Example Hosts
Host 1: 172.18.64.100 (host1)
Host 2: 172.20.16.200 (host2)
Configuration on host1
The numbers for SPI, or Security Parameter Index, are arbitrary. They just need to correlate with each other across the pair: each IN value on host1 is the matching OUT value on host2, and vice versa. I just picked a set of seven-digit numbers for this example.
# /etc/sysconfig/network-scripts/ifcfg-ipsec0
DST=172.20.16.200
TYPE=IPSEC
ONBOOT=yes
SPI_ESP_IN=9180000
SPI_AH_IN=8008135
SPI_ESP_OUT=5550100
SPI_AH_OUT=8675309
Configuration on host2
DST=172.18.64.100
TYPE=IPSEC
ONBOOT=yes
SPI_ESP_IN=5550100
SPI_AH_IN=8675309
SPI_ESP_OUT=9180000
SPI_AH_OUT=8008135
The Difference
Before you activate the IPSEC tunnel (which you have configured to start on boot), you should understand how the traffic differs on the wire. Here is what a single ping looks like before the tunnel is up:
16:07:34.401784 IP 172.18.64.100 > 172.20.16.200: ICMP echo request, id 11084, seq 1, length 64
16:07:34.401842 IP 172.20.16.200 > 172.18.64.100: ICMP echo reply, id 11084, seq 1, length 64
You can see that the traffic is identifiable as ICMP.
After "sudo /sbin/ifup ipsec0":
16:09:32.580025 IP 172.18.64.100 > 172.20.16.200: AH(spi=0x00845fed,seq=0x2d): ESP(spi=0x0054b014,seq=0x2d), length 88
16:09:32.580144 IP 172.20.16.200 > 172.18.64.100: AH(spi=0x007a31c7,seq=0x23): ESP(spi=0x000138d5,seq=0x23), length 88
With the IPSEC connection up, all traffic between the two hosts is carried as IP protocol 50 and 51 (Encapsulating Security Payload and Authentication Header); the AH(...): ESP(...) nesting in the capture shows AH on the outside with ESP inside it. Here is a secure shell session:
17:00:35.333778 IP 172.18.64.100 > 172.20.16.200: AH(spi=0x00845fed,seq=0x2f): ESP(spi=0x0054b014,seq=0x2f), length 64
17:00:35.333881 IP 172.20.16.200 > 172.18.64.100: AH(spi=0x007a31c7,seq=0x25): ESP(spi=0x000138d5,seq=0x25), length 64
17:00:35.333937 IP 172.18.64.100 > 172.20.16.200: AH(spi=0x00845fed,seq=0x30): ESP(spi=0x0054b014,seq=0x30), length 56
17:00:35.340078 IP 172.20.16.200 > 172.18.64.100: AH(spi=0x007a31c7,seq=0x26): ESP(spi=0x000138d5,seq=0x26), length 72
17:00:35.340183 IP 172.18.64.100 > 172.20.16.200: AH(spi=0x00845fed,seq=0x31): ESP(spi=0x0054b014,seq=0x31), length 56
17:00:35.340299 IP 172.18.64.100 > 172.20.16.200: AH(spi=0x00845fed,seq=0x32): ESP(spi=0x0054b014,seq=0x32), length 72
17:00:35.340355 IP 172.20.16.200 > 172.18.64.100: AH(spi=0x007a31c7,seq=0x27): ESP(spi=0x000138d5,seq=0x27), length 56
17:00:35.340490 IP 172.18.64.100 > 172.20.16.200: AH(spi=0x00845fed,seq=0x33): ESP(spi=0x0054b014,seq=0x33), length 768
tcpdump cannot look inside the ESP payload, so nothing in the capture shows that this is traffic destined for TCP port 22. Because the payload is encrypted, an intercepted copy cannot be deciphered; clear-text passwords sent while checking mail, for example, would not be exposed. What does remain visible is the metadata shown above: the two endpoints, the SPIs, the sequence numbers and the packet lengths.
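Because the SPIs are keyed by hand on both hosts, the usual failure is a transposed IN/OUT value or a typo on one side. The script below is an added example, not code from the original post: it parses the two ifcfg-ipsec0 files shown above, checks that every *_IN on one host equals the matching *_OUT on the other and that DST points at the peer, and then decodes the hex SPIs from the tcpdump lines (ifcfg stores them in decimal) to confirm that each packet carries the sender's configured *_OUT values; a wire SPI the sender's file does not declare is reported next to the configured value. The host labels host1/host2, the function names and the address table are this example's own assumptions; the file contents, addresses and capture lines are copied from the post.

```python
"""Cross-check hand-keyed IPsec SPIs between two ifcfg-ipsec0 files and a tcpdump capture.

Added example, not code from the original post. Config text, addresses and
capture lines are copied from the post; host labels and function names are ours.
"""
import re
from typing import Dict, List, Optional

HOST1_IFCFG = """\
# /etc/sysconfig/network-scripts/ifcfg-ipsec0
DST=172.20.16.200
TYPE=IPSEC
ONBOOT=yes
SPI_ESP_IN=9180000
SPI_AH_IN=8008135
SPI_ESP_OUT=5550100
SPI_AH_OUT=8675309
"""

HOST2_IFCFG = """\
DST=172.18.64.100
TYPE=IPSEC
ONBOOT=yes
SPI_ESP_IN=5550100
SPI_AH_IN=8675309
SPI_ESP_OUT=9180000
SPI_AH_OUT=8008135
"""

# Address table (assumption: host labels are ours, addresses are from the post).
ADDRS = {"host1": "172.18.64.100", "host2": "172.20.16.200"}

# The ping captured after "ifup ipsec0", copied from the post.
CAPTURE = [
    "16:09:32.580025 IP 172.18.64.100 > 172.20.16.200: AH(spi=0x00845fed,seq=0x2d): ESP(spi=0x0054b014,seq=0x2d), length 88",
    "16:09:32.580144 IP 172.20.16.200 > 172.18.64.100: AH(spi=0x007a31c7,seq=0x23): ESP(spi=0x000138d5,seq=0x23), length 88",
]

SPI_KEYS = ("SPI_ESP_IN", "SPI_AH_IN", "SPI_ESP_OUT", "SPI_AH_OUT")


def parse_ifcfg(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_pairing(cfg_a: Dict[str, str], addr_a: str,
                  cfg_b: Dict[str, str], addr_b: str) -> List[str]:
    """Return a list of problems; an empty list means the two sides agree.

    Each *_IN SPI on one side must equal the matching *_OUT on the other, DST
    must name the peer, and each SPI must be a 32-bit value of at least 256
    (0-255 are reserved by IANA).
    """
    problems: List[str] = []
    for proto in ("ESP", "AH"):
        for near, far in (("IN", "OUT"), ("OUT", "IN")):
            ka, kb = f"SPI_{proto}_{near}", f"SPI_{proto}_{far}"
            if cfg_a.get(ka) != cfg_b.get(kb):
                problems.append(f"{ka}={cfg_a.get(ka)} on A but {kb}={cfg_b.get(kb)} on B")
    for label, cfg, peer in (("A", cfg_a, addr_b), ("B", cfg_b, addr_a)):
        if cfg.get("DST") != peer:
            problems.append(f"DST={cfg.get('DST')} on {label}, expected peer {peer}")
        for key in SPI_KEYS:
            raw = cfg.get(key, "")
            if not raw.isdigit() or not 256 <= int(raw) < 2 ** 32:
                problems.append(f"{key}={raw!r} on {label} is not a usable SPI")
    return problems


# tcpdump prints AH(spi=0x..,seq=0x..): ESP(spi=0x..,seq=0x..) for the nested headers.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"AH\(spi=0x(?P<ah>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\): "
    r"ESP\(spi=0x(?P<esp>[0-9a-f]+),seq=0x[0-9a-f]+\)")


def parse_capture_line(line: str) -> Optional[dict]:
    """Pull the endpoints and the (hex) SPIs out of one AH+ESP tcpdump line."""
    m = TCPDUMP_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "seq": int(m["seq"], 16),
            "ah_spi": int(m["ah"], 16), "esp_spi": int(m["esp"], 16)}


def audit_capture(lines: List[str], configs: Dict[str, Dict[str, str]],
                  addrs: Dict[str, str]) -> List[str]:
    """One report line per packet: do the wire SPIs equal the sender's *_OUT values?"""
    by_addr = {addr: host for host, addr in addrs.items()}
    report: List[str] = []
    for line in lines:
        pkt = parse_capture_line(line)
        if pkt is None:
            continue
        sender = by_addr.get(pkt["src"])
        if sender is None:
            report.append(f"{pkt['src']}: sender not in address table")
            continue
        cfg, parts = configs[sender], []
        for proto, key in (("AH", "SPI_AH_OUT"), ("ESP", "SPI_ESP_OUT")):
            wire = pkt[f"{proto.lower()}_spi"]
            parts.append(f"{proto} ok" if int(cfg[key]) == wire
                         else f"{proto} spi 0x{wire:08x} ({wire}) != {key}={cfg[key]}")
        report.append(f"{sender} -> {by_addr.get(pkt['dst'], pkt['dst'])}: " + "; ".join(parts))
    return report


if __name__ == "__main__":
    configs = {"host1": parse_ifcfg(HOST1_IFCFG), "host2": parse_ifcfg(HOST2_IFCFG)}
    pairing = check_pairing(configs["host1"], ADDRS["host1"], configs["host2"], ADDRS["host2"])
    for item in pairing or ["configs pair up"]:
        print(item)
    for item in audit_capture(CAPTURE, configs, ADDRS):
        print(item)
```

Run it as-is against the post's files and capture; to use it on your own hosts, paste each side's ifcfg-ipsec0 into the two strings, fill in the address table, and feed it `tcpdump -n -i eth0 ip proto 50 or ip proto 51` output.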
Next time, I'll explain a way to encrypt traffic between hosts you don't have administrative access to, using secure shell.
I never knew about it, but now I get it clearly. Thanks a lot. Website Hosting India

Hi, what will happen to the regular ethernet interfaces? Will those remain configured as active interfaces, with UP status, besides the ipsec0 interface? Can you provide an ifconfig output on a working host? I'm just asking b/c I'm interested. Thanks!

Miklos: Yes. The eth0 interface will remain up and will show regular communications with other hosts. Encryption and protocol 50/51 will only occur between the two hosts on tunnel interface ipsec0. The tcpdump output above was with "-i eth0", by the way. I'll post some ifconfig output for you soon.

IPsec is a protocol suite for security purposes.