Scribd
Upload
40 views3 pages

IPsec Tools Checklist

This document provides a checklist for testing an IPsec VPN configuration using IPsec-Tools. The checklist includes verifying: 1) IP forwarding is enabled; 2) clients and gateways can communicate; 3) the kernel supports required IPsec modules; 4) recent versions of IPsec-tools are installed; 5) ESP/AH/IPComp protocols are not firewalled; 6) ESP/AH/IPComp traffic is not NATed at the gateway; and 7) security policies are properly configured in the security policy database. The checklist also suggests verifying racoon is running and negotiating phase 1 and phase 2 SAs.

Uploaded by

Merab Tavartkiladze
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
40 views3 pages

IPsec Tools Checklist

This document provides a checklist for testing an IPsec VPN configuration using IPsec-Tools. The checklist includes verifying: 1) IP forwarding is enabled; 2) clients and gateways can communicate; 3) the kernel supports required IPsec modules; 4) recent versions of IPsec-tools are installed; 5) ESP/AH/IPComp protocols are not firewalled; 6) ESP/AH/IPComp traffic is not NATed at the gateway; and 7) security policies are properly configured in the security policy database. The checklist also suggests verifying racoon is running and negotiating phase 1 and phase 2 SAs.

Uploaded by

Merab Tavartkiladze
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

IPsec Tools checklist http://ipsec-tools.sourceforge.net/checklist.

html

IPsec-Tools Checklist
IP Forwarding is on
your box will serve as gateway for other boxes? if not - skip it.
# cat /proc/sys/net/ipv4/ip_forward
1
#

Dito IPv6, if you use it

Clients can talk with gateway


from client ping gateway and get responce

Gateway can talk to other gateway


In general, any method which shows that packets could go to other gateway
and return back is good. Depending on firewall rules some of the following
methods may not work. But you should achieve for at least one of them to
work.
from gateway ping other gateway and get responce;
tracepath/traceroute to other gateway and get responce at least from
remote gateway's next-hop;
get confirmation from other gateway's admin that there is no obstacles
for the two gateways to communicate.

Kernel has af_key/ esp/ ah/ ipcomp compiled-in/loaded as module


How do we check this?

ipsec-tools are recent enought


for kernels 2.6.10 and up, you have to use ipsec-tools version 0.5.rc1 or later;
0.4 or later is recomended
$ setkey -V
setkey 0.3.3 http://ipsec-tools.sourceforge.net

If you get error messages - you are using version earlier than 0.3.3

ESP/ AH/ IPComp is not firewalled


Below is minimal list of rules what are needed for IPSec to work. Ensure that
they are placed high enought and are not blocked by earlier rules.
1. iptables -A INPUT -p udp -s other-gateway -d my-external-address
--dport 500 --j ACCEPT (for IKE traffic)
2. iptables -A INPUT -p udp -s other-gateway -d my-external-address
--dport 4500 --j ACCEPT (extra port for IKE traffic if you will use NAT-T)
3. iptables -A INPUT -p esp -s other-gateway -d my-external-address -j
ACCEPT (if outermost packet will be ESP)
4. iptables -A INPUT -p ah -s other-gateway -d my-external-address -j
ACCEPT (if outermost packet will be AH)
5. the same for OUTPUT, just arguments for -s and -d swaped, and --dport
changed to --sport
Anything missing? forwarding of traffic to be encapsulated/decapsulated?

ESP/ AH/ IPComp traffic is not NATed/ Masqueraded at gateway


if you do SNAT/ DNAT/ MASQUERADE on gateway, insert rules which allow
to pass through protocols you intend to use (esp=50, ah=51) before rules
with -j SNAT/ DNAT/ MASQUERADE.

1 of 3 12/1/2008 11:30 PM
IPsec Tools checklist http://ipsec-tools.sourceforge.net/checklist.html

iptables -t nat -I POSTROUTING 1 -p 50 -j ACCEPT

Policies are added into SPD


There should be 2 rules -- one in and one out for every pair of network
objects you want to secure traffic.
$ setkey -DP|less
192.168.1.0/24[any] 192.168.2.0/24[any] any
in ipsec
esp/tunnel/remote_gw-local_gw/unique#16387
created: Mar 21 20:53:50 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=96 seq=7 pid=12159
refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
out ipsec
esp/tunnel/local_gw-remote_gw/unique#16386
created: Mar 21 20:53:50 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=89 seq=6 pid=12159
refcnt=1

Parameters in the policies are in right order


order of parameters and direction are very important!
remote_object local_object -P in ipsec esp/tunnel/remote_gw-local_gw
/unique;
local_object remote_object -P out ipsec esp/tunnel/local_gw-remote_gw
/unique;

racoon is running

$ ps ax|grep racoon|grep -v grep|wc -l


1

gateway's traffic goes from secure interface


This could be achieved by routing local traffic via internal (secure) interface:
ip route add other.network/mask via default.gw src
gateway's.private.addr
or alternatively, it is possible to set up extra policies for gateway-
remote_networks, gateway-gateway and local_networks-gateway traffic.

kernel requests racoon to negotiate SA


TODO

racoon is negotiating Phase 1


TODO

racoon is negotiating Phase 2


TODO

tcpdump shows plain text traffic!


If you tcpdump on gateway, and you see both incoming ipsec packets and
incoming plain text packets - it is normal behavior.
In linux incoming ipsec packets enters interface, ipsec headers are checked
and removed and plain text packet enters kernel code one more time as if it
just come from network hardware. This is why tcpdump shows it twice.
To be sure, sniff traffic from third box in between of security gateways and
you will see just encapsulated traffic!

2 of 3 12/1/2008 11:30 PM
IPsec Tools checklist http://ipsec-tools.sourceforge.net/checklist.html

FreeS/WAN: traffic for just one of many policies go through


FreeS/WAN requires different SA for every policy/tunnel.
Change require to unique in your policies.

3 of 3 12/1/2008 11:30 PM

You might also like