B Configuring IPSec for Secure Packet Transmission between All Hosts
Perform the following steps to enable the IPsec service between nodes, for example between the Active and Standby PDBA EPAP nodes, between the PDB and RTDB EPAP nodes, and so on.
- Switch to the root user with "su -".
- Enable the service to be started and run the command:
systemctl enable ipsec
[admusr@mps-A~]$ systemctl enable ipsec
[admusr@mps-A~]$ Created symlink /etc/systemd/system/multi-user.target.wants/ipsec.service -> /usr/lib/systemd/system/ipsec.service
- Configure the firewall (if enabled) to allow UDP ports 500 and 4500 for the IKE, ESP, and AH protocols by adding the IPsec service:
firewall-cmd --add-service="ipsec"
firewall-cmd --runtime-to-permanent
- Initialize the new NSS database and run the following command as root:
ipsec initnss
For example:
[admusr@mps-A~]$ ipsec initnss
[admusr@mps-A ~]$ Initializing NSS database
- Create the Host-to-Host VPN link. Change the directory to /etc/ipsec.d/.
- Create a new file with the name my_host-to-host.conf.
- Edit the file and enter all the details shown below:
The parameter lines that follow conn mytunnel (auto=start and the rest) must be indented by exactly one tab. To create more than one tunnel, add a further conn section whose name carries the "-also" suffix, for example "conn mytunnel-also".
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=(ip address of self linux machine)
	left=(ip address of self linux machine)
	right=(ip address of remote linux machine)
	rightid=(ip address of remote linux machine)
If more than one IPsec connection is required, for example from the PROV EPAP to multiple Non-PROV EPAPs, add one conn section per remote host as shown below:
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=(ip address of self linux machine)
	left=(ip address of self linux machine)
	right=(ip address of remote linux machine)
	rightid=(ip address of remote linux machine)

conn mytunnel-also
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=(ip address of self linux machine)
	left=(ip address of self linux machine)
	right=(ip address of remote linux machine)
	rightid=(ip address of remote linux machine)
- Create a new file with the name ipsec.secrets. Edit the file and enter the following details. Here, pre-shared-key can be any passphrase:
siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
In case of multiple sites, enter one line per peer:
siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
siteA-public-IP siteC-public-IP: PSK "corresponding-pre-shared-key"
- Edit the file /etc/ipsec.conf. Go to line 17, comment out the flag oe=off as shown, and save the file:
#oe=off
- Start the IPsec service and run the command:
systemctl start ipsec
- If the conf file is modified, restart the IPsec service and run the command:
systemctl restart ipsec
- To verify the tunnel creation and traffic flow, run the following command:
ipsec traffic
For example:
[admusr@mps-A~]# ipsec traffic
006 #4: "mytunnel", type=ESP, add_time=1666264187, inBytes=600, outBytes=544,id='x.x.x.x'
006 #6: "mytunnel-also", type=ESP, add_time=1666264189, inBytes=2820, outBytes=2024,id='x.x.x.x'
- Follow the same steps at the peer end.
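As an added example that is not part of the EPAP documentation, the following Python script generates the my_host-to-host.conf and ipsec.secrets contents in the layout described above for a host with several peers (one tab-indented conn section and one PSK line per remote), then parses the output of ipsec traffic to confirm that every expected conn has an ESP SA carrying bytes in both directions. The hub and peer addresses, the conn name mytunnel-idle, the third traffic line and the PLACEHOLDER-PSK value are constructed for the example.

```python
import re

# Conn parameters copied from the page's my_host-to-host.conf samples.
CONN_PARAMS = ("auto=start", "keyexchange=ike", "phase2=esp", "pfs=no",
               "type=tunnel", "authby=secret")

def render_conf(local_ip, peers):
    """peers: list of (conn_name, remote_ip); params indented by one tab."""
    blocks = []
    for name, remote in peers:
        params = (*CONN_PARAMS, f"leftid={local_ip}", f"left={local_ip}",
                  f"right={remote}", f"rightid={remote}")
        blocks.append(f"conn {name}\n" + "".join(f"\t{p}\n" for p in params))
    return "\n".join(blocks)

def render_secrets(local_ip, peers, psks):
    """One 'local remote : PSK "..."' line per peer; psks maps remote_ip -> key."""
    return "".join(f'{local_ip} {remote} : PSK "{psks[remote]}"\n'
                   for _, remote in peers)

# Per-SA line printed by `ipsec traffic` (format taken from the page's sample).
TRAFFIC_RE = re.compile(r'^\d{3} #\d+: "(?P<conn>[^"]+)", type=ESP, .*?'
                        r'inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+)')

def check_traffic(output, expected_conns):
    """Map each expected conn to 'up' (ESP SA with bytes both ways),
    'idle' (SA present, one direction still at 0) or 'missing'."""
    seen = {}
    for line in output.splitlines():
        m = TRAFFIC_RE.match(line.strip())
        if m:
            seen[m["conn"]] = (int(m["inb"]), int(m["outb"]))
    return {c: "missing" if c not in seen else
            ("up" if min(seen[c]) > 0 else "idle") for c in expected_conns}

# Constructed `ipsec traffic` output: the page's two lines plus an idle SA.
SAMPLE_TRAFFIC = """\
006 #4: "mytunnel", type=ESP, add_time=1666264187, inBytes=600, outBytes=544,id='x.x.x.x'
006 #6: "mytunnel-also", type=ESP, add_time=1666264189, inBytes=2820, outBytes=2024,id='x.x.x.x'
006 #8: "mytunnel-idle", type=ESP, add_time=1666264190, inBytes=0, outBytes=312,id='x.x.x.x'
"""

if __name__ == "__main__":
    hub = "10.71.141.10"
    peers = [("mytunnel", "10.71.141.20"), ("mytunnel-also", "10.71.141.21")]
    print(render_conf(hub, peers), end="")
    print(render_secrets(hub, peers, {p: "PLACEHOLDER-PSK" for _, p in peers}))
    print(check_traffic(SAMPLE_TRAFFIC, ["mytunnel", "mytunnel-also", "mytunnel-idle"]))
```

A conn reported as "idle" or "missing" on one side usually points at a mismatched PSK line or a left/right address that does not mirror the peer's file, which is why the same steps must be repeated at the peer end.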
- Below is a sample site scenario in which one CPA host and two EPAP hosts are connected:
CPA Site IP: 10.71.141.10
EPAP Site A: 10.71.141.20
EPAP Site B: 10.71.141.21
Sample Files for CPA Site (10.71.141.10)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.10
	left=10.75.141.10
	right=10.75.141.20
	rightid=10.75.141.20

conn mytunnel-also
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.10
	left=10.75.141.10
	right=10.75.141.21
	rightid=10.75.141.21
File - /etc/ipsec.d/ipsec.secrets
10.75.141.10 10.75.141.20 : PSK "Abc1234"
10.75.141.10 10.75.141.21 : PSK "Abc1234"
Sample Files for EPAP Site A (10.71.141.20)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.20
	left=10.75.141.20
	right=10.75.141.10
	rightid=10.75.141.10
File - /etc/ipsec.d/ipsec.secrets
10.75.141.20 10.75.141.10 : PSK "Abc1234"
Sample Files for EPAP Site B (10.71.141.21)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.71.141.21
	left=10.71.141.21
	right=10.75.141.10
	rightid=10.75.141.10
File - /etc/ipsec.d/ipsec.secrets
10.71.141.21 10.75.141.10 : PSK "Abc1234"
- Below is a sample site scenario in which one Prov host and two Non-Prov hosts are connected:
Prov Site IP: 10.71.141.30
Non-Prov Site 1: 10.71.141.40
Non-Prov Site 2: 10.71.141.50
Sample Files for PROV Site (10.71.141.30)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.30
	left=10.75.141.30
	right=10.75.141.40
	rightid=10.75.141.40

conn mytunnel-also
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.30
	left=10.75.141.30
	right=10.71.141.50
	rightid=10.71.141.50
File - /etc/ipsec.d/ipsec.secrets
10.75.141.30 10.75.141.40 : PSK "Abc1234"
10.75.141.30 10.71.141.50 : PSK "Abc1234"
Sample Files for Non-Prov Site (10.71.141.40)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.75.141.40
	left=10.75.141.40
	right=10.75.141.30
	rightid=10.75.141.30
File - /etc/ipsec.d/ipsec.secrets
10.75.141.40 10.75.141.30 : PSK "Abc1234"
Sample Files for Non-Prov Site (10.71.141.50)
File - /etc/ipsec.d/my_host-to-host.conf
conn mytunnel
	auto=start
	keyexchange=ike
	phase2=esp
	pfs=no
	type=tunnel
	authby=secret
	leftid=10.71.141.50
	left=10.71.141.50
	right=10.75.141.30
	rightid=10.75.141.30
File - /etc/ipsec.d/ipsec.secrets
10.71.141.50 10.75.141.30 : PSK "Abc1234"