Solved

How do I set up VPN (IPSec Site to Site) on a Cloud Server running RHEL5

Posted on 2010-08-17
2,797 Views
Last Modified: 2012-05-10
I have a cloud server (from the Rackspace cloud service) with Linux (RHEL5) and I want to set up a VPN connection to a client using VPN - IPSec Site to Site. The client has set up their end and has given me the following parameters - VPN Gateway, Public IP, Transform set and pre-shared key. I will appreciate a step by step procedure on how to establish a tunnel to the client and also the appropriate VPN client software to use. A quick response will be most appreciated.

Thank you.
Question by: abbeytechos
56 Comments
 
Expert Comment by noci (LVL 39):
Use openswan; they do have packages for RHEL.

http://www.openswan.org/download/binaries/
Also configuration etc. has been documented (also look for FreeSwan) for all kinds of interoperability setups.

Expert Comment by noci (LVL 39):
What is the remote equipment? It may help in specifying the needed steps.

Author Comment by abbeytechos:
Hi Noci, just got your message; I guess the time difference might have added to this.

I confirmed with the client: they use Cisco IOS for site to site VPN.

I'm actually very new to administration of a Linux server and VPN setup. I will appreciate well specified steps to get this done. These details - VPN Gateway, Public IP, Transform set and pre-shared key - have been given already by the client; I'm only waiting for my connection.

Hope to hear from you soon.


Expert Comment by noci (LVL 39):
This has several hints on how to connect to Cisco.

http://wiki.openswan.org/index.php/Interop/InteroperatingCisco

You will need OpenSwan >2.6.24-4 as it fixes some specifics w.r.t. Cisco.

Author Comment by abbeytechos:
Most of the links in the URL given are not found. Is there a site or some articles that you can provide that are very comprehensive for a beginner on the setup?

Expert Comment by noci (LVL 39):
This was the original first link (ref to SANS)... I had to google for it.. (SANS apparently reshaped their site).
http://www.sans.org/reading_room/whitepapers/vpns/implementing-site-to-site-ipsec-cisco-router-linux-frees-wan_753

FreeS/Wan was a precursor for openswan. This is a fairly detailed document.

Author Comment by abbeytechos:
Thanks much. I will try it out now and revert back to you on the result. Hopefully it works and I will have much to thank you for.

Author Comment by abbeytechos:
Tried installing following the procedure given in the PDF file, but I keep getting an error installing FreeS/WAN. Although I'm trying to install the latest release, I did however try the old one given in the documentation, but I am still getting an error in the installation. Can you help with a way around this?

Expert Comment by fosiul01 (LVL 29):
Hi ya

I used to use OpenVPN (via IPCop or pfSense, but it will work with Red Hat) for site to site VPN.

ref : http://openmaniak.com/openvpn.php

Now I changed it to Cisco site to site VPN.

But you can use an OpenVPN server to connect to a Cisco box, and I believe it's much more secure and robust.

http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn


Expert Comment by noci (LVL 39):
Please, use openswan as software with a version >= 2.6.25.

FreeS/WAN development ceased around 2000, as the software was complete and functional;
it was granted to the public as such. Openswan is one of the 2 versions that came out of it.

So use the document from SANS, liberally replacing all occurrences of freeswan with openswan.

The config is along the same lines; the pre-shared key versions hardly changed. (X.509 support wasn't in FreeS/WAN, for example.)
Also the newer stuff like IKE with NAT-T support etc. didn't exist when FreeS/WAN was developed.


Expert Comment by noci (LVL 39):
IPSEC has a preference because it retains ALL the qualities of IP for bare frames.
With OpenVPN, IP frames get pushed inside either UDP or TCP frames, with a context of UDP / TCP expectancies instead of IP expectancies.

Also IPSEC is part of the IPv6 standard.

Author Comment by abbeytechos:
Ok noci, I will try as suggested and revert back soon.

Expert Comment by fosiul01 (LVL 29):
OK, missed the word IPsec!!! Did not realize it's IPsec site to site.

Author Comment by abbeytechos:
Just tried installing the openswan 2.6.25 version and I got the error below on running the 'make programs' command -

make[3]: bison: Command not found
make[3]: *** [parser.tab.c] Error 127
make[3]: Leaving directory `/usr/src/openswan-2.6.25/OBJ.linux.x86_64/lib/libipsecconf'
make[2]: *** [programs] Error 1
make[2]: Leaving directory `/usr/src/openswan-2.6.25/OBJ.linux.x86_64/lib'
make[1]: *** [programs] Error 1
make[1]: Leaving directory `/usr/src/openswan-2.6.25/OBJ.linux.x86_64'
make: *** [programs] Error 2

I'm not sure if these are errors to ignore. Is there something I'm probably missing out?


Expert Comment by noci (LVL 39):
OK, if you are building from source then you will need development tools.

bison is a package to generate parsers (chop up files in comprehensible chunks like keywords & values.)

Please install bison from the RH kit, that should fix that.

Author Comment by abbeytechos:
Hi noci, while following the SANS implementation document, below is the error gotten when the command 'make menuconfig' was used in the Linux kernel folder.

[root@gatewaydb1 linux]# make menuconfig
  HOSTCC  scripts/basic/fixdep
In file included from /usr/include/sys/socket.h:35,
                 from /usr/include/netinet/in.h:24,
                 from /usr/include/arpa/inet.h:23,
                 from scripts/basic/fixdep.c:116:
/usr/include/bits/socket.h:310:24: error: asm/socket.h: No such file or directory
make[1]: *** [scripts/basic/fixdep] Error 1
make: *** [scripts_basic] Error 2


I will appreciate any suggestion on way around the error.

Expert Comment by noci (LVL 39):
Did you install the kernel source, and kernel headers which agree with each other?
(Internal header files do change a lot without notice, and sometimes external programs do suffer from this if old kernel headers are used with current kernels... :-( )

If you use the PF_KEY implementation then I don't think you need to generate a new kernel (unless NAT-T is involved and the kernel is a bit old).

Author Comment by abbeytechos:
Oops, now you've lost me. I am quite a newbie in Linux administration, and a lot of what you put seems above me. I'm sure you can give more of a breakdown on resolving this in a simpler way for me.

Expert Comment by noci (LVL 39):
There are two IPSEC implementations.
1) FreeSwan/OpenSwan native driver (this is a cleaner implementation, as a tunnel gets a separate device)
2) PF_KEY, the kernel native IPSEC stack, built in to be used with KAME, an ISAKMP toolkit from FreeBSD, for tunneling.

The pluto program (the process that manages the ISAKMP exchanges) can be built to use either of them.
In essence you only need the usermode stuff if built for PF_KEY.

Author Comment by abbeytechos:
Though I'm still trying to understand fully the whole concept behind IPSEC. The SANS documentation I have been following suggests I install a kernel; should I bypass this particular step? Looking at the openswan site, the installation process is a bit different from that of the SANS doc. Should I continue the installation process using the openswan site?

Author Comment by abbeytechos:
Hello noci, haven't heard from you. Though I'm going ahead to try both installation guides, I'll still appreciate your expert advice till I see the end of this. Hope I'm not much of a bug? Hope to receive your response soon.

Expert Comment by noci (LVL 39):
I do have some work to do, with a customer... ;-)
I will irregularly monitor this thread today; tomorrow I am doing some lifeguard work 9:00-24:00 local time, and on Sunday I have to do some system maintenance work with another customer.

As a general rule you should install software according to the doc. that comes with the software, or using the site providing the source.
In this case openswan. (The SANS doc is years old and does describe somewhat different software with definitely an older kernel, of which 2 a year are issued nowadays... sometimes with radical changes done to it).

The SANS doc. describes the whole process (maybe I should have told this before ;-/ ); the software building part should be considered obsolete by now. But the Cisco configuration options of pluto are the most valuable part in there.

Author Comment by abbeytechos:
Still ok. I will make some attempt towards making this work and revert back, say in the next 3 hours. Thanks much.

Author Comment by abbeytechos:
Hi noci, it's been a while. I have tried several times to establish the VPN connection but still no joy. If you can PLEASE spare some time for a quick conversation via instant messenger or Skype I will really appreciate it. I have a serious deadline to resolve this today.

Expert Comment by noci (LVL 39):
Can you show the error messages here?
(I have no Skype, and only run an in-house IM.)

Author Comment by abbeytechos:
Here below is the error on trying to start ipsec after installation using 'service ipsec start':

/usr/local/libexec/ipsec/addconn: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory
ipsec_setup: Starting Openswan IPsec 2.6.25...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
ipsec_setup: /usr/local/libexec/ipsec/addconn: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory

==========================================================
Also on using 'ipsec verify', below is what was gotten -

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.25/K2.6.18-164.15.1.el5xen (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  /usr/local/libexec/ipsec/showhostkey: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


I can give an access to my server to verify yourself, if you so need to.


Expert Comment by noci (LVL 39):
You are missing the gmp package on your target system (hence the message about libgmp).

In your ipsec.conf file add to the global section:
protostack=netkey

That prevents the KLIPS message. (KLIPS is the private stack, slightly better IMHO, but that can be done later if needed.)

Create a small script named /etc/init.d/disable_redirect:
---8<---
#!/bin/sh
#
# Startup script to disable redirects. (no restore etc.).
#
# chkconfig: 2345 01 99
# description: disables redirects
# start early, stop late.

for i in /proc/sys/net/ipv4/conf/*/send_redirects
do
   echo "0"  > $i
done
for i in /proc/sys/net/ipv4/conf/*/accept_redirects
do
   echo "0"  > $i
done
---8<---
This needs to be run at boot time...
After putting it in the right directory run:
chmod 755 /etc/init.d/disable_redirect
chkconfig --add disable_redirect

After you have installed the gmp rpm and activated the script mentioned before
(and also run it manually one time with:   /etc/init.d/disable_redirect)

please try to start the ipsec stuff again and report what you find. (If you have a problem installing the library, show the errors please.)

Author Comment by abbeytechos:
Hi, I have installed gmp using 'yum install gmp'. On starting ipsec, below is what is gotten -


[root@gatewaydb1 source]# service ipsec start
/usr/local/libexec/ipsec/addconn: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory
ipsec_setup: Starting Openswan IPsec 2.6.25...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
ipsec_setup: /usr/local/libexec/ipsec/addconn: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory


============================

On running - 'ipsec verify', find below what is gotten -

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.25/K2.6.18-164.15.1.el5xen (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  /usr/local/libexec/ipsec/showhostkey: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]



The gmp was well installed, but I'm wondering why it's still giving the error.

Expert Comment by noci (LVL 39):
You still forgot to add a line to /etc/ipsec.conf (for netkey), under the config setup (main section) heading, like:

config setup
     protostack=netkey

The path may be wrong, or it's a different version...
What does rpm -ql gmp show?

It expects library .10, but which is the one that is installed...

Author Comment by abbeytechos:
Yea.... I did. It was a commented line and all I did was uncomment it.

Below is what rpm -gl gmp shows -

RPM version 4.4.2.3
Copyright (C) 1998-2002 - Red Hat, Inc.




Expert Comment by noci (LVL 39):
Not -gl (dash-gee-el) but -ql (dash-que-el) (for querying the content of an rpm).

Author Comment by abbeytechos:
My bad; see below what showed -


/usr/lib64/libgmp.so.3
/usr/lib64/libgmp.so.3.3.3
/usr/lib64/libgmpxx.so.3
/usr/lib64/libgmpxx.so.3.0.5
/usr/lib64/libmp.so.3
/usr/lib64/libmp.so.3.1.7
/usr/share/doc/gmp-4.1.4
/usr/share/doc/gmp-4.1.4/COPYING
/usr/share/doc/gmp-4.1.4/COPYING.LIB
/usr/share/doc/gmp-4.1.4/NEWS
/usr/share/doc/gmp-4.1.4/README
/usr/lib/libgmp.so.3
/usr/lib/libgmp.so.3.3.3
/usr/lib/libgmpxx.so.3
/usr/lib/libgmpxx.so.3.0.5
/usr/lib/libmp.so.3
/usr/lib/libmp.so.3.1.7
/usr/lib/sse2/libgmp.so.3
/usr/lib/sse2/libgmp.so.3.3.3
/usr/lib/sse2/libgmpxx.so.3
/usr/lib/sse2/libgmpxx.so.3.0.5
/usr/lib/sse2/libmp.so.3
/usr/lib/sse2/libmp.so.3.1.7
/usr/share/doc/gmp-4.1.4
/usr/share/doc/gmp-4.1.4/COPYING
/usr/share/doc/gmp-4.1.4/COPYING.LIB
/usr/share/doc/gmp-4.1.4/NEWS
/usr/share/doc/gmp-4.1.4/README


Expert Comment by noci (LVL 39):
/usr/lib/libgmp.so.3 is quite a different version from libgmp.so.10....
Are you able to build it in an environment more like the target machine?

It might work if you put the libgmp.so.3 in a special directory (say: /tmp/special-gmp/) on your target machine and then add a -L/tmp/special-gmp/ as the first of the linking options in the make file.

Expert Comment by noci (LVL 39):
In stead of 'on your target machine' i meant to type ' on your build machine'
If you need a build environment but don't want to use an RHEL license. CENTOS might be a better choice then Fedora...

Author Comment by abbeytechos:
I'm wanting to try out putting libgmp.so.3 in another folder and linking it, but where is the make file where I am to add the linking options? (Pls, bear with the slowness.)

Expert Comment by noci (LVL 39):
No problem... Now it is 15:52; at 18:00 I take dinner, and at 19:30 I have an appointment until about 21:30. I do have other work to do tonight but can keep an eye on mail.

The make file should be in the folder of the pluto source (and possibly other tools) too; it is named Makefile.
Mostly there is something called LDFLAGS or likewise, or maybe even a LIBS symbol.

I do have a CentOS 5 lying around, but it is 32-bit, so I cannot compile one for you, but I will take a version of the source with me.

Expert Comment by noci (LVL 39):
Like this, in openswan-2.6.25/programs/pluto:
....

ALLFLAGS = $(CPPFLAGS) $(CFLAGS) ${CROSSFLAGS}

ifneq ($(LD_LIBRARY_PATH),)
LDFLAGS+=-L$(LD_LIBRARY_PATH)
endif

LIBSADNS = $(OPENSWANLIB)
LIBSADNS += -lresolv # -lefence
...

Here it should be inserted like:
...
ALLFLAGS = $(CPPFLAGS) $(CFLAGS) ${CROSSFLAGS}
LDFLAGS+=-L/tmp/special-gmp
ifneq ($(LD_LIBRARY_PATH),)
LDFLAGS+=-L$(LD_LIBRARY_PATH)
endif

LIBSADNS = $(OPENSWANLIB)
LIBSADNS += -lresolv # -lefence
...

Author Comment by abbeytechos:
Followed your steps but still getting the same error -


[root@gatewaydb1 lib]# service ipsec start
/usr/local/libexec/ipsec/addconn: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory
ipsec_setup: Starting Openswan IPsec 2.6.25...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
ipsec_setup: /usr/local/libexec/ipsec/addconn: error while loading shared libraries: libgmp.so.10: cannot open shared object file: No such file or directory

Expert Comment by noci (LVL 39):
Is it possible to compile your programs on your RHEL box?
You can temporarily install the compiler/bison/flex/*-devel rpms etc. and later remove them again...

Expert Comment by noci (LVL 39):
I haven't received any mail any more; is that correct?

Author Comment by abbeytechos:
Hello noci, glad to hear from you. I have been making several attempts to make this thing work by following in detail all the steps you have given so far, but still no joy. Spent the whole of yesterday working on it, trying to resolve it from all angles. At this point, I will need your wizardry in setting it up for me; I can give you access to the server to help with it. You can then give me the steps that I can use subsequently when you are done. PLEASE, this will be much appreciated; I have gotten enough tongue lashing from my boss and the next thing might be my job. Hope to hear from you soon.

Expert Comment by noci (LVL 39):
See my profile for my mail address.

Author Comment by abbeytechos:
Hello noci, I tried sending to the mail addy given on your profile. Please, can you confirm you got it?


Author Comment by abbeytechos:
Hello Noci, are you still available? Haven't heard from you.

Expert Comment by noci (LVL 39):
I haven't seen the mail yet, but mail needs to travel through greylisting and spam scanning...

It might help if you resend it about now (an hour later, just in case the retry is not done around one hour...).

Expert Comment by noci (LVL 39):
The mail has arrived, and I answered.

Author Comment by abbeytechos:
I saw your response, and I have long since responded to it. I think it's a bit slow getting the mails across to your box.


Expert Comment by noci (LVL 39):
To summarize:
A private version of gmp had been installed instead of the gmp-devel kit from RHEL.
After removing the (far too modern for RHEL) gmp version, openswan did compile & install & run.

After correcting the connection parameters the tunnel also started and came to life.
The original information was 80% correct but not exactly right.

HIH.
Kind Regards.

Expert Comment by noci (LVL 39):
Abbeytechos, how did the tests work out?

Author Comment by abbeytechos:
Hello Noci, it's going fine. I was able to set up another connection on my own on another server. I'm trying to monitor things before reverting back to you; I noticed that the VPN connection breaks after some time. I'm wondering why; do you have any suggestion for fixing that?

Expert Comment by noci (LVL 39):
Disconnection might occur when the key isn't renegotiated in time.

Please look up if rekeying is enabled (if both sides don't rekey, then a new packet will start rekeying, but may get lost).
You can start rekeying earlier (rekeymargin), and rekeyfuzz is to randomize between 0 & rekeymargin.

rekeyfuzz =0% (no randomisation)
rekeymargin = (a few minutes).
rekey = yes

http://www.freeswan.org/freeswan_trees/CURRENT-TREE/doc/manpage.d/ipsec.conf.5.html

This might help.

Expert Comment by noci (LVL 39):
Best value for rekeyfuzz is the default (100%), not the mentioned 0%; I meant to type both values but got interrupted.

Author Comment by abbeytechos:
Hi Noci, tried it, tried a number of values, but below are the values recently tried, and the connection is still breaking -

       rekeyfuzz=100%
       rekeymargin=5s
       rekey=yes

Regards,



Expert Comment by noci (LVL 39):
What is in the log file? (pluto logs to security, /var/log/security)
So please be careful about what you publish.

Author Comment by abbeytechos:
Hello noci, I have sent to your mail the recent log from the secure file. You can check your mail.

Accepted Solution by noci (LVL 39, earned 500 total points):
Summary from mail exchange:

According to the pluto logging, continuation of a link failed.
Just the initial negotiation is accepted, when initiated from Openswan.
From this it was advised to check the remote (Cisco) logs for any issues.

After examining the logs from the Cisco with your link partner, you were advised to modify the pfs setting,
which worked.
In my past experience a disagreement in pfs failed to start the connection anyway, either way, also the first time,
so this is a new one for me too.
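The settings this thread converged on (protostack=netkey under config setup, the rekey/rekeymargin/rekeyfuzz values, and an explicit pfs that matches the Cisco side) can be checked mechanically before restarting ipsec. The following is an added example, not code from the thread or from Openswan: it parses the indented key=value layout of ipsec.conf and flags those settings; the conn name, the placeholder addresses and the 2m minimum margin are assumptions.

```python
"""Lint an Openswan-style ipsec.conf for the settings this thread settled on."""
import re

# Duration suffixes as ipsec.conf uses them; a bare number means seconds.
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """'5s' -> 5, '9m' -> 540, '8h' -> 28800 (raises on anything else)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNIT[m.group(2)]

def parse_ipsec_conf(text):
    """Return {'setup': {...}, '<conn name>': {...}} from the indented key=value layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented line: a section header
            words = line.split()
            current = words[1] if words[0] in ("config", "conn") and len(words) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint(text, min_margin="2m"):
    """Return a list of findings; an empty list means every check passes."""
    cfg = parse_ipsec_conf(text)
    findings = []
    if cfg.get("setup", {}).get("protostack") != "netkey":
        findings.append("config setup: add protostack=netkey so pluto does not try KLIPS first")
    defaults = cfg.get("%default", {})
    for name, sec in cfg.items():
        if name in ("setup", "%default"):
            continue
        conn = dict(defaults, **sec)                # conn values override %default
        if conn.get("rekey", "yes") != "yes":
            findings.append("conn %s: rekey=no, so an expiring SA is not renegotiated ahead of time" % name)
        margin = conn.get("rekeymargin")
        if margin is not None and parse_duration(margin) < parse_duration(min_margin):
            findings.append("conn %s: rekeymargin=%s is far below the 9m default; rekeying may not finish before the SA expires" % (name, margin))
        fuzz = conn.get("rekeyfuzz")
        if fuzz is not None and not re.fullmatch(r"\d+%", fuzz):
            findings.append("conn %s: rekeyfuzz must be a percentage such as 100%%" % name)
        if "pfs" not in conn:
            findings.append("conn %s: set pfs explicitly to match the Cisco side (a mismatch broke this tunnel)" % name)
    return findings

# Constructed sample resembling the thread's failing config; addresses are placeholders.
BROKEN_CONF = """\
config setup
    # protostack=netkey   <- still commented out, as in the thread

conn tocisco
    left=192.0.2.10
    right=198.51.100.1
    authby=secret
    rekeyfuzz=100%
    rekeymargin=5s
    rekey=yes
"""

# The corrected version: protostack set, a sane margin, and pfs stated explicitly.
FIXED_CONF = (BROKEN_CONF
              .replace("# protostack=netkey   <- still commented out, as in the thread", "protostack=netkey")
              .replace("rekeymargin=5s", "rekeymargin=9m") + "    pfs=yes\n")
```

Calling lint(BROKEN_CONF) returns three findings (protostack, rekeymargin, pfs) and lint(FIXED_CONF) returns an empty list.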