website Fri Jun 8 08:14:08 2012
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey= same long key which was in ipsec.conf
        Modulus: 0x"THE VERY LONG KEY"
        PublicExponent: 0x"a number"
        # everything after this point is CKA_ID in hex format when using NSS
        PrivateExponent: 0x"some string"
        Prime1: 0x"some string"
        Prime2: 0x"some string"
        Exponent1: 0x"some string"
        Exponent2: 0x"some string"
        Coefficient: 0x"some string"
        CKAIDNSS: 0x"some string"
        }
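Two helpers for the configuration posted above, added here as an example and not part of the original post or of openswan itself. The first turns the Modulus/PublicExponent pair from the ": RSA { ... }" block in ipsec.secrets into the "0s..." string that belongs in leftrsasigkey=/rightrsasigkey=: the RFC 3110 RSA key wire format (exponent length, exponent, unsigned modulus), base64 encoded, with the "0s" prefix openswan uses for base64. That is my understanding of what `ipsec showhostkey --left` prints; check it against that command on a real host. The second lints an ipsec.conf for the inconsistencies visible in the post: klipsdebug with protostack=netkey, authby=secret next to *rsasigkey lines, identical left and right keys (what you get after copying one host's ipsec.secrets to the other, which also hands both hosts the same private key; each host should run `ipsec newhostkey` itself and only the public part travels), and protoport 17/1701 limiting the SA to L2TP. The sample ipsec.conf and secrets text are constructed, with small numbers in place of a 2048-bit key.

```python
"""Added example: rsasigkey encoding and an ipsec.conf linter (not openswan code)."""
import base64
import re


def rfc3110_rsa_key(modulus: int, exponent: int) -> bytes:
    """RFC 3110 section 2: exponent length (1 byte, or 0x00 + 2 bytes when the
    exponent is 256 bytes or longer), the exponent, then the unsigned modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return prefix + e + n


def rsasigkey_from_secrets(secrets_text: str) -> str:
    """Build the 0s... value (0s = base64) from a ': RSA { ... }' secrets block."""
    mod = re.search(r"Modulus:\s*0x([0-9a-fA-F]+)", secrets_text)
    exp = re.search(r"PublicExponent:\s*0x([0-9a-fA-F]+)", secrets_text)
    if not (mod and exp):
        raise ValueError("no Modulus/PublicExponent in secrets text")
    raw = rfc3110_rsa_key(int(mod.group(1), 16), int(exp.group(1), 16))
    return "0s" + base64.b64encode(raw).decode("ascii")


def parse_ipsec_conf(text: str) -> dict:
    """Minimal reader: 'config setup' / 'conn NAME' sections of key=value lines.
    '#' comments and blank lines are skipped; this is not the full ipsec.conf grammar."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif "=" in line and current:
            k, v = line.split("=", 1)
            sections[current][k.strip()] = v.strip()
    return sections


def lint_ipsec_conf(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_ipsec_conf(text)
    setup = conf.get("config setup", {})
    if setup.get("protostack") == "netkey" and "klipsdebug" in setup:
        findings.append("klipsdebug has no effect with protostack=netkey; use plutodebug")
    for name, conn in conf.items():
        if not name.startswith("conn "):
            continue
        has_rsa = "leftrsasigkey" in conn or "rightrsasigkey" in conn
        if conn.get("authby") == "secret" and has_rsa:
            findings.append(f"{name}: authby=secret ignores *rsasigkey; use authby=rsasig or a PSK")
        if has_rsa and conn.get("leftrsasigkey") == conn.get("rightrsasigkey"):
            findings.append(f"{name}: left and right rsasigkey are identical; each host needs its own key")
        if "17/1701" in (conn.get("leftprotoport"), conn.get("rightprotoport")):
            findings.append(f"{name}: protoport 17/1701 limits the SA to L2TP (UDP 1701), not all traffic")
    return findings


# Constructed sample: a cut-down copy of the posted ipsec.conf with short fake keys.
SAMPLE_CONF = """\
config setup
    klipsdebug=all
    protostack=netkey
    nat_traversal=yes

conn conn-name
    authby=secret
    pfs=no
    rekey=no
    left=192.0.2.10
    leftprotoport=17/1701
    right=198.51.100.20
    rightprotoport=17/1701
    leftid=@vhost.mywebsite.com
    rightid=@198.51.100.20
    leftrsasigkey=0sAwEAAcD/7g==
    rightrsasigkey=0sAwEAAcD/7g==
    auto=add
"""

# Constructed sample: tiny numbers instead of a real 2048-bit key so the result is checkable.
SAMPLE_SECRETS = """\
: RSA {
    # RSA 2048 bits website Fri Jun 8 08:14:08 2012
    Modulus: 0xc0ffee
    PublicExponent: 0x010001
    }
"""

if __name__ == "__main__":
    print("rsasigkey:", rsasigkey_from_secrets(SAMPLE_SECRETS))
    for finding in lint_ipsec_conf(SAMPLE_CONF):
        print("-", finding)
```

Feed your own my.secrets to rsasigkey_from_secrets() on each host and compare the two results: if they are equal, the hosts share a private key and one of them needs a fresh `ipsec newhostkey`.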
Manual IPsec Phase 2 keying is not especially difficult to configure, but it certainly is less secure than IKE. I'd go with IKE if at all possible.
If SSH is blocked by deep packet inspection, expect IPsec to get blocked as well. Compared to SSH on a random port, IPsec is trivial to block.
HTTP tunneling or ICMP tunneling might work, but be advised that depending on who "they" are, you may be violating a TOS or worse by attempting to bypass network restrictions.
I would say use pluto or charon for IKE and turn debugging on - that helped me find the problems and get it working.
You can monitor traffic going through with 'ip xfrm [monitor|state|policy]'
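A reader for the output of `ip xfrm state` mentioned above, added here as an example and not part of the thread or of iproute2. It answers the question a first-time IPsec user has after `ipsec auto --up` returns: are there ESP security associations in both directions between the two hosts, and do they carry a real cipher and integrity algorithm? The sample output is constructed in the shape `ip xfrm state` prints for a working tunnel, with shortened keys; live_status() runs the real command (it needs iproute2 and normally root) and applies the same check.

```python
"""Added example: interpret 'ip xfrm state' output for a host-to-host tunnel."""
import re
import subprocess

# Constructed sample in the shape of "ip xfrm state" output for a tunnel between
# 192.0.2.10 (server) and 198.51.100.20 (laptop); key material shortened.
SAMPLE_XFRM_STATE = """\
src 192.0.2.10 dst 198.51.100.20
\tproto esp spi 0x0c5d2a8b reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x3a1f5c 96
\tenc cbc(aes) 0x9b77d0
src 198.51.100.20 dst 192.0.2.10
\tproto esp spi 0xd41e07c2 reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x7c02e4 96
\tenc cbc(aes) 0x51e9aa
"""


def parse_xfrm_state(text: str) -> list:
    """Return one dict per SA with src, dst, proto, spi, reqid, mode, enc and auth."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)  # unindented line starts a new SA
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "enc": None, "auth": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        line = line.strip()
        m = re.match(r"proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)", line)
        if m:
            cur.update(proto=m.group(1), spi=int(m.group(2), 16),
                       reqid=int(m.group(3)), mode=m.group(4))
        elif line.startswith("enc "):
            cur["enc"] = line.split()[1]      # e.g. cbc(aes)
        elif line.startswith(("auth-trunc ", "auth ")):
            cur["auth"] = line.split()[1]     # e.g. hmac(sha1)
    return sas


def tunnel_status(text: str, a: str, b: str):
    """(ok, reasons) for the pair a<->b: ESP both ways, with encryption and integrity."""
    reasons = []
    sas = parse_xfrm_state(text)
    for src, dst in ((a, b), (b, a)):
        match = [s for s in sas
                 if s["src"] == src and s["dst"] == dst and s.get("proto") == "esp"]
        if not match:
            reasons.append(f"no ESP SA {src} -> {dst}")
            continue
        for s in match:
            if s["enc"] in (None, "ecb(cipher_null)"):
                reasons.append(f"SA {src} -> {dst} spi {s['spi']:#x} has no encryption")
            if s["auth"] is None:
                reasons.append(f"SA {src} -> {dst} spi {s['spi']:#x} has no integrity check")
    return (not reasons, reasons)


def live_status(a: str, b: str):
    """Same check against the running kernel (needs iproute2 and usually root)."""
    out = subprocess.run(["ip", "xfrm", "state"], capture_output=True,
                         text=True, check=True).stdout
    return tunnel_status(out, a, b)


if __name__ == "__main__":
    print(tunnel_status(SAMPLE_XFRM_STATE, "192.0.2.10", "198.51.100.20"))
```

If `ip xfrm state` prints nothing at all after `ipsec auto --up`, IKE never finished and the place to look is the pluto log, not the kernel; if only one direction shows up, the SA pair is half-installed and the other side's log will say why.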
Thanks nikmit,
but would you be so kind as to provide a little more basic, non-technical information? I can follow the documentation, but there is a big gap between my basic and my technical knowledge on the subject! I have no idea what I am doing.
Following your advice I'd be running pluto, but what is pluto really?
(Sorry if I'm talking in a very, very basic manner.) Would I dial a connection to the server with the help of some special application, get connected, and then all my traffic would be sent using IPsec automatically? Is IPsec a private network, or is it just encryption?
(Probably I'm asking too much, but if you have free time) do you know the simplest way to get pluto running?
Last edited by loolooyyyy; 06-11-2012 at 03:16 PM.
Pluto and charon are the parts of strongswan/openswan that deal with the automatic key exchange (IKE). I say use them for IKE because presently you are not, and are doing a manual key exchange - I don't know how the latter works, as I have never done it, but I trust Ser Olmy knows.
You start the daemons and debugging for them in the general setup section of your ipsec.conf. This is what I have:
Code:
    config setup
        # change this to 'all' or at least 'control' until you are up and running
        plutodebug=none
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=no
        charonstart=no
        plutostart=yes
On my machine the logs from pluto were sent to /var/log/auth.log - I run Debian Squeeze.
It is worth finishing what you have started, but you should still know there are other options too. If you don't know much about VPNs, I think you will find it easier to use OpenVPN. It will create a tun0 interface, and everything you point through that interface will get encrypted. I find it more intuitive. In your case another benefit might be that it is not the standard IPsec VPN, and you can choose an arbitrary port for the connection to run over.
Complications could come from the NATing, however; I haven't tried making a tunnel from behind NAT.
You indeed have a point there: it's worth finishing what I have started. I have learned many aspects of networking that I never had to deal with directly.
I didn't have any luck with openswan; I'll give strongswan a try. I think I'll do it on a VM first!
Thanks again nikmit
It's a great idea to do it in a virtual setup first. If you can create two VM hosts, one bridged to the local NIC and the other NATed to it, then you will have a scenario close to the real setup. What you need is to test this in the same topology/set up but without the blocking policies of the ISP. Keep posting and best of luck.